Privacy News Highlights

01–14 May 2010



CA – Ontario Police Forces Seek Access to Driver’s-Licence Photos

US – Clear Program to Reopen at Airports by Fall

US – Voice Verification Tech Deployed to Prevent Abuse of Florida’s Medicaid Services

CA – Alberta Enacts Breach Notification Requirement

CA – Ontario Sees More Privacy Complaints than Ever Before

CA – U.S. Control of its Airspace ‘Beyond US’

CA – Denham Named BC Information and Privacy Commissioner

WW – Hotels Connect the Dots Between Guests and Online Reviews

US – Service Allows Consumers to Manage Online Ads

US – HHS Seeking Comments on Process

WW – The Fundamental Limits of Privacy for Social Networks

WW – Sharing Puts Users at Risk

US – Consumer Groups Lodge Complaint with FTC

EU – Parliament Pushing for Data Rights Charter by 2012

EU – Support for EU Data Retention Directive Could Mean “Surveillance Regime”

US – Leon County, Fla., Hosts Database for Tracking Pawnshop Transactions

CA – Supreme Court to Rule on Protection of News Sources In Shawinigate Case

US – Walgreens Won’t Sell Over-The-Counter Genetic Test After FDA Raises Questions

CA – Health Minister ‘Fundamentally Disagrees’ With Commissioner’s Privacy Worries

US – Health IT Panel Troubleshoots NHIN Privacy Gaps

US – Heartland Breach Expenses Pegged at $140M so Far

US – Online List Shows Reported Data Breaches Have Affected 1.2 Million People

AU – Commissioners Release ID Theft Tool

CA – Ontario Appellate Court Sets Standard for Disclosing Anonymous Posters

WW – Facebook Measures Our ‘Gross National Happiness’ through Status Updates

WW – MySpace Creates New CPO Post

WW – Google Urged to Protect Privacy in Street View Rollouts

US – Government Reintroduces ISP Child Pornography Reporting Bill

US – Library of Congress, Facing Privacy Concerns, Clarifies Twitter Archive Plan

HK – Survey: Hong Kong’s Elderly Lack Awareness of Privacy Protection

HK – Commissioner Warns Elderly Are Vulnerable

MX – Violators of Mexico’s Data Protection Act Could Face Prison Time

Facebook Bug Reveals Users’ Private Chats

WW – Google Search Anonymizer Up and Running Again

WW – Nerds Unite on Privacy-Rich Social Network

AU – Commissioner Launches Privacy Guide

IN – Use of Narco Analysis, Brain-Mapping Unconstitutional: Indian Court

BU – Data Retention Legislation Takes Effect

US – Choose Privacy: Teaching Children about Online Privacy

US – The Navigator: Hotels Connect the Dots Between Guests and Online Reviews

US – Wisconsin: No Privacy Invasion for Noisy Neighbor Recording

CA – RFID Driver’s Licence Demand Underwhelming Across Four Provinces

US – University Plans to Install Electronic Sensors to Track Class Attendance

NZ – Privacy Commissioner Concerned about PSD Risks

CN – China Cracks Down on ‘Anonymous’ Internet and Cell-Phone Users

US – Police Wiretapping Jumps 26%

US – School District Blasted for Web Cam Use

US – Maryland First to Bar Schools from Releasing Tests to Military

US – Lawmakers Boucher and Stearns Draft Web Ad Privacy Safeguards Bill





CA – Ontario Police Forces Seek Access to Driver’s-Licence Photos

Police chiefs are calling on the McGuinty government to make Ontario the first province in Canada to give officers access to a database of driver’s licence photographs to help instantly verify the identity of suspects and traffic accident victims. The Ontario police chiefs descended on the legislature on Monday to present government officials with a list of requests that also include new powers to suspend officers facing serious criminal charges without pay and to allow officers to testify in court through affidavits instead of in person. The chiefs went public with measures they’ve been seeking since 2006, which require changes to the Police Services Act, in an effort to heighten awareness about the government’s lack of response. As things now stand, police officers can retrieve personal information on drivers and passengers contained in the Ministry of Transportation’s database, but not a driver’s licence photo. As a result, police often rely on fingerprint evidence to verify identities, a process that can take several days. The Ontario Association of Chiefs of Police says the technology exists to allow officers to instantly compare a picture in the ministry’s database with a driver’s licence photo. In a pilot project, 500 officers in the field are using the technology. The project will be expanded to another 300 officers. [Source]


US – Clear Program to Reopen at Airports by Fall

The Clear program, which allowed travelers quick passage through airport security checkpoints in exchange for biometric data and Social Security numbers, has a new owner and is expected to reopen by the fall. When Clear’s former owner declared bankruptcy last year, the program stopped abruptly, prompting questions from customers about what would happen to their personal data. That data, currently stored by a private security company, will now be transferred to new owner Alclear, pending permission from Clear’s 160,000 former customers. [Associated Press]


US – Voice Verification Tech Deployed to Prevent Abuse of Florida’s Medicaid Services

In south Florida, where in-home health-care fraud runs rampant, the Florida Agency for Health Care Administration (AHCA) hopes to stem future scams and save money using voice verification technology. Starting July 1, the agency, which administers Florida’s Medicaid program, will launch a pilot project in Miami-Dade County using the technology to make sure assigned nurses or home health aides actually deliver services to Medicaid recipients. Sandata Technologies, a New York-based software company, will implement the pilot program. The company will keep the recorded voices of all nurses and home health aides in a database. When the registered health-care providers arrive at a patient’s house, they will dial a number, enter a code and speak an assigned message. The software will verify whether the voices match. Florida’s pilot program stems from SB 1986. Passed by the Florida Legislature last year, the bill gave the AHCA authority to raise standards for home health-care providers in the state, including penalties and sanctions to help prevent fraud and abuse. [Source]




CA – Alberta Enacts Breach Notification Requirement

Alberta’s Personal Information Protection Amendment Act, 2009 came into effect on May 1. The amendments include a variety of changes, most notably a new notification requirement if an organization experiences a security breach. The Alberta government has come out with a brochure to help organizations understand their obligations under this new requirement.

Here’s the Coles Notes version:

The brochure itself contains helpful explanations, examples and illustrations on some of these concepts, such as what is meant by “real risk of significant harm” and who is responsible for notification. [Source] [Alberta amends privacy legislation] [Read more]


CA – Ontario Sees More Privacy Complaints than Ever Before

There’s good news and bad news in the 2009 Annual Report from Ontario’s Office of the Information and Privacy Commissioner (IPC). Released this week, the report notes that “264 privacy complaints were filed with the IPC – the most ever in the 22 years”! That’s bad news, in the sense that personal information is always vulnerable – and seemingly never more so than today. From lost PC memory sticks to Facebook privacy settings to home hydro meters, there are more and more ways that privacy can be compromised. But it’s good news, says Brian Beamish, Assistant Commissioner for Access, IPC, in the sense that more companies are voluntarily disclosing privacy breaches or losses of personal information. In the ‘old days’, they might not be willing to admit such breaches, and so possible remedial action would be much harder to implement. [Source] [Ontario privacy commissioner seeks solution to ‘abandoned patient records’ problem] See also: [A Conversation with Gary Dickson, Q.C.] [Commissioner: Smart Grid Data Must be Protected]


CA – U.S. Control of its Airspace ‘Beyond US’

Canada’s privacy watchdog has concerns about new U.S. security rules that will require Canadian airlines to give Washington personal information about passengers flying over the United States, but there is nothing Ottawa can do about it, parliamentarians were told yesterday. “There is a limit that is beyond us -- and that is United States sovereignty over U.S. airspace,” Chantal Bernier, Canada’s assistant privacy commissioner, testified at parliamentary hearings into aviation safety and security. Homeland Security’s Secure Flight policy, which comes into effect in December, says passengers, including Canadians, who raise the suspicions of U.S. authorities or who share the name of someone on a U.S. security watchlist can be prevented from boarding flights that fly over U.S. airspace. [Source]


CA – Denham Named BC Information and Privacy Commissioner

Federal Assistant Privacy Commissioner Elizabeth Denham has been appointed to a six-year term as British Columbia’s new information and privacy commissioner. Denham has spearheaded high-profile investigations into social networking and other online services to improve privacy safeguards during her term as assistant privacy commissioner. “We had a good number of applications for the position, we interviewed six candidates and the committee unanimously felt that Ms. Denham had all of the qualities and experience we were looking for,” said Stephanie Cadieux, chair of the five-member committee that unanimously recommended Denham for the post. Denham’s start date at the Office of the Information and Privacy Commissioner has not yet been announced. [Times Colonist]




WW – Hotels Connect the Dots Between Guests and Online Reviews

Hotels want to know who you are. Especially if you’re reviewing them anonymously. An increasing number of image-conscious properties have begun connecting the dots between unbylined write-ups that appear on such popular travel sites as TripAdvisor or Yelp, and your personal information, such as your loyalty program preferences. If you write a positive review, you might expect a reward from the hotel -- a gift basket or a discount on your next stay. Pan a property, and you could get a concerned e-mail from the general manager asking you to reconsider your review. Or even a black mark against you in the chain’s guest database. John Baird, a lodging consultant in Jacksonville, Fla., says that hotels now use locations, dates and usernames that appear online to triangulate a guest’s identity. Once they find a likely match, the review is added to a hotel’s guest preference records, next to information such as frequent-guest number, newspaper choice and preferred room type. [Source]


US – Service Allows Consumers to Manage Online Ads

A new service has now been unveiled with the aim of giving marketers the ability to let Web users decide what type of targeted advertising they receive. UnsubCentral’s new PreferenceCentral will allow companies to collect information directly from consumers about what kinds of targeted ads they wish to receive--if any at all. “This is a tool that will help brands comply with the online behavioral advertising principles,” said PreferenceCentral Privacy Officer Steven Vine, explaining that the company has developed the tool in response to requests by clients that use UnsubCentral to ensure their e-mail lists comply with the federal CAN-SPAM law. [MediaPost News]


Electronic Records


US – HHS Seeking Comments on Process

The Department of Health and Human Services wants stakeholders to comment on the process of accounting for disclosure of patients’ protected health information contained within electronic health records, reports Government Health IT. The HITECH Act requires that providers, plans and business partners account for such disclosures, even when the data is for treatment and billing purposes, the report states. The HHS Office of Civil Rights published the request for comments in the Federal Register. [Source]


WW – The Fundamental Limits of Privacy for Social Networks

Using social networks to make recommendations will always compromise privacy, according to a mathematical proof of the limits of privacy. Recommendation engines are among the hottest properties on the web. These sites make recommendations by mining the pattern of links that crop up in social networks. Facebook recommends new contacts based on the pattern of connections between existing users, Amazon recommends books and other products based on purchase histories and Netflix recommends movies based on historical ratings. To be sure, these sites produce useful results for users, which can dramatically increase sales for a merchant. But they can also compromise privacy. For example, a social network recommendation might reveal that one person has been in email contact with another or that an individual has bought a certain product or watched a specific film. It may even be a breach of privacy to discover that your friend doesn’t trust your judgement in books. In fact there’s a long history of privacy controversies associated with social networks. Now Aleksandra Korolova at Stanford University, with Ashwin Machanavajjhala and Atish Das Sarma, say that privacy breaches are inevitable when networks are exploited in this way. In fact, they’ve worked out a fundamental limit to the level of privacy that is possible when social networks are mined for recommendations. [Technology Review]


WW – Sharing Puts Users at Risk

About 52 percent of social networking users post personal information that potentially exposes them to identity theft. That’s according to a Consumer Reports magazine survey that found 38 percent of users posted the month, date and year of their birth, eight percent posted their home address and three percent posted details about when they were away from home. The report suggests “seven things to stop doing on Facebook,” noting that nine percent of social networking users have experienced cyber-related abuse. In a Huffington Post article, Consumer Reports technology editor Jeff Fox says the study results confirm that Senator Charles Schumer’s recent request for the Federal Trade Commission to create guidelines for social networks’ use of private information is “well-founded.” [San Francisco Chronicle]


US – Consumer Groups Lodge Complaint with FTC

The Electronic Privacy Information Center (EPIC) and 14 other consumer protection groups have filed a formal complaint against Facebook with the FTC alleging the social networking service’s new policies “violate user expectations, diminish user privacy and contradict Facebook’s own representations.” NetworkWorld reports that Facebook’s response to the complaint has been that the new features are “transparent, consistent with user expectations and in full compliance with legal requirements.” According to the report, Facebook violated its own privacy policy by making user information publicly available with the changes it introduced in April—including making users’ hometowns, education, employment, activities, likes and interests public. The complainants’ requests include asking the FTC to require Facebook to restore its prior privacy settings. [Source] [38-page complaint]


EU Developments


EU – Parliament Pushing for Data Rights Charter by 2012

The European Parliament is calling for a charter of citizen data rights to be implemented by 2012, advocating for Internet users to be able to have their information removed from online systems even if it was collected with their consent. The European Parliament has adopted a new digital strategy called, which outlines its ambitions for Internet policy, and has passed a resolution for implementation by the European Commission. Parliament has issued a statement asserting that, “A clear legal framework laying down the rights and duties of citizens while protecting personal data is essential” while balancing information holders’ rights with access to content “is also crucial.” [The Strategy]


EU – Support for EU Data Retention Directive Could Mean “Surveillance Regime”

An opinion poll has found that 51% of the Norwegian public are in favour of implementing the EU’s Data Retention Directive (DRD), but Norwegian privacy advocates remain concerned. Gunnel Helmers of the Data Inspectorate believes that although “people are increasingly concerned about privacy, we see a tendency towards numerous believing it doesn’t concern them. It’s a rather abstract issue, and many think they’ve nothing to hide. But we all do.” Regardless of majority support for the plan, Lars-Henrik Parup Michelson, head of an independent bipartisan campaign against the DRD, cautions, “We’re talking about a directive that will introduce one of the most comprehensive surveillance regimes in Norway’s history.” [The Foreigner]




US – Leon County, Fla., Hosts Database for Tracking Pawnshop Transactions

An effective way to motivate multiple law enforcement jurisdictions to partner on a centralized database is to make subscribing to it free of charge. That was how Leon County, Fla., got 18 counties to upload data beginning in 2006 to its pawnshop transaction tracking database. The repository enables law enforcement to track where stolen property is bought and sold in pawnshops across the participating jurisdictions. The information has other uses besides stolen property investigations too. [Government Technology]




CA – Supreme Court to Rule on Protection of News Sources In Shawinigate Case

The Supreme Court of Canada rules in a case which bears on the right of journalists to shield confidential sources. The National Post and former Post reporter Andrew McIntosh are asking the court to quash a search warrant issued almost a decade ago as part of what became known as the Shawinigate affair. At stake is McIntosh’s guarantee of confidentiality to a source known only as X, who sent the reporter a key document which was later denounced as a forgery. Now, journalists seeking to protect sources have to meet a four-part test. The key is the fourth part of the test, which requires them to show that the public interest in protecting a source overrides the public interest in a police investigation. The court might switch the onus in this test, forcing the Crown to show that its interests trump the protection of a source. [Source]




US – Walgreens Won’t Sell Over-The-Counter Genetic Test After FDA Raises Questions

The nation’s largest drugstore chain backed out of plans to sell a saliva test that promised to scan a customer’s DNA to assess his or her risk for breast cancer, heart attacks and a host of other diseases. Walgreens had planned to offer the Pathway Genomics test at more than 6,000 of its 7,500 stores nationwide beginning Friday, but it reversed course after the Food and Drug Administration questioned whether the test could be sold legally without the agency’s authorization. Other companies have been selling on the Internet tests that can analyze genes for a person’s risk of some diseases, and genetic tests for paternity and ancestry have been widely available in stores. But the plan by Pathway Genomics of San Diego represented the boldest move yet to bring personalized genomic science to the mass market. It was welcomed by those who hope that deciphering the genetic code will launch a new era in biomedical science. But it raised objections from those who worried that the average consumer would have problems interpreting the results, leading to dangerous complacency about some diseases or unnecessary alarm, as well as opening the door to privacy violations, genetic discrimination and other problems. [Source] ALSO: [Company plans to sell genetic testing kit at drugstores]


Health / Medical


CA – Health Minister ‘Fundamentally Disagrees’ With Commissioner’s Privacy Worries

British Columbia Health Minister Kevin Falcon dismissed privacy concerns that acting Information and Privacy Commissioner Paul Fraser last week raised about changes to provincial health laws. Introduced earlier in April, Bill 11, the Miscellaneous Statutes Amendment Act (No. 2), 2010, included changes to the Ministry of Health Act, Public Health Act and the Health Authorities Act dealing with how personal information is managed. “The amendments will allow for extensive sharing of personal information across numerous public bodies,” Fraser wrote to Falcon, the Tyee reported. Fraser recommended the amendments be removed from the bill “so that our offices can continue to discuss the proposals and so that the serious privacy concerns raised by the proposed data sharing are properly and completely canvassed before any further legislative proposals are introduced.” Falcon said the legislation will be moving ahead without changes. The main issues are around sharing information between the ministry and the six provincial health authorities, he said. The government passed the E-Health (Personal Health Information and Protection of Privacy) Act in 2008 that covers how people’s personal health information can be collected and stored, said New Democratic Party health critic Adrian Dix. “The government has simply decided to end run the act,” he said. “The government seems to think following its own act is a major problem.” [Source] [Saskatchewan patient privacy rule changes slammed]


US – Health IT Panel Troubleshoots NHIN Privacy Gaps

An HHS workgroup is wrestling with questions of whether existing laws are strong enough to protect the privacy of patient information conveyed using NHIN Direct, a set of specifications for helping healthcare organizations swap basic health information electronically. The workgroup has sent the HIT Policy Committee broad recommendations for setting up a “trust framework” that applies to NHIN Direct. Panel members are now beginning to drill down into the details, starting with the business and legal requirements that apply to NHIN Direct. The NHIN Direct architecture has been developed so that routing organizations do not need to view the content of the files they are transmitting, panelists said. Routing organizations would simply see an email message header providing information on the type of file or what application will open it. Lansky said that his panel will coordinate with the committee’s privacy and security work group on the two groups’ overlapping concerns about privacy related to NHIN Direct. [Government Health IT]


Horror Stories


US – Heartland Breach Expenses Pegged at $140M so Far

Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees. That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland’s offer to settle several consumer class action lawsuits against it for $4 million. So far, Heartland has recovered about $30 million from insurance companies. Even with the updated figures, Heartland so far has spent considerably less than the staggering $250 million that TJX Companies Inc. estimated it would eventually spend to address its massive 2006 data breach. Even so, given the scope of the Heartland breach, in which an estimated 130 million credit and debit cards were compromised, it is likely that Heartland will end up spending more than TJX over time. Heartland’s disclosure of its breach-related expenses comes at a time when studies show that costs to companies from data breaches are steadily rising. Costs to companies from data breaches are significantly impacted by notification laws, the Ponemon study noted. In the U.S., the cost per lost record is 43% higher than the global average because of breach notification laws in 48 states. [Source]


US – Online List Shows Reported Data Breaches Have Affected 1.2 Million People

Since the Department of Health and Human Services (HHS) began listing healthcare breaches online, 64 incidents affecting well over one million people have been reported. The HHS updated the list of breaches in April. Hospitals and large medical centers are identified by name in the updated list, the report states, and private practices will soon be named as well. Of the breaches reported so far, theft was listed as the cause for the majority of the incidents, and seven involved laptops, 12 involved paper records, 11 involved desktop computers, eight involved either hard drives or network servers, seven involved portable electronic devices and the remainder were classified as “other” in the report. [American Medical News]


Identity Issues


AU – Commissioners Release ID Theft Tool

Australian Privacy Commissioner Karen Curtis is kicking off Privacy Awareness Week by calling on Australians to take practical steps to protect their privacy. Partnering with the Asia Pacific Privacy Authorities, the commissioner’s office has released an online tool allowing individuals to assess their risk of identity theft. “Identity theft is an area of increasing concern and this easy-to-use tool will help people understand how at risk they may be,” the commissioner said. Themed “Privacy, it’s in your hands,” the week aims to raise awareness about privacy rights and educate people on how to protect their personal information. [Source]


CA – Ontario Appellate Court Sets Standard for Disclosing Anonymous Posters

The Ontario Superior Court of Justice has issued its decision on an appeal filed by the Canadian Civil Liberties Association and CIPPIC regarding whether Web site owners can be ordered to disclose the identities of anonymous users accused of defamation. Michael Geist reports that the court referenced factors raised by the Federal Court of Appeal in the case Sony BMG v. Doe, including that public interest must outweigh legitimate privacy interests when it comes to disclosure. The court determined the “principles are similarly applicable to defamation cases,” the report states, and has established specific criteria for requests related to information on anonymous online posters. [Michael Geist] [Decision]


Internet / WWW


WW – Facebook Measures Our ‘Gross National Happiness’ through Status Updates

Canadians are becoming happier and more positive people - at least according to our Facebook statuses. Facebook revealed the latest results of its Gross National Happiness index, an application that measures the collective spirits of various countries based on positive and negative words in users’ status updates. For example, words like “happy,” “yay” and “awesome” are deemed positive; words like “sad,” “doubt” and “tragic” are negative. Scientific? Maybe not so much, but the results are interesting. Just in case you’re worried that Facebook is using the application to invade your privacy (which the site has been known to do), the research team attests that no one actually reads your status updates. A computer does all the calculations once all your personal information is removed. [The National Post] See also: [We take privacy very seriously, says Facebook exec] and [Facebook Taps Former FTC Chairman to Defend Privacy Practices]


WW – MySpace Creates New CPO Post

Social networking service MySpace has promoted its vice president of business and legal affairs to its newly created chief privacy officer position. Jennifer Mardosz will now be responsible for managing the risks and business impacts of privacy laws and policies for MySpace, the report states. And just as MySpace was announcing the creation of its new CPO post, rival social networking site Facebook’s former CPO was criticizing the company’s new “instant personalization” program. Chris Kelly, who is now running for California Attorney General, wrote, “I strongly encourage Facebook to structure all its programs to allow Facebook users to give permission before their information is shared with third parties.” [Source]


WW – Google Urged to Protect Privacy in Street View Rollouts

Officials from 30 European countries yesterday supported a measure that would force Google to create a coordinated approach to privacy issues arising as Street View is rolled out in Europe. Google’s Street View mapping feature may break EU laws unless it improves the blurring technique it uses to disguise images, the report states. “There needs to be a right to object for people, even when the images have not yet been put online,” said Gerard Lommel, a member of the Article 29 Working Party. Google recently stressed its commitment to user privacy in response to similar calls last month. [Bloomberg] [Google Responds to DPAs]


Law Enforcement


US – Government Reintroduces ISP Child Pornography Reporting Bill

The Government has reintroduced a bill designed to require providers of Internet services to report incidents of child pornography. The bill was introduced as Bill C-58 last year. Michael Geist discussed the bill here. The new bill is Bill C-22. [Source]




US – Library of Congress, Facing Privacy Concerns, Clarifies Twitter Archive Plan

Faced with privacy concerns, the Library of Congress is clarifying its plans to archive all public tweets posted since Twitter went live in March 2006. Twitter announced last month that it would donate its archive of public messages to the library. Since the announcement, privacy concerns have emerged. In response, the database won’t contain deleted tweets or private account information, the report states. “There’s concern about privacy issues in the near term, and we’re sensitive to these concerns,” said a library spokeswoman. “We may have to filter certain things or wait longer to make them available.” [The Chronicle of Higher Education]




HK – Survey: Hong Kong’s Elderly Lack Awareness of Privacy Protection

The Office of the Privacy Commissioner for Personal Data in Hong Kong entrusted the University of Hong Kong’s Sau Po Centre on Ageing to conduct a survey on privacy protection and found that the elderly in Hong Kong lack awareness of personal privacy protection. Among the respondents who had been in a situation in which they were asked to give their personal information, nearly 40% gave their personal information to the person on the other side of the phone without any knowledge of who they were. The survey showed that 83% of respondents would provide all information required when applying for certain public services, 59% when they receive opinion surveys, 25% when they receive parcels and 19% when they fill in raffle tickets. [Source]


HK – Commissioner Warns Elderly Are Vulnerable

Privacy Commissioner for Personal Data Roderick Woo Bun is warning that elderly citizens are more vulnerable to data fraud because they are less aware of the need to protect their data. Woo made the comments in response to a recent Internet scam that has duped elderly people into divulging their personal information and on the heels of a University of Hong Kong survey of 400 people age 65 and older that revealed the ease with which many would relinquish their identity card number. Woo launched a campaign today to help the elderly protect their data from thieves and fraudsters. [Source]


MX – Violators of Mexico’s Data Protection Act Could Face Prison Time

Those convicted of selling confidential personal data collected by the government will face up to five years in prison under Mexico’s new Federal Data Protection Act. The new law also mandates fines as high as $2.9 million for the improper use of sensitive data, the report states. Mexico’s Federal Institute for Access to Public Information (IFAI) has announced that the new law will give citizens assurance their information will be used only for legitimate purposes and provides them with the right to view their government files and have erroneous items removed. The legislation is also consistent with international standards, according to an IFAI statement. [Latin American Herald Tribune]


Online Privacy


Facebook Bug Reveals Users’ Private Chats

A bug in Facebook’s security technology temporarily allowed users to view the live chats and friend requests of people on their contact list. Although Facebook has reportedly fixed the problem, there is no word of how many users may have been affected by the latest security breach from the world’s largest social network. For an unspecified period of time, users were able to change a few settings in the privacy settings portion of the Website which would then enable them to access the live chats of their friends and the pending friend requests of contacts they have in common. TechCrunch posted a video outlining how users could exploit the loophole in Facebook’s system. [National Post] See also: [NYT: Service Provides Forum for Anonymous Insults - Formspring] and [NYT: Nerds Unite on Privacy-Rich Social Network (Diaspora)]


WW – Google Search Anonymizer Up and Running Again

A service that allows Google’s search engine to be used anonymously is running again after a code change briefly knocked it down. Scroogle allows people to use Google’s search engine without the company recording their search terms with their real IP (Internet protocol) address. Searches are proxied through a Scroogle server, so Google sees only Scroogle’s IP address. Privacy activists contend that connecting IP addresses with search queries -- done by all major search engine companies -- poses privacy and security concerns. Google anonymizes the last octet of the IP address after nine months, but many argue that level of anonymization doesn’t go far enough. For Scroogle, search results were “scraped,” or automatically copied, from a specific Google search Web page designed to deliver results to people using Microsoft’s outdated Internet Explorer 6 browser with the Google search toolbar. Scroogle receives around 325,000 queries a day, just a tiny fraction of the more than one billion queries Google’s search engine receives on a daily basis, Brandt said. [Source] See also: [Peter Fleischer: Which privacy laws should apply on the global Internet?]


WW – Nerds Unite on Privacy-Rich Social Network

Four college students are creating a social network that differentiates on privacy, and the funds rolling in to back the project suggest a strong demand for such an offering. The creators of Diaspora* plan to freely distribute the software and will open the code so other programmers can build upon it, the report states. “In our real lives, we talk to each other,” says co-creator Raphael Sofaer, describing why centralized social networks are unnecessary. “We don’t need to hand our messages to a hub.” The creators say the value of existing social networks “is negligible in the scale of what they are doing, and what we are giving up is all of our privacy.” [The New York Times]


Other Jurisdictions


AU – Commissioner Launches Privacy Guide

The Australian Privacy Commissioner has launched new information to guide businesses on how to handle personal information. Privacy Commissioner Karen Curtis described the Privacy Impact Assessment Guide (PIA Guide) as a tool for companies to use when working on projects that use the personal information of consumers. Online payment service PayPal has thrown its support behind the guide. [CIO Australia] [PIA Guide]


IN – Use of Narco Analysis, Brain-Mapping Unconstitutional: Indian Court

In a major blow to investigating agencies, the Indian Supreme Court held unconstitutional and a violation of the ‘right to privacy’ the use of narco analysis, brain-mapping and polygraph tests on accused, suspects and witnesses without their consent. A three-Judge Bench of Chief Justice K.G. Balakrishnan and Justices R.V. Raveendran and J.M. Panchal, in a 251-page judgment, said: “We hold that no individual should be forcibly subjected to any of the techniques in question, whether in the context of investigation in criminal cases or otherwise. Doing so would amount to an unwarranted intrusion into personal liberty.” The judges said: “The compulsory administration of the impugned techniques violates the right against self-incrimination. The test results cannot be admitted in evidence if they have been obtained through the use of compulsion. Article 20 (3) of the Constitution [No person accused of any offence shall be compelled to be a witness against himself] protects an individual’s choice between speaking and remaining silent, irrespective of whether the subsequent testimony proves to be inculpatory or exculpatory.” The Bench made it clear that even when the subject had given consent to undergo any of these tests, the test results by themselves could not be admitted as evidence because “the subject does not exercise conscious control over the responses during the administration of the test. However, any information or material that is subsequently discovered with the help of voluntary administered test results can be admitted, in accordance with Section 27 of the Evidence Act.” [Source]


BU – Data Retention Legislation Takes Effect

An amendment to Bulgaria’s new Electronic Communications Act will take effect Monday. The amendment will allow authorities to ask electronic communications providers for traffic data when serious or computer crimes are being investigated. It includes rules for deleting data. Earlier this year, the amendment drew protests, with critics asserting that “Bulgaria is not Big Brother...” The Commission for the Protection of Private Data will present Parliament and the European Commission with annual reports on cases where operators have provided the traffic data to the Interior Minister, the report states.


Privacy (US)


US – Choose Privacy: Teaching Children about Online Privacy

The first week of May is Choose Privacy Week, an initiative by the American Library Association (ALA) to raise awareness about sharing information online. Angela Maycock, assistant director for the ALA’s Office for Intellectual Freedom, says, “school librarians play a really important and critical part in this effort as they’re a starting gate in learning how to access information, and do it responsibly and safely.” The ALA launched a Web site that offers tips for educators and parents on age-appropriate ways to address privacy concerns with children. “People are saying they’re very concerned about their privacy online. But they lack good information on how to deal with it,” says Maycock. [School Library Journal]


US – The Navigator: Hotels Connect the Dots Between Guests and Online Reviews

Hotels want to know who you are. Especially if you’re reviewing them anonymously. An increasing number of image-conscious properties have begun connecting the dots between unbylined write-ups that appear on such popular travel sites as TripAdvisor or Yelp, and your personal information, such as your loyalty program preferences. If you write a positive review, you might expect a reward from the hotel -- a gift basket or a discount on your next stay. Pan a property, and you could get a concerned e-mail from the general manager asking you to reconsider your review. Or even a black mark against you in the chain’s guest database. [The Washington Post]


US – Wisconsin: No Privacy Invasion for Noisy Neighbor Recording

A Wisconsin couple did not invade their neighbors’ privacy by placing a $50 recorder from Radio Shack on the windowsill in order to bust them for being too noisy, the Wisconsin Court of Appeals ruled. Andrea Burns and James Barr complained to police that their neighbors, Karen and Barry Poston, were harassing them and making too much noise. The police responded that they would listen to audio recordings of the offending racket. Burns and Barr placed a recorder on their windowsill and taped 18 hours’ worth of audio over five months. Police issued a ticket to Karen Poston for disorderly conduct based on her yelling at Burns and Barr on one of the audio CDs. “The recording of sounds emanating from the Postons’ home using a common recording device that was placed inside the Burns-Barrs’ own window was not, as a matter of law, an intrusion ‘of a nature highly offensive to a reasonable person,’” Judge Joan Kessler wrote. [Source]




CA – RFID Driver’s Licence Demand Underwhelming Across Four Provinces

After about a year of issuing the RFID-enabled enhanced driver’s licences, government bodies are reporting that demand for the cards has not been as high as expected. Ontario, British Columbia, Quebec and Manitoba have been issuing the technology-embedded identity cards as part of the U.S. Western Hemisphere Travel Initiative requirement that went into effect June 1, 2009. A bad economy and an easier passport application process could be the explanation. More than 115,000 RFID-enabled cards have been issued across the four provinces. But that is less than the expected demand, according to ministry contacts. [Source]


US – University Plans to Install Electronic Sensors to Track Class Attendance

A plan to electronically track attendance at an Arizona university is being framed as a way to encourage going to class and participation, but privacy experts and some students are wary that the technology could become a security and privacy concern. Northern Arizona University (NAU) in Flagstaff will start using “proximity card readers” in some lower-division classes in fall 2010 to record student attendance, said NAU spokesman Tom Bauer. Using $85,000 in federal stimulus funds, the university hopes such a tool will push professors to incorporate attendance in their grading systems, he said. [Source]




NZ – Privacy Commissioner Concerned about PSD Risks

New Zealand’s privacy commissioner has expressed concern about the potential security risks portable storage devices (PSDs) pose in the workplace following a survey that found 120 PSDs were lost or stolen within the last year. Released today, the survey studied security controls for PSDs at 42 government agencies, finding that only half had policies for disposing of PSDs and 16 had policies on when stored data should be deleted. Privacy Commissioner Marie Shroff said due to significant increases in PSDs’ storage capacity, agencies are exposed to data breach risks, which “can seriously damage both the reputation of the agency concerned and the trust that the public has in that agency.”




CN – China Cracks Down on ‘Anonymous’ Internet and Cell-Phone Users

Beijing: China is vigorously promoting the use of real-name registration for users of Internet and cell phone services. Continuing its earlier efforts to adopt a real-name registration system for website moderators at major news portals and big commercial sites, as well as a ban on “anonymous” comments following news stories, the Chinese claim these measures have yielded “substantial” results. “We’re exploring an identity authentication system for users of online bulletin board systems,” China Daily quoted Chinese Minister of the State Council Information Office as saying. He said China would also strengthen monitoring of “harmful information” on the Internet, in a bid to block harmful overseas information from spreading in the country via the Internet and prevent “hostile overseas forces from infiltrating through the Internet.” In addition, Wang said the country would intensify a crackdown on online crimes and anyone using the Internet to spread pornography, gamble or commit fraud would be severely punished. [Source]


US – Police Wiretapping Jumps 26%

The number of wiretaps authorized by state and federal judges in criminal investigations jumped 26% from 2008 to 2009, according to a report released by the Administrative Office of the U.S. Courts. Courts authorized 2,376 criminal wiretap orders in 2009, with 96% targeting mobile phones in drug cases, according to the report. Federal officials requested 663 of the wiretaps, while 24 states accounted for 1,713 orders. Not one request for a wiretap was turned down. Each wiretap caught the communications of an average of 113 people, meaning that 268,488 people had text messages or phone calls monitored through the surveillance in 2009, a new record. Only 19% of the intercepted communications were incriminating, the same as in 2008. The report attributes some of the rise in the numbers to better reporting by the nation’s courts. The 2009 taps led to the arrests of 4,537 people and 678 convictions. Law enforcement officials have long warned that encryption technology allows criminals to hide their activities, but investigators encountered encrypted communications only one time during 2009’s wiretaps. The state investigators told the court that the encryption did not prevent them from getting the plain text of the messages. The numbers in the report do not include wiretap orders in terrorism investigations, which go through a secret court in Washington, D.C. They also don’t account for the number of Americans whose communications were caught by the National Security Agency’s warrantless wiretapping program, which Congress legalized in July 2008. [Source]


US – School District Blasted for Web Cam Use

A team of lawyers and computer experts has reached the conclusion that a Pennsylvania school district’s decision to activate Web cams on student computers was an “overzealous” use of technology “without any apparent regard for privacy considerations.” The conclusions followed a 10-week investigation into the Lower Merion School District’s use of software to capture nearly 58,000 images, mostly from lost or stolen laptops, in the past two years. However, the report states, “because employees frequently failed to turn off the tracking system, more than 50,000 of those images were taken after the computers had been recovered and given back to students.” Superintendent Christopher McGinley said the district would learn from its mistakes and “must restore confidence...starting immediately.” [Source] [Report of Independent Investigation]


US Government Programs


US – Maryland First to Bar Schools from Releasing Tests to Military

A first-of-its-kind law bars public high schools in Maryland from automatically sending student scores on a widely used military aptitude test to recruiters, a practice that critics say was giving the armed forces backdoor access to young people without their parents’ consent. School districts around the country have the choice of whether to administer the Armed Services Vocational Aptitude Battery exam, and ones that offer it typically pass the scores and students’ contact information directly to the military. Topics on the test range from math and reading to knowledge of electronics and automobiles. The Maryland law, the first in the nation after similar California legislation was vetoed, was signed last month and bars schools from automatically releasing the information to military recruiters. Instead, students, and their parents if they are under 18, will have to decide whether to give the information to the military. The law takes effect in July. One other state, Hawaii, has a similar policy for its schools, but not a law. Roughly 650,000 U.S. high school students took the exam in the 2008-2009 school year, and the Department of Defense says scores for 92% of them were automatically sent to military recruiters. In the fiscal year that ended in September, 7.6% of those who enlisted in the military used scores from the test as part of their applications. [Source]


US Legislation


US – Lawmakers Boucher and Stearns Draft Web Ad Privacy Safeguards Bill

Advertisers and Internet companies have been scrambling to head off regulation they say will hamper growth of online advertising. The pressure is expected to build as lawmakers prepare to announce proposed privacy legislation. More than a year in the making, the draft legislation proposes regulating Internet companies’ tactics for collecting information about Web visitors and the use of that data for ad targeting. It also could apply to the practices for collecting consumers’ information in the offline world. Rep. Rick Boucher (D., Va.), and Rep. Cliff Stearns (R., Fla.) revealed details of the much-anticipated legislation. Under the current draft, websites collecting information about their visitors would need to disclose to consumers how that information is collected and used, with whom it is shared and the circumstances under which that sharing takes place. If consumers decide they don’t want their information to be collected or used for those stated purposes, they should be able to opt out directly on the site. The regulation also lays out a separate set of regulations for outside companies that collect information about consumers on websites and target ads to those consumers on other, unrelated sites. Consumers would need to grant these third-party companies special permission for their data to be collected. The draft legislation provides some exceptions. The ad company wouldn’t need to solicit permission to collect information about consumers if the targeted ad includes a link that explains which company was involved in making the ad appear, shows consumers what information is collected about them and gives them the chance to opt out. The draft also includes special restrictions for the collection of sensitive information, including financial information, medical history, government identifiers such as drivers’ license and Social Security cards and information about children or adolescents. 
The legislation would grant authority to the FTC to endorse the provisions of the bill. “Although I do not support all of the provisions in the draft, I look forward to getting back comments to improve the bill and then hopefully advance it through the committee process,” Rep. Stearns said in a statement, noting that it was premature for him to comment on the legislation as it has yet to be made public. He said that the bill is based on earlier privacy legislation that he developed in 2005. [Wall Street Journal]