Privacy News Highlights

15–31 May 2010



UK – Fingerprinting at St Martin’s School Labelled as ‘Big Brother’ state. 3

CA – Proposed PIPEDA Amendments Would Require Breach Notifications. 3

CA – Treasury Board Issues New Directive on Privacy Impact Assessment 3

CA – Poll: Canadian Businesses Unconcerned About Privacy Breach Risk. 3

UK – New Center to Support Privacy Cause. 4

CA – Border Guard Used Private Info to Woo Women on Facebook. 4

UK – HMRC Investigates Tax Data Breach. 4

CA – Government Tables Anti-Spam Legislation. 4

US – Study: HITECH Hasn’t Stopped Leaks. 5

WW – Major Step Ahead for Cryptography. 5

US – Workgroup: Encrypt Patient Data. 5

EU – Commission Adopts Draft Mandate on EU-U.S. Data Transfers. 5

UK – New UK Coalition Government Begins Dismantling the Database State. 6

EU – Thür: A Change in Legislation Needed in Europe. 6

EU – New ‘Model Clauses’ for Exports of Personal Data Now in Force. 6

UK – Secret Surveillance Regime Does Not Breach Human Rights, Rules ECHR.. 6

EU – EDPS Comments on Citizens’ Initiative Proposal 6

EU – Google, Yahoo and Microsoft Data Retention Practices Run Afoul of EU Authorities. 7

EU – German DPA Imposes €120,000 Fine on Deutsche Postbank AG.. 7

US – FTC Extends Red Flags Enforcement Deadline. 7

EU – Italian Police Reviewing Stolen Account Information. 7

US – Senate Unanimously Passes Faster FOIA Act of 2010. 8

US – UC Berkeley Plan to Test Student DNA Raises Alarms. 8

US – House Votes to Expand DNA Database. 8

CA – Storing B.C. Babies’ Blood Violates Privacy: Group. 8

CA – Ontario Hospitals May Lose Privacy. 8

CA – Alberta Commissioner Issues Health Care PIA Guide. 9

CA – Sask. Patient Name Release to Fundraisers Halted. 9

US – HHS Proposes Survey of Patients. 9

US – Data Breach Reports Now Posted Online. 10

US – Laptop Stolen from Contractor’s Office Holds Army Reservists’ Information. 10

US – LifeLock CEO Victim of 13 ID Theft Incidents. 10

WW – History of Social Network Use Reveals Your Identity. 10

WW – Majority of Phishing Attacks are the Work of One Group. 11

CA – Erase ID Card Information After G20: Police Chief 11

IR – Eircom Implements “Three Strikes” Anti-Piracy Program.. 11

WW – Google Rolls Out Encrypted Search. 11

UK – Outrage at Secret Probe Into 47,000 Innocent Flyers. 12

GM – Senators Introduce Privacy Bill 12

EU – Working Party: Search Engines Violate EU Data Protection Rules. 12

WW – Facebook Unveils Simpler Privacy Controls. 13

CA – Facebook Warned it’s Not in Compliance. 13

WW – MySpace Launches Simplified Privacy Settings. 13

WW – Browsers Provide Information that Helps Identify Users. 13

UK – Report: UK Users Are Limiting Profile Access. 13

US – Study: Young Adults Are Most Privacy Proactive. 14

RU – Russia Considers Improving its Data Protection Law.. 14

US – Advocates Slam AG’s Attempt to Identify Web Posters. 14

US – Commerce Dept. Seeking Input on Internet Privacy. 14

US – Physicians, AMA Sue FTC.. 14

US – Study: Regulations Affect Ads’ Effectiveness. 15

US – FTC Investigating Copy Machine Privacy Risks. 15

US – Gruesome Death Photos are at the Forefront of an Internet Privacy Battle. 15

WW – New Companies Bank on Privacy. 15

WW – Mozilla Tools Tests Plug-in Safety for Other Browsers. 16

EU – Industry proposed RFID Privacy Impact Assessment Framework. 16

US – DHS Piloting New Cyber Threat Information Sharing Program.. 16

EU – German Authorities Launch Investigation into Google Wi-Fi Data-Gathering. 16

EU – Google Admits Error in Collecting Wi-Fi Data and Fixes the Problem.. 17

EU – German Court Says WiFi Owners Must Secure Networks. 17

WW – Officials Denounce Google Over WiFi Data Collection. 17

WW – Google Balks at Turning Over Private Internet Data to Regulators. 17

US – General Alexander Confirmed as Head of Defense Dept’s US Cyber Command. 18

WW – Facebook Introduces New Security Measures. 18

WW – Facebook Fixes Data Exposure Flaw.. 18

US – Researchers to Present Paper on Security Issues in Cars’ Computer Systems. 18

US – Federal Employees Using Unsecure File Transfer Methods. 18

US – NASA Shifts Cyber Security Focus and Money to Real-Time Threat Reporting. 19

EU – Dutch Hacker Steals E-Mail Addresses, Demands Astley Tune. 19

US – School to Notify Students Whose Pictures Were Taken with Surveillance Software. 19

US – California Bill Would Allow for Video Cameras on Dashboards. 19

CA – Law on Video Cameras in B.C. Schools Under Dispute. 20

EU – Italy’s Government Tries to Limit Wiretap Powers. 20

WW – Caller ID Spoofing Used for Harassment, Fraud, Critics Say. 20

US – Border Searches of Laptops May Be Conducted Off-Site for Cause, Court Rules. 21

US – Pushy Fliers May Show Up on TSA’s Radar 21

US – Electronic Privacy Act Draft Released. 21

US – House Subcommittee Approved Bill to Revamp FISMA.. 22

US – Rockefeller Introduces Senate Online Privacy Bill 22

US – Bill Could Mandate Black Boxes in Cars. 22

EU – Germany Releases Key Issues Paper on Employee Data Protection Regulation. 22

CA – Alberta Province Ran Unauthorized Credit Checks on Employees. 22

AU – AUS Fake ANZ Facebook Profile May Breach Laws. 23





UK – Fingerprinting at St Martin’s School Labelled as ‘Big Brother’ state

A school is accused of abusing children’s civil liberties with plans to record their fingerprints for school dinners. Such was the outrage from parents at St Martin’s School in Hutton, the idea was put on hold just a day after being unveiled while fears are quelled. The school wants to use state-of-the-art biometric finger mapping technology replacing the need for cash in the canteen. It would mean pupils and staff simply scan their fingertips to pay for lunches and snacks. But the move has been labelled by some as a move towards a “Big Brother” state. Concerned parent Claire Flood was shocked to discover all pupils were due to be fingerprinted this week, before another letter, dated the following day, quickly pulled the plug on its introduction after complaints came flooding in. [Source]




CA – Proposed PIPEDA Amendments Would Require Breach Notifications

Proposed amendments to Canada’s private sector privacy law would require that companies report material data breaches to the Office of the Privacy Commissioner and notify affected individuals in cases involving significant risks. The government tabled the proposed amendments on Tuesday. They would require companies to notify affected individuals “when the organization deems the breach to pose a real risk of significant harm, such as identity theft, fraud or damage to reputation.” Privacy Commissioner Jennifer Stoddart welcomed the proposal, but Janet Lo of the Public Interest Advocacy Centre said “that’s a really, really high trigger threshold to inform the individual.” University of Ottawa law professor Michael Geist described the Safeguarding Canadians’ Personal Information Act as “the anti-privacy privacy bill.” [The Vancouver Sun] [Red-lined version: PIPEDA] and [Geist: Security breach disclosure bill has bark but no bite] see also: [Gowlings’ summary of Alberta notification requirements] and [OIPC Process for Determining Whether to Require Notification]


CA – Treasury Board Issues New Directive on Privacy Impact Assessment

The Treasury Board’s Directive has applications for the private sector; an organization’s privacy impact assessment (“PIA”) process should be commensurate with the level of risk related to the privacy invasiveness of the organization’s programs or activities. A PIA should be initiated when personal information (“PI”) is used as part of a decision-making process that directly affects the individual, upon substantial modifications to existing programs or activities where PI is used for an administrative purpose and when contracting out or transferring a program or activities would result in substantial program or activity modifications. A PIA should be completed and approved by senior executives and the legal department prior to implementation and shared with partners or other companies as required; if further elaboration on specific risk mitigation is warranted, a numbered risk scale should be used and the strategies to alleviate high level risks should be documented. The core PIA should be reviewed on an annual basis to ensure that it remains relevant and any necessary amendments are proposed. [Source]


CA – Poll: Canadian Businesses Unconcerned About Privacy Breach Risk

New poll results suggest that Canadian businesses are collecting more personal information than ever but they aren’t worried about privacy breaches. The poll conducted by EKOS for the Office of the Privacy Commissioner of Canada found that 42% of businesses surveyed are not concerned about security breaches. The survey revealed that the collection of personal information by Canadian businesses is a growing trend. 68% of businesses surveyed indicated they collect personal information from their customers - an increase of 5% since a previous study conducted by the Office in 2007. Approximately two in three of the companies surveyed indicate they are more concerned about protecting their customers’ personal information (68%), and have increased their awareness of privacy obligations (63%) as a result of PIPEDA. And more than half (57%) said the introduction of PIPEDA has resulted in improved security associated with personal information held by the company on its customers. [Source: The Office of the Privacy Commissioner of Canada]




UK – New Center to Support Privacy Cause

Britain’s Law Society and Privacy International are teaming up to help usher in a more privacy-sensitive society. On the heels of the new coalition government’s promise to “reverse and restrain many of the surveillance systems that have marked its citizens out as the most watched in the world,” the groups today launched a center dedicated to helping individuals take part in that effort. The founders hope to shadow the government agenda by “helping create a respect for privacy that reaches into the DNA of society” and by empowering more individuals to bring claims against those alleged to have breached their privacy. [Financial Times] see also: [UK coalition to halt computer surveillance]




CA – Border Guard Used Private Info to Woo Women on Facebook

A B.C. border guard e-mailed himself the passport details of attractive women who came through his inspection line so he could hit on them later on Facebook, according to an internal government investigation. The guard’s behaviour first came to the attention of the Canada Border Services Agency last October when officials received a complaint from a married female traveller. The woman told CBSA investigators she came into Canada on Oct. 18, 2009 at around 5 p.m. Four hours later, around 9 p.m., she received a friend request on Facebook. After receiving the woman’s complaint, CBSA investigators determined that the woman had indeed come through the guard’s inspection line on Oct. 18. Investigators also looked at the guard’s computer and found that he had contacted the woman through Facebook. “On numerous occasions (he had) captured images and names of female travellers he had conducted primary processing on” and then sent the information to his personal e-mail account. The report does not show exactly how many other times the guard attempted to contact female travellers through Facebook. [Vancouver Sun]


UK – HMRC Investigates Tax Data Breach

Her Majesty’s Revenue and Customs (HMRC) is investigating a breach involving taxpayer data. HMRC sent 50,000 letters to tax credit recipients, some of which contained details about other taxpayers, the report states. The agency has not disclosed how many customers have been affected by what it describes as a printer’s error. “HMRC takes data security extremely seriously,” a spokeswoman said. “Unfortunately, an error has occurred in one of the tax credit print runs causing some customer information to be wrongly formatted.” The breach comes as the agency works to implement Poynter Review data protection recommendations made after the 2007 data breach involving HMRC’s child benefit database. [The Register]




CA – Government Tables Anti-Spam Legislation

The Canadian government yesterday tabled what Industry Minister Tony Clement described as long-overdue legislation—an anti-spam law that would impose up to $1 million penalties and would allow for civil actions against violators. Clement said the Fighting Internet and Wireless Spam Act would result in “a significant diminution” of spam and would nix Canada’s reputation as a haven for spammers. The Office of the Privacy Commissioner would enforce the legislation, which would also see the creation of a spam reporting centre. University of Ottawa law professor Michael Geist praised the bill and predicted its swift passage. [Vancouver Sun] [Industry Canada press release] [Bill C-28] [David Canton: FISA - New Anti-Spam Bill Introduced]


Electronic Records


US – Study: HITECH Hasn’t Stopped Leaks

A study by Dartmouth College’s Tuck School of Business shows that eight months after enacting the HITECH Act, organizations are still leaking information through peer-to-peer (P2P) networks. The study searched P2P networks for healthcare-related keywords and found that health information was just as accessible as it was before the implementation of stronger data controls required under the HITECH Act. The study found that 20% of the documents uncovered in the search contained data protected under the HITECH Act. According to the report, data leaks often happen when users improperly install software onto computers that store personal information. [Computerworld] See also: [Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis - Office of the National Coordinator for Health IT and George Washington University Medical Center] [IHE IT Infrastructure Technical Framework Supplement 2009: Basic Patient Privacy Consents - Integrating the Healthcare Enterprise] and also: [P2P Networks a Treasure Trove of Leaked Health Care Data, Study Finds]




WW – Major Step Ahead for Cryptography

Researchers at the University of Bristol (UB) and Katholieke University have developed a new system for encrypted data computing that they say could have a broad impact on areas such as database access, electronic auctions, and electronic voting. “Our scheme allows for computations to be performed on encrypted data, so it may eventually allow for the creation of systems in which you can store data remotely in a secure manner and still be able to access it,” says UB professor Nigel Smart, who developed the system along with Katholieke’s Frederik Vercauteren. Many encryption schemes have been proposed that either have the “add” operation or the “multiply” operation, but not both. In 2009, IBM researcher Craig Gentry developed the first scheme that simultaneously allows users to add and multiply ciphertexts. However, Gentry’s scheme was only theoretical. Smart and Vercauteren’s scheme is a simpler version of Gentry’s scheme. Although the new system is not fully practical, it is a key step toward forming a system which is truly practical. [University of Bristol News]


US – Workgroup: Encrypt Patient Data

The Health IT Policy Committee’s privacy and security workgroup has recommended that healthcare providers encrypt patient data even in direct exchanges with other providers and in cases not facilitated by third-party organizations. At its May 19 meeting, the workgroup proposed policies for encryption, identity verification and usable personal information, the report states. The workgroup took the perspective of what a “reasonable patient would expect,” said Deven McGraw, the panel’s co-chair. “If strong policies...are in place and enforced, we don’t think this scenario needs any additional individual consent beyond what is already required by current law.” [Healthcare IT News]


EU Developments


EU – Commission Adopts Draft Mandate on EU-U.S. Data Transfers

The European Commission has adopted a draft mandate to negotiate a personal data protection agreement between the EU and U.S. for information shared during criminal investigations or anti-terrorism efforts. The goal is to ensure protection of personal information such as passenger data or financial records transferred during instances of transatlantic cooperation in criminal matters, the report states. According to a statement from the commission, “The agreement would enhance the right of citizens to access, rectify or delete data, where appropriate. EU citizens would receive a right to seek judicial redress in the U.S. if their data is unlawfully processed.” [Source]


UK – New UK Coalition Government Begins Dismantling the Database State

The new UK government’s coalition agreement includes a list of measures in order “to reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.” This includes the following:

§         The scrapping of ID card scheme, the National Identity register, the next generation of biometric passports and the Contact Point Database. - Outlawing the finger-printing of children at school without parental permission.

§         The extension of the scope of the Freedom of Information Act to provide greater transparency.

§         Adopting the protections of the Scottish model for the DNA database.

§         The protection of historic freedoms through the defence of trial by jury.

§         The restoration of rights to non-violent protest.

§         The review of libel laws to protect freedom of speech.

§         Further regulation of CCTV.

§         Safeguards against the misuse of anti-terrorism legislation.

§         Ending of storage of internet and email records without good reason.

The latter two points make a possible reference to the Regulation of Investigatory Powers Act and the reform or repeal of the Data Retention Directive implementation respectively. The legal status of several state databases have been called into question in a 2009 comprehensive map of UK government databases called the “Database State” published by the liberal Joseph Rowntree Reform Trust. [Full Text: Conservative-Lib Dem deal] [Welcome to the former Big Brother House] [UK Identity cards scheme will be axed ‘within 100 days’ ]


EU – Thür: A Change in Legislation Needed in Europe

According to Swiss Data Protection Commissioner Hanspeter Thür, new rules should be put in place to regulate Internet service companies that handle sensitive personal data. “A change in legislation is needed...for all IT applications,” Thür said. “Everyone that offers applications on the market that could harm personal rights must be certified.” The commissioner is currently in a legal dispute with Google over its Street View mapping service, as well as part of a multinational effort taking the company to task for collecting personal data from unprotected wireless networks while taking pictures for Street View. [Sonntag] [European Commission Plans Stronger Data Protection and Copyright Laws - Out-Law See: The Digital Agenda


EU – New ‘Model Clauses’ for Exports of Personal Data Now in Force

New ‘model clauses’ governing the exporting of personal data outside of the European Economic Area (EEA) have come into force. The new documents update one of the ways in which data can leave the EEA legally. [Out-Law] see also guide: [Model clauses for transferring personal data overseas: the May 2010 changes]


UK – Secret Surveillance Regime Does Not Breach Human Rights, Rules ECHR

The European Court of Human Rights has rejected a claim that the UK’s Regulation of Investigatory Powers Act (RIPA) violates the human right to a private life. The UK’s rules and safeguards on covert surveillance are proportionate, said the court. [Out-Law] See: The ruling (40 pages)


EU – EDPS Comments on Citizens’ Initiative Proposal

The European Data Protection Supervisor (“EDPS”) focused on the requirements and procedures for collection of statements of support, registration of the Citizen’s Initiative and security of the data collected; as data controller, the organiser is collecting personal information including the personal identification numbers, nationality and identification documents from signatories to the initiative (the collection of the personal identification number is considered inappropriate and should not be collected and a standard privacy statement must be communicated); having collected the necessary statements of support from the signatories the organiser must submit these statements to the relevant competent authority for verification and certification (data collected by the organiser must not used for any other purpose than its indicated support of the given citizens’ initiative and data received by the competent authority must be used only for the purpose of verifying the authenticity of statements of support for a given citizens’ initiative); and the organiser must ensure that his online collection system has adequate security, as stated in the General Directive, and can request certification of the security of the system (certification should take place before the statements are collected in order to prevent the collection of personal data of at least one million citizens through a system which afterwards would appear to be not sufficiently secured).[EDPS Opinion]


EU – Google, Yahoo and Microsoft Data Retention Practices Run Afoul of EU Authorities

European authorities told the three major search engines on Wednesday that their data retention practices violate a rule requiring the deletion of users’ personal information after six months. The Article 29 Working Party alleged in letters to Google, Yahoo and Microsoft that they don’t adequately anonymize information about search users. “Therefore,” the letters state, “WP29 cannot conclude your company complies with the European data protection directive.” The European authorities previously told the companies they shouldn’t keep logs tying search queries to users’ IP addresses for longer than six months. All of the search engines changed their policies in response, but the authorities said this week that the new practices don’t go far enough. “An individual’s search history contains a footprint of that person’s interests, relations, and intentions and should rightly be treated as highly confidential personal data,” the letters state. “Pursuant to the data protection directive the retention period should be no longer than necessary for the specific purposes of the processing, after which the data should be deleted.” [Source]

EU – German DPA Imposes €120,000 Fine on Deutsche Postbank AG

On May 7, 2010, the data protection authority of the German federal state of North Rhine-Westphalia imposed a fine of €120,000 on Deutsche Postbank AG for illegal disclosure of customers’ bank account transaction data. The bank unlawfully allowed approximately 4,000 self-employed agents to access information on more than a million customer accounts for sales purposes. [Hunton & Williams LLP, Privacy and Information Security Law Blog]




US – FTC Extends Red Flags Enforcement Deadline

The FTC has extended the enforcement deadline of its Red Flags Rule again. According to an FTC press release, the new enforcement deadline is December 31, 2010. The commission says the extension comes at the request of several members of congress who are considering legislation related to the scope of the rule. FTC Chairman Jon Leibowitz said, “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule—and to fix this problem quickly.” [Press Release]


EU – Italian Police Reviewing Stolen Account Information

Italian finance police investigating instances of possible tax evasion or money laundering are reviewing a list of more than 7,000 Swiss bank accounts stolen by a former bank employee earlier this year. The names are included on a list of 127,000 accounts belonging to 80,000 people, the report states. HSBC previously confirmed that French authorities had obtained details on about 24,000 accounts that were stolen by the employee in March, stating that while the theft posed a threat to client privacy, the data in question would not allow third-party access to the accounts. Tensions persist between Switzerland and countries that are willing to pay for stolen data to pursue tax evaders, the report states. [Bloomberg]




US – Senate Unanimously Passes Faster FOIA Act of 2010

The Senate unanimously passed the Faster FOIA Act of 2010, introduced by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX). The legislation seeks to improve the processing of Freedom of Information Act (FOIA) requests by establishing a 16-member commission to study methods for reducing delays in processing FOIA requests. Government reports reveal substantial delays in disclosing records subject to the open government law, sometimes as long as 15 years. President Obama’s recent Open Government Directive requires agencies to put forth plans to reduce agency FOIA request backlogs by 10% each year. The commission created by the Faster FOIA Act will also be responsible for examining the current FOIA fee structure and granting fee waivers for FOIA requestors. Fees are often the subject of prolonged FOIA appeals and litigation against agencies. [The Faster FOIA Act of 2010] See also: [Department of Justice: Annual FOIA Reports] [EPIC: FOIA Litigation Docket] [EPIC: FOIA Litigation Manual] See also: [‘500 ways to say no’ – Canada’s Access to Information program is in shambles.]




US – UC Berkeley Plan to Test Student DNA Raises Alarms

A program at UC Berkeley that would solicit voluntary DNA samples from students is raising privacy concerns. The university plans to send cotton swabs to 5,500 incoming students, asking them to collect cheek samples to be tested for tolerances to folic acid, lactose and alcohol. The researchers plan to destroy the samples and have put other precautions in place to protect the data. However, criticism from the Council for Responsible Genetics and others has project officials taking another look. Biology Dean Mark Schlissel said, “The rapidity and energy behind the criticism have a validity we have to think about.” [The Mercury News]


US – House Votes to Expand DNA Database

By a vote of 357 to 32, the House of Representatives has approved legislation to provide funding to state governments that require DNA samples from adults arrested on suspicions of serious crimes. While supporters of the plan point to the use of such data to reduce instances of false convictions and to help solve violent crimes, civil libertarians and privacy advocates are concerned about plans to extract DNA from individuals who have not been convicted of a crime. Marc Rotenberg of the Electronic Privacy Information Center said the U.S. should instead follow the example set by the European Court of Human Rights, which has ruled that holding DNA samples from people arrested but not convicted of crimes violates their privacy rights. [CNET News] [H.R.4614]


CA – Storing B.C. Babies’ Blood Violates Privacy: Group

The B.C. Civil Liberties Association says as many as 800,000 babies in the province have been the victims of privacy violations that began the day they were born. “A functional DNA database has been created of all the infants born,” Eby told CBC News. The association says blood samples taken from infants at birth in B.C. hospitals are used to test for about 50 genetic disorders. But after those tests are completed, the samples are then kept in storage indefinitely by the hospital system, and some have been used for medical research. According to a statement released by the Newborn Screening Program of B.C., the samples, which are kept on so-called blood spot cards, dating back to 1999 have been kept in storage by a private contractor with no written policy specifying how long they will be kept. But BCCLA executive director David Eby says the practice is a breach of privacy, because the parents are never informed about the researchers’ use of the samples or asked for their consent. [Source]


Health / Medical


CA – Ontario Hospitals May Lose Privacy

Ontario hospitals may soon be required to provide information about how they’re run to the public. Premier Dalton McGuinty said he’s taking a “good look” at including hospitals in the province’s freedom of information laws. McGuinty said there might be some real value in making the move to ensure that precious health-care dollars are well spent, “so that is something that we will seriously consider.” John Hinds of the Canadian Newspaper Association also supports the move. Hinds said while journalists certainly want hospitals subject to freedom of information laws, the issue should also matter to the general public. “Hospitals are very important to individual Ontarians — they want to know what’s going on in their hospitals, they want to know what’s going on in health — and I think transparency and accountability leads to better quality of care, more efficient care and more cost-effective care.” Privacy and information commissioner Ann Cavoukian has long called for hospitals to be included in the legislation, along with universities and Children’s Aid societies. The Ontario Hospital Association has also asked that hospitals be made subject to the law. []


CA – Alberta Commissioner Issues Health Care PIA Guide

Privacy impact assessments (“PIAs”) submitted under the Alberta Health Information Act include specific, detailed and mandatory requirements; PIAs are best submitted after the determination of all business requirements but before completing detail design or development work. Before writing the PIA, an organization should review the project’s health information elements, understand how they will be collected, used and disclosed and draft information security requirements (e.g. system logging controls and encrypting health information transmitted over public networks or stored on mobile devices). PIAs must follow a mandatory format and order which includes a cover letter, cover page and sections on project summary (a description of the project) which is posted in a publicly-available PIA registry, organizational privacy management (management structure, policy management, training and awareness, incident response, access and correction requests), project privacy analysis (a health information listing, information flow analysis, notice, consent and expressed wishes, data matching, contracts and agreements and use of health information outside Alberta), privacy risk mitigation (access controls, privacy risk assessment and mitigation plans, monitoring and PIA compliance), and policy and procedure attachments; organizations must not skip sections and explain the reason for inapplicable or unavailable items. [PIA Requirements document] [Updated PIPA Information Sheets]


CA – Sask. Patient Name Release to Fundraisers Halted

The Saskatchewan provincial government’s plan to amend privacy rules in order to allow the names and addresses of recent hospital patients to be used for fundraising has drawn criticism from the province’s privacy commissioner and the NDP. The amendment, which was approved in April, came into effect this month. Health Minister Don McMorris now says the government won’t release any information until it determines how people who don’t want to participate can opt out. “We are going to take our time on this, because we know the sensitivity, and so what I would just do is ask the general public to be patient,” he said. “When we have the information regarding opting out, we are going to make that public ... then people will have the opportunity to opt out.” The province says it won’t make any changes, but will review the program after one year to evaluate how well it’s working. The patient information will be shared with hospital foundations so they can contact patients directly for donations. A spokesperson for the Hospitals of Regina Foundations has said donations will only be solicited by mail and that no telemarketers would contact former patients. [Source]


US – HHS Proposes Survey of Patients

The Department of Health and Human Services (HHS) plans to conduct a study to address “an evidence gap about patients’ preferences and perceptions of delivery of healthcare services by providers who have adopted EHR systems in their practices.” The proposed “Patient Perceptions of EHR” study will survey 840 patients of healthcare providers currently using EHRs to get their opinion on the quality of their care. The aim is to help policymakers understand how EHRs affect patients’ medical care, communication with their doctor and coordination of care, the report states. []


Horror Stories


US – Data Breach Reports Now Posted Online

Since the Health and Human Services Dept. started posting a list of health care breaches, there have been 64 incidents reported, affecting more than 1 million people. When a breach affects more than 500 patients, practices and other health care entities – or their business associates – are required to notify the HHS Office for Civil Rights and the media. HHS is required to post a list of the breaches online. HHS started listing the breaches on its website in February, then updated the list in April. The reported incidents affected 1,243,815 individuals. Of the 64 breaches:

·         7 involved laptops.

·         12 involved paper records.

·         11 involved desktop computers.

·         8 involved either hard drives or network servers.

·         7 involved portable electronic devices.

The remaining incidents either were isolated events that didn’t fit into another category or were classified as “other” in the report. Some single events included more than one category – a theft that included a laptop and a desktop computer, for example. Theft was the most common cause of a breach, with 44 of the cases classified as such. The others were either loss, unauthorized access, hacking or other causes. The latest report lists by name hospitals and large medical centers that experienced breaches. Private practices are listed as “private practice,” with the city and state, but soon will be named. The report is online. [Source] See also: [ICO Sends Warning as Data Breach List Nears 1,000]


US – Laptop Stolen from Contractor’s Office Holds Army Reservists’ Information

The US Army Reserve Command is notifying approximately 207,000 reservists that their personally identifiable information is on a CD-ROM in a laptop computer stolen from a government contractor. The compromised data include names, addresses and Social Security numbers (SSNs). The computer may also contain information about reservists’ dependents and spouses. The computer was one of three stolen from the Morrow, Georgia offices of Serco Inc. [Kreb on Security] [Gov Info Security] See also: [Roger Clarke: Vignettes of Corporate Privacy Disasters: Google Buzz and WiFi - 2009-10]


Identity Issues


US – LifeLock CEO Victim of 13 ID Theft Incidents

The CEO of a credit monitoring services company has been the victim of identity theft 13 times. LifeLock CEO Todd Davis, who is notorious for publishing his Social Security number (SSN) in numerous advertisements to demonstrate confidence in his company’s product, says not all of the instances were “true identity thefts.” The Phoenix New Times first reported Davis had been victimized by thieves who used his SSN to open cellular phone and utility accounts and to purchase gifts. Davis noted that the 13 successful attempts were among “hundreds” that were prevented by LifeLock’s product. [Computerworld]


WW – History of Social Network Use Reveals Your Identity

Web browsing history can be used to identify individuals in a membership group on a social networking site, according to researchers at the Vienna University of Technology. The researchers built a Web site to read the Web addresses visited by people who use Xing, a business-oriented social network based in Hamburg, Germany. They collected data on 6,500 groups containing 1.8 million users, and analyzed the overlap between the lists of names of group members that were publicly available. The researchers estimate that 42% of Xing users could be uniquely identified by the membership groups they visited. Xing has begun to add random numbers to mask addresses, but the response might not be enough to foil a similar snooping site, says Stanford University computer scientist Arvind Narayanan. The next round of Firefox, Chrome, and Safari browsers could have fixes to prevent browsing history from being relayed to Web site owners. [New Scientist]


WW – Majority of Phishing Attacks are the Work of One Group

According to a report from the Anti-Phishing Working Group (APWG), one phishing gang in Eastern Europe is believed to be responsible for about two-thirds of all phishing attacks. Of the 127,000 phishing attempts tracked by the APWG, 84,000 appear to have originated with this group. The Global Phishing Survey: Trends and Domain Name Use in [the Second half of 2009] also notes that the group, which has been dubbed “Avalanche,” has changed the way it operates and is running on a ‘greatly reduced scale.” The majority of phishing attacks appear to come from just five top-level domains. [Report] [Dark Reading] [ComputerWorld]


CA – Erase ID Card Information After G20: Police Chief

The Toronto Police Service is countering concerns that personal information collected from people who live and work in the area around the G20 summit could be misused, with Chief Bill Blair pushing to have those records destroyed two days after the meeting wraps up. During the summit, police will place checkpoints around the G20 security zone. Police have encouraged people who live and work in that area to register for identification cards so they can be fast-tracked through the checkpoints. In order to receive a card, people must submit their names, as well as their home and business addresses, a requirement that is drawing criticism from some who live in the area. In an attempt to allay concerns, police chief Bill Blair is expected to ask Toronto’s Police Services Board on Thursday afternoon to pass a resolution that says any personal information gathered will be destroyed once the summit is over. By law, the information could be kept for a year. Blair wants the information erased no later than June 29, two days after the summit. [Source] see also: [Authorities have begun to install 77 closed-circuit video cameras in and around Toronto’s Financial District]


Intellectual Property


IR – Eircom Implements “Three Strikes” Anti-Piracy Program

As of Monday, May 24, Irish Internet service provider (ISP (Eircom) will start cutting off broadband service to its customers who have been identified as persistent illegal filesharers. Eircom will receive the IP addresses of the alleged copyright violators from the Irish Recorded Music Association (IRMA); IRMA obtains the information with the help of Dtecnet, an anti-piracy monitoring company. Eircom will warn users the first two times they are identified as copyright violators. If a particular Eircom customer is found to have engaged in illegal filesharing three times, the company will suspend access for one week. If the activity persists after the week’s suspension, the account will be suspended for a year. The rules apply to illegal music sharing only. [Silicon Republic] [Irish Times]


Internet / WWW


WW – Google Rolls Out Encrypted Search

Google is gradually rolling out a new choice to search more securely at When you search on, an encrypted connection is created between your browser and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party on your network. The service includes a modified logo to help indicate that you’re searching using SSL and that you may encounter a somewhat different Google search experience, but as always, remember to check the start of the address bar for “https” and your browser lock indicators: [Google Announcement] [EFF Commentary]


Law Enforcement


UK – Outrage at Secret Probe Into 47,000 Innocent Flyers

Police secretly investigated the travel habits, family, friends and backgrounds of 47,000 innocent people last year after they bought plane tickets to fly into and out of Britain. The intrusiveness has provoked fury among civil liberties campaigners and now may be stopped by Britain’s new coalition Government. The flyers were singled out by the ‘terrorist detector’ database, introduced by Labour, monitoring millions of British tourists and other travellers. Checks included scrutiny of the police national computer, financial records and analysis of ‘known associates’ before people were cleared for travel. Yet it is understood the £1.2billion system has never led to the arrest of a terrorist – and police now use it to target ‘sex offenders and football hooligans’. Police have also used it to produce 14,000 intelligence reports on travellers for ‘future use’. They can be shared by security services worldwide. ‘Suspect’ requests likely to lead to innocent holidaymakers receiving ‘red flags’ as potential terrorists include ordering a vegetarian meal, asking for an over-wing seat and travelling with a foreign-born husband or wife. The system will also ‘red flag’ anyone buying a one-way ticket and making a last-minute reservation and those with a history of booking tickets and not showing up for flights. A history of travel to the Middle East, Pakistan, Afghanistan or Iran will also trigger an alarm. The new figures, produced by the Association of Chief Police Officers, cover the ten months to this February. Police arrested 2,000 people – out of a total of 48,682 investigated – after they were flagged up by the computer system. It is tied into airlines’ ticketing networks and makes judgments about travel habits and friends and family to decide if passengers are a security risk. All information passengers give to travel agents, including home address, phone numbers, email address, passport details and the names of family members, is shared with an unknown number of Government agencies for ‘analysis’ and stored for up to ten years. The Home Office claims the system has led to arrests of murderers and rapists – and to 1,000 people being denied entry to Britain. But it refused to say if any terrorists had been caught by the system, despite it being a counter-terrorist measure. [Read more] [Source]




GM – Senators Introduce Privacy Bill

Lawmakers in Guam have introduced The Guam Privacy Protection Act. Senators Ray Tenorio (R) and Adolpho Palacios (D) say the bill will mirror the federal Privacy Protection Act of 1980, which regulates newsroom searches. Bill 398 comes on the heels of an incident last week involving the Guam Police Department’s search of a KUAM newsroom. “This local statute...would actually provide for a penalty--not just disallow what was obtained during a search in a newsroom,” Palacios said. According to Tenorio, violators will face civil and criminal penalties. The bill provides for third-degree felony charges. [KUAM News]


Online Privacy


EU – Working Party: Search Engines Violate EU Data Protection Rules

The Article 29 Data Protection Working Party announced that search engine operators Google, Microsoft and Yahoo are noncompliant with the EU’s data protection rules. The group sent letters to the companies, U.S. Federal Trade Commission and EU Commissioner Viviane Reding specifying that the methods used to make search data anonymous do not comply with the EU’s Data Protection Directive. The Working Party also wants the time period in which data is kept before it is made anonymous reduced to six months. The Wall Street Journal reports that while Yahoo and Microsoft fall within that timeframe, Google has responded that it keeps search queries for nine months to provide “the best experience for users both in terms of respect for their privacy and the quality and security of our services.” [Source] [Art 29 announcement]


WW – Facebook Unveils Simpler Privacy Controls

Facebook has announced plans for simplified privacy settings, including giving users a single control for their content. “The net effect of that is that all applications are going to have restricted access to your personal information,” Facebook CEO Mark Zuckerberg said at a press conference on the new privacy settings. The conference came in the wake of international concerns about changes to the site’s privacy policy and in the midst of social networking privacy becoming a topic of conversation around dinner tables and a focus for mainstream media and primetime television alike. “The number one thing we’ve heard,” Zuckerberg said, “is that there just needs to be a simpler way to control your information.” [Source] [Facebook makes 4 major changes to privacy rules] [Zuckerberg: New Privacy Controls, But No Apologies] [WSJ: Facebook Grapples With Privacy Issues]


CA – Facebook Warned it’s Not in Compliance

Canada’s Office of the Privacy Commissioner warned that Facebook is not complying with federal privacy laws despite major fixes unveiled this week that give users more control over how their data is shared on the sprawling social media network. Hours after Facebook’s founder Mark Zuckerberg introduced a number of simplifications to make it easier for its 500 million users to shield personal information, Assistant Commissioner Denham cited concerns in an interview. She said Facebook’s new settings continue to require users to publicly reveal their names, profile information, pictures, gender and networks to the broader Internet. Under Canadian law companies are bound to give consumers full control over how their personal data is used. Another issue is Facebook’s recent move to allow outside software developers to cull users personal data and track their Internet movements. Facebook had committed last year to give members the ability to block such Internet trespassing by August. “We are still waiting for Facebook to honour all of its commitments. I am disappointed in the direction they have taken,” Ms. Denham said. Mr. Zuckerberg said Wednesday that the company will be introducing new controls that allow it to block outside companies, but the details will not be available for a few weeks. Ms. Denham said her office will pay close attention to the changes.[Source] [Don’t like Facebook? Walk away, Cavoukian says] [Privacy groups assail Facebook changes]


WW – MySpace Launches Simplified Privacy Settings

MySpace has announced it has created simplified privacy settings for user information. The new controls include giving users the option of selecting one privacy setting for all their information as well as choosing whether to make their profile public to friends only, to all users over the age of 18 or to everyone. MySpace users also have the ability to block the sharing of their information with other Web sites or third-party applications, the report states. In disclosing the company’s new policies, MySpace Co-President Mike Jones said, “we want to get out and state a clear position so that our users understand that we take privacy very seriously.” [The Wall Street Journal]


WW – Browsers Provide Information that Helps Identify Users

Research conducted by the Electronic Frontier Foundation (EFF) shows that Web browsers such as Firefox and the Internet Explorer provide Web sites with information needed to build a unique profile of whoever visits these sites. Information about browser configuration, including the type of browser, the plugins that have been installed, the operating system on which the browser runs, fonts available, and more can enable individuals who are able to harvest this information to distinguish one user from another approximately 94% of the time, although the specific identities of users cannot be determined on the basis of this information alone. This research shows that cookies do not comprise the only threat to Web surfing anonymity. [ComputerWorld] [EFF Report: How Unique is your web browser?]


UK – Report: UK Users Are Limiting Profile Access

A report released this week states that British subscribers to social networking sites such as Facebook are limiting those who can see their online profiles to friends and family. Ofcom, Britain’s communications regulator, released a portion of its Media Literacy reports that shows that in 2009, 80% of adults with a social networking profile allowed only friends and family to view their profiles, compared with 48 percent in 2007. The findings come as regulators and lawmakers worldwide examine ways to protect consumers’ privacy in the social era. [The Washington Post]


US – Study: Young Adults Are Most Privacy Proactive

According to a study conducted by the Pew Internet & American Life Project, young adults are more likely to pay attention to online privacy than most people think. The study shows that 18 to 29-year-olds keep tighter control of their online personas than any other age group. Seventy-one percent have changed their privacy settings on social networking sites and they have been consistent in this practice since 2006. Another major finding, the report states, is that no matter their age, people who are most aware of others viewing their online behavior are also the most likely to closely manage their privacy settings. [Ars Technica]           


Other Jurisdictions


RU – Russia Considers Improving its Data Protection Law

Russia’s data protection regulator has already received more than 100 recommendations from businesses and data protection professionals as it considers improving the country’s data protection law. Businesses have pointed to issues with the law, including requirements for digital signatures for online data processing, as being extremely difficult to meet, the report states. The Russian Federal Service for Oversight of Communications, Information Technology and Mass Media, which is proposing amendments to the law, reported that approximately 400 audits conducted in 2009 revealed 86 incidents of noncompliance with the current version. [Hunton & Williams Privacy and Information Security Law Blog]


Privacy (US)


US – Advocates Slam AG’s Attempt to Identify Web Posters

Efforts by the Pennsylvania Attorney General’s Office to subpoena Twitter to determine whether a former legislative aide was the anonymous writer behind Internet postings about a court case have come under fire from privacy advocates. Prosecutors withdrew the subpoena, the report states, but advocates continue to denounce it as an invasion of privacy. Meanwhile, Deputy Attorney General E. Marc Costanzo is pointing to the potential “chilling effect” of such posts on witnesses and jury members, suggesting, “This whole realm of the law is going to have to be something that gets ultimately addressed by our courts and our legislature.” On the federal level, calls are going out to revise the Electronic Communications Privacy Act. [The Philadelphia Inquirer]


US – Commerce Dept. Seeking Input on Internet Privacy

The Department of Commerce (DOC) is actively seeking input from Internet users as part of its recent entry into the complex discussions and debate around federal data privacy legislation. The DOC will continue to gather public comments on Internet privacy through June 7. Respondents have the chance to comment on a range of topics, including the nation’s legal framework for privacy protection, the impact of state and international laws and the effects of data privacy law on trade. Comments received will contribute to the Obama Administration’s domestic policy and international engagement on Internet privacy, the report states. [Federal Computer Week]


US – Physicians, AMA Sue FTC

The American Medical Association (AMA), American Osteopathic Association and the Medical Society of the District of Columbia have filed a lawsuit against the FTC for defining physicians as “creditors” under its Red Flags Rule. Beginning June 1, the Red Flags Rule will require the verification of patient identities before providing treatment. The physician groups contend that the requirement to set up identity theft prevention and detection programs is unnecessary because they are already bound by the Health Insurance Portability and Accountability Act. They argue that the FTC acted beyond its authority because physicians are not creditors and patients are neither accountholders nor customers under the Fair and Accurate Credit Transactions Act, the report states. [HealthLeaders Media]


US – Study: Regulations Affect Ads’ Effectiveness

A study conducted by marketing professors concludes that even moderate regulation impacts the effectiveness of ad targeting. The study explored European participants’ intent to purchase and compared the results with similar studies carried out in non-EU countries, concluding that online ad effectiveness in Europe is lower by more than 65% due to more stringent online privacy laws, the researchers say. Another academic suggests the findings may be due to greater consumer awareness in the EU about targeted ads rather than the regulations. [MediaPost News] [Privacy Regulation and Online Advertising by Avi Goldfarb, University of Toronto, Joseph L. Rotman School of Management and Catherine Tucker, Massachusetts Institute of Technology (MIT), Management Science (MS)]


US – FTC Investigating Copy Machine Privacy Risks

The Federal Trade Commission (FTC) is contacting copy machine manufacturers and retailers about privacy concerns related to sensitive data stored on the machines’ hard drives. Chairman Jon Leibowitz said in a letter to Rep. Ed Markey (D-MA) last week that the FTC is working with manufacturers and sellers to provide educational materials about privacy risks to consumers. Markey called for an FTC investigation after a CBS News report revealed that sensitive data is readily accessible. Markey said most users aren’t aware of the risks, including identity theft, “when they place their tax returns, financial records and other personal information on the copier and hit the start button.” [Computerworld] [Source] [Source] [Source] [Source]


US – Gruesome Death Photos are at the Forefront of an Internet Privacy Battle

A car crash victim’s father is suing the CHP over the wide dissemination of pictures of his daughter’s body. Three weeks after his 18-year-old daughter sped away in his Porsche and swerved to her death in Lake Forest, Christos Catsouras understood why he had not been allowed to see her body. Photographs of the Halloween 2006 crash, taken and leaked by the California Highway Patrol, were proliferating on the Internet. The crash had left his daughter unrecognizable. Catsouras said he found 35 websites — and soon hundreds more — that showcased the macabre photographs, some with headlines that mocked his daughter. When he took them to the attention of CHP officials and pleaded for help, he said, they told him there was nothing they could do. “They said if we wanted to file a complaint, we could file a complaint.” The result: a lawsuit that, even though it has yet to go to trial, has reshaped the boundaries of privacy law in the Internet age. In 2008, an Orange County Superior Court judge threw out the lawsuit against the CHP and two civilian dispatchers accused of disseminating the photos, on the grounds that the agency had not breached any legal duty to the family. The law, at the time, did not recognize the right of family members to sue for invasion of privacy involving photos of the dead. That changed in January, when the state’s 4th District Court of Appeal in Santa Ana reversed the decision. For the first time in California, the court established that surviving family members have a right to sue for invasion of privacy in such cases. “We rely upon the CHP to protect and serve the public,” the court said. “It is antithetical to that expectation for the CHP to inflict harm upon us by making the ravaged remains of our loved ones the subjects of Internet sensationalism.” [Source]


Privacy Enhancing Technologies (PETs)


WW – New Companies Bank on Privacy

In the wake of recent backlash against Facebook and Google over their handling of user information, The San Francisco Chronicle reports that “a slate of ambitious online startups are aiming to squeeze into the fields of social networking and search by touting a stronger focus on privacy.” In such privacy-focused social networking projects as Diaspora, Appleseed and OneSocialWeb as well as search engines like Yauba, Ixquick and Duck Duck, a strong focus on privacy is included as part of the package, the report states. And while market analysts do not see privacy as the sole factor to draw users from one service to another, Ryan Calo, whose company reviews Web applications based on privacy, security and openness, believes companies have begun to use privacy as a business differentiator. [Source]


WW – Mozilla Tools Tests Plug-in Safety for Other Browsers

Mozilla has launched a tool that users of other browsers can use to test whether or not plug-ins are secure. The tool is an offshoot of a Firefox feature launched last year that checks Firefox for plug-ins that need to be updated. Mozilla launched the tool for Chrome, Opera, Safari and Internet Explorer because “plug-in safety is an issue for the web as a whole.” Coverage for IE is not as extensive as for the other browsers because “IE requires specific code to be written for each plug-in.” [ComputerWorld] [The Register]




EU – Industry proposed RFID Privacy Impact Assessment Framework

Following the RFID recommendation issued by the European Commission on 12.05.2009, an informal working group on the implementation on the recommendation was set up, especially focusing on the task of creating a RFID Privacy Impact Assessment Framework. Members of the group were mainly industry representatives, some representatives of European standardisation organisations and a very limited number of civil society representatives. While the status of the group was strictly informal, its meetings were facilitated and organised by the European Commission. Following the RFID recommendation, the final industry proposal was submitted for endorsement to the Article 29 Working Party on 31.03.2010. Almost one month later, on 26.04.2010 - one day before it was published on the website of the European Commission - the members of the informal working group also received a copy of this final proposal from industry representatives. According to the process defined in the Commission’s RFID recommendation, it is now on the Article 29 Working Party to respond to the Industry proposal, either by endorsement or otherwise. The Industry Proposal Privacy and Data Protection Impact Assessment Framework for RFID is publicly available on the website of the European Commission. [European Commission: Commission Recommendation on the implementation of privacy and data protection principles in Applications supported by radio-frequency identification (12.05.2009) ] [Industry Proposal Privacy and Data Protection Impact Assessment Framework for RFID Applications (31.03.2010) ]




US – DHS Piloting New Cyber Threat Information Sharing Program

The USs Department of Homeland Security (DHS) and the Defense Department are partnering with several financial services companies to test a new model of cyber threat information sharing. The program allows participants to share cyber threat information in real time and to examine network intrusions and activity. The long term goal is to allow DHS to look at cyber threat data across the government and private sectors, as many components of the country’s critical infrastructure are private, and improve cyber security for everyone. [Source]


EU – German Authorities Launch Investigation into Google Wi-Fi Data-Gathering

The Google data-gathering issue is gaining widespread attention. Google has acknowledged that it inadvertently gathered personal information, including scraps of websites and personal email messages, from unprotected Wi-Fi networks while gathering images for Google Street View. German prosecutors have opened an investigation into Google’s collection of data from Wi-Fi networks. German officials have asked that Google turn over a hard drive containing some of the data. Google has said it will destroy the data. US legislators are also questioning the legality of Google’s data collection and have asked the FTC to investigate. France and Italy are launching investigations as well. The Irish Data Protection Commissioner requested that data gathered there be destroyed and Google has complied. The UK Information Commissioner’s Offices (ICO) have asked Google to delete the data it has collected there and declined to launch an investigation, although there are groups pushing for the data to be retained for an investigation. [NY Times] [Washington Post] [PC World] [V3]


EU – Google Admits Error in Collecting Wi-Fi Data and Fixes the Problem

Google has admitted that when Street View cars drove through neighborhoods, they also inadvertently recorded data transmissions on wireless networks in the area. The cars routinely collect Wi-Fi SSIDs and MAC addresses, but in some cases, they also recorded “payload data from open Wi-Fi points.” A Google executive called the recording, which has been going on since 2006, “a mistake.” Google Street View cars have been removed from service until the code responsible for the recording has been removed. European officials are angry about what appears to be a violation of privacy laws in some countries. [Source] [Source] [Source] [Source] [Source] [WSJ] [Class Action Lawsuit Filed Against Google for Data Collection] [Google to Offer WiFi Data Compromise]


EU – German Court Says WiFi Owners Must Secure Networks

Germany’s top criminal court has ruled that people who have wireless networks must secure them with passwords or face a fine of 100 euros if other people use their networks to download content illegally. “Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation.” The decision stems from a case in which a copyright holder sued a network owner because his music was downloaded and was later made available for filesharing. The network owner had proof that he was away from his home at the time the music was downloaded. [MSNBC] [The Register] [SC Magazine] [Google Says it Won’t Delete Any More Wi-Fi Data]


WW – Officials Denounce Google Over WiFi Data Collection

Privacy commissioners in Australia and New Zealand have joined many of their counterparts across the globe in investigating the company’s admission that its Street View vehicles had gathered personal data from unsecured wireless networks around the world. Describing actions Google has taken so far to address the issue, New Zealand Privacy Commissioner Marie Shroff said she is joining other commissioners to consider whether its plan to keep information about personal networks and signal strength is acceptable in terms of privacy law. Meanwhile, Australia Communications Minister Stephen Conroy, a proponent of Internet filtering, has denounced Google, Financial Times reports, describing the data collection as “probably the single greatest breach in the history of privacy.” [Source]


WW – Google Balks at Turning Over Private Internet Data to Regulators

Google has balked at requests from regulators to surrender Internet data and fragments of e-mail messages that it collected from unsecured home wireless networks, saying it needed time to resolve legal issues. In Germany, Google said it was not able to fully comply with the Hamburg data protection supervisor’s deadline of Thursday to hand over data the company had collected - inadvertently, it said - while roving cars were compiling its Street View photo map archive. The company implied that German privacy laws were preventing it from turning over the information, even to a government agency. The Hamburg data protection supervisor, Johannes Caspar, expressed his disappointment. Meanwhile, the privacy commissioner in Hong Kong, Roderick B. Woo, threatened unspecified sanctions after Google did not respond to his request to inspect data collected in the territory by the roving cars. Mr. Woo said Google had ignored a deadline on Monday to turn over the information. The company has said that its cars collected 600 gigabytes of “fragmentary data” from unsecured Wi-Fi networks in 33 countries and Hong Kong. It has declined to describe the data in more detail and says it was gathered inadvertently because of a programming error. Google has offered to destroy the data but has not allowed regulators to see and verify what it collected. Google has destroyed data collected in Denmark, Ireland and Austria at the request of local regulators. But eight other European countries - Belgium, Britain, the Czech Republic, France, Germany, Italy, Spain and Switzerland - have asked Google to retain data collected in those nations, which may be used as evidence in future legal proceedings. In the United States, the chairman of the Federal Trade Commission, Jon Leibowitz, told Congress last week that his agency would look into Google’s actions. Some have questioned Google’s assertion that it gathered the data inadvertently. Proving that the driver of a Street View recording vehicle had such knowledge and intent may be difficult. “This is not going to be an easy prosecution.” [The New York Times]


US – General Alexander Confirmed as Head of Defense Dept’s US Cyber Command

The US Senate has unanimously confirmed General Keith B. Alexander as the head of the US military’s US Cyber Command. General Alexander is also the director of the National Security Agency (NSA). The Senate also elevated Alexander from lieutenant general to four-star general. During his confirmation hearing, Alexander said that the Cyber Command will focus on cyber defense, but acknowledged that “under the right circumstances,” Cyber Command could use offense cyber measures. [Wash Post] [ComputerWorld] [The Register] [Information Week] [Federal News Radio]


WW – Facebook Introduces New Security Measures

Facebook has introduced two new security measures to help prevent account hijacking. Facebook users can now approve the specific devices from which they access Facebook and receive email or text message alerts when attempts to access their access their accounts are made from devices not on the list. If a user attempts to log in from an unfamiliar device, Facebook will now ask that user additional security questions. In addition, Facebook users will soon be able to see the location of the most recent log in attempts. [ComputerWorld] [GadgetWise] [MSNBC] [Zuckerberg Admits Mistakes, Discusses Intentions] [WSJ report of social networking sites providing user information to advertisers | Paper] See also: [Stolen Facebook Account Hawker Identified] and [TACD Resolution on Social Networking]


WW – Facebook Fixes Data Exposure Flaw

Facebook has fixed a cross-site request forgery vulnerability that discloses certain information, including birthdates, even if it has been classified as private. Attackers could exploit the flaw by enticing users to click on a specially-crafted link while logged into Facebook. The attackers would then be able to read and alter the users’ profile pages. Although Facebook says the issue has been fixed, the researcher who reported the flaw to Facebook says there are still ways to exploit it. The problem lies in the way Facebook checks to ensure that the browser requesting an action, for instance, “like”ing a page, is actually the one through which the account is logged in. By removing a small piece of code, Facebook completely bypasses the checking function and allows the action. [The Register] [ComputerWorld]


US – Researchers to Present Paper on Security Issues in Cars’ Computer Systems

Researchers from the University of Washington and the University of California, San Diego, plan to present a paper in which they describe how computer programs used in automobiles can be manipulated by hackers to take control of braking and other critical systems in cars. The researchers created a tool called CarShark that “can sniff and inject packets on the” Controller Area Network (CAN) system, the diagnostic tool used for all US cars built in 2008 and later. The cyber attackers would need access to a standard diagnostic computer port in the targeted car. In a demonstration last year, the researchers connected a laptop to the targeted car and controlled that car’s computer system wirelessly with another laptop in a car close by. The researchers are not trying to scare people, but to drive home the point to automobile manufacturers that they must bake security into the computer systems that accompany new cars. [NY Times] [The Register] [PC World] [CNET]


US – Federal Employees Using Unsecure File Transfer Methods

More than half of the respondents in a survey of 200 government IT and information security professionals said employees at their agencies use unsecure methods to transfer information. 52% said employees transfer files through personal email both within the agency and when transmitting to other agencies. Two-thirds of the respondents said employees use USB drives, DVDs and other physical media to transfer files and 60% said their employees use the File Transfer Protocol (FTP). A significant problem seems to be that government agencies are lagging behind private industry in the use of encryption tools and the establishment of secure file transfer policies. Some agencies are faring better than others. For instance, the Internal Revenue Service (IRS) logs access to taxpayer information, uses an encrypted WAN, and all files transfers both within and outside the IRS are encrypted. [ComputerWorld]


US – NASA Shifts Cyber Security Focus and Money to Real-Time Threat Reporting

NASA deputy chief information officer Jerry Davis has issued a memo instructing all NASA CIOs and CISOs to “shift [their focus and contracts] away from cumbersome and expensive C&A [certification and accreditation] paperwork processes, in favor of a value-driven, risk-based approach to system security.” The Federal Information Security Management Act (FISMA), which had never mandated C&As the way they were implemented by NIST, has been facing increasing criticism for being a paperwork sinkhole, requiring agencies to commit time and money to creating reports that assess compliance, but not requiring any actions to secure systems. C&As are still required before new systems are authorized for operation, but the wasteful 3-year C&A updates, consuming 85% of the C&A budgets are no longer allowed. Davis took his lead from a list of security requirements released by the Office of Management and Budget (OMB) last month. [NextGov] [CyberSecurityReport]


EU – Dutch Hacker Steals E-Mail Addresses, Demands Astley Tune

Dutch hacker Darkc0ke hijacked a radio station database containing 22,000 e-mail addresses and threatened to publish them unless the station play Rick Astley’s “Never Gonna Give You Up,” a variation of an Internet meme known as “rickrolling.” Last weekend Darkc0ke mailed DJs from the Dutch nationwide radio station 3FM and issued his threat and demand. The disc jockeys notified the station’s IT department, which realized that a backdoor to their database was indeed open. “Of course, we did not comply” with the demand, said a 3FM spokeswoman. She confirmed that the database could be accessed and that Darkc0ke obtained the e-mail addresses. “We repaired the vulnerability as soon as possible.” 3FM reported the hack to the police. Darkc0ke said in various e-mail messages that he warned 3FM two weeks ago and pointed out the vulnerability to the station. He claims he never got an answer. 3FM’s spokeswoman said the e-mail was not received. Darkc0ke said he planned to publish the database content threads on In the end, he published the table of contents, but didn’t go through with his threat to publish the e-mail addresses. [Source]




US – School to Notify Students Whose Pictures Were Taken with Surveillance Software

The Pennsylvania school district that made recent headlines for the questionable use of a video surveillance program on laptops used by students has been ordered to notify all students whose pictures were taken with the software. In all, the LANrev TheftTrack software on the Macbooks took tens of thousands of pictures of students in their homes. The tracking software was intended to be used to locate missing or stolen computers, but was activated in at least one case when a family had not paid an insurance fee for the computer’s use. In addition, once the program was activated on the computers, it continued to take pictures even after the computers were located or other problems resolved. The district stopped using the TheftTrack software in February after one student’s parents complained. Magistrate Judge Thomas J. Rueter ordered Lower Merion School District to provide student names; mailing addresses; the dates on which tracking software was activated and deactivated; the number of webcam pictures taken; and the number of screenshots taken. [WIRED] [Court Order]


US – California Bill Would Allow for Video Cameras on Dashboards

California’s state assembly passed a bill yesterday that would allow video recorders to be installed on vehicles’ dashboards. AB1942, which passed 49-0, is supported by those who hope the cameras will ensure safe driving and help determine fault in accident claims. But in a letter to the bill’s author, Assemblyman Nathan Fletcher (R-San Diego), the American Civil Liberties Union said the bill should specify that the recorded data belongs to the vehicle owner and that employees should have the right to refuse being recorded. “You want safety precautions, but on the other hand, an individual’s sense of autonomy and privacy has to be protected,” said an ACLU spokeswoman. [The Mercury News]


CA – Law on Video Cameras in B.C. Schools Under Dispute

The B.C. Civil Liberties Association says provincial legislation that permits video cameras in schools must be dropped. The amendment introduced last month gives school boards the go-ahead to install the cameras for the protection of students or staff. But in the past, surveillance in schools and everywhere else was dictated under privacy legislation and a public body had to demonstrate the safety measure was needed before cameras were installed. Under this amendment, the association says school planning councils only have to aim to provide more safety. A spokesman for the Education Ministry was unavailable for immediate comment, but has noted in the past that the legislation fulfils an election promise. The B.C. Teachers Federation is still studying the legislation and doesn’t yet have an opinion. [Source]


Telecom / TV


EU – Italy’s Government Tries to Limit Wiretap Powers

In the name of protecting citizens’ privacy, Italian Prime Minister Silvio Berlusconi is pushing a bill that would severely restrict police use of wiretaps and impose harsh jail terms on journalists who report the contents of bugged conversations. But free speech advocates are up in arms, and prosecutors say it would undermine efforts to combat organized crime and terrorism. Last week, U.S. Assistant Attorney General Lanny Breuer voiced concern that restrictive wiretap rules could harm joint U.S.-Italian investigations into narcotrafficking, money laundering and terrorism. Nevertheless, the government is pressing ahead, and the bill goes before the Senate next week. [Source]


WW – Caller ID Spoofing Used for Harassment, Fraud, Critics Say

Caller ID spoofing lets users phone a number, and plug in the digits they want to show up on that person’s caller ID. Denis Doyle/Bloomberg Caller ID spoofing lets users phone a number, and plug in the digits they want to show up on that person’s caller ID. It may seem like a harmless practical joke, but authorities say caller ID spoofing is increasingly being used for more sinister purposes than pretending to call your mother from the White House while disguising your voice. New York City police say an identity-theft ring used it to obtain bank-account information and steal more than $15 million from 6,000 victims. And a U.S. congressman has cited the case of a woman who posed as a pharmacist using the technology to trick a romantic rival into taking a drug used to cause abortions. Launched online five years ago, the original caller ID spoofing service Spoofcard works much like a calling card. It let users phone a number, and plug in the digits they want to show up on that person’s caller ID. Users also have the option to disguise their voice and record the phone conversation. The president of TelTech Systems, which patented the technology and has since sold it to other service providers, estimates about 200,000 Canadians have used Spoofcard. “It’s a way that if somebody is avoiding your calls, you can really get them to pick up,” said Meir Cohen. “It’s also a tool for privacy, and that’s really what most people use it for.” He argues doctors and lawyers like using it to phone clients and patients from home after hours. It’s also useful for private investigators, celebrities and battered women’s shelters, he said, adding it’s more effective than the *67 call-blocking feature telephone service providers offer. He said *67 merely masks calls and can easily be traced or unblocked. [Read more] [Source] see also: [Rogers sued for exposure of woman’s affair]


US Government Programs


US – Border Searches of Laptops May Be Conducted Off-Site for Cause, Court Rules

In recent cases, U.S. courts have supported the government’s right to search the contents of computers and other electronic devices carried by travelers arriving at U.S borders. A federal court in Michigan this week added that if such a search could not be performed at the border, the government has the right to seize and transport a computer to a secondary inspection facility, as long as there’s reasonable suspicion. [Source]


US – Pushy Fliers May Show Up on TSA’s Radar

A Transportation Security Administration (TSA) database aimed at preventing violence against airport screeners is raising privacy concerns. According to a TSA report, the database includes such information as names, birth dates, Social Security numbers, home addresses and phone numbers of aggressors, victims and witnesses involved in airport incidents where threats, bullying or verbal abuse against TSA employees or excessive displays of anger have occurred. Advocates are concerned the database could lead to additional airport screening for innocent travelers. “Is this going to be the baby watch list?” asks American Civil Liberties Union lawyer Michael German. “There’s a potential for the misuse of information or the mischaracterization of harmless events as potential threats.” [USA Today]


US Legislation


US – Electronic Privacy Act Draft Released

Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.), the Chairman and Ranking Member of the House Energy and Commerce’s Subcommittee on Communications, Technology and the Internet, released their draft bill to ensure the privacy of information about individuals both on the Internet and offline on May 3, 2010. Committee staff indicated the draft bill will become the subject of ongoing discussions with numerous stakeholders as the two members seek to refine and improve the bill. Comments will be wrapped-up by Friday, June 4, 2010. The members’ aim with the legislation is to encourage greater levels of electronic commerce by providing to Internet users the assurance that their experience online will be more secure. According to a summary issued by the members, the draft bill contains a number of important provisions to change current law, including:

·         New disclosure of privacy practices: Any company collecting a user’s “personally identifiable information” must conspicuously display a “clearly written, understandable privacy policy that explains how information about individuals is collected, used, and disclosed.”

·         Changes to collection and use of information: Currently, companies may collect information about users from the Internet unless an individual affirmatively opts out of that collection at the outset. Opt-out consent also applies when a Web site relies upon services delivered by another party to effectuate a first-party transaction such as the serving of ads on that Web site. Under the proposal, companies will instead need a user’s express opt-in consent to knowingly collect sensitive information about them, including such sensitive information relating to a user’s medical records, financial accounts, SSN, government-issued identification, and precise geographic location information.

·         New disclosure of information to unaffiliated parties: The proposal addresses concerns about the practice of third-party advertisers who collect information about users and then build a profile and target ads based on that profile. The draft would create an exception to the opt-in consent requirement for third-party information sharing by applying “opt-out consent” to the sharing of an individual’s information with third-party advertisers’ network. The bill would require companies to provide a “clear, easy-to-find link to a Web page for the ad network” that allows a user to edit his or her profile, and if he so chooses, to opt out of having a profile created, provided that the ad network does not share the user’s information with anyone else.

·         FTC implementation and enforcement: The FTC would adopt rules to implement and enforce the measure. States also may enforce the FTC’s rules through state attorneys general or state consumer protection agencies. [Source]


US – House Subcommittee Approved Bill to Revamp FISMA

The House Oversight and Government Reform Committee has approved a bill aimed at revamping the Federal Information Security Management Act (FISMA) which is nearly 10 years old. The 2010 Federal Information Security Amendments Act (HR 4900) would establish permanent positions of director of cyber security, and chief technology officer. It would also abolish certain paperwork requirements and require continuous network monitoring in place of 3-ring binders. The bill would also require IT contracts to address cyber security requirements. The bill now goes before the full House; a vote is expected sometime next month. A companion bill in the Senate is expected to be introduced in the next few weeks. [NextGov]


US – Rockefeller Introduces Senate Online Privacy Bill

Sen. John Rockefeller (D-WV) introduced the Restore Online Shoppers’ Confidence Act, a bill that aims to curb sales tactics used by third-party online affiliates. Rockefeller introduced the bill May 19, shortly after the US Senate Committee on Commerce, Science and Transportation released a staff report outlining what it described as deceptive tactics used by companies. The report said the companies used the tactics to enlist consumers in services without their consent and make it intentionally difficult for them to receive money back upon request. The legislation specifically referenced Affinion, Vertrue and Webloyalty. Legal analyst Linda Goldstein of Manatt, Phelps & Phillips, said the bill focuses on increasing consumer consent for any post-purchase messaging from third parties. The bill would force third-party sellers to obtain consumer information directly from the online buyer through a separate data-input and opt-in process than the buyer used for the original purchase, she said. Violation of any of the act’s parameters would constitute a violation of the Federal Trade Commission Act, Goldstein explained. [DM News]


US – Bill Could Mandate Black Boxes in Cars

Privacy interests will likely be watching an auto safety bill that proposes all new cars be equipped with black boxes that record crash data. One of the bill’s more controversial elements would require the collection of pre- and post-crash data. While one proposal calls for recording 75 seconds of data, a Virginia Tech researcher says that having more would provide a better picture for post-crash investigations. “From a research point of view,” said H. Clay Gabler, “the more data the better.” [The Washington Post] See also: [Cars’ Computer Systems Called at Risk to Hackers] and [US: Groups spar over car black boxes as congress mulls auto safety bill]


Workplace Privacy


EU – Germany Releases Key Issues Paper on Employee Data Protection Regulation

Key issues to be addressed by new rules on employee data protection are recruitment processes (only essential data may be requested), health checks (only with consent and if necessary to determine if an employee can perform a specific activity), enforcement of compliance requirements (use existing data as necessary and proportionate for compliance purposes), biometrics (as required for authentication and authorization), collective bargaining and participation rights (these rights are maintained), consent (lawfulness of employee consent is limited), and termination of employment relationships (information processed is necessary to finalize the relationship). Also addressed will be activities around video surveillance (secret surveillance is only allowed pursuant to a concrete suspicion), tracking (only during working hours to ensure safety or coordination), and monitoring of telephone, internet and e-mail use (permitted for billing or fraud prevention reasons). [Hunton & Williams Privacy blog]


CA – Alberta Province Ran Unauthorized Credit Checks on Employees

Provincial government employees were subjected to unauthorized credit checks earlier this year, officials confirmed this week. The credit checks -- Alberta Justice collected personal information on 27 employees – are now the focus of an investigation by the privacy commissioner. “There’s nothing stopping the employer from investigating employees on certain levels. But there has to be due process followed to do that,” said Guy Smith, president of the Alberta Union of Provincial Employees. The union has filed a grievance against the government over the credit checks, which Smith called an unnecessary invasion of privacy. The credit checks were made public Tuesday when an anonymous tipster e-mailed media outlets alerting reporters Alberta Justice had performed unauthorized credit checks on employees in the Maintenance Enforcement Program in January. Alberta’s Maintenance Enforcement Program polices child and spousal support court orders. The checks came to light in April when employees noticed the flags on their own credit reports. The tipster alleged the checks came at the same time as a separate internal probe. A letter from Alberta’s privacy commissioner indicates his review should be finished by mid-August. [Source]


AU – AUS Fake ANZ Facebook Profile May Breach Laws

Consumer rights advocates say ANZ bank employees may have breached privacy laws and the Trade Practices Act when they allegedly used Facebook to gather customers’ information. It is alleged that someone in the bank’s debt collection team secretly set up a fake Facebook profile. Using this false identity, they then befriended ANZ customers with bad credit in order to track down their current contact details. The fake Facebook profile was set up under the name of Max Bourke, but did not mention ANZ in any way. ANZ has confirmed that several members of its debt collection department are now under investigation over the fake profile. The bank’s spokesman, Paul Edwards, does not believe it is a widespread issue. “I think it’s more an issue of rogue activity by an individual or a small group of individuals in this area and we’ll take the appropriate action against them,” he said. “Clearly where we’re not being transparent, where we’re not being open within our dealings with customers, that’s just completely unacceptable.” [Source]