Privacy News Highlights

01–17 September 2010



US – Homeland Security to Test Iris Scanners. 3

CA – Proposed Amendments to PIPEDA to Include Breach Notification Requirement 3

CA – Canadian Information Commissioners Call for “Open Government”. 4

CA – Conviction Overturned as Search Ruled Unlawful 4

CA – Commissioner Cavoukian Names Privacy Ambassadors. 4

CA – Relevance Test Necessary to Protect Privacy during eDiscovery. 4

CA – Universities Teaching New Students to Brush Up on Social Media Skills. 5

US – Report Calls for National Database for Voting Machine Problems. 5

US – Web Monitoring Software Co. to Pay $100k for Privacy Violation. 5

US – Opinion: EHR Privacy Issues Must Be Addressed. 6

US – HHS Receives Thousands of Pages of Comments. 6

UK – Unencrypted Flash Drive Found on Street Contains Police Data. 6

EU – Article 29 Data Protection Working Party Issues Opinion on Accountability. 6

EU – 7,500 Germans Rally for Greater Data Privacy. 7

UK – TalkTalk Criticized for Running Secret Anti-Malware Pilot 7

UK – ICO Warns Estate Agents to Notify. 7

US – Universities at Greater Risk of Data Breaches: Studies. 7

CA – Canadians Expect to Be Victims of Cyber Crime: Report 8

WW – Haystack Privacy Tool Disabled Over Security Concerns. 8

US – Massive Cache of Iraq War Docs to be Published by WikiLeaks. 8

US – Retiree Files Class-Action Suit 9

UK – Secret Dossier of Lawbreaking Trouble for Rupert Murdoch...and David Cameron. 9

US – Police Want Prescription Database Access. 9

US – University Hospital Fined $250,000 for Breach. 9

US – Hospital: Tapes Gone, No Letters to be Sent 9

US – Hotel Systems Hacked. 10

UK – FIFA Fan Database Allegedly Stolen and Sold. 10

CN – China Now Requires Identification for Cell Phone and SIM Card Purchases. 10

IN – UID an Assault On Individual Liberty, Say Activists. 10

WW – Facebook Introduces Remote Device Logout Feature. 11

US – License Plates Used for Public Messaging. 11

WW – Paper Argues IP Addresses Are PII 11

CH – Court: File Sharers’ Privacy Infringed Upon. 11

WW – Researchers to Create a Privacy Dictionary. 11

WW – Web’s Creator: Mobile Devices Require Privacy Rethink. 12

WW – Unabomber’s Victims Fear He Could Post Writings. 12

WW – Regulators Raise Cloud Concerns. 12

US – Virginia Court: Police Can Use GPS to Track Suspect 12

CA – Social Network Sites Are ‘Unsupervised Playground’: Police Study. 12

WW – Smartphones Unwittingly Stealing Our Privacy. 12

US – Senators Push for Cell Phone Law.. 13

TK – Turkey Launches Wiretap Investigation. 13

US – Judge: No Privacy for ISP Subscribers. 13

US – Class Lawsuit Claims Fox Hacks Into Computers. 13

US – Lawsuit: Advertiser Evaded Cookie Controls. 14

UK – Opinion: Gov’t Needs to Clarify Cookie Law.. 14

WW – Researchers: Promises Fall Short in Compact Policies. 14

UK – Analysis of UK ICO Personal Information Code of Practice. 14

US – Bing Could get Access to Anonymized Facebook Data. 15

WW – Google Instant Gives Users As-You-Type Search Results. 15

EU – EC Backs Off From Data Sharing Plan With Israel 15

NZ – Parliament Passes Cross-Border Data Bill 16

EU – Denmark: US to Gain Access to National Register 16

AU – Communications Privacy Complaints Process Unacceptable. 16

CZ – Czechs Block New Street View Photos From Google. 16

IN – Stalker Held For Cellphone Photo In Privacy Test Case. 16

US – Privacy Rights of the Deceased Could Change. 17

US – SIA Releases Privacy Framework. 17

US – IAB Expected to Launch Certification Program.. 17

US – Company Hit With $459 Million Judgment Over ‘Junk Fax’ Transmissions. 17

US – Craigslist Yanks ‘Adult Services’ Section Without Comment 17

WW – How Much Would You Pay for Web Privacy?. 18

US – Airport `Naked Image’ Scanners May Get Privacy Upgrades. 18

WW – When Augmented Reality Bites. 18

Tracking Preschoolers With Location-Based Microchips. 18

US – NIST Issues Smart Grid Security Guidelines. 19

WW – Survey: Data Security Spending to “Skyrocket”. 19

US – Groups Sue Government over Laptop Searches. 19

CA – SK Privacy and Security Awareness Month. 19

US – Sensitive Company Information Bleeding Out the Door 19

US – GAO: Gov’t Contractors Have Inappropriate Access. 20

WW – Two Interesting Research Papers on Website Password Policies. 20

US – Court Rules Judges May Require Warrants to Access Cell Phone Location Data. 21

US – Judge Says FBI Must Obtain Warrant Before Requesting Cell Phone Location Data. 21

US – EPIC Sues for NSA-Google Info. 21

US – Echometrix Agrees to Stop Collecting and Selling Kids’ Chats. 21

IN – India Wants RIM and Other Communications Firms to Place Servers in the Country. 22

US – Google Updates Privacy Policy, Agrees to Pay US$8.5 Million to Settle Buzz Lawsuit 22

US – Tracking Systems in Almost Every State. 22

US – Growth in Shadow State: Special Investigative Report 22

US – DHS IG Says Customs and Border Patrol Needs to Address Cyber Security Issues. 22

US – Connecticut Insurance Dept. Imposes Strict New Data Breach Rules. 23

WW – Google Engineer Fired for Violating Internal Privacy Policies. 23

CA – B.C. Privacy Commish Sides With Man Who Lost Job Over Inaccurate Data. 23




US – Homeland Security to Test Iris Scanners

The Homeland Security Department plans to test futuristic iris scan technology that stores digital images of people’s eyes in a database and is considered a quicker alternative to fingerprints. The department will run a two-week test in October of commercially sold iris scanners at a Border Patrol station in McAllen, Texas, where they will be used on illegal immigrants. “The test will help us determine how viable this is for potential (department) use in the future,” Vemury said. Iris scanners are little used, but a new generation of cameras that capture images from 6 feet away instead of a few inches has sparked interest from government agencies and financial firms. The technology also has sparked objections from the American Civil Liberties Union. ACLU lawyer Christopher Calabrese fears that the cameras could be used covertly. “If you can identify any individual at a distance and without their knowledge, you literally allow the physical tracking of a person anywhere there’s a camera and access to the Internet,” he said. [USA TODAY]




CA – Proposed Amendments to PIPEDA to Include Breach Notification Requirement

The Canadian government recently introduced Bill C-29, which proposes to amend Personal Information Protection and Electronic Documents Act (PIPEDA) to add new exceptions to consent requirements, specify what constitutes “valid consent,” and - most significantly - impose mandatory breach notification obligations. If passed, Bill C-29 will implement the government’s response to the first statutory review of PIPEDA, the federal private sector privacy legislation.

Valid Consent: The bill would specify the meaning of “valid consent” to require that individuals understand the “nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting.”

Consent Exceptions: PIPEDA currently carves out certain business-related contact information from its definition of “personal information.” Bill C-29 would formally codify these exceptions in a proper “Business Contact Information” clause that would exempt from PIPEDA any information “the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.” The bill would also introduce a broad exception that would allow the use and disclosure of personal information in the context of prospective or completed business transactions such as mergers and acquisitions, financings, leases, licences and securitizations. This exemption would not apply, however, where the transaction’s primary purpose is the purchase, sale or lease of personal information. Bill C-29 would also add new exceptions to allow the collection, use and disclosure of personal information without an individual’s consent. The new exceptions would apply to personal information that is (i) contained in a witness statement related to an insurance claim; (ii) produced in the course of employment, or to establish, manage or terminate an employment relationship; (iii) required to communicate with next-of-kin; (iv) required for policing services; (v) disclosed to prevent, detect or suppress fraud or financial abuse; or (vi) used to identify injured, ill or deceased individuals. The bill also clarifies the existing exception for disclosure to a lawful authority, by noting that organizations do not require a subpoena, warrant or court order before disclosing personal information required as part of a formal government investigation. Nor is the organization required to verify the validity of the lawful authority before complying.

Breach Notification: Under Bill C-29, the biggest change to PIPEDA would be the introduction of a reporting and notification requirement for privacy breaches. Specifically, in the event of a breach of security safeguards that protect personal information:

  1. An organization would be required to report to the federal privacy commissioner “any material breach of security safeguards involving personal information under its control.” The bill sets out a non-exhaustive list of factors to be considered in determining materiality, including the sensitivity of the information, the number of individuals involved, and the cause of the breach.
  2. If it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to any individuals, the organization must notify those individuals of the breach. Significant harm is defined in the bill to include “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.”
  3. The organization would also be required to notify any third-party company or government body of the breach if notification might mitigate the harm of the breach. [Mondaq News ]


CA – Canadian Information Commissioners Call for “Open Government”

The information and privacy commissioners of Canada are calling on the government to be more transparent. In a joint resolution, the federal, provincial and territorial commissioners call for proactive sharing of information. “The norm should really be proactive disclosure,” said Information Commissioner Susanne Legault from a gathering in Whitehorse. “We feel that all Canadian governments at all levels should really embrace this approach and this cultural shift.” In the resolution, the commissioners call on the federal government to commit to stronger open government standards and to change the system so that Canadians get information without having to formally file access requests, among other changes. [Montreal Gazette] [Open Government: Resolution of Canada’s Access to Information and Privacy Commissioners, September 1, 2010 – Whitehorse, Yukon]


CA – Conviction Overturned as Search Ruled Unlawful

The B.C. Court of Appeal has overturned the conviction of a man who was arrested after a police sniffer dog found 34 half-kilogram bags of marijuana in his vehicle. Sebastien Payette was driving along Highway 3 near Midway in the Kootenay Boundary Regional District when he was stopped at an RCMP random traffic checkpoint. The provincial court judge hearing the case in Rossland, who is not named in the appeal court ruling, found the traffic safety stop was lawful and determined that police had a reasonable suspicion that Payette was involved in criminal activity. In June 2009 the judge found Payette guilty of one count of possession of marijuana for the purpose of trafficking. But Payette appealed his conviction, arguing that his rights had been violated by the police search. In a ruling released this week, Court of Appeal Justice Kathryn Neilson found that the trial judge had erred in assessing the factors that the police officer used to conduct the search. The judge found that police had conducted an unreasonable search and seizure and while the Charter breach was not wilful or flagrant, it could not be characterized as inadvertent. The judge excluded the evidence and overturned the conviction. [Source]


CA – Commissioner Cavoukian Names Privacy Ambassadors

Ontario Information and Privacy Commissioner Ann Cavoukian has announced the inaugural group of Privacy by Design (PbD) Ambassadors. The ambassadors program was established to publicly recognize individuals’ and organizations’ efforts to build privacy into their businesses and technologies on a daily basis. “With the ease that vast amounts of personal information can otherwise be collected and potentially misused, companies and government organizations can’t treat privacy as an has to be built in from the outset, as the default option,” Cavoukian said. The group includes 27 international ambassadors, including European Data Protection Supervisor Peter Hustinx and New Zealand Privacy Commissioner Marie Shroff. [CNW]


CA – Relevance Test Necessary to Protect Privacy during eDiscovery

Production of documents on discovery must meet the semblance of relevance test; in this instance, the plaintiff seeks damages from a motor vehicle accident pertaining to her “emotional life” and opposed production of documents concerning her stay at a women’s shelter after the accident (where she stayed as a result of depression and emotional abuse) - the plaintiff has a right to privacy in counselling records, however, by advancing her claim, she has put her emotional health in issue (the order requested by the defendant for the clinical notes and records of the shelter is a reasonable approach). The plaintiff also cannot object to the production of photographs based on a right to privacy, as they demonstrate her ability to engage in activities pre- and post-accident, and an argument that she has lost function necessitates evidence of pre-accident activity. [Source: CANLII]




CA – Universities Teaching New Students to Brush Up on Social Media Skills

Call it Facebook 101. Universities across the country are offering workshops, seminars and tipsheets on social media etiquette to new students, warning them of the potential consequences of posting every drunken moment online. Ryerson has offered a tipsheet for new students this year, with recommendations such as “keep your social networks separate from your professional networks.” There’s also this terse reminder: “the Internet is timeless; a photo you post on the web will probably outlive you.” The career centre at Toronto’s York University offers a workshop to students wanting to learn how to use social media to find jobs, which includes a component on how to present oneself professionally online. Carleton University in Ottawa offers a similar program through its career centre, and — at the request of faculty members — offers presentations to classes. At Dalhousie University in Halifax, students who log-in to their internal email see an article posted to the web portal about online media titled, “Facebook: Don’t be so trusting.” The University of British Columbia has dubbed the danger the “digital tattoo.” The school has a website offering tips and workshops to help students think about their permanent presence online. The University of Western Ontario in London, Ont., trains and encourages peer mentors to warn new students about the dangers of uploading compromising photos or tweeting libellous comments. [Source]




US – Report Calls for National Database for Voting Machine Problems

A report from the Brennan Center for Justice calls on the US government to establish a public clearinghouse for electronic voting machine issues. The report cites several instances in which election officials in one state experienced trouble with voting machines only to discover that other election officials elsewhere in the country experienced the same problems at an earlier date. The report calls for establishing a publicly searchable database of voting machine issues; requiring the machines’ vendors to report problems to the database; granting a federal agency the authority to investigate voting machine issues and to enforce the requirements. [Wired] [Brennan Center]




US – Web Monitoring Software Co. to Pay $100k for Privacy Violation

New York’s Attorney General has reached a settlement with the manufacturer of software that allows parents to monitor their children’s activity on the Web, following a complaint to the Federal Trade Commission last year that the company was collecting and selling data about the children being monitored. The $100,000 settlement, reached by Attorney General Andrew Cuomo and EchoMetrix, requires that the company also refrain from analyzing or sharing any of the data it has access to, the report states. The complaint followed the company’s launch of “Pulse” software, which enabled data mining of teens’ Web activities both for parents and for marketing purposes. The company no longer offers the product. [MediaPost]


Electronic Records


US – Opinion: EHR Privacy Issues Must Be Addressed

Latanya Sweeney of Carnegie Mellon University cautions that for the Nationwide Health Information Network (NHIN) to be successful, privacy concerns cannot be overlooked. In a Modern Healthcare report, Sweeney writes, “A significant loss of privacy in the NHIN will render it useless and can cause serious personal harm as patients opt out and doctors find unforeseen ways to hide sensitive patient information.” She notes, however, that the list of meaningful uses for 2011 does not include privacy incentives. Without privacy, she writes, “It doesn’t take a doctorate in computer science to know the prognosis for the NHIN is not good, and it doesn’t require political sensitivity to know what public reaction will be.” [Source]


US – HHS Receives Thousands of Pages of Comments

The comment period for proposed changes to the HIPAA privacy, security and enforcement rules ended on Monday and the Department of HHS received thousands of pages of comments from hundreds of organizations. Those who commented highlighted concerns about the cost associated with allowing patients to restrict who sees their medical information and the provision requiring covered entities to modify their business associate agreements to reflect the latest modifications, the reports states. Some requested more guidance on the risk assessment requirement and many asked for the 180-day compliance deadline to be extended. [GovInfoSecurity]




UK – Unencrypted Flash Drive Found on Street Contains Police Data

A flash drive found on the street in Manchester, UK contains police anti-terror training information and personnel data. The device, which had a logo on it identifying it as belonging to the Greater Manchester Police Public Order Training Unit, was found outside a police station in Stalybridge, Greater Manchester. The drive was not encrypted. GMP Superintendent Bryan Lawton said his organization is looking into the incident. [SCMagazineUK] [The Register]


EU Developments


EU – Article 29 Data Protection Working Party Issues Opinion on Accountability

A new accountability provision in the General Directive would turn the general data protection principles into concrete policies and procedures (that are defined at the level of the controller), in compliance with applicable laws and regulations; such a general provision would focus on two main elements - the need for a controller to take appropriate and effective measures to implement data protection principles, and to demonstrate upon request that appropriate and effective measures have been taken. Common accountability measures may include the following non-exhaustive list - establishment of internal procedures prior to the creation of new personal data processing operations (internal review, assessment, etc.), setting up written and binding data protection policies to be considered and applied to new data processing operations (e.g., compliance with data quality, notice, security principles, access, etc.) which should be made available to data subjects, mapping of procedures to ensure proper identification of all data processing operations (and maintenance of an inventory of data processing operations), appointment of a data protection officer (and other individuals with responsibility for data protection), training and education to staff members, setting up of procedures to manage access, correction and deletion requests, establishment of an internal complaints handling mechanism and internal procedures for the effective management and reporting of security breaches, performance of privacy impact assessments and the implementation and supervision of verification procedures (internal or external audits, etc). In the longer term, the provision on accountability may foster the development of certification programs or seals; such programs would help prove to the Data Protection Authority that the data controller has fulfilled the accountability provision. [Working Paper 173]


EU – 7,500 Germans Rally for Greater Data Privacy

Some 7,500 people demonstrated Saturday in Berlin to express their concerns about personal data privacy as the German government and private companies amass giant databases, organisers said. Called out by numerous civic organisations and political parties under the banner of “Liberty Instead of Fear!”, the protestors denounced a government database which will collect information on wages, taxes and social payments. They also protested against electronic passports, electronic health insurance cards, and an accord allowing the United States to access EU banking information as part of anti-terror efforts. [Source]


UK – TalkTalk Criticized for Running Secret Anti-Malware Pilot

The UK Information Commissioner’s Office (ICO) has chastised Internet service provider (ISP) TalkTalk for not informing its customers or the ICO about running a trial of anti-malware technology. The system keeps track of the URLs of websites visited by TalkTalk customers and checks them for malware. TalkTalk customers were automatically included in the trial. The omission has been compared to BT’s silent testing of behavior tracking technology to help target online advertising to its users, which met with criticism. TalkTalk dismisses the comparison, saying its program is designed to keep its customers safe. [BBC] [ZDNet]


UK – ICO Warns Estate Agents to Notify

The UK Information Commissioner’s Office (ICO) is warning lettings and estate agents of their legal obligation to notify the ICO that they are handling people’s personal information. According to an ICO press release, only a small percentage of industry members are registered, despite the Data Protection Act requirement for all organizations handling personal information to register with the watchdog. The ICO has written to professional bodies, urging them to encourage their members to notify. ICO Head of Enforcement Mick Gorrill said, “We want to work with the industry to ensure all property agents meet the legal requirement to notify us.” If the encouragement is ignored, said Gorrill, “we will take action against those who flout the law.” [ICO Press Release]


Facts & Stats


US – Universities at Greater Risk of Data Breaches: Studies

A database security vendor says colleges and universities need to do more to secure their databases against break-ins. Application Security, which uses the name AppSec, reviewed data breaches in higher education, drawing from a variety of published sources. The data in its report, “An Examination of Data Breaches at Higher Education Institutions,” highlights increasing data-loss incidents at colleges and universities. The document cites data from Privacy Rights Clearinghouse to assert that “higher education institutions have experienced a substantially large number of data breaches - nearly 160 breaches and more than 2.3 million records breached since 2008.” By means of what the AppSec report calls a “forensic analysis,” the authors conclude that the most common methods used by attackers to gain database administrator privileges are:

Once they have access, attackers can sidestep logging mechanisms intended to record and track their activities. Techniques include: disabling logging completely; loading external libraries (a common database practice to add functionality) to execute code inside the database server process and gain access to process memory and database components; impersonating other database users to perform unauthorized actions; deleting or overwriting logs.

AppSec says some risks are unique to higher education. Among them:

Finally, the document recommends six “best practices” to secure education databases:

[Source] [] [PRC Chronology of Data Breaches] [US: Exposed student data leaves prying eyes wide open]


CA – Canadians Expect to Be Victims of Cyber Crime: Report

Nearly every Canadian who uses the Internet believes they will be the victim of cyber crime, a new report shows. While a whopping 99% of Canadians involved in the Norton Cybercrime Report: The Human Impact believe they will fall victim to some kind of online scam or phishing attempt, less than half of the people report it. It’s hard to say why. While 58% of Canadians are angry when it happens and 40% feel cheated, another 26% said they feel helpless when they’re the victim. As well, some people might feel embarrassed, like they should have known better, Hargrove said. Globally, the survey found 79% of people don’t expect cyber criminals will ever be brought to justice. [Winnipeg Sun]




WW – Haystack Privacy Tool Disabled Over Security Concerns

A software tool designed to help Iranian activists evade government surveillance and censorship online has been disabled due to concerns that the tool, known as Haystack, could reveal users’ identities. Haystack encrypts users’ traffic and hides it among other packets to avoid being detected by government censors. Flaws discovered in the tool’s code could be used by authorities to identify users. The tools’ developer maintained that it was in limited and controlled distribution, but other researchers found that it was readily available for download. The developers have asked people with copies of Haystack to destroy them. The software’s lead developer has resigned; those who remained with the company say they will have the code reviewed by third-party auditors and release it as open-source. [Wired] [Register] [BBC] [H-Online] [CNET]




US – Massive Cache of Iraq War Docs to be Published by WikiLeaks

A massive cache of previously unpublished classified U.S. military documents from the Iraq War is being readied for publication by WikiLeaks, a new report has confirmed. The documents constitute the “biggest leak of military intelligence” that has ever occurred, according to Iain Overton, editor of the Bureau of Investigative Journalism, a nonprofit British organization that is working with WikiLeaks on the documents. The documents are expected to be published in several weeks. []


US – Retiree Files Class-Action Suit

A Delaware woman has filed a class-action lawsuit after her personal information was exposed on a state Web site. The state confirmed this week that its benefits consultant, Aon Consulting, inadvertently included the Social Security numbers, birth dates and genders of about 22,000 state retirees in a document posted to the state’s procurement site. “She’s always going to have to live with the fear that her identity could be stolen,” said the attorney for the plaintiff. Ryan Calo of Stanford University Law School told the Daily Dashboard that even were none of the victims of the breach to suffer identity theft, “the law ought to recognize the subjective apprehension they’ll experience, never quite knowing whether their finances or credit will one day be compromised. One way to mitigate this form of harm is to provide free credit monitoring,” said Calo, who has written a paper on the “Boundaries of Privacy Harm,” which will be published next year. [The News Journal]


UK – Secret Dossier of Lawbreaking Trouble for Rupert Murdoch...and David Cameron

The News of the World paid a private detective to provide hundreds of pieces of confidential information, often using illegal means, a confidential document obtained by The Independent has revealed. The “Blue Book”, a ledger of work carried out by Steve Whittamore for News International titles, including the NoW and The Sunday Times, details a series of transactions including obtaining ex-directory phone numbers, telephone accounts, criminal records checks and withheld mobile numbers. It reveals the itemised details of checks on public figures, including Peter Mandelson, ordered and paid for – at up to £750 a time – by reporters working for the redtop. Staff from a number of other national newspapers made similar requests, and their details are contained in further dossiers held by the Information Commissioner, the privacy watchdog. [The Independent]


Health / Medical


US – Police Want Prescription Database Access

The North Carolina Sheriffs’ Association has asked for access to a state prescription drug database, and that has people worried about “local law enforcement looking over who is prescribed what, without warning or a warrant.” Since 2007, the report states, NC pharmacists have been required to report the filling of prescriptions for controlled substances scheduled by the Drug Enforcement Agency to a Department of Health and Human Services database. “If law enforcement wants access to that kind of private information, they should have to go get a warrant,” said Sarah Preston of the NC ACLU. The State Bureau of Investigation can already access the database in drug investigations, the report states, and privacy advocates are concerned about any expansion. [Greensboro News & Record]


US – University Hospital Fined $250,000 for Breach

California Department of Public Health (CDPH) officials have fined Lucile Salter Packard Children’s Hospital at Stanford University $250,000--the maximum amount allowed under state law--for failing to report a breach of 532 patient medical records due to the theft of a hospital computer. The records included such information as names, dates of birth, procedures and Social Security numbers. The hospital, which is appealing the decision, has stated that when it was determined the computer could not be recovered, the incident was reported to the CDPH, federal authorities and families of potentially affected patients. Under California’s failure-to-notify penalties, which are unique in the U.S., state health officials have issued more than $1.8 million in fines against 143 hospitals for failing to report a variety of incidents including breaches of medical records, the report states. [HealthLeaders Media]


US – Hospital: Tapes Gone, No Letters to be Sent

A Massachusetts hospital has concluded its investigation into the disappearance of backup computer tapes containing the personal information of approximately 800,000 individuals. “All available evidence indicates that the files are unrecoverable and that there is little to no risk that information on the files has been or could be acquired,” the South Shore Hospital said in a statement. Investigators concluded that the tapes were probably sent to a commercial landfill, according to the report. Hospital officials have determined that they will not send notification letters to those potentially affected. That decision has drawn the ire of Mass. Attorney General Martha Coakley. [The Boston Globe] [Mass. AG Objects to Hospital’s Decision Not to Notify Data Breach Victims Personally]


Horror Stories


US – Hotel Systems Hacked

HEI Hospitality, the owner of Marriott, Sheraton, Westin and other hotel brands, is the latest in a growing number of operators to announce a breach of its point-of-sale system. HEI sent letters to 3,400 customers informing them that their credit card data may have been compromised when hackers intruded on several of its hotels’ payment systems between March and April of this year. According to the report, an HEI spokesman said there is no evidence that any of the exposed data has been misused, and the company is offering affected customers one year of free credit monitoring. [Computerworld]


UK – FIFA Fan Database Allegedly Stolen and Sold

The UK information Commissioner’s office (ICO) has launched an investigation into allegations that someone sold information from a database of FIFA World Cup Soccer tournament attendees for GBP 500,000 (US $770,000). The data breach appears to affect as many as 250,000 people who purchased World Cup tickets from FIFA outlets for the 2006 World Cup event that was held in Germany. Investigators are trying to determine who stole the information and why that database was not destroyed. The compromised data may include passport information. [DailyMail] [Guardian]


Identity Issues


CN – China Now Requires Identification for Cell Phone and SIM Card Purchases

As of September 1, people purchasing cell phones or SIM cards in China will need to provide identification, according to a government order. The rule applies to people setting up new accounts; people holding accounts already will eventually be required to provide identification as well. The Chinese government says the new rule is aimed at combating spam, pornography and telecommunications fraud, but it has been observed that it will also expand the government’s ability to monitor communications. China is not alone in seeking access to communications data. India has asked BlackBerry to allow the government to monitor BlackBerry communications and proposed legislation in the US would require people purchasing prepaid cell phones to provide identification. [NYTimes] [Washington Post] [CNET]


IN – UID an Assault On Individual Liberty, Say Activists

The Centre’s plan for a unique biometric-enabled number to every Indian resident is facing opposition from social activists who say it will impact civil liberties — state-citizen relations and privacy. Members of the National Advisory Council (NAC) and other organisations have expressed their dissent against the Unique Identification Authority of India (UIDAI) — the nodal agency responsible for implementing Aadhaar. The Central Employment Guarantee Council (CEGC)) had also raised concerns, objecting to the linking of the UIDAI project to the National Rural Employment Guarantee scheme. Anil Chaudhury, a member of Indian Social Action Forum (INSAF), said the UID scheme violates right to privacy and the state can misuse it for targeted attacks and discrimination against certain communities. Wilfred Dsouza of INSAF argued that a centralised identity pool is always fraught with risks. It can be hacked and misused by terrorists. He said the Labour Government had faced opposition from the Tories on similar grounds when it tried to introduce the Identity Cards Act 2006. The UK Home Secretary had been quoted as saying that the “The national identity card scheme represents the worst of government. It is intrusive and bullying. It is ineffective and expensive. It is an assault on individual liberty that does not promise a great good.” [Source]


WW – Facebook Introduces Remote Device Logout Feature

Facebook is introducing a feature that allows users to check if they are logged into their accounts through other computers and log out of those active sessions remotely. This feature builds on a notification feature that Facebook introduced earlier this year that alerts users when other devices log into their accounts. Multiple devices logged in to the account can occur when users access their Facebook accounts through friends’ computers, through a public computer such as one at a library, or through other devices. In addition, Facebook accounts are increasingly being hacked and used by spammers to send out their unsolicited messages. [eWeek] [CNET] [PCWorld]


US – License Plates Used for Public Messaging

Apps that read license plates can send notes to their owners, and help businesses track customers. Next time you’re stuck in traffic, take a look at the license plates on the cars around you. To a user of launches today--each one is like an email address that can be used to contact the owner, whether to tell them a rear light is out or that you like their bumper sticker. “To send a message you just need to specify state and plate,” said Bump’s VP of technology John Albers-Mead. Anyone that has registered their license plate can pick up those messages while an upcoming smartphone app—initially for iPhone but later Android too—will use image recognition to make sending messages easier. When using it you simply snap a photo of a license plate after which it is processed in the cloud to direct your message appropriately. : [Technology Review]


WW – Paper Argues IP Addresses Are PII

In a paper published in the DePaul Law Review, Joshua J. McIntyre writes about the potential to use IP addresses to “expose the individuals behind the computers.” His paper, entitled “The Number is Me: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information,” explores various definitions of PII, concluding that IP addresses are “functionally similar” to other types of PII and should be similarly protected by law. According to the paper’s abstract, “While various federal statutes protect similar data, such as telephone numbers and mailing addresses, as Personally Identifiable Information, federal privacy law does not sufficiently protect IP addresses.” [Source]


Intellectual Property


CH – Court: File Sharers’ Privacy Infringed Upon

The Swiss supreme court has ordered a company to stop collecting information on suspected illegal file sharers, saying the practice breaches sharers’ privacy rights. Logistep AG’s distribution of file-sharers’ information to film and music companies seeking to protect their copyrights is a significant infringement of privacy rights, a Lausanne-based Federal Tribunal said in a Wednesday ruling. The information distributed included IP addresses, which the court said are protected by Switzerland’s strict data protection laws. [Associated Press]


Internet / WWW


WW – Researchers to Create a Privacy Dictionary

Researchers at four universities in the UK are working to create an automated privacy dictionary to assist researchers studying privacy. Disputes on what criteria belong to the concept of “privacy” have hampered research thus far, according to the paper’s abstract. “The lack of a clear definition or consensus on privacy, along with the need to avoid priming questions, suggests that without methodological tools that help capture a nuanced and broad perspective on privacy, privacy-related content may end up being ignored in favor of more easily coded themes,” the report states. [SSRN]


WW – Web’s Creator: Mobile Devices Require Privacy Rethink

The creator of the World Wide Web believes that mobile devices will continue to evolve and pose new privacy challenges. Speaking at a conference on Wednesday, Sir Tim Berners-Lee shared concerns around the development of mobile technologies, noting that geolocation features are the “tip of the iceberg,” and such devices may eventually be able to monitor everything from where users are to how they feel. “The problem that has not been worked out yet is how to allow a user to share their location while still making it easy for them to understand when they’re sharing critical information, how much control they have over that information and who can access that data.” [ReadWriteWeb] [Mobile Banking: How Secure Is It? ]


WW – Unabomber’s Victims Fear He Could Post Writings

It has been nearly 15 years since the arrest of Ted Kaczynski, aka the “Unabomber,” and yet his ability to terrorize the public persists. Now, survivors of his mail-bomb attacks and victims’ families are haunted by the fear that the Harvard-educated mathematician might upload 40,000 pages of his writings and other documents to the Internet. “My primary concern is privacy for everybody,” Gary Wright, a victim of one of Kaczynski’s terrorist attacks, told AOL News. “Nobody’s personal information [should go] out there.” [Source]


WW – Regulators Raise Cloud Concerns

Concerns about the Safe Harbor Framework voiced recently by Schleswig-Holstein Data Protection Commissioner Thilo Weichert illustrate the importance of developing transparency and standardized policies in the cloud computing market, ReadWriteWeb reports. Referencing a report from the Information Law Group that, despite the German regulator’s concerns, there is no “imminent danger of a European crackdown,” the report points to questions that still remain about protecting personal information in the cloud. “European authorities have a reputation for strict data protection requirements. That’s not going to change,” the report states. “It’s just a question what effect the law will have on the technology itself as privacy takes center stage.” [Source]


Law Enforcement


US – Virginia Court: Police Can Use GPS to Track Suspect

The same GPS technology that motorists use to get directions can be used by police without a warrant to track the movements of criminal suspects on public streets, the Virginia Court of Appeals said. In a case that prompted warnings of Orwellian snooping by the government, the court unanimously ruled that Fairfax County Police did nothing wrong when they planted a GPS device on the bumper of a registered sex offender’s work van without obtaining a warrant. According to the court, citizens have no expectation of privacy on public streets. The use of the GPS system provided police with the same information they could get by physically tailing a suspect, the court said. [Source]


CA – Social Network Sites Are ‘Unsupervised Playground’: Police Study

A Nova Scotia police force conducted a five-week study to gauge teenagers’ use of social networks. Supervised by Truro police, university students created fictitious profiles to garner “friends” between the ages of 12 and 17. Two out of the nearly 300 teens who received the friend requests refused them, the report states. Constable Todd Taylor described the findings as “astounding.” [The Globe and Mail]




WW – Smartphones Unwittingly Stealing Our Privacy

A new website, almost threateningly called, is exposing the privacy hole left by many smartphones. The site amalgamates twitter updates and modifies them to include the GPS data of where the information was gathered, posting maps and co-ordinates of where the person was when the tweet was sent with each tweet. The site was created by a group of computer security professionals because they “don’t feel that enough people realize what kind of data they are posting.” “After analyzing your photos, someone could find out where you live, who else lives there, your commuting patterns, where you go for lunch each day, who you go to lunch with, why you and your attractive co-worker really like to visit a certain nice restaurant on a regular basis,” and other things. Every time a smart phone with a GPS chip clicks to snap a photo, it automatically tags that photo with the exact GPS co-ordinates where that photo was taken. In many phones, this feature is turned on by default, and many consumers don’t even know it. [Source]


US – Senators Push for Cell Phone Law

Senators Ron Wyden (D-OR) and James Risch (R-ID) are drafting legislation to set regulations for government collection and use of cell phone geolocation data. Cell phone service providers track the location of phones in order to provide services, and increasingly, police and courts are requesting this information to assist in investigations. “I was struck by the fact there was no legal framework to make clear how this information is protected. It’s become a huge legal quagmire,” said Wyden. The senator says the bill is to be modeled on regulations for wiretapping, with a requirement that authorities “show cause and a real basis in evidence” to access the information and penalties for surreptitiously tracking someone. [The Oregonian]




TK – Turkey Launches Wiretap Investigation

A top military commander in Turkey has requested the army to investigate widespread allegations of illegal wiretapping against thousands of people. The scandal-scarred Deputy Chief of General Staff Gen. Aslan Guner said in a written statement that an administrative investigation had been launched upon his request to probe the allegations. The general is accused of illegally wiretapping 2,000 people in 2007 via an Israeli device he obtained as the head of Turkey’s military intelligence in a supposed effort to listen to members of the outlawed Kurdistan Workers’ Party, also known as the PKK. [Source]


Online Privacy


US – Judge: No Privacy for ISP Subscribers

In a case aimed at those who download movies from peer-to-peer networks, U.S. District Court Judge Rosemary Collyer has ruled that ISP subscribers have no “cognizable claim of privacy in their subscriber information.” In making that determination, Collyer noted that users “already have conveyed such information to their Internet service providers.” Some legal scholars, meanwhile, maintain that IP addresses should be protected as PII. Collyer’s rationale also contradicts another court’s ruling, the report states, referencing a two-year-old decision by the New Jersey Supreme Court “that citizens have a reasonable expectation of the subscriber information they provide to Internet service providers--just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by companies.” [MediaPost]


US – Class Lawsuit Claims Fox Hacks Into Computers

A class action claims Fox Entertainment Group hacked into millions of computers to install “rogue, cookie-like tracking code” to snoop on people who visit Fox’s “American Idol” website. The class claims Fox and Clearspring Technologies committed crimes, circumvented privacy settings, and that the rogue devices reinstall themselves even if their victims can find and delete them. Lead plaintiff Erica Intzekostas claims Fox and Clearspring Technologies concocted the plan “so they could help themselves to users’ personal information, and continue doing so for as long as defendants liked without ever having to ask or take a user’s ‘no’ for an answer. In fact, users’ ‘no’ answers were the reason defendants devised the scheme in the first place.” Intzekostas claims Clearspring developed a system to install cookies on users’ computers on behalf of advertisers such as Fox, along with a backup cookie that runs through Adobe Flash Player. That way, if a user deletes the first cookie, the “flash cookie” would “re-spawn” the tracking device, according to the federal complaint. Adobe Systems “condemned” the practice in a January 2010 letter to the Federal Trade Commission. The class seeks restitution, disgorgement and punitive damages for computer fraud, computer crime, privacy invasion, trespass, unjust enrichment, and violations of consumer and business law. It also wants Fox and Clearspring enjoined from continuing their game. The class is represented by Avi Kreitenberg, with the Los Angeles officer of New York, N.Y.-based Kamberlaw. [Source]


US – Lawsuit: Advertiser Evaded Cookie Controls

A class-action lawsuit has been filed against Ringleader Digital, alleging the company tracks Internet users even after they delete cookies. The suit claims that the company uses an HTML5 feature to place a “Media Stamp” on mobile devices to allow the tracking of users’ Web activities without their knowledge or consent. “When a mobile Web site that uses Media Stamp is accessed, Ringleader’s own databases collect information from the mobile device,” the lawsuit states, assigning each device a unique number that is then stored by the company. The suit claims the company has violated both the U.S. Computer Fraud and Abuse Act and California’s Computer Crime law. A Ringleader spokesman has said the company will “defend its practices vigorously.” [OUT-LAW.COM]


UK – Opinion: Gov’t Needs to Clarify Cookie Law

The government has “let businesses down” by failing to clarify an EU directive on cookies that has privacy regulators and advertisers at an impasse and Web publishers “languishing in the middle, unsure whether their advertising is lawful or not,” according to an opinion piece in OUT-LAW.COM. The report states that UK officials failed to provide much-needed clarity by writing the “confusion into UK law, word for word.” The article suggests that the EU law is bad for business and consumers since it adds “confusion without improving privacy in any meaningful way...Regurgitating the directive’s wording, without any further guidance, is not helpful.” [OUT-LAW.COM]


WW – Researchers: Promises Fall Short in Compact Policies

The longtime tenets of know-say-do have been incorporated into the development of many privacy policies. According to the findings of a recent Carnegie Mellon University study, when it comes to the compact policies (CPs) created for the Platform for Privacy Preferences (P3P) protocol, industry may be falling short of doing what it says it is doing. Researchers from CMU’s CyLab analyzed the CPs of more than 33,000 Web sites, finding errors in one-third of them. “Our work identifies potentially misleading practices by Web administrators, as well as common accidental mistakes,” the researchers write in the report’s abstract. “It appears that large numbers of Web sites that use CPs are misrepresenting their privacy practices...” The CyLab project is one of the first major studies to call out significant noncompliance with P3P standards. [Source]


UK – Analysis of UK ICO Personal Information Code of Practice

Summary: When it is indeterminate whether information about a particular person is being collected, treat all the information collected as though it was personal data; avoid holding personal data in a form that identifies people explicitly (pseudonyms can allow individuals to identify themselves to other users of an online service, or to personalise an account, without revealing their real world identities). Processing can take place even if no obvious identifiers (e.g., names, addresses) are held; a difficulty arises collecting information online because non-obvious identifiers (e.g., cookies or IP addresses) are linked to a device rather than a particular user, (the device may have multiple users which may make it impossible to tell whether the information obtained is about a single user or group of users). The providers of services aimed at particular age groups (children of primary school age or in their early teens) should ensure that they only collect personal data in a way that their core audience is likely to understand, and parents would be unlikely to object if they knew about it; seek parental consent if the collection or use of information about a child is likely to, e.g., result in disclosure of a child’s name and address to a third party, or publication of a child’s image on a website that anyone can see. Ensure technical protection is up to date (install anti-virus software and keep it updated and security patches as soon as they become available) and allow staff to access only the information they need to do their job (use appropriate access permissions, and secure access controls). Give individuals as clear and simple an explanation as possible of what happens when they access a service, and how information about their visit is collected and analysed (e.g., being served an advertisement for a particular product); the explanation should be given due prominence and be expressed in terms most visitors to a site could understand (a more visual or ‘diagrammatic’ approach can be a good way of explaining how the technology works). Set privacy defaults to reflect the likely wishes and expectations of the individuals dealt with, and the nature of the business. [Source] [ebook]


US – Bing Could get Access to Anonymized Facebook Data

Microsoft and Facebook are in talks to further strengthen their search partnership, possibly resulting in Bing gaining access to anonymized data generated by Facebook users to better personalize its search results, according to anonymous sources cited by All Things Digital. Microsoft would be able to use the information from Facebook’s Like buttons, which the social giant has managed to have plastered all over the Web. When a user likes a webpage, their Facebook friends are notified; if this deal goes through, Microsoft would also be able to know which webpages users are appreciating, and would be able to work that into Bing’s algorithms (it could be particularly useful for Bing News), instead of just relying on spiders scouring the Internet. With Facebook’s 500 million users, such a deal could give it quite a boost over Google, which presumably would be excluded from the data. The sources did point out an important hurdle though: because of Facebook’s many privacy issues, the possible expansion of the search relationship would only be able to encompass information which users have already agreed to make public. All Things Digital emphasizes there’s no deal yet—the talks could fall apart. Both Microsoft and Facebook declined to comment on the report. [Source] See also: [Facebook may help crack Mariam case, police say] See also: [Facebook Privacy Settings: Who Cares? by danah boyd] and [Schneier: A Revised Taxonomy of Social Networking Data] and [Thieves Robbed Homes Based on Facebook, Social Media Sites] [NetworkWorld: Microsoft’s Davis on Privacy: Your Digital Life Data is Bankable Currency]


WW – Google Instant Gives Users As-You-Type Search Results

Google has announced a new feature that will allow users to get search results as they type their queries. Google Instant is designed to speed search results. It’s about search as you type, according to Google’s VP of search products and user experience. “We think it’s possible to enter a query and get search results as you type,” she said. “It’s search before you type. We’re predicting what query you’re likely to type.” The announcement is a major salvo in Google’s ongoing battle for search market share with Microsoft Corp. ‘s Bing search engine . This rivalry has been spurring innovation, bringing new features, such as real-time search and Google Goggles, in the last year. [IT World Canada]


Other Jurisdictions


EU – EC Backs Off From Data Sharing Plan With Israel

The European Commission (EC) has put the brakes on a plan to share information about European Union citizens with Israel in light of issues raised by the Irish government. Assassins allegedly used forged Irish passports in a plot that took the life of a Hamas operative in Dubai. The operation was allegedly carried out by Israeli agents. The EC withdrew a procedure that would recognize Israeli protection standards as being consistent with EU standards. In Israel, manually gathered data are not held to the same level of protection as digital information. [RTE]


NZ – Parliament Passes Cross-Border Data Bill

New Zealand lawmakers have passed a bill that could bring them closer to the European Union’s coveted “adequate” status when it comes to cross-border data transfers. reports that the New Zealand Parliament passed The Privacy (Cross-border Information) Amendment Act on August 26. “The government recognizes that in today’s difficult economic environment, we need to do everything possible to improve the international competitiveness of our businesses,” said Justice Minster Simon Power, who added that the new law allows businesses “to assure their international business partners that their customers’ personal information will be protected by the full force of the law.” [Source]


EU – Denmark: US to Gain Access to National Register

A new intergovernmental agreement would allow US authorities access to the Danish DNA and fingerprints registers in the hunt for criminals and potential terrorists. Lars Barfoed, the justice minister, has sent a draft of the agreement to parliament’s legal committee for approval. The move goes against the recommendations of national information authority the Data Protection Agency, which has argued that no control mechanisms exist to ensure the register would only be used for legitimate inquiries. US authorities have been pressuring Denmark for the cooperation, arguing that the access would greatly improve efforts to prevent terrorism and track down suspects. Denmark has already entered into a similar agreement with EU member states known as the Prüm Cooperation, expected to take effect in mid-2011. [Source]


AU – Communications Privacy Complaints Process Unacceptable

The Communications privacy complaints report, funded by the Australian Communications Consumer Action Network (ACCAN), noted that complaints were a “vital” element in privacy protection. It found the three commonly used complaint paths for privacy complaints in the communications sector, the Office of the Privacy Commissioner (OPC), the Australian Communications and Media Authority (ACMA), and the Telecommunications Industry Ombudsman (TIO), do not manage complaints effectively and are not delivering efficient regulation of privacy complaints. According to a statement from the ACCAN, the ACMA will, on average, resolve a privacy complaint in five days, the TIO in ten days, while the OPC takes an average of six months. The ACMA receives approximately 16,000 (mostly spam, general privacy complaints and “Do Not Call” complaints), the TIO about 5000 (general privacy complaints and internet related complaints) and the OPC, only about 110 complaints (general privacy complaints, telemarketing and internet complaints). [Source]


CZ – Czechs Block New Street View Photos From Google

For a second time, the Czech Office for Personal Data Protection (UOOU) has rejected Google’s request to collect information necessary to complete the photo imaging for its Street View mapping service. Reuters reports that UOOU spokeswoman Hana Stepankova said the ruling doesn’t ban Google from using photos it has already taken, and that if the company can ensure that the process can be done legally, the office may consider reversing its decision. While Google can publish only blurred images of individuals in the Czech Republic, the parties have not resolved whether it can include non-blurred images of car license tags and building facades, reports The Wall Street Journal. According to the report, Czech authorities are scheduled to release more information at a press conference on September 22. [Source]


IN – Stalker Held For Cellphone Photo In Privacy Test Case

A suspected stalker has been arrested for clicking a woman on his cellphone at the Netaji Bhawan Metro station, setting the stage for a test case dealing with privacy in public places in the age of ubiquitous digital gadgets. The accused, a 35-year-old mechanic living near Park Street, has been charged with “insulting the modesty of a woman, by word, gesture or act” under section 509 of the Indian Penal Code. Section 509 also states that a person is liable to face punishment for “intruding upon the privacy” of a woman. Offences proved under the act are punishable by simple imprisonment for a year or fine, or both. [Source]


Privacy (US)


US – Privacy Rights of the Deceased Could Change

The Center for Democracy & Technology (CDT) reports on a Department of Health and Human Services proposal to remove health information privacy protections for people who have been dead for 50 years. Currently, the law requires companies to contact the deceased’s relatives before using their medical data, but the proposed rule argues that it’s difficult to locate relatives for authorization and that waiting 50 years would protect the privacy of the deceased and their families. The CDT, however, disagrees. It argues that patients already withhold embarrassing conditions from doctors and will likely withhold information they believe may be detrimental to their legacies and could affect the privacy of their offspring. Meanwhile, some researchers are arguing that medical research on mummies invades their privacy because it does not allow for patient consent. [Source]


US – SIA Releases Privacy Framework

The Security Industry Association (SIA) has released its 12-point Privacy Framework to address privacy concerns related to the recording of video, the collection of personally identifiable information and the use of biometrics, RFID and other security technologies. “While security without privacy is possible, privacy without security is impossible,” Kathleen Carroll, the chair of the SIA Government Relations Department’s State & Local Policy Working Group, said in a press release. The guidelines, she explained, show practical ways to apply responsible privacy protection throughout the security industry. The guidelines include such recommendations as conducting privacy impact assessments, implementing privacy by design principles, adopting a breach notification plan and establishing a retention policy and limiting access to personally identifiable information to those who “need to know.” [Privacy Framework]


US – IAB Expected to Launch Certification Program

The Interactive Advertising Bureau (IAB) is expected to launch a program on Monday that will certify that online companies comply with self-regulatory guidelines. It is expected that the start-up Better Advertising will be tapped to assist in monitoring compliance, the report states. In addition, the icon designed last year to help Web users identify when ads are being served to them based on their browsing history is expected to undergo modifications before the online ad industry begins using it. The original “power i” icon was deemed too similar to other images. [MediaPost News]


US – Company Hit With $459 Million Judgment Over ‘Junk Fax’ Transmissions

A now-defunct home improvement company has been hit with a $459 million “junk fax” judgment following a four-hour bench trial, said plaintiffs attorney Marc B. Hershovitz. The case, originally filed in 2003, targeted American Home Services Inc. for sending unsolicited fax advertisements to 306,000 class members in violation of the Telephone Consumer Protection Act. “That’s $1,500 per class member,” said Hershovitz. “American Home Services really liked sending junk faxes.” The case is A Fast Sign Co. v. American Home Services, No. 2003CV77276. [Source]


US – Craigslist Yanks ‘Adult Services’ Section Without Comment

Craigslist pulled its adult services listings this week. Users now see a black bar with the word “censored” where the listings previously appeared. The move comes after years of pressure to remove the ads, including an open letter from 17 state attorneys general in late August. The letter said “sharp public criticism of craigslist’s Adult Services section reflects a growing recognition that ads for prostitution -- including ads trafficking children -- are rampant on it.” The attorneys general requested Craigslist take immediate action to stop accepting ads since it “cannot, or will not” screen them. The letter wasn’t Craigslist’s first scuffle regarding sex-related ads. The site formerly had an “Erotic Services” section that was shut down in May 2009. It was pulled after law enforcement filed suit, claiming the classifieds facilitated prostitution, and after the alleged “Craigslist Killer” was arrested. The “Adult Services” section took its place shortly after. Craigslist said the postings would require manual, human approval of all entries and cost $10. In October 2009, an Illinois judge dismissed the lawsuit saying intermediaries aren’t responsible when customers use their services to commit unlawful acts. [Source]


Privacy Enhancing Technologies (PETs)


WW – How Much Would You Pay for Web Privacy?

New companies aimed at helping people protect their online anonymity are facing a challenge, as many are reluctant to pay for Web privacy. With the majority of Internet users unaware of how their Web searches, posts and visits can be used by marketers and others, privacy company executives say many are uncertain about trusting their information to an unfamiliar company. As the founder of Web privacy company VaporStream put it, “Individuals don’t understand the risk of privacy online.” When it comes to protecting privacy online, the report states, “Overall, the Web-privacy industry remains fractured, with many free and for-purchase products tackling a range of risks. [The Wall Street Journal]


US – Airport `Naked Image’ Scanners May Get Privacy Upgrades

The concerns of travelers about new airport body-scanners, which led privacy advocates to sue the government, may soon be eased. L-3 Communications Holdings Inc. and OSI Systems Inc.’s Rapiscan, makers of the scanners for U.S. airports, are delivering software upgrades that show a generic figure rather than an actual image of a passenger’s body parts. The new display would mark sections of a person’s body that need to be checked. The revisions “certainly address most of the privacy concerns,” Peter Kant, a Rapiscan executive vice president, said in an interview. Every passenger will generate an avatar that “looks like a guy wearing a baseball cap,” he said. The Transportation Security Administration aims to add the software to the machines, which sparked complaints, as more airports get the scanners. Marc Rotenberg, president of the Electronic Privacy Information Center, a civil liberties group that sued the agency in July over the devices, said revising the machine software “makes a lot of sense” from an engineering standpoint. The upgrades don’t resolve privacy questions, said Rotenberg. The agency may someday decide it wanted to record passenger images or link scan results to traveler names, he said. “Over time there’s every reason to believe TSA would want to know the identities of passengers, because it would make threat detection more informed,” Rotenberg said. [] See also: [Regina Airport Authority unveils full body scanner]


WW – When Augmented Reality Bites

The emerging world of augmented reality (AR), the commercial promise of which “will almost certainly cement its future,” the report states. The future market for AR apps is expected to reach into the hundreds of millions of consumers, but “how much personal information will people be prepared to give away in order to reap the rewards of amusements like these?” the report asks. ReadWriteWeb blogger Chris Cameron says consumers “need more aware of what data they are sharing” and the founder of an online reputation management group says businesses must not overlook the “significant risks associated with these technologies.” [The Sydney Morning Herald]




Tracking Preschoolers With Location-Based Microchips

One U.S. school is using a $50,000 government grant toward establishing RFID technology to track preschool students, which a San Francisco Chronicle editorial says has created “very real privacy and safety concerns.” One county’s Head Start program is complying with federal requirements that it take attendance every hour using the Child Location, Observation and Utilization Data System (CLOUDS), which outfits the children in jerseys embedded with electronic locator chips. But school officials aren’t the only ones capable of picking up the chips’ signals; research has shown that informed criminals, for example, can trace the signals, too. “This isn’t the right solution,” the report states. “The privacy and safety of these very young children must outweigh the inconvenience of their teachers.” [RFIDWorld Canada]




US – NIST Issues Smart Grid Security Guidelines

The National Institute of Standards and Technology (NIST) has published “Guidelines for Smart Grid Cyber Security,” a three-volume, 537-page report aimed at “facilitat[ing] organization-specific Smart Grid cyber security strategies focused on prevention, detection, response and recovery.” The publication includes “high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors and other threats.” [InformationWeek] [GCN] [NIST Announcement] [Guidelines]


WW – Survey: Data Security Spending to “Skyrocket”

A recent global poll shows that corporate spending on data security will increase sharply. That’s because the number of companies reporting losses due to data breaches is up six percent from last year, the highest proportion to forecast an increase in the last five years, according to the PricewaterhouseCoopers (PwC) survey. More than half of respondents said their companies plan to increase spending on security technologies. But a PwC spokesman said technology isn’t always the problem. “Technical solutions are too frequently being prescribed for people problems,” he said. [ComputerWeekly] See also: [Companies Turn to Insdurance as Data-Loss Safety Net]


US – Groups Sue Government over Laptop Searches

A Montreal university student, the American Civil Liberties Union, criminal defense lawyers and photographers have filed a lawsuit challenging the policy permitting officers at U.S. borders to detain travellers’ laptop computers to search their contents without suspicion of wrongdoing. The suit, filed Tuesday in U.S. District Court for the Eastern District of New York, alleges the searches violate privacy and freedom of speech and asks that they require a warrant. A spokeswoman from the Canadian Civil Liberties Association says the suit may prompt constitutional challenges in Canada as well. The Bush-era search policies were updated with U.S. Department of Homeland Security revisions under the Obama administration last year to increase information available to travellers about the searches and set time limits. Some say those changes didn’t go far enough. [Toronto Sun] [Washington Post] [Wired] [ComputerWorld] [Montreal student sues U.S. over laptop search]


CA – SK Privacy and Security Awareness Month

Saskatchewan’s Justice Minister and Attorney General Don Morgan has designated September as Privacy and Security Awareness Month. According to a news release, the initiative is part of a government-wide effort to raise awareness about data privacy within government and will include workshops for government employees and the public. “Our government is committed to protecting the privacy of personal information in our possession or control,” AG Morgan said. “We are equally concerned about managing our records, keeping them secure and supporting the public’s right to access records.” [News Release]


US – Sensitive Company Information Bleeding Out the Door

According to a recent study in Europe by Ipswitch, a file transfer security vendor, 69% of IT managers transmit highly confidential data, such as payroll, financial and customer information, over the Internet using unsecured emails. And practically half of surveyed employees readily concede that at least once a week they send confidential or regulated content, the type of which could potentially require data breach notifications under governing laws if the content is stolen or lost. On top of this, 69% of those surveyed said that they send highly confidential information at least once per month simply using regular, unencrypted emails and attachments. Moreover, 34% report that they do so daily! In addition, 70% of respondents answered that they house company information on their PDAs, USB drives, and elsewhere through remote connections. While 62% of companies surveyed have security policies in place that detail how sensitive information must be secured for transmission, 72% admit that they do not have enough transparency to ascertain how data is transferred internally and externally. [Mondaq News]


US – GAO: Gov’t Contractors Have Inappropriate Access

A report by the Government Accountability Office (GAO) says that some government agencies have given contractors inappropriate access to and have not appropriately safeguarded sensitive materials, reports Security Director News. The report “Contractor Integrity: Stronger Safeguards Needed for Contractor Access to Sensitive Information” focused on the Departments of Defense, Homeland Security and Health and Human Services between May 2009 and September 2010 and found that nearly half the contracts the GAO reviewed did not protect “all relevant types of sensitive information that contractors may have had access to through the program offices they support.” According to a NextGov report, the GAO recommends that the White House instruct agencies to require vendors to sign nondisclosure agreements. [Source]


WW – Two Interesting Research Papers on Website Password Policies

Where Do Security Policies Come From? Abstract: We examine the password policies of 75 different websites. Our goal is understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength. We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.


The Password Thicket: Technical and Market Failures in Human Authentication on the Web: Abstract: We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in implementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of implementation quality exists with a general correlation between implementation choices within more-secure and less-secure websites, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of a standards is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password security. From an economic viewpoint, password insecurity is a negative externality that the market has been unable to correct, undermining the viability of password-based authentication. We also speculate that some sites deploying passwords do so primarily for psychological reasons, both as a justification for collecting marketing data and as a way to build trusted relationships with customers. This theory suggests that efforts to replace passwords with more secure protocols or federated identity systems may fail because they don’t recreate the entrenched ritual of password authentication. [Source: Bruce Schneier CryptoGram]




US – Court Rules Judges May Require Warrants to Access Cell Phone Location Data

A US federal appeals court has ruled that judges have the option to require prosecutors to obtain a warrant before accessing cell phone location data if judges believe it is justified. The US Court of Appeals for the Third Circuit did not address the question of whether such information is protected under the Fourth Amendment. [CNET] [Wired] [ComputerWorld] [MSNBC]


US – Judge Says FBI Must Obtain Warrant Before Requesting Cell Phone Location Data

A federal magistrate in New York has ruled that government investigators must obtain a warrant before using cell phone information to track a suspect’s location. Magistrate Judge James Orenstein’s ruling comes close on the heels of an appeals court decision that a suspect’s rights were violated when federal investigators used a surreptitiously attached GPS device on his car to track his whereabouts. The prosecutors in the case Orenstein heard cites a precedent of a 1983 case that ruled that tracking individuals’ alocations outside the home is the equivalent of physical surveillance, but Judge Orenstein said he “believe[s] that magistrate judges presented with ex parte requests for authority to deploy various forms of warrantless location-tracking must carefully re-examine the constitutionality of such investigative techniques, and that it is no longer enough to dismiss the need for such analysis by relying on” precedents. [The Register] [Regmedia]


US – EPIC Sues for NSA-Google Info

The Electronic Privacy Information Center (EPIC) has filed a lawsuit to require the National Security Agency (NSA) to divulge information about its agreement to help defend Google against foreign cyber attacks. EPIC filed its case on Monday, stating, “As of 2009, Gmail had roughly 146 million monthly users, all of whom would be affected by any relationship between the NSA and Google. In order for the public to make meaningful decisions regarding their personal data and e-mail, it must be aware of the details of that relationship.” According to national security expert Richard Clarke, there is probably not a significant privacy concern, “But the easy way for Google and NSA to prove that is by letting an outside group come in and find out.” [Los Angeles Times]


US – Echometrix Agrees to Stop Collecting and Selling Kids’ Chats

Attorney General Andrew M. Cuomo announced a settlement that stops the software company Echometrix from gathering information from children’s private online conversations and offering it to paying marketers. EPIC had complained to the FTC about Echometrix last year and the Dept. of Defense had subsequently canceled its contract with Echometrix in light of the complaint. Echometrix is a New York-based software company that sells parental Internet monitoring software which allows parents and guardians to keep track of what their children do on the Internet. In June 2009, Echometrix began offering a program to companies called “Pulse” that used its Internet monitoring software to secretly collect and analyze portions of children’s private online instant messaging conversations. Pulse was marketed as a way for third party companies to get insight into what children privately said about products and services. Echometrix did not disclose to parents and guardians that its Internet monitoring programs were collecting and analyzing children’s conversations for marketing purposes. Said Attorney General Cuomo. “This settlement prevents Echometrix from using the guise of children’s safety to undermine children’s privacy. Under the settlement, Echometrix has agreed that it will not analyze or share with third parties any private communications, information, or online activity to which they have access. Echometrix will also pay a $100,000 penalty to the State of New York. Echometrix, which cooperated with the Attorney General’s office, ceased offering the Pulse product after the Attorney General commenced his investigation. [Source] See also: [Keeping an eye on Mom and Dad]


Telecom / TV


IN – India Wants RIM and Other Communications Firms to Place Servers in the Country

India is now asking not only for Blackberry parent company Research in Motion (RIM) to put a server in the country so it can monitor Blackberry communications, but has now asked Google and Skype to provide servers in India as well. The Associated Press is reporting that Indian Home Secretary G.K. Pillai said “people who operate communication services in India should [install a] server in India as well as make available access to law enforcement agencies.” India is seeking to access Gmail data, which are encrypted. According to an Indian government press release, “Any communication through the telecom networks should be accessible to the law enforcement agencies and all telecom service providers, including third parties, have to comply with this.” In a separate story, a UN official who heads the organization’s International Telecommunication Union said that all governments engaged in combating terrorism have the right to request access to RIM customer data. [CNET] [MSNBC] [BBC] See also: [AP Interview: UN says BlackBerry should share data]


US – Google Updates Privacy Policy, Agrees to Pay US$8.5 Million to Settle Buzz Lawsuit

Google has reached an $8.5 million settlement in a class-action suit regarding its Buzz social-networking feature, PC Magazine reports. The agreement includes an acknowledgment that the company has addressed the privacy issues and the creation of a fund for “existing organizations focused on Internet privacy policy or privacy education,” the report states. The settlement was released on the same day that the company announced it will simplify its privacy policies--cutting the length of the policies by 22 percent. “To be clear, we aren’t changing any of our privacy practices,” Google officials wrote in the company’s official blog, noting “we want to make our policies more transparent and understandable.” However, Marc Rotenberg of the Electronic Privacy Information Center is questioning whether the changes will be good for Google users. The revisions go into effect October 3. [PCMag] [The Register] [BBC] [ComputerWorld] [NY Times] [New Privacy Policy] [FAQ]


US Government Programs


US – Tracking Systems in Almost Every State

The U.S. State Higher Education Executive Officers (SHEEO) have found that 44 states and the District of Columbia have student record systems in place collecting demographic and postsecondary enrollment data, AACRAO reports, with 39 states linking, sharing or exchanging data with other entities. Meanwhile, educators are opposing the collection of student Social Security numbers required by the Maine Department of Education. While schools are required to collect the information, some school officials are urging parents to exercise their option of not providing the data. When it comes to databases of student information, many advocates are concerned about the privacy implications and potential future uses of such repositories of personal information, the report states. [Source]


US – Growth in Shadow State: Special Investigative Report

The Washington Post has published a phenomenal piece of investigative journalism: a long, detailed, and very interesting expose on the U.S. intelligence industry. It’s a truly excellent piece of investigative journalism. Pity people don’t care much about investigative journalism – or facts in politics, really – anymore. [Source]


US – DHS IG Says Customs and Border Patrol Needs to Address Cyber Security Issues

According to a report from the Department of Homeland Security’s (DHS) Inspector General (IG), the US Customs and Border Patrol (CBP) has a number of cyber security issues to address. The report found that there was no regular review of employee access rights changes; no strong password enforcement; that systems were not configured to lock users out after a certain number of failed login attempts; that accounts were still active after 45 days of inactivity; and that users were not restricted to accessing the least amount of info necessary to perform their duties. [NextGov]


US Legislation


US – Connecticut Insurance Dept. Imposes Strict New Data Breach Rules

A new policy introduced by the Connecticut state insurance department requires all insurance companies conducting business in Connecticut to report data breaches to state authorities within five calendar days. The new policy applies to both paper and electronic records and applies whether or not the compromised data are encrypted. The rule supersedes rules in the HITECH Act which require that breaches of health insurance information be reported within 60 days and does not require companies to report breaches of encrypted data. Connecticut is gaining a reputation for being hard on healthcare data breaches; state Attorney General Richard Blumenthal recently became the first attorney general to sue a company for violating HIPAA. While the new policy applies to health maintenance organizations, preferred provider organizations and other health insurers, property and casualty insurers and medical discount plans, physicians and hospitals are not subject to the requirements. Under the new policy, organizations do not have the option of deciding whether or not the extent of the breach merits notification; all breaches are subject to notification. [GovInfoSecurity]


Workplace Privacy


WW – Google Engineer Fired for Violating Internal Privacy Policies

Google has acknowledged that it fired an employee in July for allegedly accessing user accounts without authorization. David Barksdale, a Site Reliability Engineer, allegedly accessed Gmail and Google Voice accounts of at least four minors. There are no allegations of sexual misconduct; it appears Barksdale was attempting to “impress [the teenagers] with his level of access and power.” According to a statement from Google senior vice president of engineering Bill Coughran, Google is “significantly increasing” log auditing to make sure privacy policies are being followed. Law enforcement authorities were not contacted about the incidents because one of the families has asked to remain anonymous. Barksdale is not the first Google engineer who was fired for privacy policy violations. [Register] [CNN] [MSNBC] [Wired] See also: [Mayo Clinic Employee Fired for Snooping] and [Former MI6 Software Engineer Gets One-Year Sentence for Attempting to Sell Information | Guardian] and, finally: [Jeffrey Evans, The Huffington Post: If Only Irony Had a Privacy Setting]


CA – B.C. Privacy Commish Sides With Man Who Lost Job Over Inaccurate Data

A man who lost his job when the Ministry of Children and Family Development (“the ministry”) recommended he be barred from unsupervised contact with the youth in a care facility has had his privacy complaint upheld by the Office of the Information and Privacy Commissioner. Robert Harrison complained that the ministry took no steps to ensure the accuracy of information concerning an old and unsubstantiated allegation of sexual abuse made against him before they used that information to recommend he be barred from unsupervised contact with the youth he was then employed to supervise. Adjudicator Mary Carlson found that the ministry breached its duty under section 28 of the Freedom of Information and Protection of Privacy Act, requiring them to take all reasonable steps to ensure that Mr. Harrison’s personal information was accurate and complete before they used it in the decision that directly affected him. [Source]