
Gov’t Privacy News Summary – Jan 23–31

My friend Fred puts together these awesome privacy news highlights and said I could cross-post…

So here we go:
Privacy News Highlights
23–31 January 2010

Contents:

US – NH House Passes Bill Banning Fingerprint IDs

CA – B.C. Names Acting Privacy Commissioner

CA – Privacy Commissioner Launches New Facebook Probe

CA – Canadians Wary of Online Privacy Promises: Government Survey

WW – 20-Somethings and Privacy

UK – Behavioral Targeting Faces Paradox

US – Government Posting Wealth of Data to Internet

AU – Teachers Face Fines, Pay Docked Over Student Privacy on Data Portal

US – Ruling Backs Palin’s Use of Private E-Mail for State Work

US – Poll: Citizens Don’t Trust Others with Medical Privacy

US – Healthcare Data Thefts Increasing

CA – Laptop Theft Highlights Security Issues

EU – New EU Laws Will Focus on Privacy and Social Networking

EU – EU Takes Legal Action Against Italy Over Databases for Telemarketing Purposes

UK – ICO Warns UK Companies: Report Breaches or Else

WW – Data Protection & Privacy Day Events

US – Study Saw Breach Costs Rise Again in 2009, Malicious Attacks Double

CN – China Mobile Assures Subscribers of Privacy

EU – Transatlantic Bank Data Deal to Take Effect Next Week

WW – Security Researchers Knock ‘Verified By Visa’

US – Group Says Patient Privacy at Risk in Takeover

US – Feds to Boost Fines for Health Data Breaches

UK – For Sale: Private Information on UK Gamblers

US – Recovered UCSF Laptop Contained Thousands of Patient Files

US – Vegas Hospital Admits Delay in Breach Action

CA – Toronto Teacher Data Exposed by Laptop Theft

UK – UK Police Engage Print Industry to Stop Fake IDs

US – Kids’ ID Theft in Focus

WW – Sharing “TMI” on Social Media Sites Helps ID Thieves

EU – Internet Companies Voice Alarm Over Italian Law

WW – Web Sites Let Online Lives Outlast the Dearly Departed

UK – Kid’s TV Presenters Stopped by Police Whilst Wielding Hairdryers

WW – Even Without Cookies, Browser Fingerprinting Provides Unique ID and Tracking

WW – Startpage Launches Anonymous Web Search Service

WW – Company Plans Release of Anonymous Browsing Tool

US – A Little ‘i’ Icon Unveiled to Teach About Online Privacy

US – FTC Convenes Second Public Discussion on Online Privacy

US – FTC Flash Focused at Roundtable

US – FTC Encourages Self-Regulation Innovation

US – Online Retailers Stop Sharing Customer Info

US – New York Examines Web Marketing ‘Scam’

UK – Defects in e-Passports Allow Real-Time Tracking

CA – McMaster University Researching RFID in Public Transit

US – Turnabout as Bank Sues Customer Hit by Cybertheft

UK – EU to Assess Piracy Detection Software

US – U.S. Pentagon Wants 3-D Surveillance

US – IAB Asks FCC to Steer Clear of Online Privacy Issues

WW – Mobile Phone Policies Undermining Privacy in Africa

US – Congressman Close to Introducing Privacy Bill

US – Mass. Likely to be Lenient on Breach Law Enforcement

Biometrics

US – NH House Passes Bill Banning Fingerprint IDs
The New Hampshire House of Representatives has passed a bill that aims to ban fingerprinting as a “reasonable” mode of identification. The bill follows criticism of a Bank of America policy that requires noncustomers to provide fingerprint identification when cashing a check. The new bill, NH HB 299, would amend an existing state law that lays out acceptable required forms of identification. The bill will next come before the Senate. Meanwhile, Bank of America has voluntarily agreed to stop its fingerprinting in New Hampshire. A Telegraph editorial suggests that every state ban fingerprinting until adequate safeguards exist to protect customers’ biometric data. [Nashua Telegraph]

Canada

CA – B.C. Names Acting Privacy Commissioner
Six days after former Information and Privacy Commissioner David Loukidelis resigned to accept another post within the British Columbian government, the province has named an interim commissioner. Paul Fraser, former conflict of interest commissioner, will assume the privacy commissioner role until a permanent replacement is appointed when the legislature reconvenes in the spring. The six-day delay in replacing Loukidelis had prompted some to suggest that the government does not take privacy seriously enough, but BC House Speaker Bill Barisoff said the delay was not excessive in order to accommodate the right choice of replacement. Last week, the executive director of the privacy commission circulated a letter labelled “extremely urgent” that said the work in the office was becoming quickly backlogged and no acting commissioner had been named despite a direct request to Premier Gordon Campbell. “It has been necessary to suspend the entire operation of the Office,” Mary Carlson said in the letter made public. [Globe&Mail] [Source] and [B.C.’s privacy office frozen, leaked letter says]

CA – Privacy Commissioner Launches New Facebook Probe
The Office of the Privacy Commissioner (OPC) has announced it is once again launching an investigation into Facebook. The probe comes on the heels of the OPC’s extensive investigation last summer that resulted in Privacy Commissioner Jennifer Stoddart ordering Facebook to change its policies and practices to comply with Canada’s privacy law. The new investigation is focused on a complaint alleging a tool introduced last month requiring users to review their privacy settings–a change Facebook made in response to the commissioner’s first investigation–actually exposes more personal information. The new complaint “mirrors some of the concerns that our office has heard and expressed to Facebook in recent months,” says Assistant Privacy Commissioner Elizabeth Denham. [National Post]

Consumer

CA – Canadians Wary of Online Privacy Promises: Government Survey
A government-sponsored survey indicates that only 6% of Canadians trust social networking sites to protect their personal information, compared with 79% of Canadians who don’t trust them at all. Along with an overwhelming lack of trust in social networking sites, the survey, commissioned by Natural Resources Canada to gauge the public mood about privacy and geospatial information, also found a very tepid response to street-view images of private homes, such as Google Street View. When asked if these images should be allowed in Canada, only 26% agreed compared to 36% who said they should not be allowed; 36% were neutral on the subject. Meanwhile, a strong majority – 74% – think it’s important for the federal government to regulate images of private residences appearing on Internet mapping tools. The online survey of 2,200 Canadians was administered last fall, just before the Canadian launch of Google Street View with a company commitment to blur all faces that were captured in the images. The survey was also completed after Facebook announced new safeguards to protect the privacy of users in response to demands from Canada’s privacy commissioner. [National Post] [Source] [Details]

WW – 20-Somethings and Privacy
A researcher at Australia’s Curtin University of Technology has published a paper on how certain Facebook users understand and navigate privacy concerns. The paper, which appears on the peer-reviewed journal site First Monday, builds upon a Canadian ethnographic study about the privacy concerns of younger users. Specifically, the research explores how a 20-something community of Facebook users in Toronto perceives privacy and how the users’ privacy concerns differ from those of others. The paper also explores ways that users attempt to enhance their social privacy and why users remain active on the site despite their privacy concerns. [Source]

UK – Behavioral Targeting Faces Paradox
According to a new poll, 95% of the UK’s Internet users say they are interested in receiving online marketing tailored to their interests. That’s good news for the interactive marketing industry. However, 77% of those same people say they always opt out of Internet marketing campaigns. The study also reveals that a quarter of consumers are rebuffing communication from brands they know and trust, up from 18% a year ago. “Through well-publicized instances of data breaches and the mishandling of personal information by large organizations, consumers are sensibly becoming more selective about who they share their personal details with,” said the DMA. [Marketing Week]

E-Government

US – Government Posting Wealth of Data to Internet
The Obama administration on Friday is posting to the Internet a wealth of government data from all Cabinet-level departments, on topics ranging from child car seats to Medicare services. The mountain of newly available information comes a year and a day after President Barack Obama promised on his first full day on the job an open, transparent government. Under a Dec. 8 White House directive, each department must post online at least three collections of “high-value” government data that never have been previously disclosed. The Transportation Department will post ratings for 2,400 lines of tires for consumer safety based on tire tread wear, traction performance and temperature resistance. The Labor Department will release the names of 80,000 workplaces where injuries and illness have occurred over the past 10 years. The Medicare database has previously been available for a fee of $100 on CD ROM. Under the Obama initiative, it can be downloaded free, providing detailed breakdowns of payments for Medicare services. The Medicare data will be sortable by the type of medical service provided. A National Highway Traffic Safety Administration database rates car seats for ease of use, evaluating the simplicity of instruction sheets, labels, vehicle installation features and securing the child. “We’re democratizing data,” White House Chief Information Officer Vivek Kundra said Thursday in an interview. Open government groups are supportive. All the new data collections will be added to the government’s Web site, data.gov. Required to release the three new data sets are the departments of State, Treasury, Defense, Justice, Interior, Agriculture, Commerce, Labor, Health and Human Services, Housing and Urban Development, Transportation, Energy, Education, Veterans Affairs, Homeland Security and the Environmental Protection Agency, the offices of the U.S. Trade Representative and the U.S. ambassador to the United Nations and the Council of Economic Advisers. [Source]

AU – Teachers Face Fines, Pay Docked Over Student Privacy on Data Portal
Teachers in Queensland, Australia will face fines or a pay suspension if they interfere with a new Web site intended to provide access to student learning results. Julia Gillard, education minister, says she is sending a stern warning that the Rudd government will take “any necessary action” to ensure the site contains as much information as possible. Myschool.edu, to be launched nationally this week, aims to give parents access to students’ literacy and numeracy tests, as well as student-teacher ratios and attendance rates. [Courier-Mail] [www.myschool.edu.au] See also: [Professor’s Request for Advice Allegedly Violates FERPA]

E-Mail

US – Ruling Backs Palin’s Use of Private E-Mail for State Work
An Alaska judge has sided with former Gov. Sarah Palin in a lawsuit over e-mail messages, finding that state law does not forbid the use of private e-mail accounts to conduct state business. The ruling Friday by Judge Patrick J. McKay of Anchorage Superior Court stems from a lawsuit filed by a critic of Ms. Palin, Andree McLeod. Ms. McLeod argued that Ms. Palin and the governor’s office had a responsibility to save e-mail messages related to state business as public records, regardless of the accounts they were sent through. The issue arose from a 2008 records request by Ms. McLeod that showed that Ms. Palin and members of her staff had been using private e-mail accounts. The traffic uncovered, though, was heavily redacted for what were deemed reasons of privacy. Ms. McLeod argued through her lawyer that use of private accounts obstructed the people’s right to inspect public records. But Michael Mitchell, state assistant attorney general, told Judge McKay that state officials should be able to decide what is or is not subject to public disclosure. In urging that the case be thrown out, Mr. Mitchell said last month that if the use of private accounts were to be banned for state business, the Legislature, not a court, should say so. On Friday, Judge McKay agreed. “The language in our case is clear — the Legislature simply chose to give state agencies some discretion in determining which e-mails are worthy of preservation and which are not,” he wrote. A records retention plan through the state archives also makes distinctions, he noted, and classifies messages not required to be retained as “transitory” messages, meant mainly for informal communications. 
“The Legislature is free to take up the matter,” Judge McKay wrote, “but as the statutes are currently written, private e-mail accounts may be used to conduct state business, subject to the same laws and regulations related to preservation as e-mails originating from state servers.” He also lifted a ruling that the governor’s office preserve for the life of the lawsuit all e-mail messages related to state business, saying the office could return to the rules set out by state law and the archives’ system. The original ruling was in October 2008. [Source]

Electronic Records

US – Poll: Citizens Don’t Trust Others with Medical Privacy
A new study by the Ponemon Institute suggests that the American public is not comfortable with a government-controlled national healthcare network. In a poll of 868 voters, only 27% said they trusted government to protect the privacy of their health records. Respondents expressed similar mistrust of tech companies that offer medical information services. This is in contrast with 71% who said they trusted hospitals and clinics with the same responsibility. “There’s a lot of angst around centralizing this information, no matter whether it’s managed by private enterprise or government,” said Ponemon Institute Chairman Larry Ponemon, CIPP. [Forbes]

US – Healthcare Data Thefts Increasing
According to managed security firm SecureWorks, incidents of medical information theft in the fourth quarter of 2009 were double the previous three quarters, InfoSecurity.com reported. In a statement, SecureWorks said hacks and botnet attacks were responsible for many of the thefts, and that healthcare organizations represent attractive targets for hackers not only because of the information they collect, but also because of their inherent vulnerabilities. “Because of the nature of their business, healthcare organizations have large attack surfaces,” said SecureWorks in an analysis of the healthcare attack figures. [InfoSecurity]

Encryption

CA – Laptop Theft Highlights Security Issues
The theft of computers containing private data on 8,600 Toronto teachers has highlighted the need to “encrypt” sensitive material on all portable computers, warns an Ontario privacy official. Information including addresses and social insurance numbers for the elementary teachers was stored on three laptops stolen Dec. 3 from an Ontario Teachers’ Insurance Plan office in Waterloo. While police have called the theft a simple “smash and grab,” OTIP, which had not encrypted the information to make it harder to decode, is offering affected teachers free advice on protecting their identity. [Source]

EU Developments

EU – New EU Laws Will Focus on Privacy and Social Networking
On Thursday, January 28—International Data Protection Day—Viviane Reding, the EU’s new commissioner in charge of fundamental rights, spelled out her agenda for Internet privacy. A comprehensive review of the 1995 Data Protection Directive will be among her first priorities. Reding said this week, “Whether we want it or not, almost every day we share personal data about ourselves.” Reding named social media, specifically, in outlining her goals for privacy protection. “Data are being collected without our consent and often without our knowledge. This is where European law comes in.” She is calling for “a change of approach” that focuses on protecting data and personal privacy right from the start rather than responding only after a new product or service is developed. [euobserver.com] [EurActive]

EU – EU Takes Legal Action Against Italy Over Databases for Telemarketing Purposes
The European Commission (EC) on Thursday took legal action against Italy for non-compliance with EU ePrivacy rules. The EC sent Italian authorities a formal notice for failing to notify individuals about the transfer of their personal information from phone directories to a marketing telecommunications database, the release states. “Not only is it worrying to see that Italian legislation does not comply with the privacy requirements set out in the [EU ePrivacy] Directive,” said EU Telecoms Commissioner Viviane Reding. The commission is also concerned that Italian authorities failed to gain the consent of those whose personal data was affected. Italy has two months to reply. [EU commission press release]

UK – ICO Warns UK Companies: Report Breaches or Else
The Information Commissioner’s Office (ICO) has issued a warning to UK businesses: report your breaches or face stiff sanctions. The ICO said that only 800 data breaches have been reported to its offices in the last two years, but that it is eager to work with companies that suffer a data breach to help address the situation. Deputy Commissioner David Smith said, “Talking to us may of course result in regulatory action. However, organizations must act responsibly; those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions.” [eGov Monitor]

Facts & Stats

WW – Data Protection & Privacy Day Events
January 28th was Data Protection and Privacy Day. Events around the world marked the occasion. In Brussels, the European Parliament, European Commission and EDPS hosted a variety of workshops and the winners of the “Think Privacy” competition will be unveiled. In Canada, events were held in Newfoundland and Labrador, Ontario, Alberta and elsewhere, with regulators and companies hosting various forums. For a comprehensive list of global events, visit the Data Privacy Day Web site. After hours, privacy pros will gather in cities across the world for IAPP Privacy After Hours events.

US – Study Saw Breach Costs Rise Again in 2009, Malicious Attacks Double
According to the Ponemon Institute’s annual Cost of a Data Breach study, released today, the financial impact of a privacy failure rose to a per-record average of $204 and a per-incident average of $6.75 million. Breach costs have risen every year since the study was first launched in 2005. The Ponemon Institute also found that breaches that were the result of malicious attacks doubled from 12% in 2008 to 24% last year, and for the first time, data-stealing malware was cited as the cause of a data breach. The Ponemon Institute’s study was derived from a case-study analysis of 45 actual data breaches affecting companies in a broad variety of industries. [CNET]

Filtering

CN – China Mobile Assures Subscribers of Privacy
China Mobile, China’s largest mobile communications service provider, is responding to allegations that it is filtering subscriber text messages in search of pornographic content by assuring the public that their privacy is safe. Concerns over filtering and surveillance arose after China Mobile installed a filtering system designed as a hedge against “unhealthy” Web content. “The freedom and privacy of individual users enjoys legal protection,” said Li Kang of China Mobile. “China Mobile will do its best to protect consumers’ rights and interests strictly in line with the relevant laws and regulations.” [CIOL.com] [China Mobile to Stop Vulgar Texts]

Finance

EU – Transatlantic Bank Data Deal to Take Effect Next Week
A financial data-sharing agreement between the U.S. and EU will go into effect next week despite the European Parliament’s request for a delay. The so-called SWIFT agreement, which gives American officials access to the banking transaction data of European citizens to aid counter-terrorism efforts, will take effect on February 1. Members of Parliament (MEPs) and European Data Protection Supervisor Peter Hustinx have expressed concerns about the deal’s privacy consequences, calling it a “privacy-intrusive” agreement that is insufficiently justified. MEPs will vote on the agreement the week of February 8. [European Voice] See also: [Swiss Court Prohibits Release of UBS Client Data]

WW – Security Researchers Knock ‘Verified By Visa’
The “Verified by Visa” credit-card authentication system has come under criticism from Cambridge University researchers, who say it is training online shoppers to adopt risky security habits. The researchers are concerned that online buyers have no visual verification that a pop-up box is a valid part of the credit-card transaction. [CNET] [Research Paper]

Health / Medical

US – Group Says Patient Privacy at Risk in Takeover
The Connecticut State Medical Society is asking Attorney General Richard Blumenthal to investigate the privacy implications of United Health Group’s takeover of HealthNet. The Medical Society alleges that the $510 million deal will give United Health wrongful access to the personal health records of hundreds of thousands of state customers, the report states. AG Blumenthal confirmed that his office had received the request and that the takeover “raises serious questions.” Blumenthal filed suit against HealthNet of Connecticut earlier this month for the company’s 2009 data breach that affected 446,000 people. [newstimes.com]

US – Feds to Boost Fines for Health Data Breaches
Breaches of health data security, such as recent episodes involving missing laptops or storage devices at Kaiser Permanente and Health Net, could be subject to tougher federal regulations by mid-February — including up to $1.5 million in fines for privacy violations. New federal mandates “make it much more risky to be non-compliant,” said Glen Day, a Booz Allen Hamilton consulting principal based in Los Angeles. Day said the new federal guidelines are on top of California’s own privacy rules, which are among the strictest in the nation. Under regulations attached to the federal stimulus package, if a health care organization suffers a breach involving more than 500 records, it has to inform enrollees about the incident through the media. Any breach of 50 or more records can be recorded on the U.S. Health and Human Services’ web site, Day said. A central objective of the new law is “to strengthen what’s already there,” and to encourage encryption of sensitive information. If encrypted data is lost, “the chance of it being (inappropriately) accessible is almost nil.” [Source]

Horror Stories

UK – For Sale: Private Information on UK Gamblers
A data theft has hit British bookmaker Ladbrokes, compromising the confidential data of 4.5 million of the gambling house’s customers. The Mail became aware of the theft when an individual identifying himself as “Daniel” contacted the paper and offered to sell information on 10,000 Ladbrokes’ customers. The paper said it immediately contacted Ladbrokes and the Information Commissioner’s Office, which has launched an investigation. “Daniel” claimed to be a former Ladbrokes computer security expert now working for DSS Enterprises in Melbourne, Australia. DSS founder Dinitha Subasinghe denied any involvement in the case. [Daily Mail]

US – Recovered UCSF Laptop Contained Thousands of Patient Files
The University of California San Francisco (UCSF) is alerting 4,400 patients that their medical files were potentially exposed after the November theft of an employee’s laptop, which was later recovered. The files contained patients’ names, medical record numbers, ages and clinical information. Patient records from the employee’s prior workplace, Beth Israel Deaconess Medical Center in Boston, are also at risk. Tougher federal regulations on breaches of health data may be enforced as of mid-February. [San Francisco Business Times]

US – Vegas Hospital Admits Delay in Breach Action
Officials at University Medical Center in Las Vegas have admitted that there was a protracted period of data theft occurring at the hospital and that they only took action after the Las Vegas Sun contacted them about the incident. The Sun reports that it contacted the hospital in November when it learned of an insider scheme to steal medical files and sell them to personal injury attorneys. The hospital responded by saying that the leaks had been stopped, and CEO Kathy Silver told the paper she thought the situation was a “non issue.” The hospital waited a month before notifying affected patients. The FBI is investigating the case for potential violations of HIPAA. [Source] See also: [US: Informing victims of identity theft] and see also: [Commerce Dept. slow to notify employees of security breach] and [BCBS of Tennessee Breach Costs $7m…and Rising]

CA – Toronto Teacher Data Exposed by Laptop Theft
More than 8,000 Toronto District School Board teachers have had their personally identifiable information exposed as a result of the theft of a laptop computer. The computer was stolen from the Waterloo offices of the Ontario Teachers Insurance Plan in what has been described as a “routine smash and grab” burglary. It is not known if the sensitive data has been accessed, but Ontario Assistant Privacy Commissioner Ken Anderson warns that some identity theft rings have become involved in the theft or trafficking of laptop computers specifically for the information they contain. [CBC]

Identity Issues

UK – UK Police Engage Print Industry to Stop Fake IDs
U.K. police are trying to get wider participation from printer manufacturers and makers of specialist equipment in a voluntary program designed to cut off criminals from the tools they need to make fraudulent passports and ID cards. The program asks distributors and resellers to profile their customers and tell police if they suspect equipment such as thermal card printers is being ordered under suspicious conditions. So far, 90 entities have agreed to abide by the police code of conduct, which includes not selling equipment if there are doubts as to how it will be used. Those 90 represent about 75% of the total industry. But the remaining 25 percent consists of up to 10,000 small businesses, distributors and resellers, and the goal is to get those organizations to agree to the code of conduct. Officials suggest that if more companies do not participate, the police would recommend that regulations be introduced in order to get higher compliance. Police are hoping for voluntary participation. The program is part of Genesius, a 2-year-old operation that has disrupted 14 criminal networks involved in generating fake identification. Companies participating have forwarded at least 400 tips to police about possible criminal activity. [Source]

US – Kids’ ID Theft in Focus
The Identity Theft Resource Center in Tucson is working on a proposal that would give police and credit bureaus access to a list of minors’ SSNs. The proposal is a response to an on-the-rise crime, in which parents use their children’s SSNs to obtain credit cards, loans or utility services. Arizona is recognized as the identity theft capital of America, the report states, and its child identity theft rate is more than double the national average. “It’s very hard to get a handle on it,” says Joanna Crane, identity theft program manager at the FTC. [Arizona Daily Star] See also: [US: Unthinkable ID thieves: Mom & Dad]

WW – Sharing “TMI” on Social Media Sites Helps ID Thieves
A recent study indicates that more than half of those ages 45 and older who use popular social networking sites could fall prey to identity thieves because they share too much information. The study, which polled more than 1,000 adults, found that 14% of respondents–and 20% of those over the age of 60—posted their full home addresses in their profiles, and about 50% revealed information that could tip thieves off to their bank account passwords. Experian, which commissioned the study, recommended avoiding posting specific personal details and being sure that online quizzes or games come from a reputable source. [San Francisco Chronicle]

Intellectual Property

EU – Internet Companies Voice Alarm Over Italian Law
Internet companies and civil liberty groups have voiced alarm over a proposed Italian law which would make online service providers responsible for their audiovisual content and copyright infringements by users. The draft, due to be approved next month, would make ISPs like Fastweb and Telecom Italia, and Web sites like Google’s YouTube, responsible for monitoring TV content on their pages, industry experts say. [Washington Post]

Internet / WWW

WW – Web Sites Let Online Lives Outlast the Dearly Departed
San Francisco-based Legacy Locker is one of a dozen Cloud-based businesses that have sprung up to help denizens of the digital world grapple with the thorny issues raised after their physical being leaves behind only its virtual reality. Internet experts and estate planners say a cybercrisis is brewing because popular Internet services have policies that, barring an order from a court, forbid accessing or transferring accounts – including recovering money – unless someone has the password. For an annual fee, the sites store all passwords and log-in information, which, when the worst happens, will be accessible to whoever is designated as digital executor. On its Web site, under serene pictures of clouds against a deep blue sky, the company calls its service “a digital safety deposit box.” [Source]

Law Enforcement

UK – Kid’s TV Presenters Stopped by Police Whilst Wielding Hairdryers
In one of those stories that highlights how paranoid and overbearing our state has become, two children’s TV presenters were stopped by police and had their details taken when they enacted a mock hunting scene for their morning show, Toonattik. Despite wearing colourful combat gear and being armed only with plastic toy walkie-talkies and glittery hairdryers (as well as being pursued by a camera crew) the police still felt the need to intervene. As Anna Williamson explained: “Jamie and I were kitted out in fake utility belts, we had the whole bulletproof flak jacket thing, we’ve got hairdryers in our belt, a kids’ £1.99 walkie-talkie, hairbrushes and all that kind of stuff, and we were being followed by a camera crew and a boom mike and we get literally pulled over by four policemen and we were issued with a warning ‘under the act of terrorism’.” Jamie Rickers, 32, added: “We were stopped, not arrested, but they had to say ‘we are holding you under the Anti-Terrorism Act because you’re running around in flak jackets and a utility belt’, and I said ‘and please put spangly blue hairdryer’ and he was, like, ‘all right’.” [Source]

Online Privacy

WW – Even Without Cookies, Browser Fingerprinting Provides Unique ID and Tracking
Those with no technical knowledge generally believe that they are anonymous when simply browsing the Web. Those who know more might recognize that IP addresses can be used to do some rough targeting, while browser cookies can be used to track someone across sessions and across IP addresses. But what if your browser itself—even with cookies off and IP addresses out of the picture—was leaving a digital fingerprint at every site you visit? That possibility lies behind a new experiment from the Electronic Frontier Foundation, something called “Panopticlick.” Panopticlick measures the unique characteristics of your particular browsing setup, logs them, and then tells you just how unique that signature is. The project has just started, but it has already racked up over 40,000 results. Even if you surf with cookies disabled, and even if you move locations to change your IP address, crafty advertising networks can still theoretically know exactly who you are. Browsers provide all sorts of details to websites that request them. There’s the well-known “user agent string” that specifies the browser and computing platform being used, of course, but my own user agent string was not particularly unique. Much more incriminating were the details of my particular browser plugins (only 1 in 20,830 browsers have an identical plugin load) and the list of my system fonts (1 in 13,886). Websites can also access data on time zone, screen size, color depth, and more. Together, the data can be surprisingly unique. [Source] [http://panopticlick.eff.org]

WW – Startpage Launches Anonymous Web Search Service
Search-engine company Startpage launched a service allowing users concerned about privacy to carry out Web searches and click on linked pages without being identified, tracked or recorded. Unlike mainstream search engines that gather commercially valuable information about user behaviour, privately held Startpage has focused on privacy since 2005. Startpage – also known as Ixquick outside the U.S. and Britain – had already offered private searching, but users would leave the company’s protection when they clicked on a search result and entered a third-party website. The new service offers use of a Startpage proxy that means the user is invisible to all websites, though pages load more slowly since Startpage must first retrieve the contents and then redisplay them. [Source]

WW – Company Plans Release of Anonymous Browsing Tool
Ixquick, the company that earned the respect of privacy advocates when it decided in 2006 to stop collecting IP data from users of its search tool, is again drawing praise for its planned release of a new proxy browsing service that the company says will allow users to visit Web pages without the site owner’s knowledge. The company said it decided to offer the service because of what it saw as an opportunity to respond to increased consumer concern over their privacy while surfing the Web. “People are more concerned about online data retention policies than ever before,” said CEO Robert Beens. “We wanted to offer them a useful tool and this proxy is a logical extension of our services.” [OUT-LAW.COM]

Privacy (US)

US – A Little ‘i’ Icon Unveiled to Teach About Online Privacy
A little blue symbol is carrying big implications. Trying to ward off regulators, the advertising industry has agreed on a standard icon — a little “i” — that it will add to most online ads that use demographics and behavioral data to tell consumers what is happening. Jules Polonetsky, the co-chairman and director of the Future of Privacy Forum, an advocacy group that helped create the symbol, compared it to the triangle made up of three arrows that tells consumers that something is recyclable. The idea was “to come up with a recycling symbol — people will look at it, and once they know what it is, they’ll get it, and always get it,” Mr. Polonetsky said. Most major companies running online ads are expected to begin adding the icon to their ads by midsummer, along with phrases like “Why did I get this ad?” When consumers click on the icon, a white “i” surrounded by a circle on a blue background, they will be taken to a page explaining how the advertiser uses their Web surfing history and demographic profile to send them certain ads. The symbol will be introduced by Mr. Polonetsky’s group and a coalition of trade groups that have been vocal about fending off government regulation. [Source: NYT]

US – FTC Convenes Second Public Discussion on Online Privacy
At the Federal Trade Commission’s second public discussion about online privacy in Berkeley, California on Thursday, panelists discussed the ways that digital-era technologies impact individuals’ privacy and what can be done about it. Experts explored Flash cookies, behavioral advertising, data matching, inadvertent sharing and other topics, and proposed solutions such as stricter regulations, greater oversight of third-party application developers and mandatory notice requirements. Others advocated for market-based solutions, saying that the market is already resolving many privacy problems and that privacy is becoming a competitive factor for businesses. The third and final FTC roundtable event will take place on March 17 in Washington, DC. [San Francisco Chronicle]

US – FTC Flash Focused at Roundtable
At the FTC privacy roundtable held at the UC Berkeley School of Law, interactive advertising, and the use of “Flash cookies” in particular, came under harsh scrutiny by consumer protection chief David Vladeck, who said the FTC hoped “to announce law enforcement actions later this year” against companies that attempt to circumvent consumer opt-outs. Eric Goldman of the High Tech Law Institute at Santa Clara University said the use of Flash cookies is but one example of how technical innovation outpaces the ability of regulators to respond to privacy challenges. [MediaPost] [Roundtable Agenda]

US – FTC Encourages Self-Regulation Innovation
FTC Commissioner Pamela Jones Harbour called on technology companies to encourage innovation to come up with new ways to protect consumer privacy at yesterday’s FTC privacy roundtable at the UC Berkeley School of Law. During a brainstorming session, part of a series of open forums held by the FTC in advance of its draft of new consumer protection regulations, Harbour suggested that Apple’s application-development process could serve as a model for privacy innovation. “Apple requires all developers to submit potential apps for review,” she said. “Through that process, the company could do more to regulate privacy disclosures.” [Source]

US – Online Retailers Stop Sharing Customer Info
Eight online retailers have announced they will no longer allow third-party marketing firms to offer discount memberships that result in retailers sharing consumers’ credit and debit card information without their knowledge. The third-party marketing firms recently announced they will soon require consumers to provide their full credit and debit card information to enroll in the discount clubs. The retailers that have discontinued the practice include Fandango, 1-800-Flowers, Priceline and several airlines. The investigation will continue, Senate Commerce Committee Chairman John (Jay) Rockefeller (D-WV) says, until other online retailers also do away with the practice. [Tech Daily Dose] See below for update

US – New York Examines Web Marketing ‘Scam’
New York Attorney General Andrew Cuomo has launched an investigation into the marketing practices of 22 online retailers, including Staples, 1-800-Flowers.com, and Orbitz. Cuomo’s office said it issued subpoenas to the merchants and requested information about the retailers’ relationships with three marketing companies, Webloyalty, Affinion, and Vertrue. These firms have allegedly misled consumers for years into joining membership programs and paying monthly fees. [CNET]

RFID

UK – Defects in e-Passports Allow Real-Time Tracking
Computer scientists in Britain have uncovered weaknesses in electronic passports issued by the US, UK, and some 50 other countries that allow attackers to trace the movements of individuals as they enter or exit buildings. The so-called traceability attack is the only exploit of an e-passport that allows attackers to remotely track a given credential in real time without first knowing the cryptographic keys that protect it, the scientists from University of Birmingham said. What’s more, RFID data in the passports can’t be turned off, making the threat persistent unless the holder shields the government-mandated identity document in a special pouch. To exploit the weakness, attackers would need to observe the targeted passport as it interacted with an authorized RFID reader at a border crossing or other official location. They could then build a special device that detects the credential each time it comes into range. The scientists estimated the device could have a reach of about 20 inches. Chothia and Smirnov of the University of Birmingham’s School of Computer Science said the security hole can be closed by standardizing error messages and “padding” response times in future e-passports. But that will do nothing to protect holders of more than 30 million passports from more than 50 countries who are vulnerable now, they said. [PDF of the paper] [Source]
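A sketch of the fix named above (uniform error messages and padded response times), added here and not taken from the paper or from any passport implementation. The two-step check, the status strings and the simulated time units are assumptions of this example.

```python
import hashlib
import hmac

# Hypothetical, simplified tag model (not the e-passport protocol itself):
# a message is (nonce, mac); the tag checks the MAC first and the nonce second.
# Costs are simulated time units, constructed for the example.
MAC_COST, NONCE_COST, BUDGET = 3, 5, 10

def mac(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()

def leaky_tag(key, expected_nonce, message):
    """Status and elapsed time both reveal which check rejected the message."""
    nonce, tag = message
    elapsed = MAC_COST
    if not hmac.compare_digest(mac(key, nonce), tag):
        return "ERR_MAC", elapsed
    elapsed += NONCE_COST
    if not hmac.compare_digest(nonce, expected_nonce):
        return "ERR_NONCE", elapsed
    return "OK", elapsed

def hardened_tag(key, expected_nonce, message):
    """Both checks always run, one error code, response padded to BUDGET."""
    nonce, tag = message
    mac_ok = hmac.compare_digest(mac(key, nonce), tag)
    nonce_ok = hmac.compare_digest(nonce, expected_nonce)
    elapsed = MAC_COST + NONCE_COST
    status = "OK" if (mac_ok and nonce_ok) else "ERR"
    return status, max(elapsed, BUDGET)

def failure_responses(tag_fn):
    """Distinct (status, elapsed) pairs the tag gives across rejected messages."""
    key, expected = b"constructed-key", b"fresh-nonce"
    bad_mac = (b"old-nonce", b"\x00" * 32)
    bad_nonce = (b"old-nonce", mac(key, b"old-nonce"))
    return {tag_fn(key, expected, m) for m in (bad_mac, bad_nonce)}

if __name__ == "__main__":
    print("leaky:   ", sorted(failure_responses(leaky_tag)))
    print("hardened:", sorted(failure_responses(hardened_tag)))
```

A regression test for such a responder asserts that every rejected message yields exactly one observable response; two or more distinct responses means the error path still carries information.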

CA – McMaster University Researching RFID in Public Transit
McMaster University is working on an RFID application that would let public transit operators track the location of crews working on subway tracks. Since October, MRAL has been working on a $1.4 million project, $600,000 of which was provided by the Ontario Centres of Excellence, a government-funded group that helps organizations commercialize technology. Other contributors include Montreal-based Bombardier, whose products include subway and commuter trains. Officials from the Toronto Transit Commission did not respond when asked if their organization was involved in the project, but Toronto is the closest Canadian city to MRAL that operates a subway system. [Source]

Security

US – Turnabout as Bank Sues Customer Hit by Cybertheft
PlainsCapital Bank of Lubbock, Texas, has filed a lawsuit against its customer, Plano-based Hillary Machinery, following the theft of $800,000 from the company by cyberthieves operating out of Italy and Romania. The lawsuit followed Hillary Machinery’s demands that the bank repay it for the balance of funds not recovered after the crime was detected. In the suit, PlainsCapital is seeking for the courts to affirm that the bank was not negligent in security procedures and that it did not breach its contract with the company. Hillary Vice President Troy Owen said that the suit is an attempt to deny culpability through “bullying.” [Computerworld]

Surveillance

UK – EU to Assess Piracy Detection Software
Privacy International has asked the European Commission to look into the legality of anti-piracy software used by some ISPs to monitor for illegal file sharing. Specifically, Privacy International is concerned about software developed by Detica, in use by Virgin Media, that employs deep packet inspection techniques to identify offending files transmitted over Virgin’s network. Privacy International believes deep packet inspection poses a threat to privacy because of its ability to identify actual file names. Industry observers say as many as 40 percent of Virgin’s customers may be subject to monitoring with the software, but Virgin said that subscriber privacy is not at risk. [BBC]

US – U.S. Pentagon Wants 3-D Surveillance
Think Avatar for military spies. Pentagon far-out research arm DARPA wants to turn surveillance into a 3-D experience for troops. It has launched the Fine Detail Optical Surveillance (FDOS) Program, and is requesting proposals for prototypes of optical imaging systems that would use “advanced high-resolution 3-D imaging technology.” DARPA wants two kinds of surveillance systems: portable units for active battle and drone-ready systems for unmanned planes. The agency wants proposals that start from scratch, using a fundamentally new model for obtaining video footage. The 3-D surveillance should be able to monitor moving targets with high resolution, from different ranges, and without the need for users to do much legwork, like scanning or refocusing on a target. DARPA anticipates that 3-D surveillance would boost field of vision and depth of vision “by over 100X” compared to existing systems. [Source]

Telecom / TV

US – IAB Asks FCC to Steer Clear of Online Privacy Issues
The Interactive Advertising Bureau (IAB) has called on the Federal Communications Commission (FCC) to take a hands-off approach to the broadband privacy debate, saying that the commission risks creating confusion by introducing restrictions and potentially conflicting privacy regulations that could hamper commercial activity online. The IAB’s statement came in response to a request for public comment from the Center for Democracy and Technology as the federal government considers the privacy implications of new broadband technologies. In a letter, the IAB said, “Existing robust self-regulatory principles provide consumers with strong protections in a manner that has allowed the Internet to thrive, thereby benefiting the U.S. economy.” [MediaPost News]

WW – Mobile Phone Policies Undermining Privacy in Africa
New anti-crime policies in Ghana and Nigeria requiring mobile phone service subscribers to register their phones with the user’s verified name and address are raising questions about personal privacy on the African continent. Similar laws have been passed in Tanzania, South Africa and Mauritius, and proponents say the policies are needed to help prevent phone-based fraud schemes as well as malicious texting. [BBC]

US Government Programs

US – Congressman Close to Introducing Privacy Bill
Representative Rick Boucher (D-VA) is close to introducing a privacy bill to the House of Representatives that is focused on opt-in/opt-out requirements for collecting data from Internet users. The bill has bipartisan co-sponsorship and seeks to codify recognized best practices from the interactive advertising industry. Earlier this week Boucher explained that, “Our goal in doing this is to enhance the confidence that Internet users have that their experience on the Web is secure.” Boucher is a member of the Energy and Commerce Committee, which has been gathering information from a number of privacy stakeholders in recent weeks. [eSecurity Planet]

US Legislation

US – Mass. Likely to be Lenient on Breach Law Enforcement
Two Massachusetts officials updated Bay State businesses this week on the Commonwealth’s new data breach law, MA 201 CMR 17, which goes into effect March 1. Diane Lawton, general counsel for the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) and Scott D. Schafer, chief of the consumer protection division at the state’s office of the attorney general, said that prompt notice and cooperation with the state could help companies avoid prosecution if a breach occurs. “What we don’t want to read about in the [newspapers] is a breach that we should’ve been notified about,” Schafer said. “That’s going to cause problems.” The two appeared in Springfield at the Massachusetts Information Security Summit. [SearchSecurity] [Massachusetts Data Law Changing]
