GovLoop

Privacy News Highlights – August 15th

Some top privacy news

Biometrics

US – U.S. Scans Afghan Inmates for Biometric Database

Wired reports on the U.S. military’s new detention facility in Parwan, Afghanistan, as “an emerging datafarm” where all
detainees
brought to the facility are given medical exams and have their irises
scanned
and fingerprints taken to be stored in a military database called the
Automated
Biometric Information System. The report cautions that given
Afghanistan’s “shaky commitment to the rule of law, those identifiers
could become weapons.” Human
rights advocates are raising concerns about privacy, including the fear
that
when Parwan is turned over to Afghanistan, the nation’s leaders will use
the
facility to lock up individuals against their will to collect biometric
data. [Source]

US – Student DNA Testing Scaled Back at University of California, Berkeley

A plan to analyze the DNA of incoming students at the University of California, Berkeley and give them personalized results was recently
scaled back
amid concerns that such research amounts to a medical diagnosis – a
violation
of state and federal laws. The university has already sent more than
5,000
genetic testing kits to incoming students for the voluntary, anonymous
program,
which involves testing three common gene variants that would “reveal
aspects of
how an individual metabolizes milk, alcohol and vitamin B9 [folic
acid].” About
600 students consented to the test and provided their saliva samples,
according
to the university, which contests the state’s position that the program
violates any statutes. “The change to UC Berkeley’s program was
necessitated
because the California Department of Public Health [CDPH] insisted that
since
students would have been given access to their own test results, the
academic
exercise was not exempt from laws designed to assure the accuracy and
quality
of diagnostic tests used in providing medical care to patients,” a
university
press release stated. [Government
Technology
]

SK – Fingerprint Scans for South Korea

South Korea will introduce fingerprint scans at airports and ports in a bid to stop suspected criminals and foreign visitors with forged documents, officials said. Immigration officials will scan the fingerprints of suspect arrivals to
check against databases for possible criminal records, the justice ministry
said. A facial recognition programme would be used as a secondary device.
Anyone with a criminal record in South Korea or travelling on a fake passport
would be banned from entering the country, the ministry said. [Source]

WW – City to Track People With Eye Scanners

Imagine a public eye-scanner that can identify 50 people per minute, in motion. Now imagine the government installed these scanner systems all across an entire city. Leon, Mexico, is doing exactly that,
installing real-time iris scanners from biometrics research and development
firm Global Rainmakers Inc. These retinal scanners don’t require people to stop
and put their eyes in front of a camera. They work in real time, as people
walk…[embedded video] There are different kinds of machines being installed
across Leon – from large scanners capable of identifying 50 people per minute
in motion, to smaller ones like the EyeSwipe…that range from 15 to 30 people
per minute. These devices are being installed in public places, like train and
bus stations and connected to a database that will track people across the
city. The retinal scanning of Leon’s one million population has started already
with its convicted criminals. Citizens with no criminal records have been
offered the opportunity to “voluntarily” scan their retinas. This, however, is
just the beginning. According to Carter, everyone in the planet should be
connected to the iris-tracking system in 10 years: “In the future, whether it’s
entering your home, opening your car, entering your workspace, getting a
pharmacy prescription refilled, or having your medical records pulled up,
everything will come off that unique key that is your iris. Every person,
place, and thing on this planet will be connected within the next 10 years.” [Gizmodo]

Canada

CA – CanadaJoins APEC Privacy Enforcement Initiative

Canadahas been accepted as a participant in a new Asia-Pacific Economic Cooperation (APEC) mechanism for cross-border cooperation on data privacy enforcement. The
initiative – the APEC Cross-border Privacy Enforcement Arrangement – was
developed to facilitate information sharing and cooperation between authorities
responsible for data and consumer protection in the APEC region. Privacy
Commissioner of Canada, Jennifer Stoddart, says the arrangement is an important
step forward in addressing new challenges for privacy in a globalized, online
world. The arrangement establishes a process under which participating
authorities may contact each other for help with collecting evidence, sharing
information on an organisation or matter being investigated, enforcing actions,
and transferring complaints to another jurisdiction. It also encourages
cooperation between privacy enforcement authorities in APEC and their
international, non-APEC counterparts as the arrangement has been designed to
work seamlessly with other regional and global schemes. The arrangement was
developed by a volunteer group of APEC member economies with input from civil
society and business groups. To date, the participants in the arrangement also
include the Office of the Privacy Commissioner of Australia, Hong Kong’s Office
of the Privacy Commissioner for Personal Data, the Office of the Privacy
Commissioner of New Zealand and the U.S. Federal Trade Commission. Additional
privacy enforcement authorities from APEC member economies are also expected to
join. [Source]

NZ – Fingerprint-Sharing Begins With Aussie on Migrant Fraudsters

Immigration authorities in New Zealand and Australia have begun sharing fingerprints of asylum seekers and people they suspect of
lying about their identity. The move could be a first step towards the
much
more widespread sharing of visa applicants’ fingerprints with Australia,
the United States, Canada and Britain. Immigration NZ identity manager
Arron Baker said
that, for now, the checks were being done on only “very specific
categories of
clients” awaiting immigration decisions. New Zealand and Australia have
agreed to share the fingerprints of up to 3000 people each year. At
present, the
checks need to be carried out manually. But Mr Baker said the long-term
intent
of the 2009 Immigration Act was that biometrics would be used more
routinely to verify the identities of visa applicants. Both countries expect to
sign similar agreements with the US, Britain and Canada, and work has begun on
developing software that could allow for the automated matching of
fingerprints. That software could allow for up to 30,000 fingerprint checks to
be carried out each year with each country. [Dominion Post]

CA – Saskatchewan Privacy Commissioner Concerned About Health Card Requests

Renting a movie and getting a big game hunting licence are not occasions where you should be asked for your health card, says
Saskatchewan’s privacy commissioner, Gary Dickson, who said they can and
have been used
inappropriately. It’s not illegal for a customer to voluntarily hand
over their
health card, but it is against the law for the business to ask for it or
require it if it’s not administering health services. That store and
every
other private business in Saskatchewan is also subject to a federal
privacy law
safeguards how our private information is copied and stored. Dickson
says the
province is slowly building an electronic health record system and it’s
important residents can feel confident their information is safe. [Source]

Consumer

CA – Canadians Concerned About Privacy and Security: Survey

KPMG International’s annual Consumers and Convergence survey found that about two-thirds, or 63%, of Canadians are concerned about privacy when using a mobile device. More than half, 58%, are worried about
security. That’s not far off other respondents around the world. However,
Canadians are also less likely to use mobile devices for buying goods or
services and banking. Only 19% of Canadians feel comfortable using their mobile
phone for financial transactions, compared to 34% of global respondents, the
survey found. Just 8% of Canadians have made purchases using a mobile phone
through a retailer’s site. That’s double the amount from last year, but
significantly less than global consumers at 28%. About 15% of Canadians have
done banking through a mobile device, compared to 45% globally. “These consumer
concerns over privacy and security are pivotal to the continued adoption of
e-commerce and mobile commerce. Companies that implement robust policies and safeguards
and provide for full disclosure of these measures are likely to reap the
rewards through enhanced customer attraction and retention.” Nearly half, or
45% of Canadians would welcome advertising on their personal computer in
exchange for lower prices or free content. Only 21% feel the same when it comes
to their mobile phone. That compares to 56% and 42% of global respondents
indicating they would accept advertising on their computer and mobile phones,
respectively. [Source]

E-Government

CA – OttawaInvestigating Wikipedia Edits

The federal government is conducting two investigations into federal employees who have taken to Wikipedia to
express
their opinion on federal policies and bitter political debates. The
Correctional Service of Canada began a probe after learning one of its
computers, apparently in Ottawa, had been used to change the online
encyclopedia’s entry on the Official Languages Act – the law allowing
Canadians
to receive federal services in the language of their choice – as the
“Quebec
Nazi Act.” That online outburst would likely result in the suspension or
dismissal, and it may even be a crime in the view of at least one Quebec
politician, who suggested the comment amounted to hate propaganda. [Source]

E-Mail

WW – Google Tests a Hidden ‘Instant Regrets’ Email Button

Google Labs is testing an “undo” button on Gmail that gives you 30 long seconds to stop an email from reaching your boss, your husband or your soon-to-be-former best friend. Being a Google Labs feature, it comes
with the caveat that it “may break at any time” or “disappear temporarily or
permanently.” “Undo send” is one of a dozen or more experimental features that
Gmail users can try out by burrowing into the Settings page on the Gmail Labs
website and enabling the feature. The feature, which could also be called the “second
thoughts” button, used to give you only five seconds to rewrite your personal
history. Now you can tailor it to just how skittish you’re feeling each day. [Source]

Encryption

IN – BlackBerry Gets Two Month Reprieve in India

Indian authorities have postponed a planned ban on BlackBerry services for 60 days while they study and test a proposal from Blackberry parent company Research in Motion (RIM) to allow security agencies
more access to certain Blackberry communications. India has asked for real-time
access to encrypted corporate email; RIM says it is impossible to grant the
request because they do not have the encryption keys. RIM competitor Nokia has
agreed to place a server in India to allow government monitoring of
communications. [NY
Times
] [CNN]
[FT]
[ComputerWorld]
[Google
News
] and [RIM
Offers Indian Government Some Message Monitoring Capability
]

EU Developments

UK– MoJ Responds to EC on Data Protection

The UK Ministry of Justice said today it has responded to the European Commission on demands that it bring British data protection in line with European law. In June, the EC gave the UK government two months to
respond to its demand that the government come into line with Europe’s Data
Protection Directive of 1995. Specifically, the EC wants the information
commissioner’s powers strengthened. “Having a watchdog with insufficient powers
is like keeping your guard dog tied up in the basement,” EU justice
commissioner Viviane Reding said in June. [The
Register
]

Facts & Stats

WW – Businesses Cash In on Web Privacy Concerns

As online data breaches increase to 100 million in the U.S. alone, the numbers of data protection startups are increasing as well, thanks to the investments of entrepreneurs and venture capitalists. Protecting
online identity is a $2.5 billion market, according to Forrester Research,
growing 12 to 15 percent annually. Among the new companies in the space are
those that allow parents to monitor their children’s online activities, which
is expected to become a $1.5 billion industry and as popular as anti-virus
software. Also growing are startups allowing individuals to manage their online
reputation. One such company charges between $100 and $1,000 annually to
control what users see about clients when they are searched online. [CNBC]

Finance

UK – Zurich Insurance Fined Over Data Loss

The UK’s Financial Services Authority has fined the UK branch of Zurich Insurance GBP 2.27 million (US $3.53 million) for losing data of 46,000
customers. The data were on an unencrypted backup tape that was lost en
route
to a data storage center in August 2008; the company did not become
aware of
the missing tape for a year. The information includes names and bank
account,
credit card and other financial data. The fine was less than it could
have
been; had the company not agreed early on to settle, it would have been
fined
GBP 3.25 million (US $5.05 million). [Heise
Online
] [BBC]

US – Insurance Dept. Mandates 5-Day Breach Notifications

Following a string of incidents involving the exposure of residents’ personal information, insurance regulators in the state of
Connecticut are placing notification requirements on insurers and their
agents, requiring
that they let the state insurance commissioner know within five days of
discovering a breach. In a bulletin sent to state entities this month,
officials said, “The Department’s concern is to make certain that in
addition
to minimizing these incidents, licensees and registrants react quickly
and
affirmatively to let affected Connecticut consumers know that they may
be at
risk and what is being done to protect sensitive and confidential
information.”
[Insurance
Journal
]

FOI

CA – N.B. Teen’s Prison Files to Be Released

Corrections Canada has dropped its bid to keep the personal files of a teenage inmate who killed herself under wraps. Ashley Smith of Moncton, N.B., choked herself with a piece of cloth in October 2007 while
guards, under orders not to intervene, looked on. She was 19. The Canadian
Association of Elizabeth Fry Societies, a non-profit advocacy group for
federally sentenced women, had applied for the documents on Smith’s behalf
before she died in prison in Kitchener, Ont. In April, Federal Court Justice
Michael Kelen ordered the Correctional Service to hand over the nearly 300
pages of records about Smith, including numerous assessments, her transfer and
violent-incident records, criminal charge sheet and documents about her “maximum”
security risk classification. He said Corrections Canada had breached the Privacy
Act
in not giving Smith her records. Smith’s death and the subsequent RCMP
investigation into the conduct of prison staff were not valid reasons to
withhold the documents from the Elizabeth Fry Societies, the judge said. Smith
had complained of poor treatment by the Correctional Service, alleging an
assault, lack of psychiatric care and frequent transfers among prisons and
treatment facilities across Canada. Smith’s death was the “entirely preventable”
result of a series of systemic failures. Privacy requests are supposed to be
answered within 30 days, but the service took a 30-day extension. It missed
that deadline, and the request had gone unanswered when Smith died — 123 days
after her initial application. The Correctional Service told the court such
delays “happen all the time.” [Source]

Genetics

US – Prosecutors Urged to Collect DNA in Plea Bargains

New York prosecutors are being urged to collect DNA samples as part of plea bargains in all misdemeanor cases after a bill proposing to do just that got stuck in the legislature. The Department of Criminal Justice Services’ acting
commissioner wrote to 62 county district attorneys last week encouraging the
idea, which is aimed at preventing violent crimes. The New York Civil Liberties
Union opposes the idea, which would roughly double the current state database. “DAs
must resist this kind of pressure and continue reaching plea bargaining
agreements as they always have,” a spokeswoman said. [Associated
Press
]

Health / Medical

US – Panel Drafts Privacy Recommendations for Health Data Exchanges

A “tiger team“ that advises the federally chartered Health IT Policy Committee will submit a list
of recommendations
for ensuring the privacy and security of personally
identifiable health information in health data exchanges. The recommendations
were developed in response to a specific set of privacy-related questions
raised by the Office of the National Coordinator for Health Information
Technology. They touch upon and clarify topics such as patient consent and the
use of third-party service providers in the exchange of personally identifiable
health information. A 19-page letter, detailing all of the recommendations is
scheduled to be submitted to David Blumenthal, chairman of the HIT Policy
Committee. One of the bigger recommendations relates to patient consent. The
direct exchange of electronic patient data between health providers for
treatment purposes does not require any additional patient consent, the panel
noted. The same rules that apply to paper or faxed exchanges of health
information should apply in the electronic realm as well. However, any data
exchange that involves a third party does require specific and “meaningful”
patient consent, the letter noted. Any such consent also needs to be
transparently and easily revocable by the patient at any time, the panel said. The
letter also recommended further exploration of technologies that allow
individuals to exercise more granular control over the data – for instance,
they should be able to permit the exchange of certain kinds of health data, but
not all. Third-party service organizations should also not be allowed to
collect, use or share personal health data for any purposes other what’s
specified in their service agreements, the panel recommended. Third parties
should also be required to retain personal health data only for as long as it
is reasonably needed, and once they no longer need the data they should then be
required to destroy it, the panel said. The tiger team’s proposals will need to
be reviewed and approved by the HIT Policy Committee before they can go into
effect. [Source]
[Recommendations]

CA – Privacy Boss Watching Access to Alberta Health Files

A move that will allow more health-care professionals access to patient information — in an effort to create a seamless health-care system — is a boon and a concern to the province’s privacy commissioner.
Amendments to the Health Care Information Act go into effect Sept. 1, including
a change that will give more regulated members of health-care professions, such
as pharmacists, podiatrists, optometrists and dental hygienists, access to
patient information through Netcare, the provincewide electronic health
database. The changes are expected to make the health-care system more
seamless, allowing people to move through along with their information, said
Information and Privacy Commissioner Frank Work. Yet more people using the
system may also mean an increase in the number of incidents of people using it
improperly. If anything looks suspicious, Albertans can report their concerns
to his office. “They have the right to know who’s looking at their information,”
he said [Source]

Horror Stories

EU – Drugstore Customers’ Data Exposed

German drugstore chain Schlecker has confirmed that, for an unspecified amount of time, the personal details of about 150,000 customers were exposed on the Internet. An external service provider was
responsible for the error, according to the report. Schlecker is investigating
how the names, profiles and e-mail addresses of customers were exposed.
Customer account numbers and passwords were not affected. The e-mail addresses
of an additional 7.1 million company newsletter subscribers were also exposed
in the breach. “We are in close contact with our service provider,” a Schlecker
spokesperson said. [Source]

US – Settlement Reached in Security Breach Case

A federal judge has approved a settlement between Countrywide Financial Corp. and millions of customers whose information was exposed in what has been described as “the biggest reported case of data theft
by a financial insider.” The company will provide free credit monitoring for up
to 17 million customers who obtained a mortgage or used Countrywide to service
a mortgage before July 1, 2008, and individuals could be reimbursed up to
$50,000 for each instance of identity theft stemming from the breach.
Countrywide has said it worked with federal investigators on the case, and it
does not appear that any identities have been stolen. [Associated
Press
]

Identity Issues

AU – Coalition to Revive Identity Card

A coalition government would revive the controversial Howard-era plan for a national access card to identify every individual receiving government benefits, shadow treasurer Joe Hockey has revealed. On the
eve of a “cliffhanger” federal election, Mr Hockey has told The Age that
giving everyone a single identifier for access to health and welfare benefits
could lead to “massive improvements in productivity in health and welfare”. But
instead of everyone having a card, this time the identifier could be in
electronic form… In recent months Health Minister Nicola Roxon and Human
Services Minister Chris Bowen have revived aspects of the access card plan,
floating a single system to store individuals’ health information, and to allow
government agencies to share a single IT platform. [Full article]

US – Attorney Files Lawsuits Over Disney Flash Cookies

Privacy attorney Joseph Malley has filed a lawsuit against Specificmedia for using technology to respawn cookies that users have deleted. Malley has filed two other similar lawsuits: one against a number of
companies, including MTV and Hulu, for using Quantcast technology to recreate
cookies and another against Disney and Demand media for using a Clearspring
Technology widget that does the same thing. All the technologies use Adobe
Flash to store copies of browser cookies; while clearing regular cookies is
fairly straightforward, clearing Flash cookies can be complicated because they
cannot be managed through browser privacy controls. According to the lawsuits,
the companies did not inform users about the use of Flash to store the
information; the suits allege that using Flash in this way violates state and
federal privacy and computer security laws. Flash cookies allow websites to
store 25 times more information than traditional cookies hold. [Wired]
[ZDNet]
[Wired]
[The Register]

Intellectual Property

US – New iPhone Security Patent App: User Protection or 1984 iSpy?

Your next iPhone might listen to your heartbeat or scan your face to identify its rightful owner — and it could react with anti-theft measures if it ended up in the wrong hands, according to a patent
application recently filed by Apple. Filed in February and made public this
month, the patent application describes an invention that uses several methods
to detect “unauthorized” usage of a device, such as voice and facial
recognition or a heart rate monitor. Possible anti-theft measures include
restricting access to some applications, gathering location data about the
unauthorized user or shutting down the device remotely. One method the patent
describes for detecting a stolen iPhone is checking whether it’s been hacked
(aka “jailbroken”) or its SIM card has been yanked out — things a clever thief
would do to override the iPhone’s security. The up-close-and-personal security
patent has some concerned journalists screaming “1984,” interpreting the patent
application as a draconian move by Apple to spy on users and punish customers
who hack their iPhones. [Source]

Internet / WWW

US – CIO Council Releases Cloud Computing Framework

The federal CIO Council says agencies must be aware of the privacy concerns involved in storing personally identifiable information on the cloud. In a new document outlining a proposed policy framework on privacy
and the cloud, the CIOs warn that federal agencies should seek legal and
privacy team counsel before moving data to the cloud, as providers are not
necessarily bound by the same laws and regulations as the federal government
when it comes to storing personally identifiable information. The document
recommends agencies conduct a “Privacy Threshold Analysis” to determine whether
a new system creates privacy risks, the report states. The council says a “thoughtfully
considered” move to the cloud may actually enhance privacy. [InformationWeek
] [Document]

UK– One in Three Have ‘Stalked’ Celebs on Street View

More than a third of Brits (34%) have attempted to take a sneak peek at where their favourite celebrity lives by ‘stalking’ them on Google’s Street View. Research by double glazing firm Central Scotland
Joinery revealed the White House, home of US President Barack Obama, is the
most searched property on Google Street View, with 19% of Brits admitting they
want to take a sneak peek around the Presidential residence. Hugh Hefner’s home
in Los Angeles came second with 17% of web users admitting to searching for the
Playboy Mansion on the Google Maps add-on. Nearly a quarter of those that
admitting to looking at Hefner’s LA residence on Street View, said it was
because they wanted to catch a glimpse of a Playboy Bunny. The home of Apple
boss Steve Jobs was the third-most searched for property on Google Street View.
Jobs beat Microsoft boss Bill Gates, whose house was the sixth most search-for
property. Celebrity couples David and Victoria Beckham, Jay-Z and Beyonce, and
Katie Price and Alex Reid also appeared in the list of the ten most
searched-for homes on Google Street View. Furthermore, 16% of Google Street
View users said they had searched for an ex-partner’s house while nearly half
(47%) said they’d looked for their childhood home. [Source]

Law Enforcement

US – States Use K-9s to Search for Smuggled Cell Phones

Dogs are being deployed in prisons to help curb one of the most serious problems confronting corrections officials: smuggled
cell
phones. It turns out that cell phones smell. And their distinct odor can
lead a
well-trained canine to a device hidden under a mattress, stashed into a
wall or
tucked into a fan or radio. Inmates use them to arrange drug deals, plot
escapes and attacks, coordinate riots and harass victims. “They have 24
hours a
day to figure out how to hide these from us,” said Sgt. Wayne Conrad,
who leads
the K-9 program in California. “I couldn’t tell you how long it would
take me
to go through every nook and cranny in a cell. But when these dogs work,
they
pick up the odor and go right to it.” There are currently 14 dogs
working in California’s 33 prisons. Five of them are specifically
trained as cell phone sleuths. By
the end of the summer, the K-9 unit will have 23 dogs trained, about
half in
finding cell phones, the other half in narcotics. As of May of this
year, California prison officials had already confiscated 4,800 cell
phones through the K-9
program and other random searches. They seized nearly 7,000 last year,
up from
just 261 in 2006. [Source]

US – Cell Phone Privacy – Not at This School

A school district in Washington state wants to clamp down on cyber bullying and sexting. But the district could be running right into a constitutional controversy. Oak Harbor school district wants to be able
to search a student’s electronic items like cell phones. This crackdown could
have school administrators looking through anything on the student’s phone,
like pictures, text messages and videos. School officials view is as a
protective measure, but some parents call it an outright invasion of privacy.
The first reading of the proposal passed the school board unanimously. A final
approval could happen by the end of the month. [Source]

Location

WW – Facebook Places Location Tool Unveiled, Sparking Fresh Privacy Concerns

Facebook risks a privacy backlash today when it launches a feature that automatically shares information on the location of users with their online friends. The feature allows users to “check in” at
locations which will then be shared with their friends and Facebook network but
it is likely to raise concerns over safety. Users will also be able to browse
shops, clubs and nearby venues to see which friends are nearby, leading to
concerns it could put individual’s security at risk. The service will launch in
the US only at first. Reitman said users should be particularly judicious about
who they accept as friends, and be aware that even information shared with an
intimate network could be copied and pasted elsewhere. “Don’t post anything
online you wouldn’t want to get out publicity to anyone.” Critics will note
that the primary location setting is switched on by default, which means any “places”
tags automatically being shared with immediate friends. [Source] See also: [Town Uses Google
Maps to Check for Illegal Pools
]

WW – Mixed Reactions to Social Network’s Location Feature

The Wall Street Journal reports on reactions to Facebook’s new location feature, “Places,” which range from concerns about privacy to nods to the company for improvement over past
privacy-related issues. Among those who are still concerned about the feature,
which allows users to share their physical location and that of friends who
have not opted out of Places, is Ireland’s Data Protection Commissioner, which
has announced
it will be monitoring its privacy implications. Facebook has defended
the new
feature, stating it consulted numerous privacy and safety groups before
it went
live, the report states. However, advocacy groups including the
Electronic Privacy Information Center have said the company has not
given users adequate
controls. [Wall
Street Journal
]

WW – Free Android Game Gathers GPS Data

A free game application available in Google’s Android Market reportedly includes a Trojan horse program. The game, called Tapsnake, is a version of the well-known game Snake. While in play, a satellite icon
appearing in the menu bar indicates that the application is harvesting GPS
data. The information is uploaded to a remote server, so the location of the
user playing the game can be tracked. To receive the GPS information, users
aiming to track others need another application called “GPS Spy, which is
available for US $4.99.” To use the application’s tracking feature maliciously,
people would need access to both Android devices to enter specific information;
however, the application is being considered malicious because it does not
disclose the tracking activity. The application also continues to run in the
background even after users attempt to kill the app. [SC
Magazine
] [The
Register
]

Offshore

IN – Survey: Many Organizations Not Confident in Data Protection

Almost half of Indian organizations polled in a recent survey said they’ve experienced at least one internal security breach within the last year. 32% said their information security professionals are missing
competencies to handle existing and foreseeable security requirements, the
report states, though 66% of organizations said they are very confident or
extremely confident in their ability to thwart external attacks. Deloitte’s “2010
Global Security Survey-India Report,” polled 62 Indian organizations. “While
organizations have taken a step in the right direction by reinforcing budgets
towards information security, current strategies may still be inadequate to
close the gaps,” said a Deloitte spokesperson. [India
Blooms
]

Online Privacy

WW – Google CEO Discusses Privacy Trends

In an interview with The Wall Street Journal, Google CEO Eric Schmidt describes a future where the transition from childhood to adulthood could include an option where adults can change their names to
protect their privacy later in life. CRN reports on his point of view that “as
our private information becomes ubiquitous on the Internet due to postings on
social media sites such as Facebook, young people should be entitled to
automatically change their name on reaching adulthood.” Schmidt also discussed
Google’s ongoing privacy-related issues across the globe, stating it will do
what is “good for consumers” and “fair” to competitors. [Source]

CA – Facebook Falls Short of Privacy Obligations to Canada, Says Law Group

Facebook has failed to meet the Privacy Commissioner of Canada’s requirements to improve user privacy controls before the Sept. 1 deadline, according to a University of Ottawa-based law group. The Canadian
Internet Policy and Public Interest Clinic (CIPPIC) lodged the original
complaint with the Privacy Commissioner’s office that led to the original
investigation. At its conclusion, Facebook agreed to a long list of changes
requested by the commissioner. That included revamping its privacy policies,
making it easier to delete an account, and how it treats the accounts of
deceased users. But by far the most complex changes it committed to was
reworking its third-party application programming interface. Facebook agreed to
give users more granular controls over what sort of information outside
application developers could access, and limit it to only what was required for
the purposes of the application. Now letters that were exchanged between the
Privacy Commissioner’s office and Facebook suggest a disagreement on exactly
what user information should be up for grabs. The correspondence was acquired
by CIPPIC through an Access to Information request. Facebook says it has made a
number of changes to address the commissioner’s concerns. That includes updating
user notifications, a rewritten privacy policy, as well as the new
authorization process for applications. In November and December, Facebook
rolled out changes to all users’ privacy settings as it disposed of regional
networks. At the same time, it changed the default privacy setting for many
information categories to “Everyone”, meaning it was public to the entire
Internet. That meant that application developers would automatically have
access to this information, with no authorization being presented to users. [Source] See also: [Posting nude Facebook pics of ex gets man
jail time
]

US – Is ‘Private’ Data on Social Networks Discoverable?

A U.S. district court opinion appears to offer the first in-depth analysis on social network privacy settings and whether user information is protected from discovery by the Stored Communications Act (SCA)
of 1986. The court’s decision determined that “the SCA’s protections reach at
least some of the content” on social networks and suggested that users’ privacy
settings do matter. It found that “private messages as well as comments visible
to a restricted set of Facebook or MySpace users were held in ‘electronic
storage,’ but its analysis was complicated by novel features of these
technologies,” the report states. Questions remain related to what forms of
content the SCA protects and how much users need to restrict their content for
it to be designated as private. [Law
Technology News
]

US – Online ‘Sextortion’ of Teens on the Rise in U.S.

Federal prosecutors and child safety advocates say they’re seeing an upswing in cases of online sexual extortion. They say teens who text nude cellphone photos of themselves or show off their bodies on the
Internet are being contacted by pornographers who threaten to expose their
behaviour to friends and family unless they pose for more explicit porn,
creating a vicious cycle of exploitation. One federal affidavit includes a
special term for the crime: “sextortion.” [Source]

Other Jurisdictions

AU – Companies Cry Foul Over Reforms to Privacy Laws

Some of Australia’s largest companies fear a big increase in compliance costs from proposed reforms to the country’s privacy laws. Companies including Coles Supermarkets, National Australia Bank, Telstra
and Westpac say the proposals must be softened to ease the cost burden. A
Senate committee is examining draft laws that would introduce a new set of
privacy principles after the Australian Law Reform Commission in 2008 made 295
recommendations for change. If the proposals pass into law, companies would
have to consider whether they can continue to transfer personal information
overseas as the proposals could see them held liable for privacy breaches
offshore, and may also have to overhaul their direct marketing practices. The
proposals would also require companies to be able to identify the source of
personal information if a customer later asks, which worries Coles Supermarkets
as it collects such material from the internet, loyalty programs, competitions
and emails. And while these all have privacy notices attached, Coles would not
be able to work out where the information came from at a later point without
making “prohibitively expensive” changes to its computer systems. [Source]

NZ – Anti-Fraud Data Sharing Laws Introduced

The Department of Internal Affairs has developed an electronic data validation service to combat identity fraud. Internal Affairs Minister Nathan Guy said it would be extended to banks and other institutions
on a ‘‘strictly need to know basis.’’ Private sector agencies will be able to
enter customer information into a website which will confirm if it is
consistent with other personal details held by the Government. It includes
details on citizenship, passports and information from births, deaths and
marriages registers. Opening up the service would allow financial institutions
to comply with laws on the financing of terrorism and money laundering, Mr Guy
said. “This service will help ensure compliance with the Anti-Money Laundering
and Countering Financing of Terrorism Act 2009, which requires banks and other
financial institutions to undertake more comprehensive ‘know your customer’
checks.’’ In April Mr Guy said the Government was mindful of privacy concerns
and the records would not include sensitive information such as income, travel
details or criminal records. The service will be monitored by Privacy
Commissioner Marie Shroff. “Any agency using this tool must have the consent of
customers – it is up to individuals whether or not to give permission. The tool
only confirms whether the information provided by customers is accurate and
does not give out any additional information about the person. The Data
Validation Service will be available only to organisations which meet strict
security, privacy and integrity criteria. The Government has also agreed that
the Privacy Commissioner will monitor this service.” [Source]

NZ – Privacy Concerns Not Warranted

An email doing the rounds warning that personal information could be handed out to anyone who has someone’s licence plate number, is “misleading”, according to the New Zealand Transport Agency (NZTA).
The email states “As of 1 November 2010, a new law comes into effect which
allows third parties access to your name and address details via your vehicle
registration plates.” The email tells recipients to opt-out of the scheme
online on the NZTA website. But the NZTA’s media manager Andy Knackstedt said
the email creates a false impression, and that the situation is the opposite. “People’s
details have in fact been publicly accessible from the Motor Vehicle Register
for decades. When the new legislation comes into force it will significantly
restrict access to this information,” Knackstedt said. He said under the new
law, the release of personal information will only be permitted for the
following purposes: Enforcement of the law, maintenance of the security of New
Zealand, collection of charges imposed or authorised by an enactment; and the
administration and development of transport law and policy. Anyone seeking
names and addresses held on the Motor Vehicle Register outside of these
purposes after the new law comes into force will have to make an Official
Information Act request to the NZTA. But anybody can seek a special “authorisation”
from the Secretary for Transport to obtain information from the register,
unless that person has ‘opted out’ of the scheme on the NZTA website. [Source]

Privacy (US)

US – Google Privacy Lawsuits Consolidated

Eight class action lawsuits filed against Google over its Street View wireless data collection have been consolidated and transferred to a California judge. Five additional cases may join the already consolidated
case. The suits allege that Google violated federal and state privacy laws when
it collected snippets of wireless data from unencrypted wireless networks while
gathering data for Street View. [Wired]
[Consolidation
Decision
] See also: [NYC woman to
Google: Who’s posting trash about me? She asks court to get users unmasked
]

US – No Criminal Charges in Pennsylvania High School Web Cam Case

There will be no criminal charges in the case involving the Lower Merion (Pennsylvania) School District’s use of remotely activated webcams on laptops issued to high school students. Instead, the issue
will be resolved in civil court. The issue was brought to light earlier this
year when the family of a student filed a lawsuit alleging the technology had
been used to take pictures of the student in his home. A second lawsuit with
similar allegations was filed last month. The technology was supposed to be
used to locate missing computers, but was activated and remained on, taking
pictures and screenshots for weeks, or in some cases, months. A new policy
adopted by the school board prohibits school employees from accessing the
laptops remotely without written permission from the family. [Philly]
[MSNBC]
[Wired]

US– Man Who Recorded Conversation on iPhone Did Not Violate Wiretap Act

A federal appeals court in New York has ruled that David Weintraub did not violate the federal Wiretap Act when he used an application on his iPhone to record a family discussion about his dying mother’s
wishes regarding her estate. The conversation involved Weintraub, his mother,
Elizabeth Caro, his stepfather, Marshall Caro, and other family members.
Elizabeth Caro died. The stepfather sued for violation of the Wiretap Act, but
the judge in that case dismissed the stepfather’s claim and agreed that
Weintraub was party to the conversation and that the conversation was not
private. For Weintraub to be guilty of violating the Wiretap Act, he must have
had criminal intent when he began recording the conversation; the court ruled
he did not. The stepfather appealed, but the lower court’s ruling was upheld. [Courthouse News]
[Wired]

US – Lottery Winner Sues Texas for Privacy

A Texas lottery winner sued the state to keep his identity private, for the privacy and safety of his family. After the Lottery Commission claimed that it had received a freedom of information request about
the winner, Attorney General Greg Abbott ruled that information about John Doe
should be released without redactions. State lotteries customarily use
information about winners, including photos, to advertise the gambling games. [Source]

Privacy Enhancing Technologies (PETs)

US– Boyd: Privacy Is Not Dead

In the MIT Technology Review, researcher danah boyd says that the way privacy is encoded into software doesn’t match the way we handle it in real life and that, as social media mature, “we must rethink how
we encode privacy into our systems.” As social media become more embedded in
everyday society, Boyd says, “the mismatch between the rule-based privacy that
software offers and the subtler, intuitive ways that humans understand the
concept will increasingly cause cultural collisions” and users will have to
work harder to gain privacy. “Instead of forcing users to do that,” Boyd asks, “why
not make our social software support the way we naturally handle privacy?” [Source]

CA – Concept of Privacy in Danger: Information Commissioner

The world has less than a decade to make the protection of personal information and online privacy a priority before
the two
concepts are lost forever, according to Ontario’s Information and
Privacy
Commissioner. Speaking at a conference held at the University of Ottawa,
Ann Cavoukian said that information is already flowing freely and
technology is
advancing at a pace at which legislation pertaining to privacy rights
can no
longer keep up. Cavoukian argued now is the time for governments to
radically
change the way they police the sharing of personal information.
Government’s
around the world must adopt a “privacy first” mantra and encourage
businesses
to make personal information private, she said. “Reactive models won’t
work in
the future,” said Cavoukian. “Unless we adopt Privacy by Design now, in
10
years time we will not have any privacy.” [Source]

CA – Sensors and In-Home Collection of Health Data: A Privacy by Design Approach

In-home health care monitoring devices are gaining in prominence. Technological improvements in networking, wireless communications, and the miniaturization of electronics have resulted in a suite of emerging
technologies that rely on the collection of information from within the home,
from an individual’s body, or both. This new technology brings with it
significant potential benefits for both society as a whole and individual
citizens, such as reducing strain on health care systems through a more
preventative (rather than reactive) approach to potential health care problems,
which generally improves an individual’s clinical outcomes and/or independence.
In order to create these benefits, however, significant and continuous data
collection about the individual is required. Until now, these data have not
been accessible, as technologies were not sufficiently advanced to collect
necessary information accurately, reliably, and securely. It is important to
recognise that these data tend to be of a highly sensitive nature, as they are
collected either directly about the individual or about actions taken within
his or her home (traditionally the most privacy protected location in one’s
daily life). As such, people’s privacy must be at the forefront of these new
technologies and be strongly protected. In this white paper, we describe a
general technology that is commonly used to collect data for in-home health
care monitoring systems – sensors and sensor networks. We then identify the
points of interest within such a system with regard to privacy, and describe
some of the considerations that might be made when determining appropriate
privacy protections. To demonstrate this approach, we will describe examples of
devices being developed by the Univeristy of Toronto’s Intelligent Assistive
Technology and Systems Lab (IATSL). [Full
White Paper
]

WW – S.N.A.P. App Locks Down Facebook Privacy

S.N.A.P. is an iPhone and iPod Touch app that does what desktop Facebook privacy scanners do, only using your phone. The app scans your Facebook Profile and checks your privacy and security settings to see what
you make public and what information you keep private. Once the scan is
complete, the app gives you a grade, and walks you through the process of
locking down your account. S.N.A.P. is designed for use by anyone, and features
easy-to-understand descriptions and icons that will work well even for people
who aren’t terribly concerned about privacy in theory, but want to make sure
they don’t get themselves in trouble by sharing something they shouldn’t with
the world. The app is free in the iTunes Music Store. The app also allows you
to keyword search your entire Facebook account for terms like “beer” and “party,”
and if the app finds the term, you can see where the term was found in your
account, so you can see if it’s a private status update for example, or a
public tagged photo you’ll want to edit. [PC
Mag
]

RFID

EU – Germany to Roll Out ID Cards With Embedded RFID

The production of the RFID chips, an integral element of the new generation of German identity cards, has started after the
government gave a 10 year contract to the chipmaker NXP in the
Netherlands. Citizens will receive the mandatory new ID cards from the
first of November.
The new ID card will contain all personal data on the security chip that
can be
accessed over a wireless connection. The new card allows German
authorities to
identify people with speed and accuracy, the government said. These
authorities
include the police, customs and tax authorities and of course the local
registration and passport granting authorities. The new electronic ID
card,
which will gradually replace the old mandatory German ID cards, is one
of the
largest scale roll-outs of RFID cards with extended official and
identification
functionality. The card will also have extended functionality, including
the
ability to enable citizens to identify themselves in the internet by
using the
ID card with a reading device at home. After registering an online
account
bonded to the ID card, are able to do secure online shopping,
downloading music
and most importantly interact with government authorities online, for
example.
There are some concerns that the use of RFID chips will pose a security
or
privacy risk, however. Early versions of the electronic passports, using
RFID
chips with a protocol called “basic access control” (BAC), where
successfully
hacked by university researchers and security experts. The German ID
card is
using the BAC protocol as well, but only for the basic data which is
printed on
the front of the card, the picture and the name. Other fields are
protected by
a stronger proprietary protocol. [Source]

WW – Researcher: RFID Tags Can Spy on Consumers

The electronic tracking tags some retailers are putting in their products could threaten consumers’ privacy, says a researcher from Purdue University. One major retailer is planning on attaching the tags to
some of its products starting this month, raising concerns among some privacy
advocates that the discarded RFID tags could be tracked and even reveal what
products are in a consumer’s home. Information security expert Eugene Spafford
says companies can use the tags to track what consumers have purchased without
alerting them that they’re being spied on, and relatively inexpensive devices
can read tags from hundreds of feet away. [The
Chicago Tribune
]

US – Connecticut Schools Consider RFID Program

One Connecticut community is considering RFID monitoring in an effort to “keep students safe and save the district
money.” New Canaan, CT, is considering embedding RFID into student ID
cards to monitor student
locations, the report states. According to New Canaan Board of Education
Chair
Nick Williams, the primary use of RFID would be student safety as the
school
has an open campus. Privacy of RFID is a major concern, said Assistant
Superintendent of Schools Steven Swerdlick, noting, “We will have to be
thoroughly satisfied there is no negative impact on privacy and safety.”
Participation
in the program would be voluntary, the report states. [New
Canaan Patch
]

Security

US – DARPA Seeks Proposals for Detecting Insider Threats

The Defense Advanced Research Projects Agency (DARPA) is seeking proposals for technologies to help detect insider threats quickly. Dubbed the CINDER program, the effort aims to “greatly increase the accuracy,
rate and speed of detection [of insider threats … and to] impede the ability
of adversaries to operate undetected within government and military interest
networks.” Abstract proposals are due by September 17; final versions of the
proposals are due by October 22, 2010. DARPA has not drawn a connection between
the project and the leak of thousands of military documents through Wikileaks,
but the project has been described as being able to “detect a Defense employee
or service member who conducts a network search or probes file index systems,
and then copies information to their computer.” [InfoSecurity]
[NextGov]

US – GAO Report Finds Poor Public-Private Cyber Threat Information Sharing

According to a report from the Government Accountability Office (GAO), expectations for information sharing between the government and industry have fallen short of expectations. Private entities
said the government is not providing them with “usable, timely and actionable
cyber threat information and alerts,” and that when they do get information, it
is often too vague to be useful. Part of the problem can be attributed to
restrictions on what information the government is permitted to share with the
private sector. The public/private information sharing is necessary because the
majority of the country’s critical infrastructure is privately held. The
information sharing audit was conducted between June 2009 and July 2010. [FCW]
[NextGov]
[GAO Report]

Surveillance

UK– Dog Squad: Police Train CCTV Cameras on Pet Owners

Police have ordered a CCTV blitz on dog walkers who let their animals foul the streets, it emerged last night. Camera operators have been instructed to watch for anyone walking their pet in case they do not
clean up after them. Those caught failing to do so will be tracked down and hit
with an on-the-spot fine. Civil liberties groups and residents attacked the
action by Surrey Police, calling it intrusive and a waste of time and money.
They said officers should be focused on cutting crimes such as burglary instead
of snooping on dog walkers. However other forces, including the Metropolitan
Police, last night said they could follow Surrey’s lead. [Source] See also: [Vancouver bar’s urinal TVs raise concern]

UK– Woman Who Tossed Cat in Garbage Bin Has Police Protection

A U.K. woman filmed throwing a cat into a garbage bin now has police officers stationed outside her house. Not to protect her from angry animal lovers baying for her blood on Facebook. “There are a number of
officers outside her house. But that’s just to manage all the media who are
standing there,” a Police spokesperson said. [Source]

US Government Programs

US – Legislators Seek Answers from US Marshalls About Stored Body Scan Images

US legislators want to know why US Marshalls Service stored images of body scans taken
at a Florida courthouse. Senators Joe Lieberman (I-Conn.) and Susan
Collins (R-Maine) sent a
letter to the agency expressing their concern that citizens’ privacy may
have
been violated. The letter was also signed by Senators Daniel Akaka
(D-Hawaii),
Thomas Carper (D-Delaware), Saxby Chambliss (R-Georgia) and Johnny
Isakson
(R-Georgia). The images stored were not accessed until the agency
received a Freedom
of Information Act
(FOIA) request from the Electronic Privacy Information
Center (EPIC). The Marshalls service says the images are not available without
an administrative password. Despite the Marshall Service assurance that details
were fuzzy enough so that people could not be identified, even by gender, the
legislators want to know why the images were saved, if there are any other
locations where full body imaging technology is being used, whether images from
those locations are being stored, and if so, why. [NextGov]
[Senate]
See [Feds
Admit that Body Scanner Machines Store Photos
] [EPIC v. DOJ, EPIC’s
Complaint
] [EPIC v.
DHS (FOIA)
] [EPIC
v. DHS (Suspension of Body Scanner Program)
]

US – ‘Enhanced Patdown’ Tested at 2 Airports

Federal security screeners at two airports are using an “enhanced patdown” on passengers who decline to go through full-body
scanning machines, a technique that is renewing the debate over how to
balance
privacy and security. The Transportation Security Administration says
the
technique — a palms-forward, slide-down search — is being tested at
Logan International Airport in Boston and at McCarran International
Airport in Las Vegas before a national rollout. It replaces the old
back-of-the-hand patdown. The
American Civil Liberties Union of Massachusetts is questioning whether
the new
technique is effective enough to justify what it calls a “seemingly
constant
erosion of privacy.” [Source]

US Legislation

US – California Legislators Send Improved Breach Notification Bill to Governor Again

California legislators have passed a bill that would specify what information companies must include in data breach notification letters. The measure now goes before Governor Schwarzenegger, who vetoed a similar measure last year. If
passed, the legislation would require breach notification letters to include
the type of information compromised, the date of the incident, a description of
the incident and phone numbers of credit reporting agencies. In addition, the
companies would have to explain what steps they are now taking to protect
affected customers and provide suggestions about what customers can do to
protect themselves. If the breach affects 500 or more people, the companies
would be required to send an electronic copy of the notification letter to the
state’s Attorney General. The measure would put California breach notification
laws in line with the Health Information Technology for Economic and Clinical
Health (HITECH) Act’s notification requirements. [Dark
Reading
] [SC
Magazine
]

US – California Bill Would Protect Privacy of FasTrak Users

Drivers who use FasTrak or other automatic systems to pay tolls would enjoy more privacy under a bill passed Monday by the California Assembly. The bill, SB1268, would prohibit transportation agencies from selling
or sharing personal data and set penalties for those that violate the rules.
The bill also would require agencies to destroy data that could be linked to
specific drivers. Democratic Senator Joe Simitian of Palo Alto says there’s no
reason for government agencies to track the movements of Californians or store
that information in a database. The bill now returns to the Senate for final
action. [Associated
Press
]

US – Law Would Challenge Stop and Frisk Database

Two New York state lawmakers are introducing a bill that would bar the police from keeping the personal information of people who are stopped, questioned and frisked but not arrested. Assemblyman Hakeem
Jeffries and Sen. Eric Adams said they will introduce legislation that targets
the New York Police Department’s database of hundreds of thousands of people
who have been stopped by officers over the last several years. The New York
Civil Liberties Union filed a lawsuit last week asking that names and addresses
of people in the database be sealed. [The
Chronicle
]

Workplace Privacy

EU – Law Would Ban Employers from Social Networking Site Research

Germany is drafting a law that would prevent employers from looking at job applicants’ social networking activities during the hiring process. The law, drafted by Interior Minister Thomas de Maiziére and expected to pass after the
German cabinet vote, would radically restrict the information bosses can
legally collect, though general information about the candidate available on
the Internet would not be forbidden. The law would also restrict certain video
surveillance in the workplace E-mail and telephone communication surveillance
would be permitted only under certain conditions. Meanwhile, privacy advocates
are voicing concern over the country’s plan to require citizens to carry
RFID-equipped identification cards. [Der
Speigel
]

CA – Corrections to Pay Victims Of Breach Of Privacy

More than 360 people who worked at a federal prison in Kingston will get at least $1,000 each after a precedent-setting, six-year legal fight over a breach of their privacy. Correctional Service Canada has
agreed to the payments to 366 people whose names appeared on a staff list at
Joyceville Institution. The list, which included home addresses, home phone
numbers, and the names of spouses, fell into the hands of convicts at the
prison in 2003. This week, a Superior Court judge in Kingston endorsed the deal
that puts an end to the class-action lawsuit launched in 2004 by staff. It
originally sought $15 million in damages in a novel area where there have been
only a handful of cases in Canada. In addition to the tax-free $1,000 payments,
staff and their spouses who can establish they suffered serious psychological
harm can seek bigger payments. Corrections also has to pay the legal bills of
the plaintiffs, which will total more than $140,000, but it does not admit
liability. “It is titled a compromise payment,” Edwards said. “They were very
careful to negotiate it on that basis; there is no admission that there was a
breach of privacy or that damages were warranted.” [Source]

Exit mobile version