Privacy News Highlights – Feb 13 – 28

Privacy News Highlights

13–28 February 2010

Contents:

EU – Legality of Fingerprint Database to be Tested in Netherlands Court 3

CA – Alberta Retailer Ordered to Stop Credit Checks. 3

CA – Privacy Commissioner Cites Sobeys for Collecting Personal Info. 3

CA – Saskatchewan Privacy Boss Decries Denial of New Staff 4

CA – Commissioners Call for Appeals of Newfoundland and Labrador Ruling. 4

CA – Alberta Court of Appeal Decision Expected to Have Significant Privacy Implications. 4

CA – Privacy Commissioner of Canada: Cloud Computing Conversation to Commence. 4

CA – Privacy Commissioner of Canada Announces Consumer Privacy Consultations. 4

US – Yahoo! Deal With Nectar Will Link Online Ads With Offline Purchases. 5

US – Microsoft Unveils Dedicated Cloud for Government 5

UK – Britons are Fearing for Their Rights. 5

US – CNN Poll: Majority Says Government a Threat to Citizens’ Rights. 6

CA – BC’s Massive Interconnected Database: Bureaucrats Will Know All About You. 6

US – White House says Data Mining to Focus Only on Government Files. 6

CA – B.C. A-G to Watch Planned $222-Million Electronic Health-Records System.. 7

EU – EU Ministers Want New U.S. Bank Data-Sharing Deal 7

EU – Facebook Comes Under German Law.. 7

UK – Random Stop and Search Plumets After Political Outcry. 7

UK – ICO to Study Extent Of Day-To-Day Surveillance Brit’s Face. 8

EU – Largest Ever Finnish Data Breach Exposes Thousands of Payment Cards. 8

EU – Data Leaked From Latvian State Revenue Service Database. 8

US – NYC Bar Urges Redaction. 8

UK – No Privacy Laws, but the Media Must Behave, Say MPs. 9

WW – Anonymized Genetic Research Data Still Carries Privacy Risks: Study. 9

US – Suit Possible Over Baby DNA Sent to Military Lab for National Database. 9

US – HHS Posts List of Reported Health Data Breaches. 10

US – University Data Compromised. 10

AU – Every Australian Child to be Numbered & Tracked Through School Life. 10

EU – Commissioner: ACTA Will Not Ignore Data Protection. 10

US – Judge Puts Off Ruling on Google’s Proposed Digital Book Settlement 10

EU – Italian Google Verdict Casts Shadow on Freedom of Speech. 11

CA – RCMP Should Wear Body-Mounted Video Cameras, Grit Senators Argue. 11

US – EPIC Urges Congress to Adopt Privacy Safeguards for Locational Data. 11

US – Congress Reviews Concerns over Location-Based Mobile Data. 11

HK – Newborns’ ID Tags to be Alarmed. 12

WW – PleaseRobMe Website Reveals Dangers of Social Networks. 12

WW – Firefox Private Browsing Mode Is Broken. 12

US – Facebook Hit With Class Action Over Privacy Changes. 12

BG – Parliament Approves Amended Act 13

TH – Thai Data Law Draft Raises Fears Over User Privacy. 13

US – EPIC Files Complaint with FTC Seeking Privacy-Related Changes to Google Buzz. 13

US – Privacy Seal Provider Settles FTC Charges. 13

US – States Eye Ban on Public Release of 911 Calls. 13

US – Govt Can be Sued for Emotional Distress over Medical Records Incident: Court 14

US – NIST Issues Report on Smart Grid Security and Privacy. 14

WW – Skymeter Protects All Your Driving Secrets. 14

WW – USB Fingerprints Identify ‘Pod Slurping’ Data Thieves. 14

US – FTC Tells Organizations They’re Leaking Data Through P2P Networks. 15

US – Military to Allow Limited Use of USB Drives. 15

US – Senate Committee Hears of Nation’s Unpreparedness for Cyber Warfare. 15

WW – Symantec’s 2010 State of Enterprise Security Study. 15

CA – Body Scanners Operating at Winnipeg Airport 15

WW – New Virus Has Breached 75,000 Computers: Study. 16

US – Cell Phone Tracking at Issue. 16

EU – Google Warned By EU Over Street View Map Photos. 16

US – FBI Investigating School District’s Remote Webcam Use. 16

US – AT&T Lauded for Protecting Privacy by Ponemon Study?. 17

EU – Deutsche Telekom Hit by Fresh Data Protection Allegations. 17

US – Our Cellphones Prove We’re Creatures of Habit 17

US – DHHS Addressing HITECH Privacy Requirements. 18

US – Senate Extends Expiring Surveillance Provisions of USA Patriot Act for 1 Year 18

US – Bill Would Make Public Employees’ Birth Dates Confidential 18

US – P2P Privacy Target of New Legislation. 18

US – Court: Feds Can Search, Seize P2P Files Without Warrant 18

US – USSC Sets Date for Employee Privacy Case Review.. 19

Biometrics

EU – Legality of Fingerprint Database to be Tested in Netherlands Court

Utrecht law student Aaron Boudewijn was the first to refuse to give up his fingerprints for the new biometric passport introduced in the Netherlands last September. He is now appealing a government decision to deny him a new passport. Boudewijn tried to acquire a fingerprint-free passport in September last year, apparently just after September 21, the last day these passports could be requested. However, the lengthy appeals process for municipal decisions – passports are issued by city authorities – meant the student could only take the matter to court this week. Boudewijn is not opposed his prints being included in the passport, a requirement under European regulations. He is challenging the Netherlands’ decision to store all fingerprints in a separate database. The student is supported by privacy watchdog Vrijbit, which had already filed a complaint against the Dutch state with the European Court of Human Rights in Strasbourg last year. The organisation argues that citizens who regret submitting fingerprints will be unable to have them stricken from the record. An earlier attempt to stop the Dutch state from setting up the database was rejected by the court. Vrijbit, along with a similar foundation named Privacy First, has set up an online petition protesting the passport law. So far 6,400 people have signed this petition. Boudewijn has yet to file his appeal, but he plans to cite the same case law Vrijbit used when it sued the Dutch government in the European Court: S. and Marper v. United Kingdom. [NRC International] Also see: [Fingerprints in passports can’t be used by the police – yet]

Canada

CA – Alberta Retailer Ordered to Stop Credit Checks

Alberta’s privacy commissioner has ordered Mark’s Work Wearhouse stop conducting pre-employment credit checks on job candidates. The Office of the Information and Privacy Commissioner investigated the retailer after a job applicant filed a complaint and it found the retailer contravened the province’s Personal Information Protection Act by running pre-employment credit checks. The complainant applied for a job with Mark’s Work Wearhouse as a sales associate and agreed to a credit check during the interview. He didn’t get the job after the credit check revealed a credit issue, which he said was an error that he didn’t have the resources to resolve. The retailer told the investigator it conducted a pre-employment credit check because the information provides an assessment of how job applicants will handle financial responsibilities and whether job applicants have a probable risk of in-store theft or fraud. But the commissioner found the personal credit information collected by retailer was not reasonably required to assess the complainant’s ability to perform the duties of a sales associate or to assess whether he might have a tendency towards committing in-store theft. Mark’s Work Wearhouse agreed to cease the collection of personal credit information of sales associate applicants as part of its hiring process. [Source] See also: [BC Privacy commissioner will probe bank’s handling of documents] and [Privacy in the workplace – Australian Industrial Relations Commission decision]

CA – Privacy Commissioner Cites Sobeys for Collecting Personal Info

Canada’s privacy commissioner is taking the national grocery chain Sobeys to court over its practice of collecting information about the age of customers who purchase tobacco products. Commissioner Jennifer Stoddart says Sobeys doesn’t need to store in its cash registers the date of birth of customers who buy tobacco and who are clearly age 25. In an application filed this week, Stoddart’s office asked the Federal Court of Canada to order Sobeys to develop alternative procedures that don’t require collecting birth dates. Sobeys has yet to file a response. The action comes after Stoddart’s office investigated a complaint against Sobeys and found the chain was breaching the Personal Information Protection and Electronic Documents Act (PIPEDA). The company told investigators that sales clerks in Ontario stores must enter the birth dates of all customers into the cash registers when tobacco is sold. Although names are not recorded, the birth dates become linked with their purchase history, according to Stoddart’s application. [Source] See also:

CA – Saskatchewan Privacy Boss Decries Denial of New Staff

Saskatchewan privacy commissioner Gary Dickson says a government decision to not hire new staff for his office will ultimately diminish accountability in the province. Dickson is speaking out over the government’s refusal to hire an extra investigator for his office for the third year in a row. Despite a rise in demand from the public for the office’s services — and a corresponding hike in wait times — he’ll now be forced to make cutbacks. Dickson, a former Alberta MLA, said since the government’s privacy commissioner’s office was turned into a full-time venture in late 2003, the number of requests from the public for assistance have skyrocketed:

· Reviews and complaints are up 113% over 2008 levels.

· Opinions to public agencies and health trustees are up 26% in the same period.

· General inquiries from the public, public agencies and health trustees are up 14% since 2008.

Dickson said the ideal wait time for his office to handle a case is five months. In some other Canadian provinces, legislation limits wait times to 90 days, he said. In a statement issued Monday, Dickson said the office is staffed by three investigators carrying an open caseload of 376 reviews and investigations. [Read more] [Source]

CA – Commissioners Call for Appeals of Newfoundland and Labrador Ruling

Information Commissioner Suzanne Legault, like her Newfoundland and Labrador counterpart, is raising concerns about two recent court decisions that limit the provincial commissioner’s powers. “We are definitely following this closely and we’re certainly hoping that these decisions will be appealed,” Legault said in a recent interview. The Newfoundland and Labrador Supreme Court ruled that the information commissioner’s office may not examine any information the government deems to be legal advice. Newfoundland and Labrador Information Commissioner Ed Ring said he plans to meet with key staff and legal advisors on the matter and “will consider all options for redress/solutions available and proceed from there.” [The Telegram]

CA – Alberta Court of Appeal Decision Expected to Have Significant Privacy Implications

Information and Privacy Commissioner Frank Work has said that “likely hundreds of Albertans will lose the privacy remedies they thought they received in response to their complaints” as a result of a recent Alberta Court of Appeal’s decision that found the IPC cannot extend investigation time limits imposed by the Personal Information Protection Act (PIPA). An analysis featured this week in ABlawg: The University of Calgary Faculty of Law Blog on Developments in Alberta Law offers a similar interpretation. “It seems patently unfair that complainants will not have their complaints adjudicated for reasons over which they have no control,” the analysis states. Work is considering appealing the decision to the Supreme Court of Canada and has stated he will be asking the Alberta Legislature to amend PIPA to address the situation. [Source]

CA – Privacy Commissioner of Canada: Cloud Computing Conversation to Commence

Despite its increasing popularity, cloud computing continues to raise data privacy concerns, reports CityNews. Earlier this month, the Office of the Privacy Commissioner (OPC) announced that it will hold public consultations on cloud computing and its impact on personal information. Colin McKay, the director of research at the OPC, says that although there are many benefits to moving to the cloud, there are also many questions that need to be answered. “The conversation has been growing louder and louder from a number of viewpoints when we’re talking about cloud computing,” McKay said. [Source]

CA – Privacy Commissioner of Canada Announces Consumer Privacy Consultations

Provides dates and preliminary programs for Online Tracking, Profiling and Targeting events in Toronto (April 29, 2010) and Montreal (May 19, 2010), and Privacy Implications of Cloud Computing event in Calgary (June 21, 2010). [Source]

Consumer

US – Yahoo! Deal With Nectar Will Link Online Ads With Offline Purchases

Shoppers will have internet adverts displayed to them based on their offline shopping habits in a new scheme being developed by internet publisher Yahoo! and customer loyalty scheme Nectar. The two companies will link their databases in a bid to better target consumers with relevant adverts and to improve the tracking of ads’ effectiveness in persuading consumers to buy goods. The system will help advertisers to target people according to their shopping habits offline as well as online and will help to determine when they have bought advertised goods in shops as well as online retail sites. The system is an opt-in one, meaning that consumers have to actively choose to allow their data to be used in this way. Nectar is offering some of its points as an incentive for consumers to participate and 20,000 have already signed up, according to press reports. Nectar and Yahoo! did not respond to requests for comment on the scheme. [Source]

E-Government

US – Microsoft Unveils Dedicated Cloud for Government

Government cloud computing continues to move away from the theoretical and toward the practical as Microsoft announced the launch of a dedicated government cloud based on the company’s Business Productivity Online Suite (BPOS). The announcement was made at the company’s annual U.S. Public Sector CIO Summit. The cloud offering, known as BPOS Federal, was designed to meet stringent security standards. BPOS Federal, she said, is expected to attain Federal Information Security Management Act (FISMA) certification. In a speech last week, corporate vice president Ron Markezich said FISMA certification is expected in six months. Thomas-Flynn also said the suite will be compliant with International Traffic in Arms Regulations (ITARS), meaning physical access to systems will be controlled by biometrics and limited to U.S. citizens who have undergone an extensive background investigation. [Source] See also: [Will Facebook Replace Traditional Government Web Sites? ]

UK – Britons are Fearing for Their Rights

A new ICM poll shows that the British are much more concerned about the state holding information on them than they were four years ago, when the last state of the nation poll was commissioned by the Joseph Rowntree Reform Trust. And concern expressed by a very large majority of British about rights is far sharper than in polls of the last few years. The most fascinating results came when people were asked what rights should be included in a bill of rights. In the week where a defendant escaped from the first criminal trial without a jury and an official report condemned the incarceration of the children of asylum seekers who have done nothing wrong, 88% of people said the fair trial before a jury was the most important right, which was one percentage point ahead of the right to be treated on the NHS within reasonable time. As surprising are the next five rights people favour in descending order: the right to know what information government departments hold on you – 81%; the right to privacy in your phone, mail and email communications – 79%; the right to join a legal strike without losing your job – 76%; the right to obtain information from government bodies about their activities – 75%; and the right to free and peaceful assembly – 72%. You couldn’t get a clearer, more encouraging picture of a nation that is still fundamentally committed to a free society. Released by Power 2010, which is currently asking the public to choose its top five priorities for political reform, the poll revealed that 80% agreed with the need for a bill of rights, 52% strongly. The last state of the nation poll revealed that only 33% of people opposed ID cards. Now 53% declare them to be a bad, or very bad, idea, while 63% – up from 53% – worry about the government holding information on them. It’s important for the Home Office and senior figures in all parties to understand the British public is rejecting the idea of massive centralised power over which they have no control. Some 56% thought government power was too centralised, with 88% saying that local communities should have more say over decisions that affect them. [Source] [State of the Nation Poll 2010 – Full results of a poll carried out 20th January-7th February 2010] [UK: Gov’t Admits Nationalo ContactPoint “Kids” Database Not Stable and Filled with Errors]

US – CNN Poll: Majority Says Government a Threat to Citizens’ Rights

A majority of Americans think the federal government poses a threat to rights of Americans, according to a new national poll. 56% of people questioned in a CNN/Opinion Research Corporation survey released Friday say they think the federal government’s become so large and powerful that it poses an immediate threat to the rights and freedoms of ordinary citizens. 44% of those polled disagree. The survey indicates a partisan divide on the question: only 37% of Democrats, 63% of Independents and nearly 7 in 10 Republicans say the federal government poses a threat to the rights of Americans. According to CNN poll numbers released last week, Americans overwhelmingly think that the U.S. government is broken – though the public overwhelmingly holds out hope that what’s broken can be fixed. [Source] Also see: [Feb 21, 2010 – CNN Poll: Majority think government is broken]

CA – BC’s Massive Interconnected Database: Bureaucrats Will Know All About You

The provincial government has announced plans for a computer system that will give its employees unprecedented access to citizens’ personal information. The system will combine everything the government knows about citizens from a wide range of interactions. Called file-linking, the project will bring together data from income assistance, employment services, child welfare, family development, child mental health and youth justice. More than 50 databases will be linked. In later phases, personal files held by the ministries of health, education and the attorney general will be added. The project is expected to cost $180 million, and take six years to complete. Not surprisingly, privacy experts are alarmed. Some of the information to be centralized, like names and addresses and family income or health status, is confidential. However, the new computer system will make your tax files potentially accessible to staff in all the areas listed above. The government’s response is that employees will only be allowed entry to that portion of the database they need for their job. But the stated objective of the project is to give government workers a “holistic view of each citizen.” Doesn’t that imply widening their access to files? The dangers are obvious. At a minimum, combining huge caches of personal information in one location invites theft. But there is a far more serious objection to this project. Whose interest is the government serving, when it sets out to develop a “holistic view of each citizen?” It cannot be ours. If it were, we would be offered the choice of opting out. But a government representative said that choice will not be given. Our files will be placed in the system, whether we like it or not. The digital persona thus created will be the government’s picture of us, not our own. It might be one-sided or distorted. It may contain omissions or falsehoods. It will rest on the judgment of officials we might never meet or whom we encounter in prejudicial or anguished moments. But it will carry immense weight, because of its apparently comprehensive nature. The B.C. Freedom of Information and Privacy Association has written to the premier, asking him to halt the project and hold public discussions. [Victoria Times Colonist]

US – White House says Data Mining to Focus Only on Government Files

White House officials said a January memo aimed at encouraging information sharing and issued in response to the Christmas Day attempted bombing of a commercial jet, should not be perceived as a revival of the controversial data-sifting program that the Bush administration launched after the 9/11 terrorist attacks. The comment came in response to a public interchange last week among three security and information technology specialists who said President Obama’s plan for “knowledge discovery,” a term included in the memo, resembles the Total Information Awareness program, which the Defense Advanced Research Projects Agency initiated unsuccessfully in 2002. Privacy advocates said language in the memo is disconcerting, given that government data does not exclude private information collected legally under what they believe are the nation’s loose privacy laws. Other civil liberties groups said Obama’s memo should have specified what kind of information would be analyzed during knowledge discovery. After hearing the Obama administration’s response to concerns about another TIA, ACLU’s Jay Stanley said, “I’m not sure that I am reassured — just because the national security establishment is a large and sprawling thing and we do know there is a large context of interest in data mining and weak privacy laws.” [Nextgov] see also: [Obama order resembles controversial Bush-era data-mining tool]

Electronic Records

CA – B.C. A-G to Watch Planned $222-Million Electronic Health-Records System

B.C.’s auditor general says he wants progress reports from the provincial government every six months on a planned $222-million electronic health-records system because of significant risks and costs associated with the mammoth project. In an audit released yesterday, John Doyle said the government dropped the ball five years ago when it started planning the electronic system for medical records, and is only now recovering from those mistakes. Because the benefits to British Columbians are unclear, Doyle wants to keep a close eye on how the project is handled. Doyle’s audit is part of a cross-Canada investigation by provincial auditors into eHealth programs. A national report is expected in April. [Source] [Auditor-General Report: Electronic Health Record Implementation in British Columbia]

EU Developments

EU – EU Ministers Want New U.S. Bank Data-Sharing Deal

EU interior ministers have announced they support negotiating a new agreement with the U.S. on bank data transfers. “We want something for Europe as a whole, an agreement that includes restrictions and allays concerns of the European Parliament,” Spanish Interior Minister Alfredo Rubalcaba said at a press conference held Thursday. MEPs voted against the interim SWIFT agreement with the U.S. by a margin of 378 to 196 on February 11, stating the deal violated data protection law. While the U.S. has indicated it could opt for bilateral deals with specific European nations, the Council of Ministers sees such a move as offering fewer data protection guarantees than an EU agreement, the report states. [EU Observer]

EU – Facebook Comes Under German Law

The internet social network Facebook can now face prosecution in Germany in the case of privacy violations, the country’s data protection commissioner Peter Schaar confirmed. Since Facebook had opened an office in Hamburg on February 11, Schaar said that the company was now subject to Germany’s strict data protection laws, the federal government official told broadcaster Deutschlandradio. Facebook has access to the personal data of its users, but up until now, those living in Germany have had no legal protection from the unwanted use of that information. But Schaar emphasised that the “first responsibility” lay with Facebook users, and advised them to read the terms and conditions of the social network website. [Source] See also: [US: Indicted Cop Challenges Facebook’s Privacy Rights]

UK – Random Stop and Search Plumets After Political Outcry

Section 44 of the Terrorism Act 2000 allows police officers to randomly stop and search pedestrians and vehicles within designated areas. But civil liberties groups complained that it was being used excessively and the Metropolitan Police, which conducts 96% of such searches, was forced to limit the searches to smaller geographical areas. Tourists and photographers have complained that the measures have been used to stop them photographing iconic buildings. New statistics show the use of section 44 powers fell by 53% in the period from July to September 2009 compared to the same period the previous year. In response there have been calls for more profiling of those subjected to stop and search after anecdotal evidence suggested that middle aged white people unlikely to be terrorists were being routinely stopped to balance statistics. The Home Office statistics also show that only 0.5% of the 200,444 searches across the whole country in the year ending September 30 2009 resulted in arrests. The arrest rate was even smaller for searches made under section 43 of the act, where there has to be reasonable suspicion that an act of terrorism may be involved. In the year ending September 2009, the Metropolitan Police used the powers 1,896 times and arrested four people, a rate of just 0.2%. In January the European Court of Human Rights said random stop and search breached the right to privacy. The Home Office is appealing. [Telegraph.co.uk]

Facts & Stats

UK – ICO to Study Extent Of Day-To-Day Surveillance Brit’s Face

Privacy watchdog the Information Commissioner’s Office (ICO) will report to Parliament later this year on the degree to which UK citizens are put under surveillance. The study will be a follow up to a previous ICO report which said that citizens were at risk from growing pressure in Government to share information between departments and even with the private sector, and that companies’ data gathering threatened to create a two-tier consumer society. Parliament’s Home Affairs Select Committee has asked the ICO to make the surveillance report. The Surveillance Studies Network (SSN) will produce the study on which the ICO will base its findings. SSN, which is a charitable company, will produce the factual analysis on the ways and the degree to which ordinary UK citizens are put under surveillance. An ICO statement said that the report would be “an analysis of developments in surveillance and the collection of information about individuals since the report, A Surveillance Society, was produced for the ICO in 2006”. The ICO said that the new report should concentrate on the day-to-day monitoring of everyday activity, rather than the kind of specific, covert surveillance that individuals might experience in exceptional circumstances. “The study should take account of the developments in technology, policy, law and practice but should be focussed on the practical consequences of these developments for individuals and society now and in the immediate future,” said the invitation to tender for the research. “The focus should be more on the surveillance that individuals face as they live their everyday lives rather than the specific covert surveillance activities.” [Hear: Surveillance is ever-present, OUT-LAW Radio] [OUT-Law]

Finance

EU – Largest Ever Finnish Data Breach Exposes Thousands of Payment Cards

Police in Finland are investigating a data security breach that exposed more than 100,000 payment cards. A small number of the compromised cards has been used to conduct fraudulent transactions. The data were stolen from an unnamed Helsinki business; the attackers accessed the organization’s system several times in January 2010. This is the largest reported case of payment card theft in Finland. [Source]

EU – Data Leaked From Latvian State Revenue Service Database

Latvia’s State Revenue Service (VID) has acknowledged that a cyber security breach may have compromised 120 gigabytes of data. The hole in the VID’s electronic tax declaration system appears to have been deliberately created. The compromised data leaked from the VID’s database include millions of documents that contain information about businesses, individuals, and public figures. Police are investigating the incident. [Source] SEE ALSO: [US: Customer Vs. Bank: Who is Liable for Fraud Losses? Comerica/EMI Case Raises Key Questions About Responsibility, Security]

FOI

US – NYC Bar Urges Redaction

The New York City Bar proposes that courts adopt a statewide rule that would limit the amount of sensitive personal information in civil court filings. The bar’s subcommittee on electronic records issued a report last week that says the “reality is that the notion of privacy of court records is a misnomer.” The proposal would hold those filing civil court documents responsible for redacting nine categories of information, including government-issued identification numbers and bank account numbers. The proposal aims to help prevent identity theft and “the unnecessary disclosure of an individual’s sensitive personal information in civil court filings as an abusive litigation tactic.” [Law Technology News]

UK – No Privacy Laws, but the Media Must Behave, Say MPs

Newspapers and broadcasters run the risk of increased damages in privacy actions if they fail to tell people they will be exposing them, MPs say. But the Culture, Media and Sport Committee has come down against making prior notification mandatory. The MPs also rule out legislation on privacy but urge a new fast-track procedure to allow temporary injunctions on stories. The media should also have a new statutory “public interest” defence to protect responsible investigative journalism and would not have to tell the subject of a story in advance if there was a pressing public interest not to do so, the MPs say. The proposals are part of a package of reforms drawn up by the committee under John Whittingdale, who said: “A healthy democracy requires a free press. It is essential that newspapers should be able to report and comment on events, public figures and institutions, to be critical of them and to be a platform for dissenting views. At the same time the press must be seen to uphold certain standards, to be mindful of the rights of those who are written about and, as far as possible, be accurate in what they report.” Rules for reporting

· No legislation on privacy

· Press Complaints Commission to recommend prior notification to the subject of articles,
subject to a “public interest” test

· A new law to clarify Parliamentary privilege and ensure free and fair reporting

· The burden of proof should be reversed in the case of big corporations so that they must prove libel and not the defendant

· Action to curb the use of super-injunctions and research to discover the extent of their use

· A new regulator, a Press Complaints and Standards Commission, with powers to fine and halt publications. [Source]

Genetics

WW – Anonymized Genetic Research Data Still Carries Privacy Risks: Study

Current methods for sharing genetic data for research purposes pose privacy risks to those who have volunteered their DNA. For example, researchers have designed tools making it possible to determine whether or not individuals were present in any given Genome-Wide Association Study (GWAS), as well as exposing whether they belong to a population affected by a particular genetic disorder or if DNA from close family members has been used in the same experiment. With the risk of privacy breaches “likely to increase with the ever-expanding volume of genetic data available,” the report stresses that researchers have an obligation to protect the privacy of volunteers in DNA studies. [Ars Technica] [Study]

US – Suit Possible Over Baby DNA Sent to Military Lab for National Database

An Austin lawyer threatened to pursue a new federal lawsuit Monday after learning that some newborn blood samples in Texas went to the U.S. military for potential use in a database for law enforcement purposes. The Department of State Health Services never mentioned the database to Jim Harrington, director of the Texas Civil Rights Project, who settled a lawsuit in December with the state over the indefinite storage of newborn blood without parental consent, or to the American-Statesman, which first reported on the little-known blood storage practice last spring. Harrington said he thought another suit was likely unless the health department destroys the information obtained from the blood samples or obtains consent. “This is the worst case of bad faith I have dealt with as a lawyer,” he said Monday. [Source] See also: [Redefining privacy in the era of personal genomics] and also: [Can DNA Falsely Convict You? The Chances Are Higher Than You Think] and [Should cops be required to submit samples for Gov’t DNA database? ]

Health / Medical

US – HHS Posts List of Reported Health Data Breaches

The US Department of Health and Human Services (HHS) has posted a list of organizations that have suffered breaches of unsecured protected health information affecting 500 or more individuals. The posting of the list is required under the HITECH Act. HHS breach notification rules require that organizations report such breaches to HHS and the media within 60 days. Breaches affecting fewer than 500 people must be reported annually. The list includes 36 separate breaches and affects more than 1 million individuals; the majority of the breaches involved computer theft, unauthorized access and missing or stolen data storage devices. [Health Data Management] [HHS.gov] See also: [Health Records Held for Fee After Saskatchewan Doctor Quits]

Horror Stories

US – University Data Compromised

A Georgia university is alerting some 170,000 students and staff that their Social Security numbers may have been exposed. Valdosta State University says a hacker accessed a university server. “An initial investigation has found no evidence that any personal data was accessed or transferred,” said Joe Newton, Valdosta director of information technology. He added that the school will continue to work with university police and the Georgia Bureau of Investigation, and will review its procedures and practices to minimize the risk of another breach. A Valdosta server was hacked into in December 2009, as well. [SC Magazine]

Identity Issues

AU – Every Australian Child to be Numbered & Tracked Through School Life

A program in which every school child in Australia would be given an identity number so their academic progress could be tracked through their school life is expected to be announced by the federal government this week. The number, to be known as a ‘‘unique student identifier’’, will be annexed to the My School program, which publishes the performance of individual schools on the internet. The ‘‘unique student identifier’’ is expected to cause controversy and raise privacy concerns. [Source] See also: [UK: Gov’t Admits Nationalo ContactPoint “Kids” Database Not Stable and Filled with Errors]

Intellectual Property

EU – Commissioner: ACTA Will Not Ignore Data Protection

A spokesman for office of trade commissioner Karel De Gucht said that an international anti-counterfeiting trade agreement (ACTA) being negotiated will not ignore data protection. European Data Protection Supervisor Peter Hustinx released an opinion on ACTA earlier this week that stated, “Intellectual property is important to society and must be protected [but] it should not be placed above individuals’ fundamental rights to privacy and data protection.” Spokesperson John Clancy said yesterday that those in negotiations were “neither willing nor able to do that…” Clancy said “The EU already has very stringent laws that defend individuals’ civil liberties and personal data protection…they cannot be overruled or ignored by this international treaty.” [ZD Net] [Coverage of EDPS Opinion on ACTA]

US – Judge Puts Off Ruling on Google’s Proposed Digital Book Settlement

Google confronted a barrage of criticism from opponents of its proposed digital book settlement last week as the Internet search giant tried to persuade a federal judge to approve a deal that would allow it to create the world’s largest online library. During a marathon hearing before U.S. District Judge Denny Chin, lawyers representing the Justice Department, children’s book authors, privacy advocates and business competitors said Google’s agreement with some authors and publishers should be rejected because it would violate copyright laws. The opponents also argued that the $125 million settlement – which would allow Google to scan and publish millions of out-of-print titles – could give the company an unfair edge over other online publishers in the nascent but exploding market for digital books. After the hearing, Google issued a statement acknowledging its critics but defending the settlement. “We appreciate the concerns voiced, but we believe the settlement strikes the right balance and should not be destroyed to satisfy the particular interests of the objectors,” the company said. [Source]

Internet / WWW

EU – Italian Google Verdict Casts Shadow on Freedom of Speech

An Italian court has found three Google executives guilty of violating Italian privacy laws in a case involving the posting of a disturbing video. The decision holds the men liable for content posted on the company’s system. Prosecutors said the men did not act quickly enough to remove a video of teenagers bullying an autistic boy. The video was removed within two hours of receiving a formal complaint from Italian police, but the video had been available for two months. The three men each received six-month suspended sentences. The ruling has generated strong responses worldwide. The decision has been compared to “prosecuting the post office for hate mail that is sent in the post.” [NY Times] [BBC] [Tech News Daily] [Information Week] See commentary: [Google privacy convictions in Italy spark outrage] [Does Italy’s Google Conviction Portend More Censorship?] and also: [Apple’s purge of sexy apps comes amid confusion over Internet regulation]

Law Enforcement

CA – RCMP Should Wear Body-Mounted Video Cameras, Grit Senators Argue

A group of senators has argued that Canada’s federal police force needs to submit to greater scrutiny by wearing body-mounted video cameras that record what they do at all times. “RCMP-marked vehicles and uniformed officers should be equipped with miniature cameras that would enhance transparency for both officers and citizens from false accusations of improper behaviour,” says a 102-page position paper released by a group of Liberal senators, joining the chorus of voices calling for greater police oversight. [Source]

Location

US – EPIC Urges Congress to Adopt Privacy Safeguards for Locational Data

EPIC has submitted comments for an upcoming joint hearing on “The Collection and Use of Location Information for Commercial Purposes.” EPIC cited the growing uses of location data for advertising and tracking purposes, typically without any legal protections, and noted widespread support among US and European consumer organizations for clear protections. EPIC recommended that Congress establish strong rules, similar to those in the European Union Eprivacy Directive, that would give users meaningful control over their locational data. EPIC had previously recommended that the F.C.C. establish guidelines for the protection of users’ locational privacy. [Source]

US – Congress Reviews Concerns over Location-Based Mobile Data

Congress is taking a closer look at location-based technologies and their potential impact on consumer privacy and safety. During the House Subcommittee on Communications, Technology, and the Internet’s joint hearing with the Subcommittee on Commerce, Trade, and Consumer Protection Wednesday, several witnesses advocated for privacy legislation to regulate commercial use of location-based mobile data. Some legislators stressed that new regulations must not inhibit industry innovation, while others said it is more important to have easily accessible privacy controls available to consumers. “I think you can expect to see this emerge as part of a larger legislative item,” said Rep. Rick Boucher, chairman of the Communications, Technology, and the Internet subcommittee. [Clickz] See also: CATO Institute: On Fourth Amendment Privacy: Everybody’s Wrong]

Offshore

HK – Newborns’ ID Tags to be Alarmed

The Privacy Commissioner for Personal Data has welcomed a Hospital Authority pilot program aimed at increasing newborns’ safety. The program will don newborn babies with smaller and tighter identification tags, the commissioner’s office reports. The tags will set off an alarm if an unauthorized person carries a baby out of the hospital ward. The program comes after an incident last year involving the mix-up of two babies’ identities. “The Personal Data (Privacy) Ordinance was enacted to protect the personal data of all living individuals no matter how young they are,” Commissioner Roderick Woo said. [Source]

Online Privacy

WW – PleaseRobMe Website Reveals Dangers of Social Networks

A website called PleaseRobMe claims to reveal the location of empty homes based on what people post online. The Dutch developers told BBC News the site was designed to prove a point about the dangers of sharing precise location information on the internet. The site scrutinises players of online game Foursquare, which is based on a person’s location in the real world. PleaseRobMe extracts information from players who have chosen to post their whereabouts automatically onto Twitter. Mr Van Amstel, Frank Groeneveld and Barry Borsboom realised that not only were people sharing detailed location information about themselves and their friends, they were also by default broadcasting when they were away from their own home. “We urge users of Twitter, Facebook or other social networks to stop and think before posting personal details online that could leave them vulnerable to crimes including burglary and identity theft,” said a spokesperson. “Details posted online are available for the world to see; you wouldn’t hang a sign on your door saying you’re out, so why would you post it online?” [Source] See also: [Microsoft ‘Spy Guide’ Is Worth a Read]

WW – Firefox Private Browsing Mode Is Broken

Firefox’s Private Browsing Mode enables users to browse the web privately. It empowers users to surf websites without storing browsing data (URLs, cookies, page content etc.). But, now Mozilla has discovered that Private Browsing Mode (PBM) in Firefox is partially broken, and browsing data get stored even if a user has enabled PBM. According to a blog post on official Mozilla Add-ons blog, this flaw generates because of Firefox Add-ons, which have the ability to obtain and store browsing data, and some of these add-ons may not be taking PBM into account. Mozilla has announced to update user privacy policies soon. To overcome this problem, Mozilla has planned two different “levels” of privacy support. [Source]

US – Facebook Hit With Class Action Over Privacy Changes

A class action lawsuit has been filed against Facebook over changes that the social networking site made to its privacy settings last November and December. The lawsuit, filed in U.S. District Court for the Northern District of California, alleges that the modifications have in reality reduced privacy protections for Facebook users rather than increasing it, as the company had claimed it would. “Changes to the privacy settings that Facebook implemented and represented to increase User privacy had the outright opposite effect of resulting in the public dissemination of personal information that was originally private,” the lawsuit claimed. Facebook’s messaging around the changes were “misleading, confusing and disingenuous,” said the lawsuit, which seeks unspecified monetary damages from the company. Facebook did not respond immediately for a request for comment. [Source]

Other Jurisdictions

BG – Parliament Approves Amended Act

Bulgaria’s Parliament approved the second reading of amendments to the Electronic Communications Act after concessions were made to quell privacy concerns, reports the. Under the amended act, police will be able to access citizens’ communications data related to computer crimes and crimes that carry a minimum jail sentence of five years, the report states. The amended act also specifies data retention and destruction terms. Privacy advocates have criticized the bill, describing it as a “backdoor” for the Interior Ministry to access personal communications data. Under the amendments, a parliamentary committee will oversee data access procedures, and the Commission for Personal Data Protection will submit an annual report to Parliament and the European Commission. [Sofia Echo] [Abuse of personal data in Bulgaria continues, official says]

TH – Thai Data Law Draft Raises Fears Over User Privacy

Law experts have raised criticisms of Thailand’s Data Protection Law draft, saying that there are several issues requiring amendment, especially concerns over abuse of power. As it stands, the draft does not allow for citizens to sue the Government, and critics also contend that the data privacy committee should be an independent body, not comprised of members of Government authorities. [Bangkok Post]

Privacy (US)

US – EPIC Files Complaint with FTC Seeking Privacy-Related Changes to Google Buzz

The Electronic Privacy Information Center (EPIC) has filed a complaint with the Federal Trade Commission (FTC) regarding Google’s newly-introduced social networking service Buzz. The “complaint concerns an attempt by Google … to convert the private, personal information of Gmail subscribers into public information for … Buzz.” The complaint alleges that Google “violated user privacy expectations, diminished user privacy, contradicted Google’s own privacy policy, and may have also violated federal wiretap laws.” EPIC wants to compel Google to make Buzz a completely opt-in service, stop using Gmail users’ contact lists to create Buzz contact lists, and give Buzz users more control over their own information. [CNET] [EPIC Complaint] See also: [NYT: Anger Leads to Apology From Google About Buzz] [Canadian Federal Privacy Commissioner challenges Google Buzz over privacy concerns] and [Are Buzz, Facebook and Twitter creating ‘social insecurity’?] and [Woman convicted for exposing friend’s semi-nude Facebook photos] and [Facebook Glitch Sends Wrong Messages] and [Microsoft investigates Hotmail privacy breach]

US – Privacy Seal Provider Settles FTC Charges

A privacy and security certification program has settled Federal Trade Commission charges that it misled consumers about its Web site monitoring and verification practices. According to an FTC press release, the commission found that ControlScan, a provider of privacy and security seals, issued seals to Web sites with “little or no verification” of the sites’ privacy protections, among other misdoings. The settlement bars future misrepresentations and requires that ControlScan notify its seal-bearers of the FTC action. The company’s founder and former chief executive officer entered a separate agreement that requires him to give up $102,000 in ill-gotten gains, the report states. [FTC Press Release] [Dark Reading: Security And Privacy Certification Service Nailed For Misleading Customers]

US – States Eye Ban on Public Release of 911 Calls

Linda Casey dialed 911 and screamed, “Oh, God!” over and over again into the phone after finding her daughter beaten to death in the driveway of their North Carolina home. Later that day, she heard the 911 recording on the local news and vomited. “This was not only the most painful thing I have ever been through, it should have been the most private,” she said in an e-mail. Because of situations like Casey’s, lawmakers in Alabama, Ohio and Wisconsin are deciding whether to bar the public release of 911 calls. Missouri, Pennsylvania, Rhode Island and Wyoming already keep such recordings private. But generally, most states consider emergency calls public records available on request, with exceptions sometimes made for privacy reasons or to protect a police investigation. “Nationally there is a growing concern about the release of audiotapes that don’t involve newsworthy people or events – just things that people like to hear because of their sensational nature,” said Sonny Brasfield, executive director of the Association of County Commissions of Alabama, which drafted legislation in the state to bar the release of 911 recordings. “There is a concern nationally that these kinds of things are having a chilling effect on people’s willingness to call 911.” Open-government advocates disagree and say that prohibiting the release of the recordings takes away a valuable tool that has exposed botched calls. [Source] See also:

US – Govt Can be Sued for Emotional Distress over Medical Records Incident: Court

The Ninth Circuit Court of Appeals has ruled that a pilot who lost his license for failing to disclose his HIV status to the Federal Aviation Administration has the right to sue for emotional distress caused by the Social Security Administration releasing his medical records without his permission. The case is linked to a criminal investigation in which the pilot pleaded guilty to a misdemeanor charge of making a false statement but later sued the federal government for violating the Privacy Act by sharing his medical records. While a district court judge agreed the records were improperly handled, he dismissed the case because the claim alleged only emotional distress. On Monday, the appeals court judges ruled unanimously that emotional distress constitutes actual damages and reinstated the lawsuit. [Washington Post] [US: Appeals court: Feds wrong to disclose pilot’s HIV]

US – NIST Issues Report on Smart Grid Security and Privacy

In Washington, where big brains often confront such matters, it’s understood that a smart grid rollout could overwhelm current safeguards for privacy and data security. One of the solutions on the table is a strategy and requirements project managed by the National Institute of Standards and Technology, which this month released a report that makes the collective privacy and security recommendations of about 350 experts available for review and comment. The 300-page draft, “Smart Grid Cyber Security Strategy and Requirements,” identifies the types of personal and business information that can be collected via SG technology, suggests practices that could be codified to address security issues, describes the known actors and interfaces in the “logical architecture” of the SG, discusses various categories of vulnerability to the grid based on comments received on an earlier draft, and identifies security/privacy “thematic issues” requiring immediate research and development. The NIST report’s collective authorship includes representatives of vendors, service providers, academics, regulators and federal agencies convening as the Smart Grid Interoperability Panel. The draft’s focus on privacy coincides with mounting concern about the ability of data miners to piece together highly detailed information about individuals from unconnected and “anonymized” sources. [GreentechMedia] [NIST Report]

Privacy Enhancing Technologies (PETs)

WW – Skymeter Protects All Your Driving Secrets

Visualize a global positioning system (GPS) device that knows where you’ve parked, and for how long. Imagine it can send this information directly to a company that will bill you, without allowing that company to spy on you. Skymeter – a GPS-enabled device that’s in direct communication with a satellite orbiting the Earth – offers all that, according to Bern Grush, founder of Toronto-based Skymeter Corp., and chief scientist at the firm. The GPS functionality used by this little black box enables drivers to conveniently (and accurately) make good their bills for services such as parking, toll road use, and pay-as-you-go insurance, he says. [Source]

WW – USB Fingerprints Identify ‘Pod Slurping’ Data Thieves

Intellectual property thieves who engage in so-called pod-slurping attacks leave a “USB fingerprint,” according to Vasilios Katos and Theodoros Kavallaris of the Democritus University of Thrace in Greece. The researchers found that every USB stick and iPod or iPhone has a distinctive transfer rate when copying data from a PC’s hard drive, due to differences in microcircuitry and the components of each device. By consulting the Windows registry, a company would be able to determine whether its files have been copied. Document folders for any file can be checked after a USB device has been plugged in as the computer registry counts copying as file access. A pod-slurping attack can be assumed to have taken place when the time it took to access all files matches the transfer rate of the USB stick or iPod plugged into the PC at that point. Kavallaris plans to automate Windows registry trawling, which would make it easier to determine which files have been copied. [New Scientist]

Security

US – FTC Tells Organizations They’re Leaking Data Through P2P Networks

The US FTC has notified nearly 100 public and private organizations that they are leaking sensitive data through peer-to-peer (P2P) file sharing networks. The compromised data include health information, financial records and license numbers of employees and customers. If companies do not take adequate measures to protect sensitive data from exposure, they could be found in violation of US data protection laws, such as the Gramm-Leach-Bliley Act and Section 5 of the FTC Act. [Dark Reading]

US – Military to Allow Limited Use of USB Drives

More than a year after banning the use of USB drives, the US military says it is allowing “a return to limited use of removable devices under very specific circumstances and guidelines.” The ban was initiated after infected drives began infecting military networks in late 2008. The new guidelines allow the use of secure USB drives and other removable storage media only as “a last resort for operational mission requirements.” Troops wishing to use the devices must obtain specific approval and use only devices that are properly inventoried and government procured and owned. Personally owned devices are prohibited.

The approved devices will be password-protected and will encrypt all data that are stored on them. They also may have features that prevent information from being copied or forwarded and prevent certain information from being stored on the drive altogether. [Defense News] [NextGov] [DarkReading]

US – Senate Committee Hears of Nation’s Unpreparedness for Cyber Warfare

Former US Director of National Intelligence Admiral Mike McConnell told the Senate committee overseeing on commerce, transportation and technology, that if the nation was attacked today in a cyber war, “we would lose.” McConnell told them that it will take a catastrophic cyber attack to force the country to take action to protect IT systems. Jim Lewis, chair of the CSIS Commission on Cybersecurity for the President echoed McConnell’s sentiments that private industry needs to take decisive steps to protect IT systems that support the country’s critical infrastructure from attacks and that they won’t do it until they are forced to do so, through federal procurement and regulation. [Washington Post] [Information Week] See also: [Mike McConnell’s Strategy to Win a Cyber War]

WW – Symantec’s 2010 State of Enterprise Security Study

According to Symantec’s 2010 State of Enterprise Security study, 75% of responding organizations experienced a cyber security attack within the last year; of those, more than one-third said the attacks were “somewhat/highly effective.” The statistics indicate a 29% increase in attacks reported over last year. All respondents said they had experienced some sort of cyber loss in 2009. However, just 42% of the organizations said that security was their most important issue. The study surveyed 2,100 CIOs, CISOs and IT managers in 27 countries in January 2010. [Symantec] [SC Magazine] [Net Security] [v3.co.uk]

CA – Body Scanners Operating at Winnipeg Airport

Some passengers at Winnipeg’s airport are now subjected to a new security measure — a full body scanner. The scanner went live at the James A. Richardson International Airport on Saturday, according to the Canadian Air Transport Security Authority (CATSA). Only passengers bound for destinations in the United States are required to go through the scanner and only if they are selected for a secondary security screening, said CATSA spokesperson Mathieu Larocque. The machines, which can scan through clothing, have also been installed in Vancouver, Calgary, Edmonton, Toronto, Ottawa, Montreal and Halifax. [Read more] [Source] See also: [Pope sounds warning over airport body scans]

WW – New Virus Has Breached 75,000 Computers: Study

A new type of computer virus is known to have breached almost 75,000 computers in 2,500 organizations around the world, including user accounts of popular social network websites, according Internet security firm NetWitness. The latest virus — known as “Kneber botnet” — gathers login credentials to online financial systems, social networking sites and email systems from infested computers and reports the information back to hackers, NetWitness said in a statement. Further investigation by the Herndon, Virginia-based software security firm revealed that many commercial and government systems were compromised, including 68,000 corporate login credentials and access to email systems, online banking sites, Yahoo, Hotmail and social networks such as Facebook. “Conventional malware protection and signature-based intrusion detection systems are, by definition, inadequate for addressing Kneber or most other advanced threats,” Chief Executive Amit Yoran said in a statement. [Source]

Surveillance

US – Cell Phone Tracking at Issue

Should the government be allowed to track a person’s movements based on cell phone records, without evidence of criminal wrongdoing? A showdown on the issue unfolded last week in a federal appeals court in Philadelphia, as the Justice Department battled electronic-privacy groups. The privacy groups say the information could reveal when someone goes to a religious service, medical clinic or political rally, or is having an extramarital affair. Third U.S. Circuit Judge Dolores Sloviter seemed to share that concern. “You know there are governments in the world that would like to know where some of their people are or have been,” Sloviter challenged Justice Department lawyer Mark Eckenwiler, an associate director of criminal enforcement operations. Law enforcement agencies hope to obtain cell phone location data from cellular providers without first showing probable cause of a crime — and without the customer’s knowledge. The data comes from cell phone towers, and in densely populated cities can pinpoint a person’s location to within a few hundred yards. The issue is not whether the government can obtain the information, but whether a probable-cause warrant should be required first. After Friday’s hearing, Senate Judiciary Chairman Patrick Leahy, D-Vt., chief author of the 1986 law, said his committee would revisit the legislation this year. [Source]

EU – Google Warned By EU Over Street View Map Photos

European Union data privacy regulators are telling Google Inc. to warn people before it sends cameras out into cities to take pictures for its Street View maps, adding to the company’s legal worries in Europe. Google should shorten the time it keeps the original photos from one year to six months, regulators also said in a letter to the company. In a statement, Google said its need to retain Street View images for one year is “legitimate and justified.” The company, based in Mountain View, Calif., said it also already posts notifications on its Web site about where its Street View cameras are clicking. [Source] See also: [Finnish police probe Google for Streetview privacy breach] and [Google wins Pittsburgh Street View privacy suit]

US – FBI Investigating School District’s Remote Webcam Use

The FBI is investigating allegations that the Lower Merion School District, in Ardmore, Pennsylvania has been using built-in cameras in school-issued MacBook laptop computers to spy on students at home. Michael and Holly Robbins, parents of a district high school student, have asked a federal judge to bar the district from turning on the webcams. They also want the judge to prevent the district from recalling the computers from students because they fear students will wipe evidence of the cameras’ use from the machines. The district maintained it was using the webcam to locate missing computers, and disabled the function two days after the Robbinses filed their suit. According to the lawsuit, the Robbinses’ son “was at home using a school issued laptop that was neither reported lost nor stolen when his image was captured by Defendants without his or his parents’ permission.” The Robbinses’ lawsuit is seeking class action status. [ComputerWorld] [CNN] [InformationWeek] [School official defended in webcam spy case]

Telecom / TV

US – AT&T Lauded for Protecting Privacy by Ponemon Study?

AT&T was named as a “most trusted company in privacy” by a survey of 99,000 consumers, according to the Ponemon Institute, an information security research company. AT&T ranked No. 20 in a survey conducted during the fourth quarter of last year. AT&T was the company called out in 2005 for illegal wiretapping on behalf of the U.S. government. AT&T attributes it all – not to federal immunity and short-term memory loss on behalf of those surveyed – but to improvements to its labyrinthine privacy policies. Last summer Ma Bell replaced 17 separate privacy policies with one and now they link to it on every single page of the web site. AT&T even asked its users to comment on the policy before it went into effect. You know, kind of like Facebook did. It also has videos and cut the privacy policy down by 29,000 words. And the revised privacy policies aren’t terrible (the policy promises an opt-in prior to using deep packet inspection to monitor web surfing), although in most cases the policies adhere to existing federal and state privacy rules rather than go above and beyond them. However, this is a company that blatantly abused its power at the request of the U.S,. government and even sent emails and web-surfing history to federal officials without telling customers and sans a court order. Is a fresh face on standard privacy policies enough to warrant commendations? Regardless, looks like AT&T’s dollars to found the Future of Privacy think tank is money well-spent. [Source] [Source]

EU – Deutsche Telekom Hit by Fresh Data Protection Allegations

The federal privacy commissioner is reportedly planning an investigation into allegations that Deutsche Telekom shared another carrier’s customer data. CEO Rene Obermann is accused of divulging the data of 16 million T-Mobile Germany customers to the mobile phone retailer The Phone House, according to the report. [TMCnet]

US – Our Cellphones Prove We’re Creatures of Habit

Northeastern University researchers used the cell phone billing data of 50,000 Europeans to determine people’s predictability. The work of Professor Laszio Barabasi, who says the researchers did not have subscribers’ names, phone numbers or characteristics, other than the location data their phones sent to towers. The study found that people’s movements were 93% predictable during the week and on the weekend, regardless of whether they were homebodies or big travellers. City planners could use information like that to restructure how they design traffic patterns and transit systems, said the study’s author. Health officials could use it to predict the spread of something like the H1N1 virus not just to a city but within the city itself. Women were slightly more predictable than men, by about 6%, and age didn’t change the data much. It is one example of an emerging field of social science research that relies on data from major carriers. The results of such projects are expected to aid public policy. A U.S. House subcommittee will hold a joint hearing on the use of location data for commercial purposes on Wednesday. [Source] [National Public Radio Transcript]

US Government Programs

US – DHHS Addressing HITECH Privacy Requirements

The Department of Health and Human Services (HHS) has taken two steps to implement privacy and security provisions included in the HITECH (Health Information Technology for Economic and Clinical Health) Act within the past week. The Office of National Coordinator for Health IT (ONC) appointed its first chief privacy officer, and HHS posted a synopsis of a preliminary solicitation for a contractor “to carry out a sequence of related activities with the goal of understanding security risks to Health Information Technology.” The proposal states that “the assurance of safety and security” is essential to moving forward with Health IT. [InformationWeek]

US Legislation

US – Senate Extends Expiring Surveillance Provisions of USA Patriot Act for 1 Year

The Senate has voted to extend for a year key provisions of the nation’s counterterrorism surveillance law that are scheduled to expire at the end of the month. In agreeing to pass the bill, Senate Democrats retreated from adding new privacy protections to the USA Patriot Act. The Senate approved the bill on a voice vote with no debate. It now goes to the House. Three important sections of the Patriot Act are to expire at the end of this month. One authorizes court-approved roving wiretaps that permit surveillance on multiple phones. A second allows court-approved seizure of records and property in anti-terrorism operations. A third permits surveillance against a so-called lone wolf, a non-U.S. citizen suspected of engaging in terrorism who may not be part of a recognized terrorist group. “I would have preferred to add oversight and judicial review improvements to any extension of expiring provisions in the USA Patriot Act,” said Sen. Patrick Leahy, D-Vt., chairman of the Senate Judiciary Committee. “But I understand some Republican senators objected.” [Source] UPDATE: [Patriot Act extension passes House and Senate] and [Washington Post: Democrats retreat in face of PATRIOT Act, abandon new privacy protections]

US – Bill Would Make Public Employees’ Birth Dates Confidential

A new bill passed in Oklahoma’s Senate yesterday would keep the birth dates of public employees confidential. The bill, which passed with a 44-0 vote and now goes to the House, aims to prevent criminals from easily accessing information about state employees. However, the executive director of the Oklahoma Press Association says the bill would violate right-to-know laws. “This is not like a Social Security number, it’s a date on the calendar that we use to decide if somebody can vote, if they can serve in the military and a host of other things,” he said. The bill’s author, Rep. Randy Terrill, said he plans to develop criteria to address this. [NEWSOK]

US – P2P Privacy Target of New Legislation

The P2P Cyber Protection and Informed User Act aims to fight data breaches by making consumers “aware of the privacy and security threats associated with some peer-to-peer file-sharing programs,” explains Sen. John Thune (R-SD), who sponsored the bill with Sen. Amy Klobuchar (D-MN). The proposed legislation, which follows the FTC’s notification about recent P2P data breaches, would prohibit file-sharing programs from being installed without user consent and require software developers to inform users when their files are made available to others. Klobuchar says the bill aims to stop the unintentional exchange of “private files like tax returns, legal documents, medical records and home movies” via peer-to-peer networks by making sure that “people know–in a way that they can understand–that their personal files are being shared with complete strangers.” [eWeek]

US – Court: Feds Can Search, Seize P2P Files Without Warrant

The authorities do not need court warrants to view and download files traded on peer-to-peer networks, a federal appeals court says. Lasst week’s 3-0 ruling by the 9th U.S. Circuit Court of Appeals concerned a Nevada man convicted of possessing child pornography as part of an FBI investigation. Defendant Charles Borowy claimed the Fourth Amendment required court authorization to search and seize his LimeWire files in 2007. The San Francisco-based appeals court, however, cited the nation’s legal standard, reiterating that warrants are required if a search “violates a reasonable expectation of privacy.” [PDF] Borowy, the court noted, “was clearly aware that LimeWire was a file-sharing program that would allow the public at large to access files in his shared folder unless he took steps to avoid it.” The defendant, however, claimed he had a reasonable expectation of privacy because he thought he had turned off LimeWire’s share feature. He was sentenced to 45 months in prison after pleading guilty to child-porn charges. The deal allowed him to appeal whether the search and seizure of his computer files was unlawful. Ultimately, a forensic examination conducted with a search warrant found 600 images of child pornography, as well as 75 videos on his computer or in his house. Two other federal circuits, the 8th and 10th, have recently issued similar rulings. The 8th U.S. Circuit Court of Appeals’ 2009 opinion is on appeal to the Supreme Court. [Source]

Workplace Privacy

US – USSC Sets Date for Employee Privacy Case Review

The U.S. Supreme Court will soon begin its review of a Ninth Circuit decision that has implications for employee privacy. The USSC has set oral argument for April 19. The court will review the Ninth Circuit’s 2008 decision in Quon v. Arch Wireless Operating Co. which, according to the blog, has “forced private employers to renew their focus on ensuring robust and consistent enforcement of employee monitoring policies.” Among other considerations, the Supreme Court will determine whether a municipal police officer has a reasonable expectation of privacy in text messages transmitted on a department-issued pager. [Hunton & Williams Privacy and Information Security Law Blog] See also [Mondaq: Whose E-Mail Is It Anyway? It Depends…]

+++