Privacy News Highlights

08–22 July 2008

 

Contents:

CA – Airport Fingerprinting Will Bog Down Check-In, Carrier Says

CA – Canadian Supreme Court Rejects Privacy Commissioner Appeal

US – OMB Reports Progress on the Trusted Internet Connection Initiative

US – CAN-SPAM Updates Take Effect

CA – Tough E-Mail Archiving Laws Coming Soon to Canada

US – Medicaid Patient Records Now Online

WW – Millions Believe Personal Medical Records Have Been Compromised: Survey

WW – Researchers Find Partially Encrypted Disks Leak Data

EU – First European Privacy Seal Awarded

UK – Information Commissioner Files Enforcement Notices Due to Govt Data Breaches

UK – UK Councils Sell Voters’ Addresses

EU – Liechtenstein Adopts Reform of Financial Privacy Law – Entry into Force in 2009

EU – German Court Says Wi-Fi Providers Not Liable For Others’ Infringements

EU – Privacy Watchdogs Try to Ease Data Sharing Compliance for Multinationals

US – Data Doesn’t Add Up on Study of Missing Laptops at U.S. Airports

US – CDT Applauds Appeals Court Ruling In COPA Case

US – IRS Claims Tax-related Identity Theft Rose 644%

NZ – Watchdog Warns Against Posting Signatures Online

UK – Lords Overrule Courts, Criticise Scottish Information Commissioner

UK – NHS Trusts to Have Third Party Audits

HK – Privacy Commissioner Recommends Systemic Patients-Privacy Audits, Training

US – Patient Privacy Toolkit Helps Citizens Protect Their Medical Records

WW – Remote Patient Monitoring Raises Privacy Concerns

WW – Identity Theft News: 2008 Data Breach Count is 69% Greater than 2007

US – UMD Releases Students’ Social Security Numbers on Mailing Label

US – Post-Breach Protections Come at Cost

US – Open Security Foundation to Maintain Data Loss DataBase

CA – New Quebec Licences Will Prove Canadian Citizenship

US – NC House Rebuffs Federal Plan to Secure State IDs

US – “Red Flag” to Take Effect in November

EU – EU to Introduce New Music Rights System Despite Fierce Lobbying

WW – Stolen Bank Data Gets Cheaper On Web

CA – Canadian ISPs Under Fire for Traffic Shaping

UK – Police Data Retention Practices Dealt One-Two Punch

EU – New Bavarian Law Allows Police to Physically Install Spyware

US – Maryland Police Infiltrated Activist Organizations

WW – Viacom Seeks YouTube Viewing Database

WW – Google Will Anonymize Personal Data

WW – Targeted Ads Raise Privacy Concerns

US – Lawmaker Wants Opt-in Requirement

EU – EU Commission Wants UK Government to Probe Targeted Advertising

US – Vermont Library Patrons’ Privacy Upheld

WW – Facebook Redesign to Give Users More Control

WW – Facebook Bug Exposes Birthdays

US – Social Networking Site Divulges Child’s Personal Data

WW – Google Bows to Pressure, Adds Privacy Link to Home Page

US – TRUSTe Secures Major VC Funding

UK – Govt Review of ‘Criminality Information’ Highlights Problems in Data Sharing

US – Vermont Publishes Taxpayer Income in the Public Domain

US – Texas AG Settles with Select Medical, RadioShack on ID Theft Charges

EU – Dutch University Sued by RFID Chip Manufacturer

EU – Judge Rules Dutch Univ. Researchers May Publish Report of RFID Chip Hack

US – NIST Release Draft Paper on Mobile Computing Security

US – Defence Dep’t Issues Information Assurance Certification Guidelines

WW – Unpatched Windows PCs “Own3d” In Less Than 4 Minutes

US – District of Columbia Rolls Out First-of-its-kind Unified ID Card

US – Lawsuit Filed Challenging FISA Act

EU – New Swedish Surveillance Law to be Tried in European Court

WW – Printer Tracking Technology Raises Privacy Concerns

UK – Big Brother is Bluetoothing You

WW – MMA Privacy Code of Conduct Released

CA – Bell Denies Privacy Invasion

EU – European Parliament Backs Controversial Telecom Plan

CA – Canadian Wireless Spectrum Auction Concludes

US – U.S. Terrorism Watch List Tops 1 Million

US – DHS Defends Laptop Border Checks

US – U.S. Senators Pass New Wiretapping Measure

US – FTC Sees No Need for New Privacy Law

UK – UK House of Lords Call for Data Breach Disclosure Law

US – Bill Would Require More Privacy Officers


CA – Airport Fingerprinting Will Bog Down Check-In, Carrier Says

Canadians flying home from the U.S. could find themselves standing in longer lineups at airport check-in counters if a U.S. proposal to fingerprint some exiting foreigners is adopted, warns Air Canada. In a recent U.S. filing, Air Canada said the DHS’s plan to expand a fingerprinting program to include passengers leaving the country by 2009 would be a “big step backward” for airlines, bogging down a check-in process that’s becoming increasingly automated. So far, the focus of U.S. authorities has been on identifying incoming visitors, but now officials want to set up a system to record exits as well. Airlines argue that recording and storing passengers’ fingerprints is the government’s job. Air Canada said it is also concerned that collecting and storing passenger fingerprints could be inconsistent with Canadian privacy laws. And it questioned whether the program would meaningfully enhance security since it is not being applied to land crossings. [Source]

 

CA – Canadian Supreme Court Rejects Privacy Commissioner Appeal

The Supreme Court of Canada refused to give wide latitude to the federal privacy commissioner in a quest to view confidential correspondence between a lawyer and a client as part of a probe into whether a sacked employee’s privacy rights had been violated. In a unanimous decision, the court reinforced a long-held position that solicitor-client confidences should remain as close to absolute as possible, a limit that does not include allowing the privacy commissioner to “pierce” the bedrock legal principle. [Canwest]

 

US – OMB Reports Progress on the Trusted Internet Connection Initiative

According to the Office of Management and Budget, government agencies are making progress in reducing the number of internet gateways serving the federal government under the Trusted Internet Connection (TIC) initiative. The TIC is due for completion towards the end of 2009, with a target of fewer than 100 gateways to the internet. These gateways will be provided by the agencies themselves or by the services of TIC Access Providers. When the initiative started in January there were 4,300 external connections to the Internet. By May this number had fallen to 2,758. Agencies in the initiative will also deploy Einstein technology to continuously monitor traffic at the trusted internet gateways. [Source] [Source]

 

US – CAN-SPAM Updates Take Effect

E-mail marketers are now responsible for making opting out a one-step process, as new updates to the federal CAN-SPAM Act of 2003 take effect. In a move to clarify the original 2003 Act’s requirements, the FTC has enacted four new provisions: two revised definitions for sender and “person,” broadening recipients to include a variety of company entities; the allowance that PO boxes can satisfy the postal address requirement; more specific guidelines surrounding opt-out procedures; and a rule that encourages affiliates to take responsibility for clean e-mail lists and clear communication among marketing partners. The provisions that will affect e-mail marketers’ daily practices the most surround the opt-out procedure. Consumers must be able to opt out of receiving e-mail marketing communications in one step and a consumer must only have to enter an e-mail address to do so. [Source]

 

CA – Tough E-Mail Archiving Laws Coming Soon to Canada

By the end of 2008, Canadian financial services firms – including securities dealers and portfolio managers – will be subject to tough, new e-mail storage and retrieval rules. Non-compliance could involve multi-million dollar fines and criminal indictments. The Canadian Securities Administrators, a forum for the 13 Canadian securities regulators to co-ordinate and harmonize regulation of Canadian capital markets, has proposed new e-mail storage and retrieval rules defined in National Instrument 31-103 (NI 31-103). Among other requirements, NI 31-103 mandates that registered firms keep their records - including electronic messages - in a durable form that can be “promptly” provided to regulators if a record is requested within two years of its creation. After two years, requested records must be delivered in a “reasonable period of time.” In fact, NI 31-103 requires firms to keep some records for seven years after the departure of a client. [Source]

 

US – Medicaid Patient Records Now Online

The medical histories of 800,000 South Carolina Medicaid patients are now online. The S.C. Department of Health & Human Services houses the encrypted data and bounces information to clinics and doctors’ offices upon request and at no charge. The system was developed by the S.C. Office of Research & Statistics. It aims to improve medical care by enabling quick and comprehensive access to a patient’s history, allowing doctors to better identify patterns and prescribe treatments. Patients may opt-out of the system, a feature that pleases privacy advocates such as Graham Boyd of the state’s ACLU. [Source]

 

WW – Millions Believe Personal Medical Records Have Been Compromised: Survey

Results of The Harris Poll of 2,454 adults surveyed online in June include:

· 7% believe that either they (or a family member) may have had their personal medical records lost or stolen. This represents about 4% of all adults or approximately 9 million people.

· 69% of adults have either read or heard about medical records being lost or stolen from doctor’s offices, clinics, hospitals, health insurers, employers or government agencies.

For over two-thirds of the general public to recall hearing about medical data breaches is a very high topic awareness figure. When asked which medical records – computerized or paper – they believe may be lost or stolen most often, just under half (47%) think it is computerized records. [Source] See also: [Canada Health Infoway invests billions in national electronic health record system]

                                        

WW – Researchers Find Partially Encrypted Disks Leak Data

A joint research team consisting of members from the University of Washington and British Telecom, and which included Bruce Schneier, has discovered that applications such as Microsoft Word and Google Desktop can leave data exposed even when it is stored on a partially encrypted drive. Users employing full disk encryption do not face the same issue. The problem appears to be in the way certain applications temporarily store files in non-encrypted parts of the disk, making that data available for recovery with forensic tools. The problems were discovered when examining TrueCrypt’s implementation of the ‘Deniable File System’ (DFS). The data leakage was discovered in version 5.1a of TrueCrypt and appears to be addressed in TrueCrypt 6.0. [Source] [Source] [Source] [Source]

 

EU – First European Privacy Seal Awarded

EU Data Protection Supervisor Peter Hustinx awarded the first-ever European Privacy Seal for ICT products and IT-based services. Created by EuroPriSe, a consortium of European data protection authorities, the seal guarantees compliance with EU laws and regulations on data security and privacy. It was awarded to meta-search engine Ixquick. “[This award] underlines that a balance between the open nature of the Internet, providers’ interests and the protection of personal data of Internet users is possible,” said EU Commissioner Viviane Reding. “There are many merits to a European Privacy Seal,” said Ixquick. “Most importantly, it officially confirms the privacy promises we make to our users. We are very proud to have received this award today.” [Source] Details at www.european-privacy-seal.eu

 

UK – Information Commissioner Files Enforcement Notices Due to Govt Data Breaches

UK Information Commissioner Richard Thomas said that government plans for a communications database are a step too far and need proper public debate. Speaking at the launch of the regulator’s annual report, Thomas said: “I am absolutely clear that the targeted, and duly authorised, interception of the communications of suspects can be invaluable in the fight against terrorism and other serious crime. But there needs to be the fullest public debate about the justification for, and implications of, a specially-created database potentially accessible to a wide range of law enforcement authorities holding details of everyone’s telephone and internet communications.” Thomas said recent examples such as the extension of the DNA database and increasing use of ANPR cameras showed the government was grabbing more and more private data without proper public or Parliamentary debate. The ICO is filing enforcement notices to Her Majesty’s Revenue and Customs and the Ministry of Defence asking what progress they have made to tighten up procedures following their recent data breaches. The annual report also revealed the regulator received 2,646 complaints in the year. Freedom of Information requests closed in the period were mostly to government. Public awareness of the issues seems to be improving - the ICO reckons 90% of people are aware that they have a right to see information held about them. [ICO annual report]

 

UK – UK Councils Sell Voters’ Addresses

A report from the UK’s Information Commissioner and the Wellcome Trust has called for an end to the practice whereby local councils sell voter details to commercial companies. Under current legislation councils are able to sell details of voters held on the electoral roll to commercial marketing companies for as little as GBP 5 (US $10) per 1,000 names. While individuals can opt out of having their details passed on to third parties, many fail to do so. [Source] [Source]

 

EU – Liechtenstein Adopts Reform of Financial Privacy Law – Entry into Force in 2009

Liechtenstein has carried out a reform of its law governing Liechtenstein foundations. Following the Government’s requirements, this reform meets international standards and at the same time is based on Liechtenstein’s legal tradition with a strong protection of the private sphere. The new foundation law will enter into force on 1 April 2009. [Source] [Source]

 

EU – German Court Says Wi-Fi Providers Not Liable For Others’ Infringements

A German court has said that the owner of a home wireless network is not responsible for the activity of other people on that network. The decision overturns a lower court’s ruling that the network owner was responsible for the copyright infringement. The news comes as British law firm Davenport Lyons says that it is sending out more notices of action over alleged file-sharing of computer games. Many home internet users now operate wireless networks which distribute their internet signal around the house. If these are not secured then others can use those signals and the ISP cannot tell whether use is by the owner of the network or a third party. Frankfurt’s Higher Regional Court has now ruled that the owner of a network is not responsible for the actions of third parties on it. [Source]

 

EU – Privacy Watchdogs Try to Ease Data Sharing Compliance for Multinationals

A committee of data protection regulators has developed a toolkit to help global companies comply with EU laws that control overseas transfers of personal data within their groups. The toolkit encourages use of so-called Binding Corporate Rules (BCRs). The Data Protection Directive prohibits the transfer of personal information to countries outside the European Economic Area (EEA) unless there is adequate data protection in place. Some non-EEA countries are recognised as having adequate data protection, including Switzerland, Canada, Argentina, the Isle of Man and Guernsey, making transfers to these countries lawful. For transfers elsewhere, adequacy must be ensured by other means. These include the consent of the data subject and the use of Commission-authored model contractual clauses. Another, less popular means of compliance is the use of binding corporate rules (BCRs). The Article 29 WP has now developed what it describes as a toolkit, to encourage the adoption of BCRs. The new set of documents aims to help companies formulate their BCRs. One of those is a framework document which outlines how BCRs should be structured and what should be in them. Another is a table which acts as a checklist for what rules should contain. [Source] [Framework for the structure of Binding Corporate Rules] [FAQs on Binding Corporate Rules] [Table of elements and principles to be found in Binding Corporate Rules]

 

US – Data Doesn’t Add Up on Study of Missing Laptops at U.S. Airports

The findings of a study recently released by Dell and the Ponemon Institute that claims 12,000 laptops are lost, missing or stolen each week at U.S. airports aren’t easily supported by data reported by three of the airports in the study – or by TSA data. The study was based on “a confidential field survey” of airport personnel not identified in the report. One airport, Miami International, was identified in the report as having approximately 1,000 laptops lost, missing or stolen each week, the second highest laptop loss frequency among all airports after L.A. International, at 1,200 a week. Miami International officials’ data shows that for all of 2007, 68 laptops were reported stolen and 480 were turned in to the airport’s lost and found. The TSA says that, nationally, about 75 laptops are reported lost or missing each month. More than 2 million passengers go through TSA checkpoints each day. Ponemon said he stands by his finding that 12,000 laptops are lost at airports each week, but he said he plans to revise the study to better explain its methodology. He also said there is a need to clarify the report’s assertion that “only 33% of the laptops lost and found in airports are reclaimed.” Ponemon said he believes the recovery rate of lost laptops may be as high as 85% because laptop owners who are temporarily separated from their computers are likely to be reunited with them. Ponemon said he is planning a second study to help validate the results of this laptop loss study by surveying business travelers about their own experiences with laptops. [Source] See also: [Lost laptop horror story] and [New service tracks missing laptops for free]

 

US – CDT Applauds Appeals Court Ruling In COPA Case

The 3rd U.S. Circuit Court of Appeals has upheld a lower court ruling striking down the controversial Child Online Protection Act (COPA) that required Web operators to restrict access to large amounts of constitutionally protected speech.  COPA placed severe restrictions on a wide range of legal, socially valuable speech, including content relating to sexual identity, health and art. CDT, which has filed friend-of-the-court briefs opposing COPA and supporting parental empowerment technology, applauds the ruling. July 22, 2008 [CDT Statement on Ruling, July 22, 2008] [3rd U.S. Circuit Court of Appeals Decision in COPA, July 22, 2008] [CDT Policy Post on COPA, March 23, 2007]

                                                                                                        

US – IRS Claims Tax-related Identity Theft Rose 644%

A report released by the U.S. IRS states that tax-related identity theft has had a sevenfold increase over a four-year period ending September 07. The report also highlights that efforts by the IRS to deal with the victims of the crime can often exacerbate the problem. The number of cases where criminals use the SSNs of their victims to seek fraudulent claims or employment has risen 644% since 2004. The IRS’ attempts to deal with the problem often result in delays or frozen refunds to the victims or with them facing collection actions such as liens and levies. Nina Olson, the National Taxpayer Advocate, says “While the IRS is reforming some aspects of its approach to identity theft, its procedures for dealing with victims have been a significant part of the problem.” [Source]

 

NZ – Watchdog Warns Against Posting Signatures Online

The New Zealand Privacy Commissioner Marie Shroff says the posting of signatures in online registers is a matter of concern, after an Auckland-based IT contractor found his signature published and available to anyone at the Charities Commission website. Shroff encourages agencies to obscure, suppress or pixelate them wherever possible. “There are risks of identity fraud or other security-related issues if a signature and supporting information is publicly available and can then be copied,” she says. “In the case of scanned documents that are added to websites, it would seem a straightforward measure to obscure the signature before the document is scanned.” [Source]

 

UK – Lords Overrule Courts, Criticise Scottish Information Commissioner

The House of Lords has overturned decisions of the Court of Session and the Scottish Information Commissioner and required the Commissioner to re-examine a request for access to medical statistics. The Commissioner, with the support of the Court of Session, had decided that, as a matter of fact, a set of anonymised medical statistics was not personal data and had ordered their release under Freedom of Information (FOI) laws. According to one expert, the Lords’ judgment shows that the Commissioner had failed to appreciate that the degree of anonymisation employed was very likely to be insufficient to protect anonymity. The Lords overturned decisions of the Court of Session and the Scottish Information Commissioner and required the Commissioner to re-examine the original request. The Lords conducted a two-day hearing in April on a case which directly pitted the Scottish Freedom of Information Act against the Data Protection Act. [Source] [Text of Ruling]

 

UK – NHS Trusts to Have Third Party Audits

National Health Service Trusts in the U.K. are being urged to engage with independent auditors to ensure appropriate data-handling techniques are being employed by staff. Currently each trust is required to carry out its own “information governance assurance” self-assessments. NHS Trusts are currently rolling out encryption to all computers containing patients’ personal data, but acknowledge that they will not have completed the project on time. [Source]

 

HK – Privacy Commissioner Recommends Systemic Patients-Privacy Audits, Training

The Hong Kong Hospital Authority (HA) will set up a dedicated team to improve patient data security at all hospitals in the region based on recommendations made by Privacy Commissioner Roderick Woo. In his published inspection report, Mr. Woo recommended the HA set up a systematic privacy audit approach to detect potential data breaches or issues of non-compliance. Woo also recommended the HA provide training and education for staff in order to raise the level of privacy awareness. In all, Woo made 37 recommendations to help the HA improve patients’ data management and privacy. [Source]

 

US – Patient Privacy Toolkit Helps Citizens Protect Their Medical Records

In an effort to make medical record privacy information more accessible to the public, Patient Privacy Rights, a non-profit group whose mission is to ensure that Americans control all access to their health records, created the Patient Privacy Toolkit. “The move to electronic health records, the lack of protection for personal health records, and the ineffectiveness of HIPPA (sic) can cause serious consequences for citizens, including discrimination against people with a genetic predisposition or a previous illness,” said Katherine Johnson, the program and outreach coordinator of Patient Privacy Rights. The toolkit includes important information and documents, such as forms to opt out of the American Medical Association’s database, a summary of health privacy laws in each state, and consent forms to request that a doctor only disclose medical information with the patient’s consent. It is available for free on the Patient Privacy Rights website. [Patient Privacy Rights] [Patient Privacy Toolkit] [EPIC’s Medical Records Privacy Site] [EPIC’s comments on the discussion draft on medical records privacy] [Bill to Amend the Public Health Service Act to Promote the Adoption of Health Information Technology, and for Other Purposes]

 

WW – Remote Patient Monitoring Raises Privacy Concerns

A new market assessment by analysts Frost & Sullivan says that a growing market in the U.K. for remote patient monitoring may put patient privacy at greater risk. While the cost advantages inherent with remote patient monitoring may be attractive to many hospitals, the report says that issues of patient privacy and confidentiality are complicating the market. A Frost & Sullivan analyst said “[C]onnecting personal health information to the Internet exposes this data to more hostile attacks than paper-based medical records.” [Source]

 

WW – Identity Theft News: 2008 Data Breach Count is 69% Greater than 2007

Identity theft experts at The Identity Theft Resource Center (ITRC) found that the data breach count has reached an all-time high. Between January 1st and June 27th, the total number of data breaches recorded by the ITRC is 342, more than 69% greater than the same time period in 2007. The ITRC breach report sub-divides and tracks all breaches into five categories: Business; Educational; Government/Military; Health/Medical; and Banking/Financial/Credit. They noted that the number of affected records is increasingly being disclosed. Electronic data breaches account for 80.7% of breach events, and paper breaches are 19.3%. ITRC further categorizes data into five types of data breach scenarios. While human error and poor data handling policies and procedures certainly played a role in the 2008 data exposures, it appears that theft of data, either by external or internal sources, is the primary way information has been compromised. Some stats: Insider Theft: 15%; Data on the Move: 20.2%; Subcontractor: 13.5%; Hacking: 11.7%; and Accidental Exposure: 15.2%. The Identity Theft Resource Center only included verified breaches listed in newspapers and websites. [ITRC website reports] [Source]

 

US – UMD Releases Students’ Social Security Numbers on Mailing Label

Officials at the University of Maryland have apologized to 23,000 students for mailing a parking brochure with their SSNs printed on the address label. The brochures were sent through U.S. Postal Service third-class mail on July 1. Officials discovered the problem on July 8. “We are initiating immediate action to ensure that this error does not recur,” said a university spokesperson in an e-mail to the students. “We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use.” The university is offering free credit reports to those affected. [Source]

 

US – Post-Breach Protections Come at Cost

Officials at the California Department of Consumer Affairs say reparations for last month’s security breach could cost taxpayers as much as $122,000. The department is providing identity theft protection services to more than 5,000 employees whose names and SSNs were compromised when an employee downloaded a roster containing the information and forwarded the file to her personal e-mail account. Those affected have been offered free credit monitoring, fraud insurance and toll-free access to identity restoration services for the next year if their identities are misused. [Source]

 

US – Open Security Foundation to Maintain Data Loss DataBase

Attrition.org has announced that, going forward, their Data Loss Database will be taken over and maintained by the Open Security Foundation as an ongoing project under the OSF umbrella organization as of July 15, 2008. The project’s core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records. The DataLossDB will be free for download and use in non-profit work and research. The new website launch builds off of the current data set and provides an extensive list of new features. [Source] [Source] www.datalossdb.org

 

CA – New Quebec Licences Will Prove Canadian Citizenship

Quebec’s new, enhanced driver’s licence will probably bear a Canadian flag to signify the card is also proof of Canadian citizenship. The new licence, which is still under development, will cost about $30 more than a standard driver’s licence, which only shows the blue-and-white Quebec flag. It will be an alternative to the Canadian passport, required starting next June 1 for land and water crossings into the U.S. Passports are already required to fly into the U.S. A spokesman for the Societe de l’assurance automobile du Quebec said the new licence, available only to those who ask for one, will have a “symbol” to signify Canadian citizenship. “It’s under discussion,” he said. [Source]

 

US – NC House Rebuffs Federal Plan to Secure State IDs

The North Carolina House voted to rebuff a congressional mandate that the state make its driver’s licenses more secure because the federal government did not provide money to enact the changes. The measure, tentatively approved on a 72-43 vote after a heated debate, effectively says North Carolina will not comply with the REAL ID Act without federal funding. [Source] See also: [Ontario Privacy Commissioner Cavoukian seeking input on new ID plan]

 

US – “Red Flag” to Take Effect in November

The FTC has outlined the new Red Flag Rules that financial institutions and other financial service providers must follow in order to help identify potential cases of identity theft. The new rules will go into effect this November. The FTC reports that banks and financial institutions are involved in about half of all cases of identity theft, and the new Red Flag Rules will require such organizations to develop and implement written policies designed to help catch fraud by identifying suspicious activity that would trigger anti-fraud action. Penalties for non-compliance with Red Flag Rules have not yet been outlined. [Source]

 

EU – EU to Introduce New Music Rights System Despite Fierce Lobbying

The European Commission will defy a high-profile lobbying campaign by composers and songwriters and order a new pan-European system of selling online music rights. The Commission case has won the backing of trade lobby European Digital Media Association, which embraces firms such as Amazon, Google, and Microsoft. It insists that collecting societies are vital in ensuring that songwriters/composers are paid fairly and efficiently but have been guilty of anti-competitive behaviour. [Guardian]

 

WW – Stolen Bank Data Gets Cheaper On Web

Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says. Researchers for Finjan, a Web security firm, said the high volumes traded had led to bank and credit card information becoming “commoditised” – account details with PIN codes that once fetched $100 or more each might now go for $10 or $20. In its latest quarterly survey of Web trends, the company said cybercrime had evolved into “a major shadow economy ruled by business rules and logic that closely mimics the legitimate business world”. New types of stolen data were now commanding a premium, such as patient healthcare information that can be used for insurance fraud or to illicitly acquire and sell medicines. Other premium data includes business information, company personnel files, and intercepted commercial e-mails. [Source]

 

CA – Canadian ISPs Under Fire for Traffic Shaping

Canadian ISPs are drawing criticism from advocacy groups over the practice of “traffic shaping,” a technique that limits available bandwidth for certain services, such as peer-to-peer file sharing, in order to provide a more consistent speed of service for all customers. The Campaign for Democratic Media is calling upon the Canadian Radio and Telecommunications Commission to examine the practice, which the group claims can be used by facilities-based ISPs to hamper providers who lease bandwidth from carriers. Bell Canada Enterprises and Rogers Communications Inc., two of Canada’s largest facilities-based service providers, have both said they use traffic shaping to manage service delivery. [Source]

 

UK – Police Data Retention Practices Dealt One-Two Punch

The UK’s Information Tribunal, formerly known as the Data Protection Tribunal, has ruled that individuals with years-old trivial offenses may have the information wiped from police computers; presently all convictions remain in the database for 100 years. The Tribunal’s judgment refers to five specific cases in which the offenses were many years in the past and have had needlessly negative effects on the individuals’ efforts to pursue their careers. The ruling opens the door for anyone who has a conviction for a minor offense in his or her youth and has since remained out of trouble to petition to have the information stricken from the Police National Computer. In addition, the Ethics Group, a government-appointed advisory body, said that keeping DNA samples from people arrested but never convicted or charged with a crime is a potential violation of human rights. [Source] [Source] [Source] [Source] [UK Ruling could wipe out tens of thousands of criminal records] See also: [Criminal record: The stain that won’t go away]

 

EU – New Bavarian Law Allows Police to Physically Install Spyware

Legislators in the German state of Bavaria have approved a law that would allow police to place spyware on the computers of individuals suspected of being terrorists or posing other serious criminal threats. The measure goes beyond federal laws, which allow authorities to place spyware on suspects’ computers remotely. The Bavarian law allows authorities to enter suspects’ homes and physically place the spyware on the computer if remote installations do not work. Judicial warrants would not be required. Authorities would also be permitted to conduct searches of the homes. Opponents of the measure say it is unconstitutional. [Source]

 

US – Maryland Police Infiltrated Activist Organizations

According to documents obtained through a Maryland Public Information Act lawsuit, Maryland state police have been infiltrating peace and anti-death penalty activist organizations and in some instances, entering the names of some of the members into a law enforcement database of suspected terrorists and drug traffickers, even though the individuals’ actions were lawful. Nowhere in the documents is there any indication that the protesters engaged in criminal intent or activity. State police officials maintain that individuals’ civil rights were not violated. [Source]

 

WW – Viacom Seeks YouTube Viewing Database

YouTube has been ordered to turn over its logging database of users’ viewing habits. The order stems from a lawsuit brought by Viacom against Google, which owns YouTube. The lawsuit alleges that YouTube users are encouraged to upload pirated content from Viacom-owned networks, including MTV, VH1 and Nickelodeon. The suit aims to demonstrate that the pirated clips are viewed more frequently than are clips of amateur content uploaded to YouTube. The database includes viewers’ usernames and IP addresses. YouTube has asked permission to remove the usernames and IP addresses before submitting the information. Viacom says the company is not pursuing individual viewers, but instead wants the information to prove its contention that the pirated content is more popular than non-pirated content. Privacy advocates are concerned that even with user names and IP addresses removed, other data could be used to identify individual users. The judge did refuse to grant Viacom’s request for access to the Google search engine source code. [Source] [Source] [Source] [Source] [Source] [Commissioner Cavoukian’s July 8 2008 letter urging Google to appeal the disclosure to Viacom] and [Irish Commissioner Critical of YouTube Ruling]

 

WW – Google Will Anonymize Personal Data

Google has reached an agreement with Viacom regarding the release of YouTube user information in Viacom’s $1 billion copyright infringement lawsuit against that company. Earlier this month, a U.S. District Court judge ordered Google to release to Viacom the Internet addresses, usernames and video viewing habits of hundreds of millions of YouTube users, a move that spurred arguments from users, privacy activists and the Ontario Information and Privacy Commissioner, among others. A Google spokesman said that Viacom has agreed to receive an anonymized list of users. Google will blank out the usernames and IP addresses, which could be used to identify individual viewers, before sharing. [Source] [Lawyers in YouTube lawsuit reach user privacy deal] [Full text of Agreement] [IPC July 15 Press release: Commissioner Cavoukian Applauds Agreement Protecting YouTube Users’ Privacy]

 

WW – Targeted Ads Raise Privacy Concerns

Cable and phone companies say their growth increasingly depends on being able to deliver targeted advertising to their Internet and TV customers, but criticism from privacy advocates is threatening that strategy. In the past few weeks, phone operator CenturyTel Inc. and cable provider Charter Communications Inc. shelved plans to use ad-targeting technology from Silicon Valley start-up NebuAd due to privacy concerns raised by their customers and lawmakers. [WSJ] See also: [Ways consumers can safeguard personal data on Web] See also: [Senate All Ears on Behavioral Tracking] [US Senate Grapples With Web Privacy Issues in Online Advertising at Workshop] and [Microsoft, Google back broad privacy legislation]

 

US – Lawmaker Wants Opt-in Requirement

Rep. Edward Markey (D-MA) says ISPs should be required to get “opt-in” consent from customers in order to track their Web habits for the purpose of serving tailored advertisements. Reuters reports that, in a statement before the House subcommittee on telecommunications and the Internet, Markey cited the increasing sophistication of deep-packet inspection technology and the sensitivity of the user information that can be gleaned from this type of behavioral monitoring as key reasons to make the practice dependent on users’ voluntary opt-in. Markey is chairman of the subcommittee. [Source]

 

EU – EU Commission Wants UK Government to Probe Targeted Advertising

Viviane Reding, the EU commissioner for information society and media, has warned the UK government that it needs to take actions to safeguard consumer privacy in relation to behavioral ad targeting technology such as that provided by Phorm. Phorm’s technology can be used by ISPs to track end user activity on the Internet and place advertisements based on their online activity. Phorm already has agreements in place with some of the U.K.’s top ISPs such as the BT Group PLC (BT), Carphone Warehouse’s (CPW.LN) Talk Talk and Virgin Media. In a letter to the U.K. government Ms Reding said “It is very clear in E.U. directives that unless someone specifically gives authorization (to track consumer activity on the Web) then you don’t have the right to do that.” She went on to say that if the U.K. government didn’t resolve the issue, the commission could take it to the European Court of Justice. [Source] [Source]

 

US – Vermont Library Patrons’ Privacy Upheld

The search for a missing 12-year-old Vermont girl tested the U.S. Patriot Act recently when librarians at the Kimball Public Library refused to allow police detectives’ seizure of the library’s public-access computers without a warrant. The officers were acting on a tip that the missing girl had used the library’s computers to access her MySpace account, but librarians turned them away until they could provide the required paperwork. Vermont State Police Col. James Baker said: “We had to balance [the information we had] with protecting the civil liberties of everybody else, and this was not an easy decision to make.” Indiana University law professor and cybersecurity expert Fred Cate said the librarians acted appropriately. “If you’ve told all your patrons ‘We won’t hand over your records unless we’re ordered to by a court,’ and then you turn them over voluntarily, you’re liable for anything that goes wrong.” [Source] See also: [Local Library uses RFID to Manage Materials, but Privacy Concerns Abound]

 

WW – Facebook Redesign to Give Users More Control

Facebook is making sweeping changes to the world’s largest social networking site, aiming to give users more control and to curb new forms of spam. Facebook’s redesign aims to make user profiles more dynamic by giving more prominence to the newest information, and it is cracking down on applications that violate privacy or user-control guidelines. “Users should have control of their information when and where they want,” said the head of Facebook’s platform product management. “Users should share things because they want to share them.” [Source] See also: [Web networking photos come back to bite defendants]

 

WW – Facebook Bug Exposes Birthdays

Facebook users who limit access to their personal information may have been surprised to see their dates of birth viewable on the site last weekend. A bug in the beta version of Facebook’s site redesign inadvertently exposed the birthdays of some of its 80 million users. The beta site was intended only for developers, but users had access to it for an undetermined amount of time over the weekend. Dates of birth can be valuable to identity thieves and Facebook patched the bug within hours of its discovery. The Sophos technology consultant who discovered the problem told Computerworld he didn’t feel the incident was a major data breach, but that “it raises a more serious question, which is, ‘Can you trust these social networks to look after your data properly?’” [Source] [Source]

 

US – Social Networking Site Divulges Child’s Personal Data

Reunion.com previously linked to other data providers when users searched its site for names. Last month, the site decided to build its own database by acquiring files on as many as 260 million people from a private data broker. A mother was upset to find the name of her 4-year-old son. [Source] See also: [Privacy and the red pill]

 

WW – Google Bows to Pressure, Adds Privacy Link to Home Page

Google has added a link to its privacy policy from its sparse front page, bowing to pressure from privacy activists. Google founders Larry Page and Sergey Brin were involved in the decision, according to a Google executive. [Source]

 

US – TRUSTe Secures Major VC Funding

Silicon Valley venture capital firm Accel Partners has invested in privacy protection. The firm completed first-round financing with TRUSTe, the online privacy monitor and certifier. With the funds, TRUSTe will broaden its market reach and add new services to its existing suite of privacy protection solutions. The company will also address emerging issues such as behavioral targeting, social networking and mobile location-based services using the funds. Accel’s Andrew Braccia said that TRUSTe’s leadership in privacy assurance makes them well positioned to accelerate the adoption of privacy best practices among more businesses and consumers. “This investment from Accel Partners will help us further our mission of building trust on the Internet,” said Fran Maier, CEO of TRUSTe. [Source]

 

UK – Govt Review of ‘Criminality Information’ Highlights Problems in Data Sharing

In the UK, Sir Ian Magee has published his Review of Criminality Information which looks at the way in which criminality information is shared between agencies both here and abroad. The Review focuses on the problems in information sharing and what needs to be done to better protect the public from harm. Sir Ian has recommended a package of measures to improve public protection, one of them being a Commission for Public Protection Information. The Commission will advise Ministers on the sharing of criminality information, as well as monitor the Government’s progress. The Review has been sent to the Home Office’s Home Secretary, who will lead the Government in implementing the Review. His recommendations to improve links between those who hold criminality information recognise the importance of getting the balance right between protection from harm and protection of privacy. However, the Review is clear that it is necessary when considering criminality information to focus on public protection rather than on individual agencies and their needs. [Full report] [Executive Summary] [Source] See also: [ICO: Gov’t ignoring data-sharing hazards] [Added Powers for ICO Considered]

 

US – Vermont Publishes Taxpayer Income in the Public Domain

Vermont’s year-old structure for paying school taxes is raising privacy concerns. The system, in which property owners pay school taxes on an income-based sliding scale, raises the question of whether residents’ tax information, which now includes income information, is public or private. The state attorney general has said that tax bills should remain public, while the secretary of state has suggested otherwise. The Vermont ACLU said it will sue, if necessary, to protect the privacy of residents’ income information. Cities and towns remain uncertain. In speaking of the legislature’s failure to iron out the matter before the new system went into effect, one Vermont lawmaker said, “We really punted on the issue.” [Source] See also: [Privacy: Agencies Struggle to Redact Personal Data from Online Public Docs]


US – Texas AG Settles with Select Medical, RadioShack on ID Theft Charges

The Texas Attorney General’s office (AG) has settled with two defendants accused of violating the state’s Identity Theft Enforcement and Protection Act. RadioShack and Select Medical Corp. will pay a combined $1.5 million in the agreement. Both companies were charged with failing to protect customers from identity theft by improperly disposing of sensitive customer information. During separate investigations, authorities discovered the companies had discarded customer data into publicly accessible trash bins. Fines collected by the AG will be directed to future identity theft investigations and prosecutions. [Source]

 

EU – Dutch University Sued by RFID Chip Manufacturer

NXP Semiconductors is suing Radboud University in a bid to prevent the university presenting a paper on cracking the Oyster smartcard, used widely on the London public transport network. Researchers at the university plan to reveal how they hacked and cloned the NXP manufactured MiFare RFID chip used in the Oyster Card at an upcoming security conference to be held in October in Spain. NXP Semiconductors wishes to stop the paper from being published for “safety reasons.” [Source] [Source]

 

EU – Judge Rules Dutch Univ. Researchers May Publish Report of RFID Chip Hack

A Dutch judge has ruled that researchers at Radboud University in Holland may publish their research about the Mifare Classic (Oyster) RFID chip. The researchers do not plan to include details about how to clone cards that use the chip. The chip is used in Oyster cards, a prepaid smart card system in the UK, as well as in Hong Kong’s travel card and the Dutch Rijkspas smartcard. In his ruling, the judge indicated that freedom of speech trumps NXP’s commercial interests: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.” [Source] [Source]

 

US – NIST Releases Draft Paper on Mobile Computing Security

The US National Institute of Standards and Technology has released a paper containing draft guidelines on how to address the risks posed by mobile phones and other portable computing devices. NIST is seeking comments on the draft before final publication. [Source] [Source] [Source]

 

US – Defence Dep’t Issues Information Assurance Certification Guidelines

The U.S. Department of Defense’s “Information Assurance Workforce Improvement Program” details the industry standard certifications that technical and management personnel must attain if they are responsible for running a governmental organization’s Information Assurance program. Some people feel that this is an important development as these requirements will also become de facto standards for the private sector. [Source] [Source]

 

WW – Unpatched Windows PCs “Own3d” In Less Than 4 Minutes

Researchers at the Internet Storm Center estimate that it takes about four minutes for an unpatched Windows PC to be compromised once it connects to the Internet. The survival time has consistently dropped over the past years due to the increasing number of worms and viruses and hackers using more and more automated attacking tools. However, a researcher with the German Honeypot Project claims the survival time is much higher than 4 minutes and in fact is nearer 16 hours. Either way, both researchers agree that systems that are not set up with a secure configuration, fully patched, and protected appropriately should not be connected to the Internet. [Source] [Source] See also: [Supreme Court Justice Among Victims of P2P Breach]

 

US – District of Columbia Rolls Out First-of-its-kind Unified ID Card

This summer, the District of Columbia will begin distributing the “DC One Card”, an all-in-one ID card for residents and workers. The card will eventually incorporate several forms of credentials, including public transit fare cards, library cards, and student IDs; it will also be required in order to access government, park, and community facilities. Although government officials claim that there are no current plans to track cardholders, they also admit that personal data will be collected and retained. The government will maintain a database that contains personally identifiable information about all card holders, including name, address, telephone number, date of birth, a part of the SSN, and the various agencies and programs at which the card has been registered. [The DC One Card Website]

 

US – Lawsuit Filed Challenging FISA Act

A number of civil liberties groups, including the American Civil Liberties Union (ACLU) and Amnesty International, have filed a lawsuit challenging the newly signed law, the Foreign Intelligence Surveillance Act (FISA) Amendments Act. FISA allows for warrantless surveillance of telecommunications and immunity from subsequent lawsuits served against the telecommunications companies facilitating the surveillance. The lawsuit claims that FISA breaches the Fourth Amendment of the U.S. Constitution, which prevents the government from unreasonable searches and seizures. Supporters of the law claim it is a vital weapon in the fight against terrorism. [Source] [Source]

 

EU – New Swedish Surveillance Law to be Tried in European Court

The Swedish government will have to defend its introduction of a recent telecommunications surveillance law. An independent group, the Centrum for Rattvisa (CFR) or Justice Center, claims the bill violates Articles 8 and 13 of the European Convention on Human Rights. Article 8 guarantees European citizens the right to privacy, while Article 13 gives them the right to hold authorities accountable for violations of the human rights convention. The controversial law was narrowly voted in last month and allows Swedish security services to eavesdrop on all international calls into and out of Sweden. “We want them to decide where the limits are between the need for state security and the right to privacy,” said Clarence Crafoord of CFR. CFR contends that the new FRA law is not specific enough and “too flossy” in its formulation. Moreover, the group sees the law’s description of the threats to be controlled and the types of communication that can be monitored as too vague. In response to the new law TeliaSonera, the Finnish-Swedish telecoms operator, has moved its servers from Sweden to Finland and Google is also considering a similar course of action. [Source] [Source] [Source]

 

WW – Printer Tracking Technology Raises Privacy Concerns

A feature built into many modern laser printers is raising concerns among civil liberties groups that individuals’ privacy may be eroded. The feature uses technology to print hidden yellow dots that are unique to the printer onto each page. These dots are invisible to the eye, but when viewed under a blue LED light they can identify the printer. The technology is used to track those who attempt to use color laser printers to create counterfeit money. However, privacy advocates are concerned that the technology could be misused to track and identify whistleblowers or dissidents in totalitarian regimes. [Source] [EFF DocuColor Tracking Dot Decoding Guide]

 

UK – Big Brother is Bluetoothing You

A controversial new study that uses Bluetooth technology to track UK citizens, without their knowledge, has come under fire from privacy campaigners. The Cityware study has been set up with the objective “to develop theory, principles, tools and techniques for the design, implementation and evaluation of city-scale pervasive systems as integral facets of the urban landscape.” Cityware researchers at Bath University have “installed scanners at secret locations in offices, campuses, streets and pubs to pinpoint people’s whereabouts… The scanners, the first 10 of which were installed in Bath three years ago, are capturing Bluetooth radio signals transmitted from devices such as mobile phones, laptops and digital cameras, and using the data to follow unwitting targets without their permission.” Cityware’s director claims that his study is not interested in tracking individuals but is more “interested in the aggregate behaviour of city dwellers as a whole,” adding that the “notion that any agency would seriously consider Bluetooth scanning as a surveillance technique is ludicrous.” However, certain privacy campaigners strongly disagree, with Simon Davies, director of Privacy International, responding: “This is yet another example of moronic use of technology. For Bath University to assert that there aren’t privacy implications demonstrates an astonishing disregard for consumer rights. If the technology is as safe as they claim, then all the technical specifications should be published and people should be informed when they are being tracked. This technology could well become the CCTV of the mobile industry. It would not take much adjustment to make this system a ubiquitous surveillance infrastructure over which we have no control.” [Source]

 

WW – MMA Privacy Code of Conduct Released

Mobile marketers have a new roadmap for privacy thanks to the Mobile Marketing Association’s (MMA) release of new 1-page global privacy guidelines this week. The MMA’s new Global Code of Conduct expands on the privacy rules the organization issued last year to include input from Latin America, Asia-Pacific, Europe, Middle East and African partners. The new privacy code includes guidelines on notice, choice and consent, customization and constraint, security, enforcement and accountability. Mobile marketers are expected to self-evaluate to ensure compliance with the privacy guidelines until a third-party enforcement organization can assume that role. [Source] [Source] [Source] [Code of Conduct]

 

CA – Bell Denies Privacy Invasion

In a submission to the Canadian Radio-television and Telecommunications Commission (CRTC), Bell asserted that it does not violate the privacy of customers when using deep packet inspection technology. The company is under investigation by the federal telecom regulator for complaints that it uses “throttling,” the practice of slowing the Internet speeds of users who share files via peer-to-peer networks such as Kazaa or Gnutella. Bell says it uses the deep packet method to determine what kinds of data are being transmitted, but does not look at the contents of users’ communications. [Source]

 

EU – European Parliament Backs Controversial Telecom Plan

European politicians have voted in favor of amendments to telecoms law which campaigners say could be used to curb privacy online and file-sharing. Digital rights groups in Europe have formed a loose coalition to highlight their opposition to the amendments. [BBC]

 

CA – Canadian Wireless Spectrum Auction Concludes

The Canadian government is $4.2 billion richer with the conclusion of the cellphone spectrum auction on Monday, while customers stand to win as five new companies are now well positioned to launch services over the next few years. The windfall is considerably larger than the original $1.5 billion many industry analysts had predicted before the auction began on May 27. [CBC]

 

US – U.S. Terrorism Watch List Tops 1 Million

A U.S. watch list of terrorism suspects has passed 1 million records, corresponding to about 400,000 people, and a leading civil rights group said the number was far too high to be effective. The Bush administration disagreed and called the list one of the most effective tools implemented after the September 11 hijacked plane attacks - when a federal “no-fly” list contained just 16 people considered threats to aviation. The ACLU publicized the 1 million milestone with a news conference and release. It said the watch list was an impediment to millions of travellers and called for changes, including tightening criteria for adding names, giving travellers a right to challenge their inclusion and improving procedures for taking wrongly included names off the list. “America’s new million-record watch list is a perfect symbol for what’s wrong with this administration’s approach to security: it’s unfair, out-of-control, a waste of resources (and) treats the rights of the innocent as an afterthought,” said ACLU technology director Barry Steinhardt. [Source] [ACLU: Terrorist Watch List Hits One Million Names]

 

US – DHS Defends Laptop Border Checks

The Department of Homeland Security (DHS) believes its practice of seizing and reviewing the content of laptop computers entering the country at border crossings is necessary to defend against terrorism and to prevent the transport of child pornography. The DHS has taken to vigorously defending itself in the face of criticism from legal advocates who believe the practice represents an unconstitutional warrantless search and seizure. Law professor Peter Swire said, “A laptop can hold [the equivalent of] a major university’s library: It can contain your full life. The government’s never gotten to search your entire life, so this is unprecedented in scale what the government can get.” [Source]

 

US – U.S. Senators Pass New Wiretapping Measure

The U.S. Senate has approved a bill providing legal protection to telecommunication companies that took part in an electronic surveillance program targeting terrorism. The bill, the Foreign Intelligence Surveillance Act (FISA) Amendments Act, was passed by 69 votes to 28 and will now go to President Bush to sign. Critics of the bill claim it allows for warrantless surveillance and eavesdropping on the telecommunications of American citizens and does not have adequate safeguards. [Source] [Source] [Source] UPDATE: [Wiretap Law Prompts Lawsuit]

 

US – FTC Sees No Need for New Privacy Law

At the same time that Google and Microsoft offered their support for new legislation aimed at protecting consumer privacy online, the FTC told a Senate committee looking into behavioral targeting that existing law and self-regulation were sufficient. Lydia Parnes, director of the FTC’s Bureau of Consumer Protection told the committee, “Although there is more work to be done in this area, the [Federal Trade] Commission is cautiously optimistic that the privacy issues raised by online behavioral advertising can be effectively addressed through meaningful, enforceable self regulation.” [Source]

 

UK – UK House of Lords Call for Data Breach Disclosure Law

The Science and Technology Committee in the U.K.’s House of Lords has published a follow-up report on personal internet security in which they call for the introduction of data breach disclosure laws. The report also calls for a reversal in the rules whereby victims of cybercrime are supposed to report the crime to their banks rather than the police. In addition, the House of Lords wants legislation to be introduced to ensure banks are held responsible for losses resulting from electronic fraud. The committee published a report in 2007 with a number of recommendations which the UK government subsequently did not implement. The recent spate of data breaches, such as the 25 million personal records lost by the HMRC, has put internet security firmly in the spotlight. [Report] [Source] [Source]

 

US – Bill Would Require More Privacy Officers

Privacy officers for each of the Homeland Security Department’s components will be a requirement under a bill, H.R. 5170, which is currently under consideration in the House of Representatives. “The presence of a full-time Component Privacy Officer would ensure that privacy considerations are integrated into the decision-making process at all of the DHS Components,” the measure’s authors wrote. Of the nine components within the DHS, four of them have full-time privacy officers. [Source] [Source]