Privacy News Highlights
01–10 July 2009
Contents:
WW – “Breakthrough” Face Recognition Computers Can See Through Disguise
CA – ‘Year of the Privacy Breach’ Sask Privacy Commissioner’s 2008-09 Annual Report
CA – Bar Watch Launched in Downtown Victoria
EU – Regulating Personal Data Behaviour Between Paradoxes and Dilemmas: Research
UK – Government White Paper Sets Out Changes for UK Consumer Law
EU – France: No to New EDVIGE!
US – Privacy Act Reform Likely Delayed Till 2010
CA – BC MLA e-Mails Relevant to Trial, Judge Rules
WW – Botnets Lead the Way for Spam
UK – Tories Seek Alternatives to NHS Database
UK – Tories Claim ‘Google Health Records’ are Speculation
UK – Anger Over Minister’s Bid to Put Medical Records on ID Cards
US – MD6 Withdrawn from SHA-3 Competition
US – Nevada Law Mandates PCI Compliance
EU – Regulators Push for Easier Data Protection Compliance in Outsourcing Deals
CH – Swiss Commissioner: Social Networks Challenge Data Protection
UK – Outgoing UK Information Commissioner Releases Annual Report
UK – ICO Notification Fees Jump More than 1400%
UK – CBI Warns over Extending Data Watchdog’s Powers
EU – Opt-In Rules Relaxed for German Marketers
WW – Breach Numbers Up 60%: Ponemon Study
NO – Norway Will Not Chase File-Sharers
CN – China Delays Requirement for Web-Filtering Software on PCs
WW – Some PC Makers Voluntarily Supply Web Filter in China
CH – Swiss Government Will Seize Personal Data, If Necessary
CA – Ontario Court Backs Privacy Commissioner in Boulton Ruling
US – Missouri Governor Signs Bill Expanding DNA Testing
US – Blood Samples Raise Questions of Privacy
CA – Ontario Privacy Commissioner Issues Health Privacy Order
WW – NAID Aids in Developing Guidelines for Health Care Organizations
US – Ohio Supreme Court Protects Abortion Records
US – Sebelius, Others Named in Class Action
UK – Plans Dropped for Compulsory ID Cards
US – New York State Bar Waves Red Flag Over Red Flag
US – Social Security Number Code Cracked, Study Claims
US – Federal Court: DRPA Use of SSNs Violates Privacy Law
US – Jammie Thomas Files Appeal, Asks For New Trial
US – Web Advertisers Propose Self-Regulation Principles
EU – Swedish Court: IP Addresses are Personal Data
US – U.S. Court: IP Addresses Are Not ‘Personally Identifiable’ Information
WW – Chrome OS Privacy Concerns Aired
US – New York AG Accuses Social Networking Tagged.com of Massive Privacy Violation
UK – Legal Challenge to Operation Ore Web Child Abuse Inquiry
US – CDT Issues Briefing on Location Enabled Web Privacy and Civil Liberties
US – MySpace Not Liable For Assaults
WW – MySpace Hoax Conviction Overturned
UK – MI6 Chief’s Cover Blown by Wife’s Holiday Snaps on Facebook
WW – Facebook Announces Privacy Changes
WW – Facebook Fakers Prey on Students
AU – Another Year for Karen Curtis
KR – Ministry Expands Reach of Privacy Provisions
MA – Moroccan King to Nominate Commission Members
NZ – Privacy Commissioner Opines on Privacy Tort, Surveillance & Intrusion
JP – Japan Diet OKs Bills to Tighten Control on Foreign Residents
US – Rep. Wants TSA Involved in Data Transfer, Disposal
US – Massachusetts State Police Settle Strip Search Lawsuit for $70K
KR – Seoul Subway Adopts RFID Ticketing System
EU – Online Database of RFID Standards Launched
US – New York Medical Center Tracks OR Equipment for Trauma Care
UK – NFC Brings Visibility to British Home Care
US – Unified Cyber Security Command Raises Questions About Nature of Cyber Warfare
US – U.S., Europe Establish Cyber-Crime Force
US – Revised Rockefeller-Snowe Cybersecurity Bill to Move Forward
WW – Usability and Security Gurus Agree that Masked Passwords Should Go
CA – Canadian Regulators Begin Network Management Hearings
US – U.S. Wants Privacy in New Cyber Security System
US – States’ Breach Laws Effective July 1st
US – CDT: Privacy Logjam Breaking Up
EU – Deutsche Bank Monitoring Detailed in Report
JP – Wearable Sensors Help Analyze Behaviours of Factory Workers
Biometrics
A rapid but superior method for computerized face recognition could revolutionize security systems, especially if it can see through disguises, according to research published in this month’s issue of the International Journal of Intelligent Systems Technologies and Applications. In the late 1980s researchers at Brown University developed the so-called “eigenface method.” Since then, approaches based on neural networks, dynamic link architectures (DLA), the Fisher linear discriminant model (FLD), hidden Markov models, and Gabor wavelets have followed. Then a way to create a ghost-like image that would succumb to an even more powerful analysis was developed that could accurately identify the majority of differences between faces. Powerful techniques, however, have so far required powerful computers. Now, researchers have applied a one-dimensional filter to the two-dimensional data from conventional analyses, such as the Gabor method. This allows them to reduce significantly the amount of computer power required without compromising accuracy. The team tested the performance of their new algorithm on a standard database of 400 images of 40 subjects. Images are gray scale and just 92 x 112 pixels in size. They found that their technique is not only faster and works with low resolution images, such as those produced by standard CCTV cameras, but also solves the variation problems caused by different light levels and shadows, viewing direction, pose, and facial expressions. It can even see through certain types of disguises such as facial hair and glasses. [Source] [Original paper available at “A Method Towards Face Recognition,” International Journal of Intelligent Systems Technologies and Applications 7 (2009): 282-95]
Canada
An “explosion” of potential privacy violations is part of a “serious and troubling” trend that raises concerns about citizens’ rights and undermines confidence in public institutions, Saskatchewan’s information and privacy commissioner said this week. In his annual report, Gary Dickson called 2008-09 “the year of the privacy breach in Saskatchewan.” The commissioner’s office opened 62 privacy investigations in 2008-09. In comparison, the office conducted only two investigations four years ago. With 29 holdover investigations, the office was investigating 91 complaints in 2008-09 compared to 66 the year before. [Source] [Annual Report] [News Release]
Downtown Victoria bars and police announced their joint commitment to a Bar Watch surveillance program this week. The system is designed to discourage unlawful activity by requiring patrons to submit their driver’s licence to a scan as they enter participating bars. 13 downtown bars have signed on to the $4,600 technology by Treoscope Technology. The Downtown Victoria Business Association is providing a 25% grant to help cover the costs. Bar Watch works in two ways. First, if any crimes happen in the bar, patrons’ records are submitted to police to help them identify the criminal. Second, bar managers can submit notes about misbehaving patrons into the electronic database. The alert message will appear the next time the patron tries to enter any participating bar, so staff can choose whether to ban the person. The move to embrace Bar Watch in Victoria comes weeks before the B.C. Privacy Commissioner, David Loukidelis, is due to release the findings of his inquiry into the system. [Source] [Source]
Consumer
Presented at WEIS 2009, this research paper examines the paradoxes related to personal data, identity disclosure and protection by EU young people in four countries (ES, UK, FR, DE). Based on a large survey conducted by the JRC IPTS in 2008, the paper finds evidence of four paradoxes:
1. Privacy paradox – People do disclose a range of personal information despite high perception of privacy risks.
2. Control paradox – People desire full control on their personal data but avoid the hassle to keep it up to date and they do not use control technologies they know about.
3. Responsibility paradox – People believe that it is mainly their responsibility to protect their data online, but they are not confident in their own/other people’s ability to keep their data protected.
4. Awareness paradox – More awareness of data protection (DP) rights does not influence attitudes with respect to the effectiveness of the regulatory framework and does not influence the intention to adopt services based on personal data disclosure.
The paradoxes play out against two main dilemmas: fragmentation of perceptions and behaviours across different technologies; and significant differences across the four EU countries considered. These have implications for policy making in the areas of data protection, eID and privacy (among others). [Original Document] [Source]
The UK Government will appoint a Consumer Advocate with powers to sue on behalf of consumers, the rules for selling digital downloads will change and the law of misrepresentation will be simplified, according to plans published this week. The Government said that it will also publish a Consumer Rights Bill that will go further than a forthcoming EU Directive on consumer rights. Formal consultations on the Bill’s elements will be conducted over the period 2010 to 2012. The plans are outlined in a wide-ranging White Paper written by the Department for Business, Innovation and Skills (BIS), A Better Deal for Consumers – Delivering Real Help Now and Change for the Future. [Source] [White Paper] See also: [EU launches public consultation on the legal framework for the fundamental right to protection of personal data]
E-Government
The text of a draft law on Police Files has been approved by the Laws Commission of the National Assembly. The draft law contains a new form of the EDVIGE file, now nicknamed EDVIGE 3.0. EDVIGE was a new database created in June 2008 with the purpose of filing “individuals, groups, organisations and moral persons which, due to their individual or collective activity, are likely to attempt to public order”. Not only would these persons be filed (without any offence committed), but also “those who undertake or have undertaken direct and non fortuitous relations with them.” Filing was supposed to start at age 13 and the database would be used by French intelligence services and the administrative police. Following a massive civil society protest, the database was initially revised into EDVIRSP (or so-called EDVIGE 2.0) and then withdrawn in December 2008. Although it makes some significant progress, the text of the new law is still not good enough in respecting human rights, as underlined by a common press release of several unions and civil society groups. One of the major concerns that the press release highlights is the generic global tendency to extend the methods and tools used for serious crimes and terrorism acts to the “small delinquency”. The “No to EDVIGE” group asks for a limitation to acts of attack on State security and public security committed with violence. Also, the new file should not include minors. The French organisations also criticized the qualification given to other files, such as STIC (Système de traitement des infractions constatées - Recorded offences treatment system), a huge police database, which also records data on minors, without any age limitation. [Law proposal on Police Files: EDVIGE 3.0, still NO] [Law proposal on Police Files] [The deputies want to frame the creation of police files] [Massive mobilization against EDVIGE, the new French database] [French EDVIGE decree withdrawn]
Chances that Congress would enact legislation to update the 35-year-old Privacy Act this year are slipping away. The legislation would have had to be introduced by Independence Day for it to have any chance of being enacted this year, says Ari Schwartz of the Center for Democracy and Technology, who has been working closely with lawmakers interested in updating the Privacy Act. Schwartz, the center’s chief operating officer, predicts a bill could be introduced in September or October, meaning Congress wouldn’t vote on the legislation until next year. A major flaw of the Privacy Act is that it doesn’t account for technologies such as the Internet that came into existence after its enactment in 1974, limiting the use by the government of some technologies. The center is hosting a wiki at eprivacyact.org to let the public help draft a new Privacy Act. [Source] [Podcast interview with Ari Schwartz] See also: [Cloud Computing, Security to Drive US Gov’t IT Spending: Report]
The defence in a political corruption trial can subpoena the e-mails of a group of present and former MLAs and cabinet ministers, the Supreme Court of British Columbia has ruled. Madam Justice Elizabeth Bennett, who is hearing fraud, breach of trust and money-laundering charges against three former government employees, said in a decision this week that any e-mails sent by a caucus of northern MLAs concerning the sale of BC Rail in 2003 are relevant to the defence. Also relevant are e-mails sent by former finance minister Gary Collins, former transportation minister Judith Reid and former deputy premier Christy Clark. Judge Bennett, however, limited her ruling when it came to the e-mails of Premier Gordon Campbell. She said as far as Mr. Campbell is concerned, the relevant e-mails should be restricted to communications he might have had with a group of lobbyists from Pilothouse Public Affairs, a Victoria-based lobbying firm involved with one of the bidders for BC Rail. And Judge Bennett restricted the overall scope of the application to e-mails sent between 2002 and 2004, not the 2001-to-2005 period the defence had sought. The ruling deals specifically with a defence application for communications sent on MLA e-mail accounts. A separate defence application remains before the court concerning cabinet e-mails, which were sent on executive e-mail accounts and were kept on a different server. Last week, a government lawyer told the court the executive branch e-mails from 2001 to 2005 could not be recovered because backup tapes were kept for only 13 months. That revelation - which came prior to a ruling on the relevance of the executive branch e-mails - has triggered calls for public inquiries into what happened to the records. [Source]
Spam made up more than 90% of all e-mail last month, with networks of zombie PCs producing the vast majority of such messages, MessageLabs says. According to the messaging security company, the biggest botnet currently is Cutwail, which has doubled in size and output per bot since March. At its peak, Cutwail had an army of 1.5 million to 2 million active bots, but the shutdown of Californian ISP Pricewert earlier this month led to several hours of downtime for the botnet. [CNET]
Electronic Records
The Tories have undertaken a review of the NHS computer system to determine whether UK patients should have the option to store their medical records elsewhere. British Computer Society experts are reviewing the program at the request of shadow health secretary Andrew Lansley. “We are thinking about how in government the architecture of technology needs to change, with people ‘owning’ their own data, including their health records,” a Tory source said. Some have expressed security and privacy concerns related to such a move, while others feel that storing citizens’ records in a centralized government database is much riskier. [Source]
The possibility that the Conservatives might transfer NHS health records to private sector internet providers such as Google or Microsoft has been dismissed as speculation. But Tory leader David Cameron raised the possibility of bypassing the “unresponsive national IT system” that “isn’t really working very well”. He told BBC Breakfast: “For every penny we could save, we could put money into nurses and doctors and patient care.” “I don’t accept the principle that the safest place for information is with the government, because actually, if we think about it, who has lost all our data recently? It was Revenue and Customs, the government. I don’t accept that somehow our data is safe when it is the government that is looking after it.” [Source]
UK Home Office Minister Alan Campbell would like to see medical information recorded on ID cards. A Big Brother row erupted last night after the minister in charge of ID cards expressed a desire to load them with sensitive personal information such as medical records. The Home Office insists the microchip contained on the controversial cards will store only basic details such as name, date of birth, a facial scan and fingerprints. But Home Office Minister Alan Campbell has told MPs that a ‘future Government’ may want ‘to bring forward proposals to add to the amount of data held on a card’. Opposition MPs accused the minister of inadvertently revealing the Government’s true agenda to store medical and even criminal records on the chip. A spokesman for the Identity and Passport Service said: ‘When we issue ID cards later this year there will be no spare capacity to hold information beyond that already laid out in legislation.’ [Source]
Encryption
Ron Rivest seems to have withdrawn MD6 from the SHA-3 competition. From an e-mail to a NIST mailing list: “We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward.” Basically, the issue is that in order for MD6 to be fast enough to be competitive, the designers have to reduce the number of rounds down to 30-40, and at those rounds, the algorithm loses its proofs of resistance to differential attacks. “Thus, while MD6 appears to be a robust and secure cryptographic hash algorithm, and has much merit for multi-core processors, our inability to provide a proof of security for a reduced-round (and possibly tweaked) version of MD6 against differential attacks suggests that MD6 is not ready for consideration for the next SHA-3 round.” [Source and Commentary by Schneier et alia]
Businesses that operate in the state of Nevada will need to become compliant with the Payment Card Industry Data Security Standard (PCI DSS) when the state’s new Security of Personal Information law goes into effect next year. It is the first state to mandate compliance with PCI DSS, but experts expect others may follow. Goodwin Procter attorney Agnes Bundy Scanlan, CIPP, says although the law hasn’t attracted as much attention as a strict new Massachusetts data security law, “this Nevada PCI compliance might become a model for other states.” Bundy Scanlan also notes that the law “has a safe harbor for merchants already compliant with PCI.” [Source]
EU Developments
The EU’s Article 29 Working Party has published an opinion on an as-yet unpublished European Commission policy change on the transfer of personal data outside the European Economic Area (EEA). It said that the Commission needs to adopt a more consistent approach in its policy governing processors. Companies that handle personal data are required by the EU’s Data Protection Directive to make sure that any outsourcing providers they use give adequate protection and security for that data, even if those providers are outside the EU and so not directly bound by the Directive. Organisations commonly use European Commission-produced model contracts to pass those obligations on, but these only cover the signatories of the contract; they do not pass liability on to sub-contractors used by the outsourcing provider. This has caused complications for businesses, and the Commission has produced an unpublished proposal to change the rules to make the process more attractive to businesses. The Working Party has published its opinion on those proposals, though, and it has some criticisms of them. [Source]
Switzerland’s Federal Data Protection Commissioner Hanspeter Thür released his annual report this week. The commissioner said that social networking sites are challenging data protection, and warned users of such sites that the data they divulge will live after them. Thür also noted that users must take care in posting images of others on their pages, saying that consent is necessary. Effective data protection in the world of social media requires “other social actors,” he said, adding that schools have a role to play in educating Web users of its importance. (Article in French)
In his annual report for 2008-09, released just before he stood down last week, former Information Commissioner Richard Thomas said the Information Commissioner’s Office (ICO) needs more resources and greater audit and enforcement powers. Thomas said the ICO needs an extension of powers in order to inspect private-sector bodies for data protection compliance, and needs the enforcement powers necessary to sanction violators. “Public finances are very tight,” Thomas said in the report, “but...the ICO needs adequate and longer-term funding to enable us to fulfill properly all our complaint, guidance and enforcement responsibilities.” Christopher Graham became the new information commissioner on June 29. [Source] [Privacy tsar: Gov’t will collect less data]
Organisations with a turnover of £25.9 million or more and 250 or more staff will be required to pay the ICO an annual notification fee of £500 with effect from 1st October. The current fee is just £35. Notification is a requirement for ‘data controllers’ under the Data Protection Act. Every organisation that processes personal information must notify the ICO, unless they are exempt. Failure to notify is a criminal offence. The higher rate will also apply to public authorities with 250 or more staff. Charities, small occupational pension schemes, organisations with a turnover below £25.9m and those with a higher turnover but fewer than 250 staff will continue to pay £35. It is the first time the notification fee has changed since 2000. According to an explanatory memorandum from the Ministry of Justice, the higher fee payable by so-called ‘tier two’ organisations “reflects the amount of resources invested by the IC in regulating large data controllers.” The cost of fulfilling the ICO’s data protection regulatory and advisory responsibilities is £16 million per year, according to the Ministry of Justice memo. The ICO’s own research has indicated that less than 4% of data controllers will meet the criteria for tier two. [Source] See also: [Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009] [Explanatory Memorandum] [The ICO’s notification handbook] [The register of data controllers]
The CBI has criticised an amendment to the Coroners and Justice Bill that would allow the privacy watchdog to inspect companies’ premises without a court’s permission. Currently the Information Commissioner’s Office (ICO) is required to obtain permission from a court before searching companies and their computer systems to ensure compliance with the Data Protection Act. The removal of this safeguard could see unnecessary disruption to businesses that are complying with the law, according to Matthew Fell, CBI director of company affairs. In March the Joint Committee on Human Rights backed ICO calls for the power to carry out spot-checks on businesses without court permission. [Source]
Market researchers will be exempt from certain rules in a new German data protection law. The rules were designed to control how advertisers and direct marketers use individuals’ personal data, the report states. Lawmakers agreed to last-minute changes before Parliament broke for the summer. The original rules would have required consumer opt in to marketers’ data-sharing efforts. The new standards relax that requirement, pacifying industry concerns that the restrictions would essentially serve as a ban on its efforts. The federal council will decide later this week whether to approve the bill as passed. [Source] [Researchers win exemption from German opt-in law]
Facts & Stats
70% of UK enterprise and public-sector organizations polled by the Ponemon Institute have experienced at least one data breach incident within the last year. That’s an increase of 60% from the previous year. Commissioned by data encryption provider PGP Corporation, the study also revealed that the public sector experienced the most data loss incidents (4.48 per organization), followed by the financial services sector (3.11), the education sector (2.74), healthcare and pharmaceuticals (2.65) and the professional services industry (2.52). In addition, 12% of respondents experienced more than five data loss incidents in 12 months’ time. [Source] [70% of UK Organisations Hit By One or More Data Breach Incidents]
The Norwegian data protection authority has decided that ISPs must delete all IP address-related data just 3 weeks after collection, a decision that will make it difficult to chase file-sharers. The regulator started with two ISPs, Tele2 and Lyse Tele, but the decision, based on the Personal Data Act, will apply to all ISPs in Norway. As Norway is not a member of the European Union, it is not bound to comply with the European data retention directive, which says that this type of data must be held for at least 6 months. In Norway, now, data retention can go from a few days to five months. The Norwegian telecom regulator has also recently ruled that the identity of file-sharers can be disclosed to copyright holders only by court order. And to make things even tougher for copyright holders, Simonsen law firm, the only legal company having had a licence to track file-sharers, has seen it expire with no renewal provided. [Anti-Piracy Lawyers Lose License To Chase Pirates] [Data Protection Makes Identifying Online Pirates a Nightmare] [Norway organises the immunity of P2Ps] [Anti-Piracy Lawyers Thwarted in Norway]
Filtering
Under pressure from the U.S. government, the global tech industry and its own citizens, the Chinese government has delayed a controversial mandate that would require all new personal computers to be loaded with Web-filtering software capable of blocking pornography and objectionable political sites. The move tamps down, at least temporarily, a firestorm of criticism in China and around the world that threatened to create a trade dispute between the Obama administration and Beijing. [SiliconValley.com]
Several PC makers were including controversial Internet-filtering software with computers shipped in China on Thursday despite a government decision to postpone its plan to make such a step mandatory. Also Thursday, a government newspaper said regulators will revive the plan to make Green Dam mandatory at some point, a move that would disappoint opponents who hoped the government would drop the effort. [SiliconValley.com] See also: [Seven Tracking Technologies]
Finance
The Swiss Justice Ministry said that, if necessary, it will seize UBS clients’ data in order to prevent its release to U.S. authorities. The U.S. Justice Department (DoJ) wants details on 52,000 American accountholders of the Swiss banking giant who are suspected of tax evasion. DoJ officials have accused the bank of helping to hide billions of dollars in secret accounts. A court hearing on the issue is set to start next week in Miami. Swiss law prevents its banks from releasing client information, and Bern officials said in court papers filed yesterday that they will block UBS from disclosing the information. [Source]
FOI
The Ontario government has lost another legal battle in its attempt to avoid turning over documents to Marsha Boulton that are related to a police raid in 2003 on the farmhouse northwest of Toronto where the author lives with her husband Stephen Williams. The Ontario Court of Appeal has refused to hear an appeal from a ruling of the Divisional Court that ordered the province to disclose the documents. The Divisional Court upheld a decision of the provincial Information and Privacy Commissioner in 2007 to provide Ms. Boulton with certain Ontario Provincial Police records and a police videotape of the raid on her home. “They have been fighting this tooth and nail with taxpayers’ dollars for five years. There must be something they don’t want to turn over,” said Ms. Boulton, who filed the freedom of information request in 2004. “Why not put those resources toward prosecuting actual criminals,” she asked. [Source]
Genetics
Missouri police will soon start taking DNA samples along with booking photos and fingerprints when they make arrests. Gov. Jay Nixon signed legislation this week requiring DNA be taken from people age 17 and older who are arrested on suspicion of violent felonies, sex offenses or burglary. The DNA samples will be discarded within 30 days if charges aren’t filed or are dropped, or if the suspect is acquitted at trial. Missouri already collects DNA samples from convicted felons before they are released from prison. It joins at least 15 other states in collecting it after some arrests, according to the National Conference of State Legislatures. [Source]
Parents in Minnesota and Texas are challenging state programs that collect and store blood samples from newborns. In Minnesota, the state screens babies for genetic disorders, then stores the samples, sometimes releasing them to medical researchers. The parents are concerned about the non-consensual release of their children’s genetic information, the long-term retention of the samples and the ability for the state to identify individual children. The challenge could spark a national debate that some feel is needed. “There has not been a good national discussion about the use of these samples,” said Jeffrey Botkin, a pediatrician and bioethicist at the University of Utah. [Source]
Health / Medical
A health information custodian failed to comply with PHIPA when records containing personal health information (“PHI”) were found on the streets of Ottawa and were accessed by at least one unauthorized individual. The physical layout of a laboratory played a key role in the PHI ending up on the streets, and an unfortunate error led to records intended for shredding being treated as if they were to be recycled and subsequently falling out of the back of the recycling company’s truck. The entity’s Destruction Policy for the secure disposal of records, given the large volume of PHI handled by each lab, needed to be clear, understandable and leave no room for interpretation. The importance of having a written contract in place with any shredding company used to securely dispose of PHI cannot be over-emphasized, and the contract must set out the responsibilities of the shredding company in respect of secure disposal. The health information custodian was ordered to place room-cut shredders in every location and ensure that the contract in place with third parties meets PHIPA requirements. [HO-006]
The National Association for Information Destruction (NAID) will collaborate with the Ontario Information and Privacy Commissioner’s Office (IPC) to create guidelines to help health care organizations ensure the proper destruction of discarded personal information. The project was made public in the Ontario IPC’s Order issued July 3, pursuant to the province’s Personal Health Information Protection Act, documenting the investigation into the improper disposal of health information by a high-profile medical services company operating in Canada and the U.S. Ontario Information and Privacy Commissioner Dr. Ann Cavoukian will unveil the Health Information Destruction Guideline during her keynote speech at the 2009 NAID-Canada Conference Oct. 29 in Toronto. [Source] See also: [Boxes Of Medical Records Found In Salt Lake Dumpster]
The Ohio Supreme Court this week moved to protect the privacy of minors’ medical records when the minor is not a party in a lawsuit. The case involves a lawsuit against an Ohio Planned Parenthood and attempts by a teenager’s parents to obtain the medical records not only of their own daughter but of all teenagers seen at that clinic over a ten year period. “We are pleased that the court blocked the disclosure of the private medical records of teenage patients who are not directly part of a given lawsuit,” said Louise Melling, Director of the ACLU Reproductive Freedom Project. “Adults and teenagers alike need to know when they seek medical care that their private records will not be dragged into someone else’s legal dispute. Confidentiality is at the core of the doctor-patient relationship and must be fiercely protected.” The court also recognized that given the wealth of detail contained in patient medical records, redaction cannot reliably protect a patient’s privacy. [Source]
A New Hampshire woman has filed a class-action suit against three government officials, alleging the American Recovery and Reinvestment Act (ARRA) endangers the privacy of most Americans. Beatrice Heghmann filed in federal court last week, alleging that the ARRA Title XIII requires healthcare providers to digitize the medical records of all Americans, which jeopardizes the privacy of those enrolled in the public health plan and those who are not covered by Medicaid or Medicare—65% of Americans. Heghmann is seeking an injunction to protect personal health information and to prevent defendants from disbursing $22 billion earmarked for an Electronic Health Records System. [Source] [Source] [Source] [Lawsuit claims stimulus act puts privacy in jeopardy]
Identity Issues
Britain said it was dropping plans to bring in compulsory biometric identity cards for airport workers and that the multi-billion pound scheme would remain voluntary for all Britons. Home Secretary Alan Johnson said the government was going ahead with the introduction of the 30 pound cards, which contain personal details, fingerprints and a facial image, but ruled out making them compulsory. Civil rights campaigners and opposition politicians have long opposed the project, saying it was unnecessary, expensive and an intrusion into private life. The Conservative Party, ahead in the polls and tipped to win the next election due by mid-2010, has pledged to scrap the scheme as part of public spending cuts to help deal with Britain’s spiralling debt. [Source] [Source] [Source]
The New York State Bar Association has expressed its opposition to the Federal Trade Commission’s requirement that lawyers comply with Red Flag rules, a provision of the Fair and Accurate Credit Transactions Act that is scheduled to go into effect August 1. The New York State Bar joins the American Bar Association as well as state bar associations in Arkansas, Colorado, Illinois, Ohio and Virginia in protesting the requirement, claiming that Red Flag compliance would force lawyers to violate attorney-client privilege. [Source]
For all the concern about identity theft, researchers say there is a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans’ SSNs. Alessandro Acquisti of Carnegie Mellon University in Pittsburgh and Ralph Gross report in this week’s edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook. [Washington Post] [The Register] [SSN Project home] [SSN Study] [SSN Study FAQ] [blog]
Paul Zilahy Ingerman takes his Social Security number very seriously. Ask him for it at your peril. The Delaware River Port Authority did when he applied for a senior citizen discount on his E-ZPass account and the bistate authority wound up in federal court. Judge Joseph H. Rodriguez ruled in Ingerman’s favor, saying the DRPA violated the 1974 Privacy Act by requiring the nine digits on an application for the discount. The judge also ordered the DRPA to pay Ingerman’s legal fees. The DRPA is considering an appeal, said spokesman Ed Kasuba. Twenty-five thousand motorists 65 years and older – nearly 4% of all of its E-ZPass users – are enrolled in the DRPA’s senior discount program. In lieu of his Social Security number, Ingerman submitted a photocopy of his passport as proof of age. [Source]
Intellectual Property
As expected, Jammie Thomas-Rasset, the Minnesota woman found liable for willful copyright infringement of 24 songs last month, filed her appeal this week. Thomas-Rasset, who was ordered by a jury to pay $1.92 million in damages last month, has asked the court to either alter or amend the judgment, remove or change the award of statutory damages to the statutory minimum or give her a new trial. If the award is changed, Thomas-Rasset argues she should pay the minimum damages of $18,000. [CNET]
Internet / WWW
Online advertisers are proposing a mix of consumer education, disclosures about what information is being collected and special protections for children and sensitive information in an effort to head off tough legislation. Four leading advertising trade associations – the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, or DMA, and the Interactive Advertising Bureau – drew up the “self-regulatory principles.” Their immediate impetus was criticism that too much information was gathered about Internet users, shared too widely and stored for too long. The principles would require online advertisers to choose an icon or phrase that would be used by all web sites to point Internet users to a site where they could learn what information was being collected and perhaps opt out. Information about children and sensitive information about all computer users would face a higher standard. The principles require “consent for the collection of financial account numbers, Social Security numbers, pharmaceutical prescriptions or medical records about a specific individual for online behavioral advertising.” Internet service providers have a higher standard. They would be required to win consent before any information was gathered. Enforcement would be done by the Better Business Bureau and DMA, with non-compliant firms publicly reported. The principles will be put into effect by early 2010. The industry would also create a Web site to educate consumers about how the Internet is monetized. Many have no idea that free services often come at the price of collected information about where a user goes on the Web. Marc Rotenberg, president of the Electronic Privacy Information Center, called the principles “almost meaningless” and predicted that Congress would pass legislation hemming in information collection by advertisers.
“There’s very little appetite in Washington today for self-regulation,” said Rotenberg. “People have no idea about how much information is being collected about them online.” [Source] [Google blog] [Self-Regulatory Principles for Online Behavioral Advertisings] [NYT: Industry Tightens Standards for Tracking Web Surfers] [NYT: Not Much Changed in New Industry Standards]
The Swedish Supreme Administrative Court has ruled that IP addresses are personal data in a case regarding APB (the Swedish Anti-Piracy Bureau, Antipiratbyrån), a lobby group representing copyright owners. However, from the comments following the judgement, it became clear that this ruling will not stop the implementation of the Swedish IPRED Directive or the way the copyright holder representatives record and keep IP addresses in order to identify alleged file-sharers. Although the ruling means that APB’s methods for chasing file-sharers by logging their IP addresses were in violation of the Personal Data Act, the new IPRED law changed the situation. Jonas Agnvall, a legal adviser with the Swedish Data Inspection Board, says that the new IPRED law specifically allows the APB’s IP logging activities. A week later, on 25 June 2009, a first ruling on the new IPRED law was given by the Solna District Court, which decided that an ISP must hand over information identifying its customers based on the IP addresses given by five publishers of audiobooks who were trying to identify some alleged copyright offenders. In the decision of the Solna District Court, the judges ordered Ephone to reveal the information regarding the customers using several IP addresses, under penalty of a fine of 750 000 Swedish crowns (approx. 70 000 euros). The company also needed to pay the publishers’ court costs. [Collecting IP Addresses Illegal in Sweden] [Favorable court ruling do not save file-sharing] [Sweden: IP numbers are personal...unless you’re a pirate] [Publishers win anti-piracy law test case] [First IPRED case settled]
A federal judge in Seattle has held that IP addresses are not personal information. “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer,” U.S. District Court Judge Richard Jones said in a written decision. Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. The consumers argued that Microsoft’s user agreement only allowed the company to collect information that does not personally identify users. Microsoft argued that IP addresses do not identify users because the addresses don’t include people’s names or addresses. The company also said that it did not combine IP addresses with other information that could link them to individuals. Last month, Jones sided with Microsoft and dismissed the case before trial. But some say that Jones’s decision about IP addresses is inconsistent with other recent opinions about the issue. The EU considers IP addresses to be personal information. Marc Rotenberg, executive director of the Electronic Privacy Information Center, criticizes the Microsoft ruling as “a silly decision.” “The judge didn’t understand the significance of the IP address or the reason that it was collected,” he says. Rotenberg adds that the judge prematurely dismissed the case, arguing that more facts were needed to determine whether IP addresses were personally identifiable. [Source] [Source]
Google’s announcement that it will release an operating system for netbooks next year has generated wide interest. PCWorld heard from those concerned about the potential privacy and antitrust implications of the new Chrome OS. “Competition in the OS market should always be welcome,” said Marc Rotenberg of the Electronic Privacy Information Center, “but Google is a special case.” Other privacy advocacy groups concurred that the potential for Google to collect more personal data from users is a concern. Jeffrey Chester of the Center for Digital Democracy said: “I think the new OS has to be placed under the data-collection x-ray by U.S. and EU privacy regulators and advocates.” [Source] [Google’s New Operating System to Take on Microsoft] [Source] [CNET: What will Google’s Chrome OS watch you do?]
Over recent months, tens of millions of people allegedly have received e-mails telling them that friends or acquaintances were inviting them to view pictures on the Web site of a San Francisco social network, Tagged.com. Just one problem, law enforcement authorities say: The company never asked its members for permission to solicit people on their contact lists. It just took them. Thursday, Tagged.com found itself accused by New York authorities of a massive invasion of privacy, having abused the most precious commodity users share on social sites - their identity. “This company stole the address books and identities of millions of people,” said New York Attorney General Andrew Cuomo. Tagged’s Web site claims it is the third-largest social network in the United States in terms of total monthly visits. It boasts at least 80 million registered users but only 4 million daily users, about 75% of whom are outside the United States. [Source]
Shares of Phorm, the online targeted advertising company, have fallen more than 43% after BT announced that it did not envision using the company’s technology in the immediate future. Targeted advertising technology has come under scrutiny for violating users’ privacy. BT is being especially careful about employing the technology because it was criticized for running a pilot of the technology several years ago without customers’ consent. BT says it is interested in targeted advertising, but “resources and priority” have placed it on the back burner. A handful of US Internet service providers (ISPs) started testing similar technology but stopped after testimony at congressional hearings made it clear that the public had some serious concerns about the practice. [Source] [Source] [Source] [Source] [Source] [BT Drops Phorm After Customers Cry Foul Over Privacy] [Talktalk Drops Webwise, Virgin Media Considering Following Suit]
Law Enforcement
One of Britain’s biggest online paedophile inquiries is to be challenged in the court of appeal amid allegations from campaigners that hundreds of men have been wrongly convicted in a mass miscarriage of justice. For more than two years a small group of experts have claimed that Operation Ore, the police inquiry into thousands of British men, was tainted because the database at the centre of the investigation contained evidence of widespread credit card fraud. [Guardian]
Location
The Dawn of the Location Enabled Web comprises three sections: 1) Location Privacy [Testimony of Leslie Harris (April, 2009)] [Digital Search & Seizure report (February, 2006)]; 2) The Dawn of the Location-Enabled Web [IETF Geopriv Working Group (February, 2009)] [Draft W3C standard (June, 2009)]; and 3) Location-Aware Firefox [Geolocation in Firefox (June, 2009)] [Source]
Online Privacy
Internet sites like MySpace cannot be held liable when minors are sexually assaulted by people they first meet on a Web site, a California appeals court ruled in an opinion this week. The ruling comes a day before the sentencing, also in Los Angeles, of a Missouri woman accused of using a fake MySpace profile to harass a teenage girl. The girl committed suicide. [Washington Post]
A federal judge has overturned the conviction of Lori Drew, the Missouri woman who perpetrated a MySpace hoax that ended in the suicide of a 13-year-old neighbor girl. In November, Drew was convicted of three counts of illegally accessing a protected computer. US District Judge George H. Wu’s decision is tentative pending the filing of his written ruling, which is expected next week. Judge Wu expressed concern that Drew’s conviction for violating MySpace terms of service would “criminalize what would be a breach of contract.” [Source] [Source] [Source] [Source] [Source] [Dismissal of Myspace Case ‘Proper,’ Defendant Says]
The new head of MI6, Sir John Sawers, is at the centre of a security breach after his wife published family holiday photographs and other personal details on the Facebook website. Sir John is due to take up his post as chief of the Secret Intelligence Service, in charge of Britain’s spying operations abroad, in November. But his wife’s postings on the social networking site have exposed potentially compromising details about where they live and work, their friends and where they go on holiday. Lady Shelley Sawers put no privacy protection on the account, meaning that any of Facebook’s 200 million users in the ‘London’ network could view photographs of her family and information about the location of their London home and the whereabouts of their children, no matter where they were in the world. The lapse also revealed the couple’s friendship with senior diplomats and actors. It appears that the Foreign Office had not vetted the information that Sir John and his family were putting on the internet. [Source] [Source] [Source] [Source] [Source] [Source] [Source]
Facebook will introduce a new “Unified Privacy Page” and eliminate familiar regional networks such as “Silicon Valley” or “San Francisco” as part of an effort to streamline privacy controls and reduce user confusion and concern. In addition, Facebook plans to introduce a new way of allowing users to broadcast their posts to a wider Internet audience by clicking a button labelled “Everyone.” With more than 200 million users worldwide, Facebook’s privacy guidelines are highly scrutinized. [Source] [SiliconValley.com] [ZDNet] [IDG News] [FB Announcement] [Facebook’s Upcoming Privacy Changes: What to Know]
Prospective university students are falling prey to a growing Facebook fraud as marketers set up fake academic groups to vacuum up their personal information. After a sweep that shut down a number of fraudulent groups last month, a new batch has sprung up, targeting the classes of 2014 and 2015, and experts say more are on the way. The stakes are high – potentially years’ worth of data and thousands of contacts in a desirable demographic. So high, in fact, one company allegedly tried to bribe and blackmail a student to help a scam. Hundreds of students in the GTA were told in June to abandon fake “Class of 2013” Facebook groups, many sporting official school logos. A sweep shut down groups targeting classes at more than a dozen major Canadian universities, including the University of Toronto, York, Ryerson and McMaster. There is “a whole subculture” of people trying to make a quick buck by impersonating legitimate organizations and celebrities online, says Avner Levin, director of the Privacy and Cyber Crime Institute at Ryerson University. The set-up goes beyond sending ads to those who join the fraudulent groups, Levin says. Unbeknownst to students, marketers are building mailing lists, collecting personal information that they can store and sell for years, he says. A spokesperson for Facebook said the company doesn’t have statistics on people creating false accounts, dubbed “squatters.” But she said the company removes the accounts when notified through the “report” link found on each page. The discovery of marketer-run university groups rocked U.S. academic circles in December, after dozens of fake groups were linked to campus guidebook company College Prowler. The company apologized for misleading students. [Source]
Other Jurisdictions
The Australian federal privacy commissioner’s term has been extended. Karen Curtis will continue in her role for another year in order to assist in the transition to the new Office of the Information Commissioner (OIC). Beginning next year, the country’s information access, privacy and data protection efforts will be housed in the OIC. The new office stems from Freedom of Information reforms. It will “operate as an independent body to handle complaints, and provide advice, oversight and reporting of FOI and privacy matters,” said Special Minister of State Joe Ludwig. Ludwig said that Ms Curtis’s work as privacy commissioner is “highly regarded within government.” [Source]
A slew of customer information breaches over the past 18 months has raised public awareness of data protection, and the government has taken note as well. The Ministry of Public Administration and Security has substantially expanded the scope of the Information and Communications Network Law’s privacy provisions. Beginning this month, 220,000 companies, including real estate brokers, career centers, marriage agencies and video-rental stores, must comply. Violators could face fines or criminal charges. An official from the Ministry’s personal information protection division said a committee will be established to help educate businesses about the rules. [Source]
Morocco is aligning its data protection standards with those of the European Union in order to bolster its attractiveness as an offshoring and outsourcing market. The nation will create a 7-member commission for the protection of personal data (CNDP) that will reinforce its new data protection law (09-08). Morocco’s Minister of Industry, Trade and Modern Technology made the announcement at a seminar this week. French data protection commission president Alex Turk, who co-presided over the seminar, said the new commission should “answer the different questions relating to the protection of personal data and give advice to the different players in this domain.” [Source]
In a submission to the New Zealand Law Commission, Privacy Commissioner Marie Shroff supports a privacy tort to allow citizens redress for invasions of privacy. The Law Commission is exploring potential changes to criminal and civil law to close privacy gaps made by technological advances. Ms Shroff also suggests amending criminal laws to address the use of spyware and RFID skimming, and recommends creating a criminal offence for covert tracking activities, among other changes. “Technology innovations are developing quickly in the area of video surveillance and tracking and could present future challenges to personal privacy,” Ms Shroff said. [Source] [Commissioner supports privacy law review]
The Diet passed bills this week that tighten controls on foreign residents, paving the way for them to take effect within three years, despite opposition from foreigners and human rights activists. The bills, which cleared an Upper House plenary session, will abolish the Alien Registration Act and revise immigration control and resident registration laws. The revision will shift authority to manage foreign residents from municipalities to the Immigration Bureau and enable it to consolidate the personal information of foreign residents, including name, address, type of visa and expiration date, making it easier for the bureau to detect illegal residents. The bills will also introduce a new form of identification called a “zairyu” (residence card) to replace the current alien registration cards, and code numbers on them will be kept by the Justice Ministry. Under the bills, foreign residents will be listed on the resident registry network, a computer network connecting municipalities and containing demographic information on Japanese residents. Rights activists condemned the bills for excessively tightening controls on foreigners. [Source]
Privacy (US)
The House Homeland Security Committee chair wants TSA oversight in the shutdown of Clear. Specifically, Rep. Bennie Thompson (D-MS) wants the Transportation Security Administration to ensure that the personal data of 165,000 people registered with the Clear airport security screening program will be protected as the program is dismantled. Clear announced last week it had ceased operations, prompting travelers to question what will happen to the personal information they submitted in exchange for quick passage through airport security checkpoints. In a letter to the administration’s Acting Assistant Secretary, Thompson expressed concern about the TSA’s apparent lack of disposal requirements in the event of such a shutdown. [Source]
The Massachusetts State Police and the Dartmouth Police Department will pay $70,000 to a Fall River woman who accused a state trooper of performing an illegal strip search on her along the heavily traveled Reed Road in Dartmouth more than two years ago. In a settlement filed in US District Court Thursday, $55,000 was to be paid to Bolduc from the Massachusetts State Police and $15,000 from the Dartmouth Police Department. The settlement protects both from future legal action. [Source]
RFID
Seoul Subway expects to save $2.4 million annually with a new RFID ticketing system that recently went live. The savings will come from the use of new reusable RFID fare cards that passengers can add value to, which will reduce the use of disposable paper tickets. Seoul Subway also introduced a deposit system for paper tickets to encourage recycling, according to an announcement from STMicroelectronics, which provided the RFID system. [Source]
With the GRIFS project, GS1, CEN and ETSI launch an online database of international RFID standards and report significant progress in the development of a Global Forum for RFID standardisation. GRIFS, the EU funded project promoting closer co-operation between RFID standards organisations, today announced the launch of the first comprehensive online database of international RFID standards, which should soon become the reference tool for anyone looking for up-to-date information on the current progress of international RFID standards. In addition, the GRIFS project team issued a Memorandum of Understanding to support the organisation of the Global Forum of Collaboration on RFID standardisation and announced the GRIFS Forum kickoff meeting to be organised on 30 June and 1 July 2009 in Washington DC. [Source] See also: [EU sponsored GRIFS project shines a light on the complex world of RFID standards – 2 Dec 2008] and [GRIFS Forum successfully kicked off in Washington DC] [GRIFS Report on State of the Art RFID Standards] and also: [EU funded research demonstrates security and anti-counterfeiting is possible on standards-compliant RFID tags]
The SUNY system’s University Hospital has deployed a Wi-Fi-based RFID solution to track the location of its emergency equipment, as well as the temperatures of drugs and tissue samples in 100 refrigerators, and expects an ROI within one year. [Source]
U.K. home-care providers are testing an NFC system from mobile-phone service provider O2 that allows them to track and update a patient’s records using their own mobile phones and an NFC tag at a patient’s home. [Source]
Security
The announcement of the planned unified cyber security command raises a number of important questions about the scope of the organization and how it meshes with other government agencies. It also brings the government face to face with the thorny questions surrounding cyber warfare; a recent National Research Council study noted that “an unclassified and authoritative statement of joint [military] doctrine for the use of computer network attack is unavailable and it is fair to say that current doctrine on this matter is still evolving.” While the Geneva Convention requires that all combatants be identifiable, cyber space makes it all too easy for attackers to conceal their identities. [Source]
The U.S. Secret Service plans to unveil plans for a pan-European task force charged with preventing identity theft, computer hacking and other computer-based crime. The unit will be based in Rome, teaming up with an Italian anti-cyber-crime police unit and the Italian post office Poste Italiane SpA, which has developed software that can track electronic payments as it moves beyond traditional mail delivery. [WSJ]
The most far-reaching US legislative proposal on Cybersecurity is being modified to eliminate problematic language (such as the language that gave the government the right to “shut-off the Internet” during a national emergency) and will be moving ahead during July with a major rewrite and an additional hearing followed by a full-committee vote. Among many other far-reaching provisions, the Rockefeller-Snowe bill extends federal cyber security regulatory reach to federal contractors and grantees and calls for licensing of cyber security professionals. [Source]
Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world’s leading thinkers. [Source] [Jakob Nielsen’s Alertbox on Password Masking] [Security guru says he was ‘probably wrong’ to attack masked passwords] [Schneier’s new position on password masking]
Telecom / TV
Canadian regulators are preparing to investigate how the country’s largest cable and telecom companies control the flow of Web traffic on their networks in a series of landmark hearings that are expected to have lasting implications for how millions of Canadians use the Internet. Beginning Monday, the Canadian Radio-television and Telecommunications Commission (CRTC) will kick off public hearings designed to examine how Canadian Internet Service Providers (ISPs) manage or “shape” the flow of Web traffic on their networks. [National Post] [ISPs Should Prove Need to Control Web Traffic, CRTC Hears]
US Government Programs
The Obama administration is moving cautiously on a new pilot program that would both detect and stop cyber attacks against government computers, while trying to ensure citizen privacy protections. The pilot program, known as Einstein 3, was supposed to launch in February. But DHS is still pulling the plan together. Einstein 3 has triggered debate and privacy concerns because the program will use NSA technology, which is already being employed on military networks. Any involvement of the NSA in protecting domestic computer networks worries privacy and civil liberties groups who oppose giving such control to U.S. spy agencies. [Washington Post]
US Legislation
Two more states’ data security breach notification laws go into effect July 1, 2009. Entities in Alaska and South Carolina that experience a breach of unencrypted personal information in paper and electronic records must now notify affected individuals, with some exceptions. To date, 44 states have implemented breach notification laws. [Source]
A comprehensive privacy law is closer to reality than it has been in the last several years, according to the Center for Democracy and Technology (CDT). At a briefing in Washington, CDT president Leslie Harris cited recent developments as signs that “the privacy logjam is being broken.” Harris said the enactment of stimulus package privacy provisions, an ongoing Congressional exploration of behavioral advertising and lawmakers’ stated intentions to write legislation this year suggest a renewed interest. “We have an opening here...to get a bill on privacy,” she said. [Source]
Workplace Privacy
A 150-page report on Deutsche Bank’s employee monitoring efforts has revealed that the company not only spied on management and supervisory board members, but also on a shareholder. Deutsche Bank commissioned the report. Hesse data protection officials are investigating whether the company executives who ordered the spying broke laws. The Frankfurt public prosecutor’s office may also be involved, the report states. [Source] See also: [MONDAQ: Privacy Failures Costs Employers]
DSS Co, a Japanese firm that edits and processes digital maps based on survey data, has started a service that records the actions of factory workers over long hours and visualizes them. The tools used for collecting the data are (1) the “ankle sensor,” attached to the leg of a worker to record his or her movement, (2) the “milestone,” installed in various places in the plant to measure how long workers stay there, and (3) the “small video camera,” placed in the chest pocket of the worker to record his or her actions. To collect the data on 30 workers, a digital map of the workplace is created. Then, the milestones are set at key locations such as work areas and storage spaces, and the ankle sensors are attached to workers. The rest is to let them work as usual. [Source]