Privacy News Highlights

01–13 March 2009

 

Contents:

US – Dartmouth Researcher Accesses EMRs

CA – Saskatchewan Party Halts EDL Legislation

CA – Surveillance Cameras Must Vanish After 2010

CA – Federal Privacy Commissioner Releases Paper on Privacy in Virtual Worlds

UK – The UK Response to Behavioural Advertising

WW – Clickers Hip to Ad Tracking, Poll Finds

US – Cable Companies Target Commercials to Audience

US – Adzilla Faces Potential Class-Action Lawsuit

CA – Tax Collector Used Agency Computers to Get Data on Women, Documents Show

UK – One-Quarter of Defense Contractors Not Complying with Data Encryption Mandate

EU – No e-Voting in Germany

AU – Australian Police to be Given Remote Surveillance Powers

WW – Advertisers Get a Trove of Clues in Smartphones

US – Industry Coalition Launches Health IT Security Plan

WW – Wal-Mart to Enter Electronic Medical Records Arena

US – College Student Faces Additional Charges in Palin e-Mail Break-in Case

EU – EU Nations Oppose Extension of Data Breach Notification Law

UK – Code on Behavioural Web Ads Launched

EU – EP Wants a Better Balance Between Internet Security and Privacy Rights

UK – Tribunal Wants the Gateway Reviews On ID Scheme Made Public

US – Identity Theft Complaints Increase Significantly in 2008

UK – Local Authorities Must Change Privacy Practices for Children, Says Report

WW – World’s Poor Drive Growth in Global Cell Phone Use

WW – Online Networking More Popular Than Email

EU – Net Campaign Urges Action Over Move to Block Websites

CA – Home Insurers’ Use of Credit Scoring Overlooked

US – The Hartford Offers Data Privacy Coverage for Developers

UK – Medical Records Breached

EU – Organ Transplantation and the Data Protection Issue

US – CVS Caremark May be Violating Privacy of Hundreds of Thousands of Floridians

UK – Doctor Charged with Violating Data Protection Act for Unauthorized Access

US – Another Breach Exposes 60,000 Payment Cards

US – Financial Institutions Sue Heartland

US – Maryland Court Rules Media Need Not Reveal Web Posters’ Identities

WW – Google to Base Ads on Surfing Behaviour

CA – Google, Amazon Ask CRTC to Stop Internet Traffic Shaping

US – Insider Theft at NYPD Impacts 80,000 Cops

EU – Rules for Social Networks Agreed by Data Protection Authorities in Germany

WW – Facebook Offers Radius Targeting

WW – IBM Develops Privacy Application for Facebook

WW – Google Latitude ‘No-log’ Policy Lauded

NZ – Paper on Privacy Issued

PH – House Panel Starts Deliberating Privacy Bill

US – California Lawmaker Targets Internet Mapping Sites

US – Research Copyright Bill Would End Access to Free Health Info

US – Vermont Offers RFID-Enabled Driver’s Licenses to Help at Border Crossings

US – Vigil Protests Mandatory Chip Implants

CA – Whole Body Imaging in Airport Scanners: Activate Privacy Filters

US – Job Seekers Urged to Prevent ID Theft

US – EFF and ACLU Urge Court to Reject Warrantless GPS Tracking

UK – Protests at Government Surveillance Grow

CA – Filmmaker Plans “Eyeborg” Eye-Socket Camera

CA – 80% of Canadians Getting Fewer Telemarketing Calls: Survey

EU – Spain Disconnecting Pre-Paid Phones Unless Users Identify Themselves

US – Verizon Offering Subscribers Opt-Out of Data-Sharing Arrangement

US – House Subcommittee Hearing Focuses on DHS Role in Federal Cyber Security

US – DHS Secretary Proposes Increase in Spending for Domestic Surveillance Programs

US – DHS Privacy Committee Pushes for More Data Collection

US – Terrorist Watch List Hits 1 Million

US – Major Tech Companies to Drop Support for Comprehensive U.S. Privacy Law

US – House Reviewing Data Protection Act

US – California Legislation Would Require Specific Info in Data Breach Notifications

AU – RIM Records Employee Calls to Protect IP

 

 


Biometrics

 

US – Dartmouth Researcher Accesses EMRs

Using peer-to-peer (P2P) applications, a Dartmouth College technology professor accessed tens of thousands of electronic medical records on computers that had P2P programs on their hard drives. Professor M. Eric Johnson discussed the results of his two-week long research project at a conference last week. The research, funded by the Department of Homeland Security, raises concerns about medical fraud and patient privacy, especially in the wake of President Obama’s signing of the economic stimulus bill. The law includes a $19 billion shot in the arm for healthcare information technology, including two billion for converting the medical records of all Americans to an electronic format. [Source]

 

Canada

 

CA – Saskatchewan Party Halts EDL Legislation

The Saskatchewan Party government has put at least a temporary halt to legislation that would create enhanced driver’s licences (EDLs) in Saskatchewan after the province’s privacy watchdog raised “significant privacy issues” about the plan. Although the government announced plans for the voluntary EDLs last summer, Crown corporation SGI has so far not provided the privacy impact assessment that the information and privacy commissioner expected last September. Nor has the government consulted at all with commissioner Gary Dickson about Bill 72, the enabling legislation that creates the enhanced licences. Dickson, who had sent a report to the legislative assembly on Bill 72 last week, said Tuesday he was pleased with the government’s decision to rework the legislation. Among his concerns is that there was no public consultation ahead of the bill being introduced. As well, the bill makes no reference to the “privacy invasive character” and “risks to privacy” of the RFID tags in the licences, which can potentially be read from up to 30 feet away. [Source]

 

CA – Surveillance Cameras Must Vanish After 2010

Surveillance cameras at the 2010 Winter Olympics in Vancouver must not be used by police to monitor the city’s residents after the games, the privacy commissioners of Canada and British Columbia said at a Victoria security and privacy workshop focused on the Olympics. Of particular concern were hundreds of security cameras expected to be placed in and around Olympic venues. After the 2004 games in Athens, police there turned the cameras into a citizen-surveillance network. Micheal Vonn, BC Civil Liberties Association policy director, said she was concerned about so-called voluntary searches of people and vehicles entering designated Olympic areas. While Olympic organizers have not yet revealed their search plans, access is expected to be heavily restricted in and around Olympic venues. [Source]

 

CA – Federal Privacy Commissioner Releases Paper on Privacy in Virtual Worlds

The paper examines a virtual world’s privacy framework against the ten principles of PIPEDA and raises the privacy risks associated with virtual worlds, including user privacy, the ability to link avatars to real people and in-world surveillance. Organizations establishing virtual presences should comply with fair information practices and make known how customer and employee personal information will be handled. [Source] [Coverage]

 

Consumer

 

UK – The UK Response to Behavioural Advertising

The UK Internet Advertising Bureau, a consortium of players in the British advertising industry, has drawn up self-regulatory guidelines on behavioural targeting. Among the “good practice principles” is a pledge to provide “clear and unambiguous notice” when data is being collected, and to “provide a mechanism for users to decline behavioural advertising,” the report states. The group has also created a Web site aimed at helping Internet users manage their privacy settings. Some say the guidelines don’t go far enough. “They have nothing new,” said Gus Hosein of Privacy International, adding that the principles put too much of the onus on consumers. [Source] [Guidelines]

 

WW – Clickers Hip to Ad Tracking, Poll Finds

Two-thirds of Web surfers know advertisers are tracking them and they’re getting used to the idea, according to a survey conducted for TRUSTe. This year, only 51% of people were uncomfortable with the idea that advertisers collect their browsing information, compared with 57% in 2008. The more relevant and less intrusive the ads they see, the less they tend to object. Invasion of privacy is still an issue, though. Nearly half (48%) said they delete tracking cookies at least once a week, up from 42% last year, which makes advertisers less able to track them. TRUSTe posted a white paper for businesses recommending that they explain clearly how they’re using data and offer Web surfers more options to opt out of being tracked. The survey is based on the opinions of 1,008 people over the age of 18, weighted to reflect national demographics online. [Source] [white paper]

 

US – Cable Companies Target Commercials to Audience

Cablevision Systems plans to announce the largest project yet using targeted advertising on television: its targeting technology will route ads to 500,000 subscriber households based on data about income, ethnicity, gender, or whether the household has children or pets. The technology requires no hardware or installation in a subscriber’s home, so viewers may not realize they are seeing ads different from a neighbor’s. During the same show, a 50-something male may see an ad for, say, high-end speakers from Best Buy, while his neighbors with children may see one for a Best Buy video game. Cablevision is not notifying customers about the targeted advertising specifically. It last sent its privacy policy, which included information about ad targeting, last May, said a spokesman, Jim Maiella. [Source]

 

US – Adzilla Faces Potential Class-Action Lawsuit

A Virginia woman has filed a lawsuit against behavioral targeting company Adzilla. The company ended its U.S. operations last year, but the suit, brought by Susan Simon last week in the Northern District of California, alleges that the company, along with Internet service provider Continental Visinet Broadband and others, violated the law when tracking her Internet activities beginning in June 2007. Simon says she was never notified about the tracking. She is seeking class-action status. Cyberlaw expert Bennet Kelley said that however the case turns out, it could have major effects and might “encourage state or federal regulators to take a closer look at this issue.” [Source]

 

E-Government

 

CA – Tax Collector Used Agency Computers to Get Data on Women, Documents Show

A tax collector in B.C. used the Canada Revenue Agency’s computers to look up the personal information, such as addresses, income and marital status, of young women he hoped to date, according to internal government documents, which show he ended up dating, and then moving in with, one of the women whose privacy he had violated. The agency’s internal investigation of the matter, obtained through the Access to Information Act, reveals that concerns were raised in May 2007, when a manager noticed an online dating questionnaire on the employee’s desk. The agency conducted an audit and discovered he had accessed about 60 personal tax files on agency computers that did not appear to be related to his job. More than 20 of those unauthorized searches involved single Vancouver women born between 1970 and 1980, roughly the same age as the employee. [Source]

 

UK – One-Quarter of Defense Contractors Not Complying with Data Encryption Mandate

UK Defence Minister Bob Ainsworth said in a written response to Parliament last week that 26 percent of defence contractors with access to the ministry’s restricted network, or that work with classified or more sensitive information, have either confirmed that they do not comply with data encryption requirements or have not confirmed one way or the other whether they comply. The Ministry of Defence’s List-X Notice requires, among other things, that all data held on laptops and portable storage media be encrypted. MoD issued the List-X Notice last year to address data security concerns raised by data security breaches within the government. [Source]

 

EU – No e-Voting in Germany

The German Federal Constitutional Court decided on 3 March 2009 that the electronic voting used for the last 10 years, including in the 2005 general elections, was unconstitutional and therefore not to be used for the next elections in September 2009. The court ruled that the use of the electronic machines contradicts the public nature of elections and that the equipment used in 2005 had shortcomings. However, as there has been no evidence of errors in the past, the results of the previous elections remain valid. The use of e-voting was challenged by political scientist Joachim Wiesner and his son, physicist Ulrich Wiesner, who complained that the system was not transparent because voters could not check what actually happened to their vote and were in effect asked to blindly trust the technology. The voting machines, which are manufactured by the Dutch firm Nedap, do not print receipts, so in the plaintiffs’ opinion the results could be manipulated. A petition signed by over 45,000 people in 2005 seeking to ban e-voting had been rejected by the German Government. Now the court has ruled that the Federal Voting Machines Ordinance that introduced e-voting was unconstitutional because it did not “ensure that only such voting machines are permitted and used which meet the constitutional requirements of the principle of the public nature of elections.” The court also considered that, unlike the traditional voting system, where manipulation and fraud are much more difficult because they involve a high degree of effort and a high risk of detection, “programming errors in the software or deliberate electoral fraud committed by manipulating the software of electronic voting machines can be recognised only with difficulty.” In the court’s opinion, electors should be able to verify how their vote is recorded without having to possess detailed computer knowledge: 
“If the election result is determined through computer-controlled processing of the votes stored in an electronic memory, it is not sufficient if merely the result of the calculation process carried out in the voting machine can be taken note of by means of a summarising printout or an electronic display.” [German Court Rules E-Voting Unconstitutional (3.03.2009)] [Federal Constitutional Court - Press release on Use of voting computers in 2005 Bundestag election unconstitutional (3.03.2009)] [Voting machines unconstitutional in Germany] [Electronic voting machines eliminated in the Netherlands (24.10.2007) ]

 

AU – Australian Police to be Given Remote Surveillance Powers

Proposed legislation in the Australian state of New South Wales would give police the authority to remotely break into certain crime suspects’ computers to conduct investigations. Those targeted by the investigation could be prevented from learning of the investigation for up to three years. The permission would be given only in cases in which the alleged crime is punishable by seven or more years in prison. [Source] [Source]

 

E-Mail

 

WW – Advertisers Get a Trove of Clues in Smartphones

The millions of people who use their cellphones daily to play games, download applications and browse the Web may not realize that they have an unseen companion: advertisers that can track their interests, their habits and even their location. Eswar Priyadarshan, the chief technology officer of Quattro Wireless, which places advertising for clients like Sony on mobile sites, says he typically has 20 pieces of information about a customer who has visited a site or played with an application in his network. “The basic idea is, you go through all these channels, and you get as much data as possible,” he said. The capability for collecting information has alarmed privacy advocates. “It’s potentially a portable, personal spy,” said Jeff Chester, the executive director of the Center for Digital Democracy, who will appear before FTC staff members this month to brief them on privacy and mobile marketing. He is particularly concerned about data breaches, advertisers’ access to sensitive health or financial information, and a lack of transparency about how advertisers are collecting data. [Source]

 

Electronic Records

 

US – Industry Coalition Launches Health IT Security Plan

A coalition of healthcare companies and technology vendors has unveiled a framework for safeguarding the privacy of electronic medical records, Reuters reports. The Health Information Trust Alliance (Hitrust), whose members include Cisco, CVS Caremark, Johnson & Johnson and others, released the guidelines in a webcast yesterday. The guidelines are intended to address the security aspects of electronic health records. The Obama administration is pushing for electronic medical records for all Americans, and the recently passed economic stimulus package includes two billion dollars for the creation of widespread EMRs. [Source]

 

WW – Wal-Mart to Enter Electronic Medical Records Arena

As the Obama administration begins investing billions in health information technology, Wal-Mart is using its size to bring high-tech medical records to American physicians. A Wal-Mart spokesperson says the company is partnering with computer giant Dell and others to launch an electronic health records package for doctors. [SiliconValley.com]

 

Encryption

 

US – College Student Faces Additional Charges in Palin e-Mail Break-in Case

David Kernell, the Tennessee college student who allegedly broke into Governor Sarah Palin’s Yahoo! mail account has pleaded not guilty to three new felony charges. Kernell now faces charges of intentional access without authorization; fraud; unlawful electronic transmission of material outside the state; and attempts to conceal records to impede an FBI investigation. If he is found guilty on all counts, Kernell could face up to 20 years in prison and a fine of up to US $250,000. [Source] [Source]

 

EU Developments

 

EU – EU Nations Oppose Extension of Data Breach Notification Law

The Council of Ministers of the 27 EU nations has rejected plans that would expand the scope of a European Union security breach law beyond telecoms companies. The European Parliament and privacy watchdogs had called for the change. The European Commission, European Parliament and Council are all considering changes to the Privacy and Electronic Communications Directive, including whether it should create a security breach notification requirement for companies that provide online services. The Commission and Council have backed a notification law for telecoms firms but not for online banks, email companies or web publishers. The European Data Protection Supervisor (EDPS) and the Article 29 Working Party, the group of EU privacy watchdogs, have both backed extending the breach notification duty from telecoms firms to companies that offer services over the internet, referred to in the discussions as information society service providers (ISSPs). The Council has disagreed, though, and has proposed changed wording for the Directive which makes it clear that the notifications apply only to telecoms companies, or publicly available electronic communications service providers. It also says that the telecoms firms themselves will decide whether a breach is serious enough to require notification. [Source]

 

UK – Code on Behavioural Web Ads Launched

Internet companies in Britain are being asked to sign up to a new code of conduct for behavioural advertising, in an attempt to quell invasion of privacy concerns over the controversial marketing technology. The UK’s Internet Advertising Bureau, a trade organisation representing more than 450 companies, has announced a set of guidelines for the systems, which have stirred up passionate reaction among civil liberties and privacy campaigners. Ten companies have already signed up to the guidelines, including Google, Yahoo and Phorm, the controversial UK behavioural ad company, and the IAB said it was important to come up with standards to codify this area of business. The IAB guidelines include a number of stipulations such as telling users clearly what behavioural tracking involves and gaining their consent for its use. “Behavioural advertising makes up about 20% of the online display advertising market, and if this is going to grow we need to have consumer trust,” IAB spokesman Nick Stringer told Reuters. The IAB code of conduct may go some way to allay public concerns, but signing up to the agreement is voluntary and does not prevent any company from continuing with behavioural ads. Nor does it address the question of whether telecommunications companies should be able to use any information they collect on web users, given their privileged relationship with users. [Source]

 

EU – EP Wants a Better Balance Between Internet Security and Privacy Rights

On 5 March 2009, during a hearing of the Civil Liberties and Home Affairs (LIBE) Committee focused on the strengths and weaknesses of the current framework on security and privacy on the Internet, Members of the European Parliament (EP) and experts agreed on the necessity to create a better balance between Internet security and the protection of online personal data. The participants, including the European Data Protection Supervisor, academics, representatives of the Commission and of the Czech Presidency, supported a report proposing recommendations aimed at providing “adequate protection of fundamental freedoms while delivering also an enhanced security.” The report calls on the Member States and the European Commission to draft proposals defining global standards for data protection, security and freedom of expression. The report will be put to the vote at the Strasbourg full plenary session of the European Parliament on 23 March 2009. [Committee on Civil Liberties, Justice and Home Affairs - Strengthening Fundamental Freedoms and Security on the Internet (5.03.2009) ] [EP Press Release - Protecting citizens’ rights on the internet (6.03.2009)] [Europeans push for more online rights to privacy (6.03.2009)]

 

UK – Tribunal Wants the Gateway Reviews On ID Scheme Made Public

On 19 February, the UK tribunal ordered the disclosure of two internal reviews, known as Gateway reviews, of the government’s national identity card scheme. Gateway reviews are independent expert reviews carried out at key decision points of significant programmes and projects, or of those deemed risky. They are performed by practitioners from outside the programme or project, who use interviews, documentation reviews and their own expertise to provide an additional perspective and an external challenge to the project’s processes. The ID card programme was subjected to two “Gateway zero” reviews, in 2003 and 2004. The Treasury’s Office of Government Commerce (OGC), which operates the Gateway system, did not wish to disclose the reports, arguing that it was in the public interest to keep them out of the public eye and that publication would make future reviews “bland and anodyne”. The tribunal rejected the OGC’s argument: the OGC had to show a “real and weighty” causal relationship between disclosure and damage, and since it failed to do so, secrecy was far from being in the public interest. The tribunal concluded that “disclosure of the requested information would clearly add to the public’s knowledge in this respect and therefore to the public interest which sought to ensure that schemes as complex albeit as sensitive as the ID cards scheme were properly scrutinised and implemented.” The OGC had claimed that disclosure might provoke “adverse press reactions ... if any form of criticism were contained in the report in question” and that the reviews should be kept from citizens because they might seem “uninformative or hard to understand”. It also argued that the information added nothing of value to the debate on the merits of identity cards as a whole. The tribunal held that none of these was a matter for the OGC to judge: 
“It is not for the tribunal, let alone the OGC or the (information) commissioner, to second-guess the scope and content of the possible public debate.” The tribunal decision was promulgated on 19 February, giving the OGC 28 days to comply. [Public interest is not served by secrecy (3.03.2009)] [What is an OGC Gateway Review? - OGC Gateway Review for Programmes & Projects] [Explainer: Freedom of information (24.02.2009) ]

 

Facts & Stats

 

US – Identity Theft Complaints Increase Significantly in 2008

The Federal Trade Commission (FTC) reported that in 2008 it received approximately 1,200,000 complaints related to fraud, identity theft and other consumer issues, an increase of roughly 50% over the previous year; those consumers reported fraud-related losses of more than $1.8 billion. Separately, Affinion Security Center has reported an increase of approximately 25% over the last six months in the illegal trade of personal information in online chat rooms where thieves buy and sell stolen data such as credit card and social security numbers. While the report showed that identity theft is widespread, the states reporting the most complaints, Arizona, California and Florida, are also those reporting the highest rates of foreclosure, suggesting that the economic downturn has coincided with an upturn in fraud. 2008 also saw a more than 50% increase in the share of identity theft complaints related to fraudulent tax returns. [Source]

 

UK – Local Authorities Must Change Privacy Practices for Children, Says Report

Local authorities across England should change their rules on collecting information about children, a new report into the protection of children’s privacy has said. The report was produced by children’s rights lobby group Action on Rights for Children (ARCH). The report calls for better training for local authorities in data protection law and information security to help keep children’s personal data secure. It also calls into question the basis on which much of the information is gathered. “The Government asserts in guidance that children in England can generally be presumed able to consent to the sharing of their personal and sensitive data from around the age of 12,” said the report. “Many local authorities repeat this advice. It has no basis in English law. We recommend that reference to the age of 12 is removed from all guidance.” [Source]

 

WW – World’s Poor Drive Growth in Global Cell Phone Use

Six in 10 people around the world now have cell phone subscriptions, signaling that mobile phones are the communications technology of choice, particularly in poor countries, according to a U.N. report published Monday. By the end of last year there were an estimated 4.1 billion subscriptions globally, compared with about 1 billion in 2002, the International Telecommunication Union said. [SiliconValley.com]

 

WW – Online Networking More Popular Than Email

Networking and blogging sites account for almost ten percent of time spent on the Internet, which is more than on e-mail. Time on the sites ranked fourth, after online searching, general interest sites, and software sites, according to a study released by Nielsen Online. [Washington Post]

 

Filtering

 

EU – Net Campaign Urges Action Over Move to Block Websites

An online campaign to protest against moves to block access to certain websites by Irish ISPs gets under way tomorrow. Blackout Ireland is encouraging Irish internet users to contact their service providers, TDs and Minister for Communications Eamon Ryan to voice their opposition to the planned restrictions which are being spearheaded by the Irish Recorded Music Association. [Irish Times]

 

Finance

 

CA – Home Insurers’ Use of Credit Scoring Overlooked

One of Canada’s largest property insurers will use a customer’s credit score as a factor in pricing policies, starting in June. Co-operators General Insurance Co. is sending letters to policyholders about its plans. “If clients or applicants tell us they do not want us to access their credit score, we will respect their wishes. We will offer them insurance,” the company says. “However, if we do not have credit score information, we may not be able to offer our most competitive rate.” [Source]

 

US – The Hartford Offers Data Privacy Coverage for Developers

The Hartford introduces data privacy coverage for software developers and technology firms to cover data breaches. The Hartford’s Data Privacy Expense coverage pays for actual expenses incurred as a result of a policyholder’s negligent acts, errors or omissions that result in the improper dissemination of non-public personal information, or a breach or violation of data privacy laws. The Hartford officials said that although large-scale data security breaches get the attention, a breach of any size can be costly for software developers, hardware firms and other technology companies that have non-public personal information in their control. Specific components of the Hartford’s coverage may include:

1. Notification expenses incurred to comply with notification laws.

2. Crisis management expenses incurred for fees and costs associated with hiring a crisis management firm to perform services that minimize potential harm and maintain or restore confidence in the policyholder.

3. Data privacy regulatory and credit monitoring expenses incurred in connection with a statutory mandate requiring credit monitoring for third parties in compliance with data privacy laws, legal expenses in defense of a data privacy regulation proceeding, and certain fines or penalties, where insurable, in connection with a data privacy regulation proceeding.

4. Cyber-investigation expenses incurred to have a third party investigate the policyholder’s computer system to determine the source of a data privacy breach.

The Hartford’s Cyber Extortion Expense coverage addresses expenses incurred by a policyholder in the event of an extortion threat that causes an actual interruption, suspension or failure of the company’s computer system, including the failure to prevent unauthorized access or unauthorized use of the computer system. [Source]

 

FOI

 

UK – Medical Records Breached

British Prime Minister Gordon Brown and First Minister Alex Salmond are among the well-known Scots whose medical files have been improperly accessed by health workers, reports Scotland on Sunday. The files are held on an NHS database implemented three years ago, the Emergency Care Summary system, which contains the personal medical information of half of Scotland’s population. NHS Fife has notified officials of the breach. Health workers with access to the database are only supposed to look up an individual patient’s information with the patient’s permission, or if the patient is unconscious or otherwise unable to give consent, the report states. [Source]

 

Genetics

 

EU – Organ Transplantation and the Data Protection Issue

European Data Protection Supervisor Peter Hustinx has recommended a greater emphasis on the protection of organ donors’ and recipients’ personal information, reports the Sofia Echo. In an opinion on the European Commission’s standards proposal, Hustinx said that more should be done. “Without obstructing the fast and efficient transfer of organs, strong data protection safeguards must be put in place throughout the donation and transplantation chain,” he said. Hustinx recommends implementing data protection procedures, ensuring the security of national databases and establishing regular monitoring and audits, in addition to other safeguards. [Source]

Health / Medical

US – CVS Caremark May be Violating Privacy of Hundreds of Thousands of Floridians

Privacy advocates have launched a public awareness campaign in Tallahassee, sounding the alarm that CVS Caremark, the pharmacy benefit manager, could be putting the patient information and prescription drug history of state employees up for sale. More than 100,000 State of Florida employees and their families are at risk of having their privacy violated, according to Change to Win, which recently obtained the state contract through the Florida Freedom of Information Act (FOIA). The employees of Office Depot, the Miami Herald and other employers across Florida that contract with CVS Caremark may also be at risk, advocates warn in informational leaflets being distributed outside state office buildings and other locations across the state this week. “CVS Caremark is putting its own profits ahead of plan participants’ privacy,” said Chris Chafe, Executive Director of Change to Win. “They could be selling patient information, including your doctor’s name, what prescription drugs you’re on and where you get your prescriptions filled - all without your knowledge or consent. And patient information that CVS Caremark gathers may also come back around in ways that could harm your health, impact your job opportunities, and drive up prescription drug costs for consumers and health plans.” [Source]

UK – Doctor Charged with Violating Data Protection Act for Unauthorized Access

A database containing medical records of 2.5 million people was breached by an NHS (UK’s National Health Service) doctor; all the people whose records were accessed without authorization are famous or high-profile, including Prime Minister Gordon Brown. The Emergency Care Summary database contains names, addresses, occupations and current medications and allergies to medicines. Normally, NHS staff must ask patients’ permission before accessing the database except in cases of emergency. An NHS Fife doctor has been charged with violations under the Data Protection Act. [Source] [Source]

Horror Stories

US – Another Breach Exposes 60,000 Payment Cards

As many as 60,000 credit cards may be at risk of fraud due to a data security breach at Australian domain name registrar Bottle Domains. National Australia Bank (NAB) and Commonwealth Bank both acknowledged receiving lists of potentially compromised payment cards; NAB said that an undisclosed number of cards on the list have been used in fraudulent transactions. Bottle Domains has not yet notified its customers of the breach, although Australian domain name industry regulator au Domain Administration Ltd. has informed all Bottle Domains customers of the breach by email. The breach came to light when the stolen information was offered for sale on the Internet earlier this year; one man has been arrested in connection with the data theft. Bottle Domains maintains that it is compliant with the Payment Card Industry Data Security Standard (PCI DSS). [Source]

US – Financial Institutions Sue Heartland

Eight of the 500 banks and credit unions affected by the Heartland Payment Systems data breach have filed lawsuits against the company. The financial institutions are seeking restitution for costs associated with notifying customers, issuing new payment cards and other damages. One suit alleges Heartland was negligent in allowing malicious code onto its processing systems and in failing to implement or comply with the Payment Card Industry Data Security Standard. Another alleges that Heartland violated New Jersey’s consumer protection statutes. [Source]

Identity Issues

US – Maryland Court Rules Media Need Not Reveal Web Posters’ Identities

Operators of newspaper Web sites, blogs and chat rooms that allow readers to post anonymous comments using pseudonyms do not have to readily reveal the posters’ identities in defamation suits, Maryland’s highest court ruled, further shaping an emerging area of First Amendment law in the Internet age. The Maryland Court of Appeals reversed a lower court ruling and ordered that NewsZap.com, an online forum run by Independent Newspapers, does not have to disclose the identities of forum participants who engaged in an online exchange about the cleanliness of a Dunkin’ Donuts shop in 2006. [Washington Post]

Internet / WWW

WW – Google to Base Ads on Surfing Behaviour

Google is to start serving advertisements to its users based on their browsing habits, the web giant has announced. The company already offers advertising related to the site being surfed — so long as that site is a Google AdSense partner or YouTube. But the beta test of what Google calls “interest-based” advertising will take a wider view of the user’s surfing habits to target served ads even more accurately. The service will launch on 8 April. “These ads will associate categories of interest — say sports, gardening, cars, pets — with your browser, based on the types of sites you visit and the pages you view,” said Google. “We may then use those interest categories to show you more relevant text and display ads.” The new ad-serving system works by downloading a DoubleClick cookie to the user’s browser to track their path through various AdSense-using sites. As with any other cookie, this tracking file can be cleared by the user at any time. By visiting Google’s ad-preferences page, the user can opt out of having their surfing habits tracked, or input their own preferences for the subject matter of ads they would like to see. However, as clearing the browser’s cookies would effectively remove the opt-out cookie itself, Google has also released a plug-in for browsers that provides a permanent opt-out from the service. [Source]

CA – Google, Amazon Ask CRTC to Stop Internet Traffic Shaping

A submission to the Canadian Radio-television and Telecommunications Commission (CRTC) this week from a coalition of companies including Google, Skype and Amazon, demanding that carriers and Internet Service Providers (ISPs) be banned from traffic shaping, is perhaps too broad in its focus, according to one industry expert. In the submission, the Open Internet Coalition, consisting of more than 70 member companies, said certain traffic management practices by “Canadian carrier Internet service providers threaten the open and neutral design of the Internet.” [IT World Canada]

Law Enforcement

US – Insider Theft at NYPD Impacts 80,000 Cops

The New York Police Department (NYPD) is telling thousands of police officers that their personal information may be compromised due to a suspected data theft done by an insider in the police pension fund. Anthony Bonelli, who had served as the pension fund’s director of communications, has been arrested for allegedly stealing computer tapes from a Staten Island warehouse that held personal data on 80,000 current and retired police officers. Bonelli was not authorized to visit the data-storage site, but he managed to sneak in during February and walk out with tapes containing sensitive information, including Social Security numbers, bank account and direct-deposit information. The NYPD sent letters to the police officers, warning them to watch for potential identity-theft attempts, according to reports. [Source]

Online Privacy

EU – Rules for Social Networks Agreed by Data Protection Authorities in Germany

The German Düsseldorfer Kreis (GDK), a panel gathering all German data protection authorities, has sent a clear message to social networks on the mandatory respect of the data protection legal framework and has highlighted eight central requirements. These principles can be summarised as follows:

1. Operators of social networks have to inform their users fully about the processing of their personal data and about the options users have to influence that processing.

2. Use of personal data for marketing is only admissible to the extent that the data subjects have given valid consent.

3. Storage of usage data beyond the end of a session is only admissible if such data are required for invoicing the user.

4. There is no legal basis for storing data about the usage of social networks merely in case such data should one day be needed for criminal prosecution, unless such storage is specifically provided for by law.

5. Users must be allowed to use the service either anonymously or under a pseudonym.

6. Operators are obliged to implement adequate security measures.

7. Default settings must be designed to protect users’ privacy as effectively as possible.

8. Users must be able to delete their profile themselves, and easily. [Source]

WW – Facebook Offers Radius Targeting

In a message to advertisers, Facebook announced two new filtering features for tailoring ads to users. The company will begin offering language targeting and radius targeting, the latter of which will let advertisers tailor promotions to users within 10, 25 and 50 miles of cities in the U.S., Canada and the UK. A company spokesperson called it a “huge upgrade for Facebook’s targeting.” Facebook has more than 190 million active users. Advertisers can already tailor Facebook ads by users’ job, age, location and gender. [Source]

WW – IBM Develops Privacy Application for Facebook

IBM unveiled an application on Thursday that guides users toward strong privacy settings in Facebook’s online marketplace and could be developed into a management tool for companies or across Web sites for users. The application, called Privacy-aware MarketPlace, shows users in Facebook’s buying and selling forum how their privacy settings rate compared to a recommended level and lets them make suggested changes. It shows two scales that compare the user’s privacy rating with the recommended score. The version in Facebook Marketplace is the application’s first and will be used to collect data about user privacy preferences. [Source] [podcast]

WW – Google Latitude ‘No-log’ Policy Lauded

Google’s new location-tracking service has a short memory, reports Wired. The company has promised that, like competitor Loopt, its Latitude application will not retain users’ location information. Privacy advocates have lauded the move, which is expected to help Google avoid the scrutiny other online service providers have come under due to law enforcement’s interest in such data and resulting subpoenas. Google teamed up with the Electronic Frontier Foundation (EFF) to develop the no-logs policy. “We are incredibly happy that Google has taken this rare step, not only making the right decision about the privacy of its users’ data, but by making that policy public,” said the EFF’s Kevin Bankston. [Source]

Other Jurisdictions

NZ – Paper on Privacy Issued

The New Zealand Law Commission has released a 300-page paper on privacy, reports the Media Law Journal. The paper follows the 2008 tome Privacy: concepts and issues. “These are big issues and they are hard,” said commission President Sir Geoffrey Palmer. Key issues discussed in the new release include surveillance, closed-circuit television and other privacy-sensitive matters. The paper is a follow-up to work released in January 2008. The commission invites feedback through 29 May. [Full Story]

PH – House Panel Starts Deliberating Privacy Bill

The Philippine House committees on Government Reorganization and Information and Communications Technology are now tackling House Bill 3828, which penalizes the unauthorized processing of personal data with imprisonment from six to 12 years and imposes a fine of P1 to P3 million. Under the proposed measure, processing of personal data for unauthorized purposes would be punishable with imprisonment of six to eight years and a fine of P500,000 to P1 million. The bill also provides for the creation of a National Data Protection Commission that will register controllers and processors to ensure that data protection principles are followed. The bill, also known as the “Data Protection Act,” said giant leaps in technology in recent years make government databases vulnerable to unauthorized intrusions by hackers. [Source]

Privacy (US)

US – California Lawmaker Targets Internet Mapping Sites

A California lawmaker is targeting Internet mapping sites, fearing their detailed images of public buildings provide a blueprint for terrorists. Assemblyman Joel Anderson, a San Diego-area Republican, decided to introduce his bill after reading that terrorists who plotted attacks in Israel and India used popular sites such as Google Earth and Microsoft’s Virtual Earth. His bill would restrict the images such Web sites could post online. Clear, detailed images of schools, hospitals, churches and all government buildings (what he calls soft terrorism targets) would not be allowed. “All I’m trying to do is stop terrorists,” said Anderson, of El Cajon. “I don’t want California to be helping map out future targets for terrorists.” His bill would make it illegal in California to post close-up images of such buildings. Instead, the images would have to be blurred. [Source]

US – Research Copyright Bill Would End Access to Free Health Info

A new bill sponsored by U.S. Rep. John Conyers, D-Mich., would make it tough and costly to get access to health studies online. The Fair Copyright in Research Works Act would reverse a National Institutes of Health policy set last year that held that the public should not have to pay to see the results of medical research funded with taxpayer dollars. The bill would prevent other agencies from making similar rules regarding free public access to published studies. [Detroit Free Press]

RFID

US – Vermont Offers RFID-Enabled Driver’s Licenses to Help at Border Crossings

Vermont has joined New York and Washington State to become the third US state to offer RFID enhanced licenses. The licenses are optional, and are designed to expedite border crossings. The licenses comply with the DHS’s Western Hemisphere Travel Initiative; the chips can be read at a distance of 20 to 30 feet. Arizona and Michigan plan to establish similar systems. In Canada, British Columbia has already set up a comparable program and Manitoba, Ontario and Quebec plan to do so as well. [Source]

US – Vigil Protests Mandatory Chip Implants

Organizers planned a candlelight vigil in San Marcos, Texas, to protest the city’s ordinance requiring pets be implanted under the skin with an identifying microchip. The protesters have already sent letters and informational packets to the city’s mayor, council members and animal control board members explaining their objections to the mandatory cost, perceived invasion of privacy and potential health risks of microchipping family pets. Those gathering on San Marcos City Hall steps tomorrow evening will be joined by national radio talk show host and identity chip expert Katherine Albrecht, who explains the protesters’ concerns: “Chipping should be a voluntary decision made by a pet owner, in consultation with his or her veterinarian, after weighing the risks,” states Dr. Albrecht, a Harvard-trained researcher and privacy advocate. “It should never be required at the point of a government gun.” [Source]

Security

CA – Whole Body Imaging in Airport Scanners: Activate Privacy Filters

The Commissioner’s latest white paper, entitled “Whole Body Imaging in Airport Scanners: Activate Privacy Filters to Achieve Security and Privacy”, outlines how the activation of privacy (or modesty) filters can reduce the amount of unnecessary personal detail captured by WBI technologies. In the Executive Summary, entitled “Increase airport security without compromising privacy”, Commissioner Cavoukian makes the case for the use of “Privacy Filters.” [Source]

US – Job Seekers Urged to Prevent ID Theft

Officials are urging job seekers to be mindful of the information they include on resumes and to be discerning about where they post them in order to prevent identity theft, reports SiliconRepublic. “I am very concerned that in the current economic climate, criminals are trying to take advantage of job applicants,” said Data Protection Commissioner Billy Hawkes. A recent scam where job seekers were asked to divulge personal details in exchange for a job application prompted the commissioner to issue an urgent warning. “A legitimate employer would never look for detailed information so early on in a recruitment process, if at all,” said an IT security firm director. [Source]

Surveillance

US – EFF and ACLU Urge Court to Reject Warrantless GPS Tracking

EFF and the ACLU-NCA have urged a U.S. appeals court to reject government claims that federal agents have an unfettered right to install Global Positioning System (GPS) location-tracking devices on anyone’s car without a search warrant. In this case, FBI agents planted a GPS device on a car while it was on private property and then used it to track the position of the automobile every ten seconds for a full month, all without securing a warrant. In an amicus brief filed today, EFF and the ACLU-NCA argue that unsupervised use of such tactics would open the door for police to abuse their power and continuously track anyone’s physical location for any reason – never having to go to a judge to prove the surveillance is justified. “This gives police unbridled discretion to collect location data on everyone, even if there are no reasonable grounds for suspicion,” said EFF. “Investigators could track Americans on a whim -- 24 hours a day, seven days a week.” [Source]

UK – Protests at Government Surveillance Grow

UK: More than 1,500 people attended a public meeting to discuss how increasing UK government surveillance is eroding individuals’ freedom and privacy. Government officials, journalists, authors and privacy experts used the Convention of Modern Liberty to call on British citizens to defend the privacy of their data, and to campaign against the growing use of government databases and data collection. “The idea was not to form another civil liberties organisation, but to spark a political movement by laying out an argument and the facts of Labour’s erosion of our constitutional rights,” said staunch liberty rights campaigner Henry Porter in a column in The Observer. [Source]

CA – Filmmaker Plans “Eyeborg” Eye-Socket Camera

A Canadian filmmaker plans to have a mini camera installed in his prosthetic eye to make documentaries and raise awareness about surveillance in society. Rob Spence, 36, who lost an eye in an accident as a teenager, said his so-called Project Eyeborg is to have the camera, a battery and a wireless transmitter mounted on a tiny circuit board (www.eyeborgblog.com/). “Originally the whole idea was to do a documentary about surveillance. I thought I would become a sort of super hero ... fighting for justice against surveillance,” Spence said. Spence, in Brussels to appear at a media conference, said no part of the camera would be connected to his nerves or brain. He does not intend to create a reality TV show and the camera will be switched off when not needed, he said. “I don’t want to go into a locker room. I don’t want to show the world me going to the bathroom either ... I’m not a life-caster and I don’t plan to be one,” he said. [Source]

Telecom / TV

CA – 80% of Canadians Getting Fewer Telemarketing Calls: Survey

A new study suggests 80% of Canadians are receiving fewer direct marketing phone calls now compared to last September when the federal regulator launched a national “do-not-call” list. The poll, for the Toronto-based Marketing Research and Intelligence Association (MRIA), suggests that, despite ongoing controversy, the no-call listing is working. [Source]

EU – Spain Disconnecting Pre-Paid Phones Unless Users Identify Themselves

The Spanish government will in November disconnect the pre-paid phones of users who fail to register their personal information with the line, according to gizmodo.com. The decision comes down in accordance with an EU directive aimed at preventing terrorism. Terrorists triggered the Madrid train station bombings of 2004 using cell phones. Pre-paid phone operators are required to register all calls made to and from pre-paid phones and retain the data for 12 months under the same directive. [Source]

US – Verizon Offering Subscribers Opt-Out of Data-Sharing Arrangement

Verizon is reportedly sending letters to its customers, allowing them the opportunity to opt out of an arrangement to share their personal data with the company’s “affiliates, agents, and parent companies.” The data covered by the agreement would include, but are not limited to: “services purchases (including specific calls you make and receive), billing info, technical info and location info.” Customers who receive their Verizon statements online will not receive the letter; instead, they may access their accounts and view their messages to get the information. [Source]

US Government Programs

US – House Subcommittee Hearing Focuses on DHS Role in Federal Cyber Security

The US House Committee on Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology heard testimony this week regarding DHS’s effectiveness as the locus of federal cyber security efforts. Former director of the DHS National Cyber Security Division Amit Yoran spoke of DHS’s “inefficiency and leadership failure” regarding implementation of effective cyber security policy. Director of IT management issues at the Government Accountability Office (GAO) David Powner said that his organization believes that the country’s needs would be better served if another agency were to take the cyber security lead, with DHS involved in an operational capacity. The GAO also supports a White House role in cyber security policy. The National Security Agency is already taking an increasing role in federal cyber security. [Source] [Source] [Source] [Source] [Source]

US – DHS Secretary Proposes Increase in Spending for Domestic Surveillance Programs

Homeland Security Secretary Janet Napolitano testified before the House Committee on Homeland Security and said that DHS plans to connect governmental databases containing personal information, expand the government’s employment tracking system, promote passenger screening, use e-passports, employ watchlists and utilize contactless identity verification cards. [Source]

US – DHS Privacy Committee Pushes for More Data Collection

The Department of Homeland Security (DHS) Data Privacy and Integrity Advisory Committee has suggested the department collect more information about individuals in order to help verify the identities of those who submit Freedom of Information Act (FOIA) requests. Following a presentation by William Holzerland at its regular meeting last week, committee members--including privacy industry experts, privacy attorneys and chief privacy officers, among others--urged the associate director of DHS Freedom of Information operations to do more to ensure individuals who request access to information the government has on them are, in fact, who they say they are. [Source]

US – Terrorist Watch List Hits 1 Million

The government’s terrorist watch list has hit 1 million entries, up 32% since 2007. Federal data show the rise comes despite the removal of 33,000 entries last year by the FBI’s Terrorist Screening Center in an effort to purge the list of outdated information and remove people cleared in investigations. It’s unclear how many individuals those 33,000 records represent — the center often uses multiple entries, or “identities,” for a person to reflect variances in name spellings or other identifying information. The remaining million entries represent about 400,000 individuals, according to the center. The new figures were provided by the screening center and the Office of the Director of National Intelligence. [Source]

US Legislation

US – Major Tech Companies to Drop Support for Comprehensive U.S. Privacy Law

In the summer of 2006, a who’s who of technology and Internet companies garnered headlines when they formed the Consumer Privacy Legislative Initiative. The group, which included Intel, Microsoft, eBay, Google, HP, Oracle, and Sun, was charged with promoting the adoption of a national privacy law in the U.S. Those same companies will announce a shift in name and emphasis. Microsoft Chief Privacy Strategist Peter Cullen says that “legislation is actually the wrong place to start. To provide effective privacy protection, it’s going to potentially require good legislation. But more importantly, it will require good business processes and good accountability.” The group is therefore morphing into the Business Forum for Consumer Privacy, which advisors say is working toward building a self-regulatory framework. The article notes that enforcement of the self-regulatory framework has not yet been worked out. [Source]

US – House Reviewing Data Protection Act

Two House of Representatives’ committees have begun reviewing a data protection bill. House Bill 3828--the Data Protection Act--would penalize those responsible for the unauthorized processing of personal data with 6-12 year prison terms and fines from P1 to P3 million. The bill would also create a National Data Protection Commission. “To date, there is no single agency which handles data protection in the country,” said one representative. The House committees on Government Reorganization and Information and Communications Technology are reviewing the proposed measure. [Source]

US – California Legislation Would Require Specific Info in Data Breach Notifications

California State Senator Joe Simitian has introduced legislation that would require organizations that experience data security breaches to provide a specific set of information in their disclosure letters. Presently, California law requires organizations to notify affected individuals if their personal data have been compromised in a security breach, but the letters often leave the recipients with more questions than answers. The bill would also require that state authorities be notified at the same time as affected residents. [Source] [Source] [Source]

Workplace Privacy

AU – RIM Records Employee Calls to Protect IP

BlackBerry maker Research In Motion has acknowledged that it records all employee conversations in the interest of maintaining control over intellectual property. RIM Chief Information Officer Robin Bienfait said that all actions carried out on RIM’s internal network were logged, which meant that people who wanted to carry out private conversations might want to bring in personal devices. When asked whether it was conversations, rather than just written information, that she kept tabs on, Bienfait answered: “Everything. I record everything.” It wasn’t a violation of privacy, according to Bienfait, who maintained the workers were aware of the surveillance: “They’re doing business inside of RIM. Everything they can say or do can be patented...We’re not violating anybody’s privacy. They’re aware that their information is transparent and in visibility.” [Source] [Update: RIM: we don’t record everything, honest]

+++