Privacy News Highlights
10–20 October 2009
Contents:
UA – Emirates to Consolidate ID on One Card
US – FBI Scanning Driver’s Licenses with Recognition Tools
CA – New Decision on Warrantless Access to ISP Customer Data
CA – Privacy at Home Focus of Much Court Debate
CA – Government Rejects Plans for Access to Info and Privacy Reform
UK – Office of Fair Trading (OFT) Launches Inquiry into Behavioural Targeting
US – Privacy Projects Launches to Fund ‘Evidence-Based’ Consumer Privacy Research
CA – Privacy Concerns Shrink Whitehorse Voters List
US – Welfare Data Not Allowed for Employee Screening
AU – Plan to Monitor Welfare Spending Questioned
CA – An Analysis of the Proposed Electronic Commerce Protection Act (Bill C-27)
CA – Canadian Marketers Want Anti-Spam Bill Altered
CA – Conservatives Oppose Making Exceptions to Anti-Spam Bill
AU – Governments Change Direction on Health E-Records
CA – OSCAR Shows Electronic Health System Doable
EC – Fight Spam, Protect Privacy
EU – Eurovision Changes Privacy Rule
UK – Court Ruling Gives Employers Access to Employees’ Criminal Records
UK – Government Outlines Increased Penalties for Data Misuse
UK – Police Threaten to Withhold Crime Data
WW – Study: Call Centres Store Sensitive Data
UK – 70% Oppose Internet Ban for Filesharers, Poll Shows
UK – U.K. Committee Opposes Cutting Off File-Sharers
CA – Researchers Connect Rx Info with Patients
UK – Private Medical Records for Sale
UK – UK Kicks Off ID Fraud Prevention with Studies
US – Group Sex Photos Case Heads to Trial
KR – Korean Police Keep Data About Demonstrators’ Relatives
UK – Utility Meters to Spy on Britons?
RO – Romanian Court Deems Data Retention Law Unconstitutional
US – Judge Dismisses NebuAd Lawsuit
AU – Judges Have Final Decision on Twitter
UK – Group Wants One Law for Online and Offline Worlds
AU – Australian Government to Re-Write Privacy Act
AU – Privacy Award Finalists Announced
US – State Supreme Court to Consider Breach-Related “Losses”
WW – Radio Waves ‘See’ Through Walls
CA – Airport Security Agency Accused of Privacy Flub
US – Sidekick Users See Their Personal Data Vanish Into a Cloud
EU – EU to Monitor Deviant Behaviour in Fight Against Terrorism
US – New York Security Camera Plan Questioned
CA – Canadian Privacy Commissioner Concerned Over License Plate Spying
Biometrics
The United Arab Emirates have announced a plan to consolidate all forms of national identification onto a single card with a single application process. The program, announced by the Emirates Identity Authority this week, will go into effect in July of 2010. The cards will include personal information as well as fingerprint, facial geometry and iris biometric identification data, causing some to wonder about the impact on personal privacy. But, said Dr. Ali al Khouri, acting director of the Emirates Identity Authority: “We need to come to terms that a national ID is a part of the government’s strategy to offer better services and safeguard the public.” [Source]
In a new program to track down fugitives, the FBI has begun using facial recognition technology to compare millions of driver’s license photos with the images of criminals on the lam. In North Carolina the project helped to identify a double-homicide suspect who had settled in the Greensboro area under a new identity. “Running facial recognition is not very labor-intensive at all,” FBI analyst Michael Garcia said. “If I can probe a hundred fugitives and get one or two, that’s a home run.” But not everyone is as upbeat about the program. “Everybody’s participating...in a virtual lineup by getting a driver’s license,” said Christopher Calabrese of the American Civil Liberties Union. “Suddenly they’re becoming the de facto law enforcement database.” [Source]
Canada
The Ontario Court of Justice has issued a recent decision considering the admissibility of information obtained without a warrant from the suspect’s internet service provider, Bell (R. v. Cuttell). The Court concluded there is a reasonable expectation of privacy in your account records, but this expectation can be destroyed by your ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepts that a broadly-worded statement in Bell’s contract with the customer might supplant the reasonable expectation of privacy. In this case, there was no proof brought by the police that the Bell contract applied to this customer so a Charter breach was found. The Court importantly notes that PIPEDA does not give the police the right to seek information and rejects every crown argument that the police may have had “lawful authority” in the circumstances. But, in the end, the records were admissible as the police acted in good faith. What is perhaps most interesting is that the Judge laments the fact that the increasing use of “we will disclose” language in ISP contracts tilts the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances. [Source] [Decision]
Just how much privacy can a person expect in the comfort of his or her own home, free from any government intrusion? That was the question considered in August by a three-judge panel of the Alberta Court of Appeal. The case involved the home of Daniel James Gomboc in southwest Calgary. Back in January 2004, police officers noticed that the windows in Gomboc’s house were covered with condensation, the curtains were stained with moisture and the roof was free of snow – unlike the neighbouring houses. After making these observations, the police officers asked Enmax Power Corp., the local utility supplier, to install a digital recording ammeter (DRA) to create a record of when electrical power was used in the premises. Enmax complied, even though the police had not obtained a search warrant. Five days later, Enmax provided the police with a printout of the data obtained from the DRA. The record suggested that the electricity use was consistent with a marijuana grow operation. Using that evidence and their earlier observations, the police obtained a search warrant and upon entering the house discovered a sizeable grow-op. They seized 165.3 kilograms of bulk marijuana, and 206.8 grams of processed and bagged marijuana, as well as numerous items related to the grow operation. Gomboc was later convicted of production and possession of marijuana for the purpose of trafficking. His appeal to the Alberta Court of Appeal was heard last November, and its decision was released in August. The central issue in the appeal was whether the use of the digital ammeter without a warrant was an unreasonable search contrary to Section 8 of the Canadian Charter of Rights and Freedoms. Justice Peter Martin writing for two of the judges (there was one dissent) ruled that Gomboc had an “objectively reasonable expectation of privacy regarding the information obtained by the DRA,” and that it was violated by the utility company. 
The electronic surveillance amounted to an unreasonable search and seizure, and the court ordered a new trial – presumably one without the DRA evidence. The Alberta court said that the utility company’s actions were similar to those of a mailman looking into the windows of a home while delivering mail, and then reporting his observations to the authorities, or a cable TV supplier reporting the viewing habits and preferences of a subscriber. Without a search warrant, all of these activities are improper, and would render the protection of a reasonable expectation of personal privacy in one’s home illusory. [Source]
The Canadian government has rejected proposed reforms to the nation’s privacy and information access laws. Privacy experts who had hoped the update would help bring the 26-year-old Privacy Act up to Information Age standards expressed disappointment. “While we agree with the minister that privacy is well protected in Canada, we feel we can do better,” said Assistant Privacy Commissioner Chantal Bernier. Interim Information Commissioner Suzanne Legault said: “We really live in a world of digital information and the system hasn’t adjusted.” In rejecting the proposals, Justice Minister Rob Nicholson described them as cumbersome and ill-considered, saying that instead, access and privacy could be improved through enhanced guidance and training. [Source] [Source]
Consumer
Britain’s Office of Fair Trading (OFT) has joined regulators in the U.S., EU and Canada in taking a closer look at the practice of behavioral targeting. The OFT will examine Internet retailers and online search companies’ use of BT, which targets ads to consumers based on their online activities. “Behavioural advertising is rising fast, but a lot of companies don’t disclose what forms of tracking are taking place,” said Pinsent Masons attorney Struan Robertson. “To most people it is not clear when it is happening. There is scope to improve disclosure on this.” The OFT will also examine companies’ customized pricing practices. [Source]
Mobile devices, cloud computing and global business partnerships enabled by the Internet and other network services have redrawn the map of the global flow of personal information. Technology will continue to drive simple services built on these complex systems, pushing the balance between using and protecting personal data “to the breaking point,” according to Richard Purcell, President of The Privacy Projects (TPP), a non-profit research institute that launched last week. The Privacy Projects (www.theprivacyprojects.org) intends to fund academic research into “evidence-based” privacy to enhance policies, practices and tools necessary to meet the power of the new technologies. “We intend to support advances in the ways companies collect, store, use, share and manage customer information,” said Purcell. “We encourage the digital human represented by the data to be more respected and better protected.” Funded by the proceeds of the sale of the assets of TRUSTe, the leading online privacy seal program, when it moved to for-profit status in 2008, TPP will be “an independent voice for what can come next” as companies, governments and consumer advocates consider, develop and deploy information-driven businesses with data protection and privacy built in. [Source] [Press Release]
E-Government
A growing number of Whitehorse residents are refusing to be enumerated in advance of this week’s civic election, citing privacy issues, and the city’s voters list has shrunk as a result. Some eligible voters in the Yukon capital do not like the idea of their names and personal information being displayed in public, which is the case when voters lists are posted. “The Municipal Act requires the city to publish the lists. And when you post lists, privacy goes out the window.” About 10,700 voters are registered for Thursday’s election, which is down slightly compared with the last civic election in 2006. Felker said she’s disappointed that people are reluctant to have their names on the public list. “Because the privacy issues are so high … they don’t believe us when we say, ‘We’re going to protect your information as much as we can.’” In the meantime, the City of Whitehorse has been trying to preserve privacy by posting the voters list in city-owned facilities only, Felker said. [Source]
Federal officials told the State of Indiana this week that a plan to turn welfare enrollment data over to a private contractor for the purposes of employment screening would not be allowed. The U.S. Food and Nutrition Service expressed concerns about the appropriateness of the disclosure. That the data sharing was even considered has raised questions about the security of the personal information collected and used by assistance programs. “The more people who have your data, the greater likelihood that either they’re going to lose it or a rogue employee will abuse it,” said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University. [Source]
A plan by the Australian government to track how welfare recipients spend their relief money is being questioned by the Welfare Rights Centre, which believes the plan would be an invasion of privacy for those enrolled in the program. Welfare Rights Centre director Maree O’Halloran acknowledged that the program has merit, but believes the cost--individual privacy--is too high. “We are concerned that underlying this better, innovative way of collecting information, there could be the possibility of tracking the lifestyles of people who receive social security payments,” O’Halloran said. [Source]
On April 24, 2009, the Minister of Industry and Commerce, on behalf of the Government of Canada, tabled Bill C-27, being legislation to enact the Electronic Commerce Protection Act (the “ECPA”). The proposed legislation aims to protect and promote the growth of electronic commerce by introducing measures intended to address the problems of spam, phishing, spyware and malware. This article reviews the key provisions of Bill C-27, including rules pertaining to spam; mandatory content for commercial e-mail; phishing; spyware and malware; penalties and enforcement; private rights of action; and protection of personal information -- the ECPA amends PIPEDA by adding thereto provisions prohibiting the collection of an individual’s electronic address through the use of a computer program designed for that purpose and prohibiting the collection and use of personal information by means of unauthorized access to a computer system. The private right of action created by the ECPA will apply to both these new prohibitions as well, thus adding teeth to PIPEDA which, since its enactment, has provided for only one remedy, namely, a complaint to the Privacy Commissioner’s office. The prohibitions stand to have consequences for merchants who use the Internet as a tool to mine data on consumer habits and interests in order to target direct advertising. [Full Analysis]
The Canadian Marketing Association is lobbying MPs to change an anti-spam bill so that consumers have to opt out of receiving commercial email messages, rather than opting in to get them. In a message sent to its 800 corporate members — which include Costco, the Liquor Control Board of Ontario, Home Depot and Rogers — on Thursday, the CMA urged companies to get in touch with their local MPs to demand changes to the proposed legislation, which is expected to enter a critical phase on Monday. [CBC]
Business groups are concerned the anti-spam bill being considered by a parliamentary committee will hurt their ability to reach new customers by requiring consent before sending an e-mail. But the Conservative chair of the committee opposes new exceptions to the bill, and a security vendor also says the bill should be strict. Bill C-27 or the Electronic Commerce Protection Act is currently before the Standing Committee on Industry, Science and Technology. Politicians are debating whether to include more exceptions in the bill. But the Conservatives are opposed to such a move. Last week, Liberal and Bloc Quebecois members of the committee put forward 40 proposed changes to the bill. Most are new exemptions, including product updates, market research, when a person has published his e-mail address, and if a person is referred by someone else. “The sum total of these changes would be pretty significant,” Geist writes. “It is clear that the lobby groups would like more, particularly a shift from opt-in to opt-out consent.” [Source]
Electronic Records
Google, Microsoft and other new providers will host Australians’ electronic health records as the federal and state governments back away from funding a nationwide scheme. National E-Health Transition Authority chief executive Peter Fleming said the original vision of a single e-health record system had been abandoned in favour of “person-controlled” records that could be adopted more quickly. The Council of Australian Governments is yet to make a decision on the business case for individual e-health records put to it by NEHTA a year ago, but Mr Fleming said the health ministers were pushing the organisation to take “a far more commercial approach”. “Five years ago, there was a strong view that there would be an e-health record for all Australians held on a massive database somewhere,” he told the Medical Software Industry Association conference in Sydney last week. “That’s no longer the view. “When and if the e-health record is approved, we’ll enter into detailed planning around the architecture, but undoubtedly people will have an option to choose health records from a range of sources and their medical information will be stored in a number of locations.” Mr Fleming said the foundation work on healthcare identifiers, secure messaging and other technical standards would support a rollout of personal health records by 2012, although a new indexing service would be needed to bring disparate files together at the point of care. To cater for emergency situations, a health summary containing key medication and allergy data could be linked to the index. “Certainly there needs to be a viable financial model for the private sector, in terms of margins or incentives, but I would see those things occurring,” Mr Fleming said. “One of our directions now is how we engage the private sector and move these things forward.” NEHTA has released to public discussion its strategic plan for the next three years to 2012. [Source]
Doctors behind two made-in-Canada electronic record systems designed years ago and adopted around the world insist that electronic medical records systems need not be hard to deploy. OSCAR, an open-source software pioneered by McMaster University’s school of medicine, is being used by hundreds of doctors from Prince Edward Island to British Columbia, and many more from outside the country. It puts patients’ information on secure servers that are based in a doctor’s office but can be accessed online from just about anywhere by logging on the same way one would to an online bank account. A separate sister system, MyOSCAR, lets patients access their own records online. David Chan, the system’s architect and a professor with McMaster’s family medicine department, has given talks about electronic medical records across Canada and the United States, and says he doesn’t understand why provincial governments haven’t jumped to adopt OSCAR’s technology. “The impression of our current government agencies such as eHealth is that open-source projects ... tend to be not as professional,” he said. “This is simply not true any more.” Because OSCAR is downloadable for free, the costs to implement it provincially would be relatively modest, he says - likely in the area of $20-million for Ontario, much of that going to vendors who would adapt the software to different doctors’ needs and explain how it works. He notes this system wouldn’t be ideal for a centralized, single-server database - but then, he argues, that would probably be a bad idea anyway: Having millions of patients’ medical information on one enormous server would be needlessly unwieldy, not to mention a privacy nightmare if its integrity were compromised. [Source]
EU Developments
A European Commission report released last week says that more needs to be done to protect online privacy and fight spammers. The commission says that although several EU countries have taken measures to enforce Europe’s ban on spam, more needs to be done. Specifically, the commission says legislative changes are needed, as well as better cross-border cooperation and more resources for national privacy authorities. “I call on EU countries to reinforce their national efforts to fight online privacy threats such as spam, spyware and malicious software,” said EU Commissioner for Information Society and Media Viviane Reding. [Source] [Study on activities undertaken to address threats that undermine confidence in the Information Society - SMART 2008/0013]
Eurovision Song Contest organisers say they may ban countries from the competition if broadcasters disclose information about voters’ identities. It comes after a number of people in Azerbaijan were questioned by police after voting for a song by neighbouring Armenia in this year’s contest. [Source]
UK employers may be made aware of the previous convictions of all staff - no matter how minor - following a landmark ruling from the Court of Appeal. The Court ruled criminal records can be held on police computers for ‘as long as they feel necessary’, and can be shared with the Criminal Records Bureau, which has the right to show the records to employers or prospective employers. Anna Fairclough, a lawyer at civil rights organisation Liberty, specialises in privacy litigation. She said: “Exceptions to the Rehabilitation of Offenders Act and the net of employment vetting are being cast so wide that people will be forever haunted by the minor indiscretions of their youth. “We need a tighter rein on the circumstances when spent convictions can be disclosed. The Independent Safeguarding Authority was supposed to address the balance between personal privacy and the protection of the vulnerable but it is in danger of collapsing under the strain of irrelevant information and excessive checks. “This judgment forgets the privacy rights of millions of people and we hope it is appealed.” [Source]
The UK Government has outlined its plans to jail people convicted of trading illegally in personal data or knowingly or recklessly disclosing it. Under the plans the jail terms would be introduced next April. Privacy regulator the Information Commissioner’s Office (ICO) has long campaigned for an increase in penalties for breaches of the Data Protection Act (DPA). The Government has agreed to back the proposal and has launched a consultation on the issue. “The custodial sentences should be set at the maximum available under the power (i.e. twelve months’ imprisonment on summary conviction and two years’ imprisonment on conviction on indictment),” says the consultation. The Government also proposes to introduce a new defence to the offences for which jail terms are being introduced. People who are engaged in art or journalism can claim exemption from the rule. “The additional defence for anyone who can show that he was acting for the special purposes (as defined by section 3 of the DPA) with a view to publishing journalistic, literary or artistic material, in the reasonable belief that the obtaining, disclosing or procuring was in the public interest should be introduced alongside the increased penalties,” said the consultation. The Government plans to introduce the changes in April 2010 at the same time as the ICO’s powers are strengthened by the Criminal Justice and Immigration Act. [Source]
Police forces are threatening to withhold information from a Government crime database over fears the project could breach data protection laws. As part of a multi-million pound Government scheme, forces across England and Wales have been asked to provide more detailed records on staff fitness, training and even marital status. The results will create a new online “data hub” where civil servants can access statistics for research. But senior Metropolitan Police staff believe the amount of information required is excessive and question how it will be used and protected. At the heart of the dispute is differing legal advice over who owns information about crimes and police employees. The new data hub would contain details about every crime, rather than summaries covering specific areas. These include crime reference number, date, exact location, crime type, aggravating factors and details of the victim and offender, excluding their names. Discussions began in 2007 and 30 forces, not including the Met, have provided test data so far. James Cleverley, a member of the Metropolitan Police Authority, said: “I doubt any of us would object to data sharing in support of an agreed and specific outcome. “But this rather looks like a harvesting of data just in case it might be useful, and I’m not too happy about that.” [Source]
Facts & Stats
A survey of 133 call centre managers has revealed that nearly all store sensitive customer information in call recordings despite rules against such storage. More than 95% of respondents indicated that they stored customers’ credit card details – including the security codes--even though Payment Card Industry Data Security Council standards advise against it. The study also found that 61 percent of call centre managers were not aware of the industry rules and 18% indicated compliance would be too expensive. [Source]
Filtering
Plans to force British ISPs to disconnect suspected illegal downloaders have been roundly rejected in a new YouGov poll, the first time public opinion has been tested on the issue. Nearly 70% of those surveyed said someone suspected of illegal downloading should have a right to a trial in court before restrictions on internet use were imposed. Only 16% were in favor of automatic curbs based on accusations by copyright holders such as musicians, as is proposed by the business department. [Guardian] See also: [Twitter Jitters: Can What You Tweet About Police Land You in Jail?]
While the U.K. government has been consulting on technical measures including suspension of Internet accounts for file-sharers, a parliamentary committee has issued a report that blames the music industry for much of the file-sharing problem and opposes any policy of disconnection. It found that any disconnection of file-sharers - the government has actually only spoken of “suspension” of accounts since it toughened up its proposals in August - would be “inappropriate.” [Billboard] See also: [MPAA: Antipiracy Is Now ‘Content Protection’]
Health / Medical
In a study led by Children’s Hospital of Eastern Ontario, researchers were able to easily correlate hospital prescription records with the patients that received the medicines. Dr. Khaled El Emam of Children’s Hospital said it is common for pharmacies to sell bulk prescription data to aggregators working for the pharmaceutical industry, and that their findings suggest patient confidentiality may be at risk by the practice. However, Emam said that the research team had identified ways to maintain patient privacy by removing certain data points before transferring the information for analysis. [Source]
Horror Stories
The confidential medical records of patients treated at one of Britain’s top private hospitals have been illegally sold to undercover investigators. Hundreds of files containing intimate details of patients’ conditions, home addresses and dates of birth are being offered for as little as £4 each. The files were sold by two men who claimed to have gained access to the information from IT companies in India, where thousands of British medical records are sent every year to be computerised. They supplied more than 100 records belonging to UK patients but claimed they would be able to pass on hundreds of thousands more on demand. The revelation raises serious questions about the security of health records sent abroad. One patient affected by the security breach described it as ‘one step up from grave-robbing’. The Information Commissioner’s Office is now looking into the allegations. [Source]
Identity Issues
97% of Employees Doubt Businesses’ Ability to Protect Their Customers From Identity Fraud: It is National Identity Fraud Prevention Week (NIDFPW) in the UK and the occasion was recognized with a pair of studies that underscored the need for greater awareness and attention to issues of privacy protection in that country. NIDFPW organizers issued a press release highlighting one study by Fellowes that found 32% of employees dispose of sensitive documents by putting them directly into a trash bin unshredded. Meanwhile, a study by the National Fraud Authority found that 44% of citizens fail to follow safe privacy practices at home and don’t shred sensitive documents before disposal, and only 54 percent routinely check financial statements. [Source] [www.stop-idfraud.co.uk]
Internet / WWW
Peterson v. Moldofsky, No. 07-2603, 2009 WL 3126229 – Defendant took pictures of his ex-girlfriend “engaged in various sex acts with two other people.” Later he emailed some of the photos to his ex-girlfriend’s mother, ex-husband, ex-in-laws, boss and co-workers. The ex-girlfriend sued for intentional infliction of emotional distress and invasion of privacy. Defendant moved for summary judgment. The court denied the motion in large part. The court sided with Plaintiff’s argument that emailing the photos unlawfully publicized private facts. Defendant had argued that emailing the photos to only a half dozen or so people did not amount to “publication,” which is one of the elements of the tort. He pointed to Comment “a” of the Restatement (Second) of Torts §652D which says that “it is not an invasion of the right of privacy to communicate a fact . . . to a single person, or even to a small group of people.” In rejecting this argument, the court engaged in what some might characterize as “Internet exceptionalism,” — applying the law in response to a perceived substantial difference between online and offline communication. The court observed that “the Internet enables its users to ‘quickly and inexpensively’ surmount the barriers to generating publicity that were inherent in the traditional forms of communication.” Finding this distinction to be significant, the court held that distribution of the photos even to a small group of people through the private means of electronic mail could be considered a “publication” for purposes of the tort of invasion of privacy. [Source]
Law Enforcement
Family members of those who violated the law on assembly and demonstration have their personal information recorded in the police database, without their knowing, said a lawmaker. “The police, in trials involving the candlelight vigil participants, submitted as evidence the past criminal records of their family members who were not involved in the assembly,” said Rep. Choe Kyoo-sik of the main opposition Democratic Party on Sunday. Such investigation methods correspond to the involvement system, which is banned by the Constitution, the lawmaker said. Investigators may at any time refer to the database, which shows whether any family member has ever been arrested, indicted, convicted, or even just suspected of violating the assembly law, he said. [Source]
Location
New “smart” utility meters will soon replace the old, familiar devices and allow electric companies--and the government--to determine what appliances are being used, and measure homeowners’ energy-conservation efforts. News of the smart meter, which is expected in every home by 2020, has sparked concern among privacy advocates, who are already peeved by the use of devices to monitor household recycling, the report states. “This is Orwellian,” said Doretta Cocks of the Campaign for Weekly Waste Collection. “We’re already under surveillance for what we put outside the home in bins and now we could be watched for what we’re doing inside as well.” [Source]
Offshore
Romania’s constitutional court has deemed a law requiring mobile operators and Internet service providers to store communication data for six months unconstitutional. The court said the law violates Article 28 of the Romanian constitution, which covers “the secrecy of letters, telegrams and other postal communications,” telephone calls and other legal means of communications, the report states. The law was enacted to satisfy European Data Retention Directive requirements and was set to take effect December 31. [Source]
Online Privacy
U.S. District Court Judge Thelton Henderson has dismissed a privacy lawsuit targeting six ISPs for their association with now defunct behavioral advertising firm NebuAd on the grounds that California has no jurisdiction over the companies. MediaPost reports that the lawsuit, filed by 15 plaintiffs, was based on allegations that the deep packet inspection technique used by NebuAd to analyze user habits and then target advertising violates user privacy. In his ruling, however, Judge Henderson rejected the defendants’ claims that they had not violated the law, and lawyers for the defendants said they intend to re-file their suit in other states. [Source]
Australia’s Federal Court will leave it up to individual judges to decide whether to allow cases to be covered from within their courtrooms on new media platforms such as Twitter. The issue arose after two technology journalists started using the microblogging site to publish running reports of the landmark iiNet copyright case being heard by judge Dennis Cowdroy in Sydney and which is big news in Hollywood. [Australian IT]
Other Jurisdictions
The All Party Parliamentary Communications Group says Britain should have one privacy law to protect citizens in the online and offline environments. The group recommends a green paper on privacy, intended to lead to a privacy bill in the next parliament. In a report released on Thursday, the group says that the current “hodgepodge of laws and the side-effects of complex regulations is not an ideal way to provide a legal basis for privacy.” The group also made specific recommendations regarding behavioral advertising and children’s privacy. [Source]
The Rudd Government will rewrite the 21-year-old Privacy Act for the technology age, ending the fragmentation of state laws and streamlining the rules to apply to both private and public sectors. Special Minister of State, Senator Joe Ludwig, has released the government’s response to the first stage of the Australian Law Reform Commission’s report, For Your Information. Senator Ludwig said the government would create a clear framework and provide a single set of privacy principles for the handling of personal information by both government agencies and relevant private sector organisations. “The Privacy Act will be amended to streamline the 11 information privacy principles that apply to government agencies, and the 10 national principles that apply to businesses and private organisations,” he said. “The government will also enhance the federal Privacy Commissioner’s powers of investigation and compliance, and strengthen enforcement functions.” Senator Ludwig said the government planned to release a draft reform bill for consultation early next year. In the first-stage response, around 90% of 197 recommendations made by the ALRC have been accepted; the remaining 98 recommendations will be addressed in the government’s second-stage response covering data breach notifications, telecommunications, and a statutory cause of action for serious invasions of privacy. [Source] [Press Release] [Enhancing National Privacy Protection: Australian Government First Stage response]
The list of contenders for the Australian Privacy Awards is down to the finalists, and in the government category such agencies as the Australian Customs and Border Protection Service, CrimTrac, Human Services Portfolio, Mildura Rural City Council, Social Security Appeals Tribunal and Victorian Department of Justice have all made the final cut. The awards recognize innovation in protecting individual privacy and raise awareness and encourage best practices among both private and public sector organizations. In announcing the finalists Privacy Commissioner Karen Curtis said: “Many of the finalists have adopted innovative approaches to compliance and have embedded privacy as a core value in their activities.” [Source]
Privacy (US)
A federal judge in Maine is asking the state’s Supreme Court to consider whether the time consumers spend mopping up after a data breach constitutes losses worthy of compensation. Judge D. Brock Hornby reversed a May decision to dismiss a class-action lawsuit filed on behalf of Hannaford Brothers supermarket chain customers who were impacted by a security breach. In May, Hornby said the customers were not entitled to restitution. But last week Hornby granted plaintiffs’ motion to request Supreme Court review, noting “if the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.” [Source]
Privacy Enhancing Technologies (PETs)
The Wall Street Journal reports on Web services that help people manage their affairs postmortem. For example, one service lets the dead or incarcerated share passwords, communicate wills and delete e-mail messages permanently after their demise or imprisonment. And entrepreneurs are not the only ones considering the virtual dealings of the dead. Some governments are working to ensure that the sensitive personal information of the deceased is handled properly by online sites that house it. [Source]
RFID
University of Utah engineers have demonstrated that a wireless network of radio transmitters using radio tomographic imaging (RTI) can track people moving behind solid objects. “By showing the locations of people within a building during hostage situations, fires, or other emergencies, radio tomography can help law enforcement and emergency responders to know where they should focus their attention,” write Utah professor Neal Patwari and doctoral student Joey Wilson. A study on the RTI-based system involved placing a wireless network of 28 radio transceivers, or nodes, around a square-shaped portion of an indoor atrium and an outdoor area. The strength of the radio signal between the nodes was measured as a person walked in each area. The radio signal strength data was displayed on a computer screen to create a bird’s-eye view of the area, which included a blob-like image of the person. A second study showed that an improved version of the system allows for tracking through walls, and demonstrated how variations in radio signal strength within a wireless network of 34 nodes could be used to track people moving behind a brick wall. The system can be used to track a person to within three feet of their actual location. RTI, which is less expensive than radar, measures “shadows” in radio waves that are created when they pass through a moving object or person. RTI has several major advantages, since radio signals can travel through obstructions like walls, trees, and smoke, which optical and infrared systems cannot. [Source]
Security
Canada’s airport security agency broke government rules by collecting personal information from passengers before considering privacy implications. The Canadian Air Transport Security Authority began scanning and keeping boarding pass information from travellers at Montreal’s Pierre Elliott Trudeau International Airport in April. While the agency flagged the project with the privacy commissioner, it proceeded before completing a privacy impact assessment (PIA). “We advised (the authority) that if they were to proceed, we would recommend a PIA. We have not received a PIA,” said the commissioner’s spokeswoman Anne-Marie Hayden. Treasury Board rules state all government agencies and departments are obliged to develop a PIA before beginning any project that might raise privacy concerns. Authority spokesman Mathieu Larocque said the agency is “doing one right now.” Larocque said the authority is keeping boarding pass details, which it collects when a passenger enters the security checkpoint line, for 24 hours. “The information will only be used if there is a security incident and we need to know who went through the line and at what time,” he said. [Source]
A server meltdown over the weekend wiped out the master copies of personal data -- including address books, calendars, to-do lists and photos -- accumulated by users of T-Mobile’s formerly popular Sidekick smartphone. This computing calamity allows Sidekick owners only a faint hope of backing up the information currently on their devices, and none of recovering anything they’d trusted to online storage. And it leaves T-Mobile and the operator of the Sidekick’s data service, a Microsoft subsidiary formerly known as Danger Inc., with serious explaining to do. This isn’t the first time a Web service has crashed and left its users without access to data stored “in the cloud,” as Web-services evangelists like to describe their approach. Earlier this summer, users of Google’s Web-hosted e-mail, calendar and documents applications were shut out of their data for part of a day. But it is one of the few times a cloud-computing vendor didn’t have offline or off-site backups that could survive a server implosion -- even though the Sidekick’s design leaves users without any easy way to copy their data to their own computers, and even though Microsoft and Danger should have thought to run an extra backup cycle when a bout of service glitches set in a week before Sidekick data vanished down the bit bucket. [Source]
Surveillance
The EU is funding ambitious programmes to monitor human behaviour in the fight against crime and terrorism. Some people are afraid this will turn us all into suspects. Say you are a frequent flier and you check in faster than most people. A network of advanced cameras at the airport can measure your speed and alert the control room. The system knows terrorists tend to be nervous and almost never stop for coffee. This makes a speedy traveller a suspicious traveller. You may also want to think twice about using the airport bathroom more than once. There is a good chance you will be picked out for an extensive security check. These are some of the things being studied by an EU-funded project for detecting suspicious behaviour, Adabts (Automatic Detection of Abnormal Behaviour and Threats in Crowded Spaces). “We monitor all deviant behaviour,” says Maarten Hogervorst of TNO Defence and Security, an independent Dutch research institute. The Adabts project, in which TNO is a partner, is only one among hundreds of security projects under the umbrella of the EU research programme Security. The programme has a budget of 1.4 billion euros until 2013. [Source]
Noted security expert Bruce Schneier is questioning the effectiveness of video surveillance following New York Mayor Michael Bloomberg’s announcement of a $24 million grant to procure such a network for the city. “They won’t stop any terrorist,” Schneier said. “None of them is going to look at a camera and say ‘I better go get a real job.’” The New York Civil Liberties Union (NYCLU) has filed two lawsuits to force the NYPD to disclose more information about the systems. “The fear is [that] the NYPD without any oversight or public scrutiny is creating a massive surveillance system, when we don’t know if this is the best use of $125 million designed to keep us safe,” said NYCLU Executive Director Donna Lieberman. [Source]
The Office of the Privacy Commissioner of Canada has expressed concern over the growing police use of technology to spy on motorists. In a letter to the Nanaimo Daily News, Assistant Privacy Commissioner Chantal Bernier emphasized that the RCMP had not received the commissioner’s approval for the agency’s use of license plate recognition devices. Known as ALPR in North America, these cameras use a combination of electronic databases, cameras and optical character recognition software to identify each passing vehicle. Over time, the devices create a searchable log containing the exact time and date that each automobile passed a given location. “Traditionally, traffic surveillance technologies have been used to capture specific infractions such as speeding or running a red light,” Bernier wrote. “With ALPR, the technology captures personal information related to all vehicles within the camera’s field of view -- even parked cars -- in the absence of any particular suspicion of an individual or vehicle... In other words, the program involves a generalized and ubiquitous form of surveillance that is very different from previous police techniques to detect traffic violations. Generalized surveillance of the Canadian population clearly raises some red flags for privacy rights.” [Source]
US Legislation
Governor Arnold Schwarzenegger has vetoed an update to California’s landmark data-breach notification law, saying that the new bill would be too hard on businesses without adequately benefiting consumers. The proposed law, SB 20, would have also required companies to tell consumers exactly what information had been compromised, and provide details of how it was lost, and created a central repository of breach notification letters with the attorney general’s office -- something that states such as New York, Maryland and New Hampshire have already done. It would have been an incremental update to California’s 2002 breach notification law. The updated bill, which was passed by the state Senate and Legislature last month, was authored by State Senator Joe Simitian, a Democrat from Palo Alto, California, who said, “I’m surprised as well as disappointed by the Governor’s veto.” “There was no opposition to the bill in its final form. This was a common sense step to help consumers.” [Source]
Workplace Privacy
New England Baptist Hospital has jumped into the middle of the digital divide by banning Facebook, and other social media, until it crafts an at-work policy for the popular social networking site. The ban was triggered by concerns that hospital workers were revealing too much information about patients in their online posts. Employees complained to hospital administrators several times this summer about co-workers spending a lot of time on Facebook. As the complaints mounted, administrators realized that they have strict policies on e-mail, but nothing for increasingly popular social networking sites. The Facebook ban will remain for six months or so, until the Boston hospital develops the electronic tools to monitor use and content, she said. “Our hope is, as soon as we get the policies in place, we will reinstate use,” she said. [Source]
+++