Privacy News Highlights

01–16 July 2010

 

Contents:

PL – Biometric ATM Gives Cash Via ‘Finger Vein’ Scan
AU – Commissioner: Safeguards Needed for Biometric Data Collection
CA – New Brunswick Gets First Privacy Commissioner
CA – Saskatchewan Needs Privacy Upgrade: Report
CA – Alberta Licence Photo Used to Make Defamatory Poster
CA – Privacy Watchdog Probes Dating Site
US – Amazon Patent’s Privacy Pratfall
US – Poll: Social Networking Users Concerned about Privacy
US – Study: Consumer v. Marketer Expectations
US – Study: Online Habits of the Young Will Live On
US – Facebook Scores Low on Consumer Satisfaction
CA – Federal Privacy Commissioner Sees Few Complaints About Census Form
IR – Methods of Collecting School Data to be Revised
US – 911 Dispatch App Puts Emergency Data in Hands of Citizens
US – State Office Releases Personal Data
US – Health Net Settles with Connecticut Over Massive Security Breach
AU – Medicare Watchdog Probed on Handling of Private Medical Records
UK – One in Ten NHS Trusts ‘Hampered by Poor Data Security’
CA – eCrypt Technologies Inc. Renews BlackBerry Alliance Program Membership
EU – EU Working Party Finds Problems with Data Retention Directive
EU – Germany Takes Legal Steps Against Facebook
UK – Behavioural Advertising is Fair if Users Can Opt Out, Says Privacy Watchdog
UK – ICO Releases Annual Report, Reiterates Call for Jail Sentences
US – Breach Numbers Released, Some Not Recorded
UK – Data Protection Costs £53 Million Per Year
AU – Study: Online Crime Hits One in 10
US – AOL Suffers Blow In Lingering ‘Data Valdez’ Case
EU – European Parliament Votes to Allow US Access to European Banking Data
US – Study Shows Hotels Hacked at “Disturbing Rate”
US – Bluetooth at Heart of Gas Station Credit-Card Scam
US – Ruling Could Affect Public Employees’ E-mail Privacy
CA – Bid to Expand DNA Sampling Sparks Criticism
US – ACLU Says California DNA Law Violates Privacy
CA – Privacy Breaches More Serious Than Arbitrators Realize: Dickson
US – Private Practices Now Named on OCR Site
US – Comment Period Begins This Week on New Proposed Rules
US – ESRB Leaked Email Addresses of People Concerned About Online Privacy
US – Missing CDs Hold Unencrypted Patient Data
US – University of Hawaii Manoa Parking Office Computer Breached
UK – Big Brother Row as ‘Food Police’ Secretly Photograph Schoolchildren’s Lunches
WW – Foursquare Puts Money Before Privacy?
IN – India Proposes Tighter Laws for National ID Project
US – Appeals Court Upholds Ruling in ID Theft Case
CA – N.B. Newspaper Ordered to Name Commenter
US – Anti-Piracy Practices Tied to Funding for Colleges and Universities
CA – Nova Scotia Court Orders New Trial Because Of Police Jury Vetting
WW – Facebook Privacy About-Face
CA – Facebook Class Action Spreads to Canada
CA – Facebook Class-Action Lawsuit Involves Nearly Half of All Canadians
WW – Google Acknowledges YouTube Hack
WW – Expands Suspicious Log Warnings to All Account Products
AU – Google Apologizes for Wi-Fi Data Gathering in Australia
CA – Identifying G20 Suspects Using Banks’ Software a Legal Risk, Police Told
US – Oregon City Settles Suit Over Recording Of Arrest
US – Privacy Breach Reveals Network Users’ Locations
WW – APEC Launches New Privacy Enforcement Initiative
WW – Researchers Find Privacy Flaws in Chatroulette
CN – New Chinese Law Says No to “Human Flesh” Search
MX – Mexico’s Data Protection Law Takes Effect
UA – New Law on Personal Data Protection in Ukraine
MY – Malaysia Decision to Bar Agencies from Keeping Personal Data Welcomed
US – Anonymous Group Leaks Personal Information of Alleged Illegal Immigrants in Utah
US – Possible Sale of Gay Teen Database Sparks Privacy Fears
US – Classmates.com Asks Judge to Dismiss Privacy Lawsuit: “Info Was Public”
CA – Sovereignty up in the Air
US – CDT Files Privacy, Credit Complaint Against Spokeo.com
US – USPS Gets High Privacy Trust Score
US – Manning Copied Stolen Data Onto CDs
US – DHS Announces Dramatic Expansion of Airport Body Scanner Program
US – EPIC Sues to Block Airport Scanners
AE – Body Scanners Will Not Be Used at Dubai Airports: Reports
US – NSA Denies It Will Spy on Utilities
US – NSA Says Perfect Citizen is Not a Monitoring Program
IN – Indian Government Seeks Access to Skype and BlackBerry Communications
EU – Italy Wiretap Bill Undermines Freedom: UN Expert
UK – Privacy Campaigners Blast Brit Mikes on Street Lampposts ‘Snooping’ Project
UK – Police Number Plate Recognition Camera Rules Tightened
WW – Apple Faces Privacy Questions from US Legislators and German Justice Minister
CA – Do-Not-Call Fines Total $73,000; Only $250 Collected
US – Fight Against Telco Immunity Continues in Court of Appeals
AU – Australia Introduces Internet Industry Code of Practice
UK – ISPs Challenge Digital Economy Act
US – State Attorneys General Press Google on Street View Scandal
US – NSA Developing Network Attack Monitoring Program
US – DHS Shares Privacy Expertise in New Handbook
US – Home Address to be Omitted from Ohio Vehicle Registration Forms
US – Groups Call on FTC to Propose Privacy Law
US – New York Ends “Stop and Frisk” Data Collection

 

 


Biometrics

 

PL – Biometric ATM Gives Cash Via ‘Finger Vein’ Scan

Poland’s cooperative BPS bank says it is the first in Europe to install a biometric ATM, allowing customers to withdraw cash simply with the touch of a fingertip. The digit-scanning ATM, introduced in the Polish capital of Warsaw, runs on the latest “finger vein” technology, an authentication system developed by Japanese tech giant Hitachi. The company says that an infrared light is passed through the finger to detect a unique pattern of micro-veins beneath the surface, which is then matched with a pre-registered profile to verify an individual’s identity. BPS plans to install a biometric ATM at every one of its branches by the end of the year, where, says Jones, they will also function as collection terminals for state benefits. [Source]

 

AU – Commissioner: Safeguards Needed for Biometric Data Collection

Fourteen major venues across Australia are now using fingerprint scanners to control alcohol-related violence, prompting Privacy Commissioner Karen Curtis to call for safeguards. Curtis says the biometric data collected should be destroyed as soon as possible; individuals should be notified as to why the data has been collected, and databases should be kept up to date and secure. “If clubs fail in any of these areas, they run the risk of breaching their customers’ privacy and of having a privacy complaint lodged against them,” Curtis said, adding that creating a database or sharing data between venues would breach privacy laws. [News.com.au]

 

Canada

 

CA – New Brunswick Gets First Privacy Commissioner

New Brunswick Premier Shawn Graham announced that Fredericton lawyer Anne Bertrand has been named New Brunswick’s first access to information and privacy commissioner. Bertrand will take on the role when the new right to information and protection of privacy act is proclaimed on Sept. 1. Bertrand has practised law in New Brunswick for 24 years. She has also served as an adjudicator, mediator and tribunal member at the provincial and federal levels. As commissioner, Bertrand will be responsible for oversight of the new legislation, as well as the Personal Health Information Privacy and Access Act. This will include hearing complaints under both pieces of legislation and fulfilling an education and advocacy role in relation to access and privacy issues. The appointment is for five years and Bertrand will report directly to the legislature. [Source]

 

CA – Saskatchewan Needs Privacy Upgrade: Report

The province’s aging privacy laws need updating to protect its citizens, says Saskatchewan’s privacy commissioner Gary Dickson in an annual report released last week: the Saskatchewan government isn’t doing anything to bring its laws into the 21st century. Dickson said the province’s 18-year-old privacy law was written before electronic health records became as accessible as they are now. Dickson referred to the handling of privacy breaches at two different health regions as evidence the province does not take its privacy laws seriously. The government said before it considers reviewing the legislation it will provide more training to employees on privacy rules this fall. [CBC News] See also [interim BC Commissioner Paul Fraser’s Annual Report]

 

CA – Alberta Licence Photo Used to Make Defamatory Poster

The case of a man whose driver’s licence photo was used in a smear campaign in an Alberta town has been deemed one of the worst breaches of personal information that the province’s privacy watchdog has ever seen. Don Laird first found the posters bearing his image on telephone poles around Edson in April 2008. The posters had an enlarged photocopy of his driver’s licence photo and a message: “Keep an eye on your children.” The posters had also been seen earlier at the Edson post office and the local friendship centre. The insinuation in the message was false. RCMP immediately told the community that Laird posed no risk to anyone and that the posters were a hoax. But the damage was done. Laird became paranoid. Whenever someone looked at him the wrong way, he worried they remembered seeing his face on the poster. Laird made a complaint about the posters to the privacy commissioner. In a ruling dated June 16, the adjudicator for the privacy commissioner found that his former employers placed the enlargement of Laird’s driver’s licence photos and the statement on the posters. The commission also found the firms broke the law by making inaccurate statements about him on those posters. The ruling also found the companies kept the copy of Laird’s licence in an unlocked filing cabinet. No determination was made in the ruling as to which person in the organization made the posters, as the privacy legislation only deals with organizations. The companies plan to appeal the privacy commission’s ruling in court. [CBC News] [Alberta: Companies put up inflammatory poster to get back at ex-employee]

 

Consumer

 

CA – Privacy Watchdog Probes Dating Site

An investigation is underway by Canada’s privacy commissioner into an online dating service, the first time Jennifer Stoddart has had to launch such a probe. Her office received a complaint from an individual about six months ago. The issue was not resolved through mediation with the company and her office has now moved to an official investigation phase. Stoddart is bound by law to keep the name of the dating company confidential but depending on the results of her investigation she may be able to publicize it later. At the very least her office will release a report about the review generally, she indicated. “I’d say watch our website in the future and we’ll be talking about it,” said Stoddart. [Source]

 

US – Amazon Patent’s Privacy Pratfall

Against a backdrop of years of vigilance in protecting consumer privacy, a newly public Amazon patent application raises a wide range of privacy concerns. The patent-pending automated gift registry envisions making gift recommendations to strangers, leveraging Amazon’s legendary database of consumer data. It speaks of using third-party databases, in addition to its own, to suggest gift ideas for (in an example the application actually uses) “single Protestant Asian women between the ages of 25 and 35 with disposable incomes greater than $50,000.” And because Amazon’s new invention would make specific gift recommendations for anyone who asked, it raises the question of how easily crooks could go on private-data fishing expeditions, trying one gift after another to uncover personal details about their targets. The system the patent application describes represents a sharp departure from Amazon’s previous approach of employing only user-approved data for gift recommendations. Less than two years ago, Amazon executive Michal Geller said that when it came to gift customization, “anything related to privacy is off the table,” forcing Amazon to focus on “some creative ways [that are] not creepy.” [Storefront Backtalk]

 

US – Poll: Social Networking Users Concerned about Privacy

A new poll indicates that half of Americans who have a profile on a social networking site are worried about their privacy. The Marist poll surveyed more than 1,000 people, 27% of whom said they were concerned about their privacy on sites such as Facebook and MySpace, and 23% of whom said they were very concerned. Americans over the age of 60 are the most concerned, and women are more concerned than men, the poll showed. “Some people are concerned, reluctant and skittish about the extent of online information. There’s a privacy element that some people feel is getting lost,” said the director of the Marist College Institute for Public Opinion. [The Washington Post]

 

US – Study: Consumer v. Marketer Expectations

A recently released study shows that when it comes to new technology, consumers have higher privacy expectations than marketers and most often prefer an opt-in method for collecting personal information. The University of Massachusetts Amherst study looked at cookies, RFID, text messaging, pop-up ads, telemarketing, SPAM, biometrics and loyalty cards. This is the first study to directly compare the privacy expectations of consumers and marketers. The researchers also discovered that many consumers don’t understand the tools used by online companies and marketers and don’t know how much, or how often, detailed information is gathered about them. [Source]

 

US – Study: Online Habits of the Young Will Live On

A study fielded by the Pew Research Center’s Internet & American Life Project and Elon University’s Imagining the Internet Center found that most technology experts and stakeholders believe the online sharing habits of the millennial generation will stay with them throughout their lives. 67% of respondents agreed with a statement that Millennials “will continue to be ambient broadcasters who disclose a great deal of personal information in order to stay connected and take advantage of social, economic and political opportunities.” Respondents also acknowledged that new social norms and new definitions of public and private information are already taking shape. [Source] [Full report]

 

US – Facebook Scores Low on Consumer Satisfaction

In a recent study by Foresee Results and the University of Michigan, Facebook has scored extremely low in the area of customer satisfaction. The 2010 American Customer Satisfaction Index E-Business Report included social networking companies for the first time, and Facebook scored a 64, putting it “in the bottom 5% of all measured private sector companies and in the same range as airlines and cable companies.” The polling company attributed Facebook’s low scores to “privacy concerns, frequent changes to the website, and commercialization and advertising.” [Source]

 

E-Government

 

CA – Federal Privacy Commissioner Sees Few Complaints About Census Form

Despite statements by the Conservative government that they scrapped the long-form census due to widespread privacy concerns from citizens, Canada’s privacy watchdog has received just three complaints about the census in the last decade. Their office was not consulted on the government’s decision, nor did they recommend the government drop the long-form mandatory questionnaire or replace it with a voluntary one. Over the last 20 years, the privacy commissioner has received about 50 complaints related to Statistics Canada. Not all of those complaints were about the census, she said, and the number of complaints has been on a steady downward trend over the last decade. In 1991, the commissioner heard 33 complaints, she said, and many of those were related to the types of questions asked on the census, including those about race, religion, fertility, mental and physical health and people who lived elsewhere but stayed overnight in a household. Other citizens were uncomfortable with the agency employing local enumerators because they felt their neighbours might be reviewing the information on their forms. In 1996, after some of those issues were rectified, the number of complaints dropped to 16. In 2001, there was one complaint about the short-form census and, in 2006, there were two complaints about the long-form. One was resolved before an investigation was launched and the commissioner found that the census question related to the other complaint was in line with the Privacy Act. Three weeks ago, the Conservatives announced they were scrapping the long-form mandatory census questionnaire that gathered information about ethnicity, religion, income, education and housing and replacing it with a voluntary survey because of widespread privacy complaints. A comprehensive Statistics Canada report outlining public feedback on the 2006 census contained no privacy complaints. 
[Postmedia News] See also: [Criticism mounts after Ottawa scraps census long form] [Census revamp prompts debate over the right to reliable data] [Ottawa may revamp restrictive new census rules]

 

IR – Methods of Collecting School Data to be Revised

The Irish Department of Education says it will revise its arrangements for collecting information from schools after the Data Protection Commission warned it could be in breach of legislation. In discussions with the commission earlier this year, the department confirmed it would seek parental consent in relation to the collection of sensitive personal data. This can include sensitive personal information including PPS numbers and medical card status. [The Irish Times] [Concerns over primary school admission forms] See also: [US: Perdue sues MU board, professor]

 

US – 911 Dispatch App Puts Emergency Data in Hands of Citizens

Now, mobile technology will give California’s San Ramon Valley residents an on-the-go glimpse into the district’s 911 dispatch center. Touted as the first of its kind, the FireDepartment.org iPhone app arrived this week as a tool for users to have real-time access to information about emergencies and disasters in the San Francisco Bay Area community without needing a desktop computer. Users can view active incidents and pinpoint locations on an interactive map. They can access a log of recent incidents and a photo gallery of significant events. The app allows for customization as well. For example, users can choose to be notified of incidents by category, or listen to live emergency radio communications using their handheld devices. The new app gives users access to public information like they’ve never had it before, Price said. If a resident is stuck in traffic, or sees smoke or hears a fire truck, he or she needs only to tap the app to find out what’s going on and where. The district, Price added, also will use the app to communicate with its Community Emergency Response Team (CERT) members and to share pertinent data during disasters. [Government Technology]

 

US – State Office Releases Personal Data

The Massachusetts secretary of state’s office is alerting 139,000 investment advisers that their personal information has been exposed. The information, including Social Security numbers and birth dates, was contained on a CD mailed to a business publication in response to a request for information. The publication has since returned the CD, but individuals, the state attorney general and the director of consumer affairs must be notified in accordance with Massachusetts law. “It was an unfortunate mistake,” said a spokesman for the secretary of state’s office. “It obviously was not done according to standard practice.” [The Boston Globe]

 

Electronic Records

 

US – Health Net Settles with Connecticut Over Massive Security Breach

Attorney General Richard Blumenthal has announced a settlement, the first of its kind in the nation, with Health Net and its affiliates for failing to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and for failing to promptly notify consumers endangered by the breach. The settlement provides powerful protections for consumers and a $250,000 payment to the state, and marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA. The agreement resolves allegations that Health Net violated HIPAA, as well as state privacy protections regarding personal data such as social security numbers and financial information. Blumenthal sued after Health Net allegedly lost a computer disk drive in May 2009 containing protected health and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information. Underscoring the seriousness of the matter, Blumenthal learned that the company delayed notifying consumers and law enforcement authorities, and that an investigation by a Health Net consultant concluded the disk drive was likely stolen. Blumenthal negotiated stronger protections for individuals than what Health Net initially offered, including two years of credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under this settlement, Health Net and its affiliates have agreed to:

- A “Corrective Action Plan” in which Health Net is implementing several detailed measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.

- A $250,000 payment to the state representing statutory damages. This payment is intended as a future deterrent to such conduct not only by Health Net, but by other insurers and health care entities that are entrusted with individuals’ private information.

- An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members. [CTWatchDog.com]

 

AU – Medicare Watchdog Probed on Handling of Private Medical Records

Medicare’s powerful investigative arm, the Professional Services Review, has itself become the subject of an investigation. It is alleged that sensitive medical records are being misused and not protected from public release. Privacy Commissioner Karen Curtis is examining whether the PSR knowingly breached guidelines regarding the use of data from the Medicare Benefits Schedule and the Pharmaceutical Benefits Scheme. The commissioner is also investigating whether the PSR inappropriately retained patient records for years after investigations had been completed. [The Australian]

 

UK – One in Ten NHS Trusts ‘Hampered by Poor Data Security’

Even as the government says it wants to put more clinical data online, a study has suggested information security gaps may be plaguing many NHS Trusts which will need to be addressed. According to a report from supplier Hytec, as many as one in ten such NHS bodies can’t access the core NPfIT N3 secure network or the Spine, as they are only ranked “amber” for their current handling of data security. N3 is the national broadband network linking all NHS locations and 1.3 million employees across England; connections to it are strictly controlled by the Connecting for Health (CfH) Information Governance team, which specifies adherence to strict security requirements and data protocols. The Spine is the main plank of the fledgling electronic patient Summary Care Record system all the NHS is expected to be able to use. In this context amber means the organisation has only scored 40-69% on the important governmental Information Governance Statement of Compliance (IG SoC) approved assessment matrix. The firm also points out a third (approximately 300) of all data security breaches reported to the Information Commissioner’s Office (ICO) since 2007 concerned NHS Trust problems with data. Some of the most common security breaches that have been reported are due to lost or stolen data on portable devices or human error when disclosing sensitive information. [Source]

 

Encryption

 

CA – eCrypt Technologies Inc. Renews BlackBerry Alliance Program Membership

eCrypt is pleased to announce it has renewed its membership in the BlackBerry® Alliance Program. Participation in the BlackBerry Alliance Program provides eCrypt with access to a wide array of benefits to help support, market and sell their application for BlackBerry® smartphones. “As our flagship product ‘eCrypt’ provides email privacy for BlackBerry smartphone users, our membership in the BlackBerry Alliance Program is not only important in terms of development and support, but also in terms of taking it to market,” expressed Brad Lever, CEO of eCrypt Technologies. “Our participation in the program enables us to provide the best possible product to our customers.” For further information, go to: www.eCryptinc.com or www.YourPrivacyIsOurBusiness.com. [BusinessWire]

 

EU Developments

 

EU – EU Working Party Finds Problems with Data Retention Directive

The Article 29 Working Party says the European data retention directive is not being applied correctly by member states and that some service providers are retaining inappropriate data. The Working Party this week published a report on the findings of a joint inquiry into the directive. The group of European data protection authorities found discrepancies among member states’ implementation of the law. It also concluded that “more data are being retained than is allowed.” The report includes several recommendations for amending the directive and calls on the European Commission to take into account its findings as it considers potential changes to the directive. [Press Release] [EFF] [Report 01/2010]

 

EU – Germany Takes Legal Steps Against Facebook

A German data protection authority has launched legal proceedings against Facebook, which is accused of illegally accessing and saving personal data of people who don’t use the social networking site. Johannes Caspar said his Hamburg data protection office had initiated legal steps that could result in Facebook being fined tens of thousands of euros for saving private information of individuals who don’t use the site and haven’t granted it access to their details. In April, Facebook changed its privacy settings to allow users to block access to the contacts listed in their email, but Caspar argues that the previously saved contacts have not been erased and are being used for marketing purposes. Facebook has until Aug. 11 to respond formally to the legal complaint against it. Its response will determine whether the case goes further. [Associated Press]

 

UK – Behavioural Advertising is Fair if Users Can Opt Out, Says Privacy Watchdog

There is nothing “intrinsically unfair” about behavioural advertising but website operators should offer visitors the option of using their services without any activity being recorded, the UK Information Commissioner has said. The Information Commissioner’s Office (ICO) has published its first code of practice for the gathering and processing of personal data online. It gives companies guidance on how to treat the information they gather when offering services on the internet. The guidance advises web publishers to give users the option of not being tracked. However, it does allow publishers to simply refuse to offer their service on a non-tracked basis. [Out-Law News] [ICO Code of Practice]

 

UK – ICO Releases Annual Report, Reiterates Call for Jail Sentences

British Information Commissioner Christopher Graham released his Annual Report for 2009/10, reiterating his call for jail sentences for those convicted of illegal data trading. “I shall continue to press for a more effective deterrent to criminal behavior by ‘rogue’ individuals,” Graham said. “I continue to believe that the courts should be able to impose a custodial sentence, where appropriate, to tackle the unlawful trade in personal data that is the scourge of the digital world.” The ICO saw a 30% increase in the number of data protection enquiries during the 2009/10 year. [OUT-LAW.COM]

 

Facts & Stats

 

US – Breach Numbers Released, Some Not Recorded

The Identity Theft Resource Center (ITRC) has recorded 341 data breaches within the first six months of 2010. However, the ITRC says that hundreds more occurred but were not reported due to loopholes in breach notification requirements. A Department of Health and Human Services (HHS) guideline, for example, states that if an organization determines a breach has not caused “significant risk of financial, reputational or other harm to individual,” then the breach does not have to be reported. This type of exception may contribute to lower reporting numbers, the ITRC says. “Consumers want to know if they are at risk from even a small breach. The details of a breach help determine their risk factors as well as guide them in proactive measures.” [InformationWeek] [ITRC list of breaches]

 

UK – Data Protection Costs £53 Million Per Year

A new government report revealed that data protection law costs in the UK total £53 million every year. The Independent reports that a review of the Data Protection Act revealed that companies bear the brunt of costs, with officials saying they spend around £50 million a year responding to subject access requests for information. The review comes as the UK considers granting more punitive powers to the Information Commissioner’s Office, at the urging of the EU. Justice Minister Lord McNally said in reviewing the law, the government aims to protect personal privacy “without placing undue burdens on businesses and other organisations that collect personal data.” [The Independent]

 

AU – Study: Online Crime Hits One in 10

A study of 2,500 Australians found that in the past year about one in 10 have experienced online identity theft, and each occurrence cost an average of $1,000. Extrapolated nationally, that translates to 1.37 million Internet users and $1.3 billion last year. The most common methods of online fraud, according to the study, include “phishing” e-mails, imitating financial institutions or relaying sob stories, that request personal or banking information. Although 60% of the respondents have encountered fraudulent sites or e-mails, the survey found that 69% of respondents aged 18-24 do not check a site’s security features before handing over sensitive information, while those over 50 are the most diligent. [The Sydney Morning Herald]

 

Filtering

 

US – AOL Suffers Blow In Lingering ‘Data Valdez’ Case

A federal judge has ruled that AOL members may pursue attempts to force the company to destroy records about users’ searches. U.S. District Court Judge Saundra Brown Armstrong decided that consumers should be able to seek an injunction, the report states. The trial is scheduled for November 2011. The case stems from a 2006 incident where AOL employees released three months of 650,000 users’ search queries. In her decision, Armstrong wrote, “Plaintiffs aver that as a matter of policy, AOL continues to collect and disseminate the same type of data disclosed” previously. “These facts are sufficient to allege an ongoing injury.” [MediaPost News]

 

Finance

 

EU – European Parliament Votes to Allow US Access to European Banking Data

Members of the European Parliament have voted to allow the US access to European citizens’ financial information. The Swift agreement is aimed at combating terrorism through the Terrorist Finance Tracking Program (TFTP). Though the European Parliament rejected the plan earlier this year due to civil liberties concerns, it was swayed to alter its position after both the European Commission and the European Council approved the plan. The new version of the plan allows EU officials to monitor the US investigators’ actions. [BBC News] [ComputerWorld] [Reuters]

 

US – Study Shows Hotels Hacked at “Disturbing Rate”

A recent study by SpiderLabs found that the hotel industry was involved in 38% of all credit card hacking cases last year. Anthony Roman, a private security investigator, said that hotels are attractive targets because “the greatest amount of credit card information can be obtained using the most simplified methods.” Roman added that most hotel breaches are due to “a failure to equip, or to properly store or transmit, this kind of data, and that starts with the point-of-sale credit card swiping systems.” According to the report, tough economic times have forced hotel owners to cut spending, leading to lagging security upgrades and a worsening of the problem. Credit card companies, meanwhile, are pushing for uniform security measures for all retailers. [The New York Times]

 

US – Bluetooth at Heart of Gas Station Credit-Card Scam

A gas station worker in Florida discovered that fraudsters had placed a credit card skimming device inside a gas pump that transmits card data over Bluetooth. The Secret Service is investigating. According to law enforcement investigating the incidents, thieves are stealing credit-card numbers through skimmers secretly installed inside pumps at gas stations in the U.S., using Bluetooth wireless to transmit the stolen card numbers. [Network World]

 

FOI

 

US – Ruling Could Affect Public Employees’ E-mail Privacy

A Wisconsin case could subject public employees’ private e-mails to the state’s open records law. The Wisconsin Supreme Court is set to rule on the case, which involves a citizen’s request for release of the e-mails of five teachers in the Wisconsin Rapids School District. The teachers involved did not object to the release of work-related e-mails, but filed a lawsuit to keep their personal e-mails private, the report states. A lower-court judge ruled that all of the e-mails should be released, which the teachers then appealed. The verdict is due soon. [Associated Press]

 

Genetics

 

CA – Bid to Expand DNA Sampling Sparks Criticism

A Senate committee has recommended extending a requirement for automatic post-conviction DNA samples to a total of 265 Criminal Code and Controlled Drugs and Substances Act offences that carry maximum sentences of five years or more. Defence lawyers are criticizing the privacy implications of the proposal since the measure would eliminate a requirement for judicial approval of DNA sampling for the vast majority of cases. But they say the federal Conservative government wants to go even further and require DNA samples for the same range of offences immediately after arrest. The Senate legal and constitutional affairs committee included the recommendation in a report following a statutory review of the DNA Identification Act completed shortly before Parliament adjourned for the summer recess. [Law Times]

 

US – ACLU Says California DNA Law Violates Privacy

Challenging a California law that requires police to collect the DNA of all suspected felons, an ACLU lawyer told a federal appeals court that the government should not be allowed to take the “genetic blueprint” of someone who hasn’t been convicted of a crime. One-third of the 300,000 Californians arrested on felony charges each year are never convicted, but the state now can “seize, search and analyze the DNA of everyone,” attorney Michael Risher told the Ninth U.S. Circuit Court of Appeals in San Francisco. He said the voter-approved law allowing DNA testing after all felony arrests sacrifices privacy in exchange for questionable gains in identifying criminals. The three-judge panel questioned whether DNA sampling is a major invasion of privacy, but indicated that the California law may be vulnerable because of a year-old ruling in another case. Judge Milan Smith said DNA testing, taken with a swab from the inner cheek, is no more intrusive than fingerprinting and is “a really good way of identifying people.” He said Risher was asking government officials to be “Luddites (who) can’t use modern technology.” But Smith said the court is bound by the precedent of its June 2009 ruling in a case from Las Vegas. That 2-1 decision said police violated the constitutional ban on unreasonable searches when they extracted DNA from a man who was under arrest - but was not suspected of any other crimes - so they could enter it into a criminal database. If the California case is similar, “our hands are tied” and the court must overturn the law, Smith told Deputy Attorney General Daniel Powell, the state’s lawyer. [Source]

 

Health / Medical

 

CA – Privacy Breaches More Serious Than Arbitrators Realize: Dickson

Saskatchewan’s information and privacy commissioner and the Ministry of Health are troubled by the case of an arbitrator whose ruling reinstated a Saskatoon Health Region employee who had been fired after a breach of privacy. Privacy commissioner Gary Dickson addressed the issue in his annual report – released last week – in a section titled: Our health regions may be handicapped by arbitration decisions. He referred to two cases: the one in Saskatoon and one in the Regina Qu’Appelle Health Region. In both cases, employees who worked with health records, and who were responsible for training others to work with those records, improperly accessed them to view personal information about others. The health regions terminated them, but upon appeal, both employees were reinstated following arbitration decisions that found the penalty to be too harsh. Dickson would like to see arbitrators receive training on privacy considerations with electronic health records. With the continued movement from paper records to electronic ones, it’s crucial that the public has confidence in the system, Dickson said. [The StarPhoenix]

 

US – Private Practices Now Named on OCR Site

The Health and Human Services Office for Civil Rights (OCR) has unveiled on its breach notification Web site the names of “private practices” that have reported data breaches affecting 500 or more individuals. When the OCR launched the Web site in February, as required by the HITECH Act, it listed sole practitioners who had experienced large breaches of unprotected health information as “private practices.” But in April, the office proposed to make the posting of such breaches “routine use,” which allows OCR to post the information without first seeking the consent of those involved. [HealthLeaders Media]

 

US – Comment Period Begins This Week on New Proposed Rules

New proposed privacy and security rules for healthcare providers were put forward last week by the U.S. Department of Health and Human Services (HHS). The rules would expand Health Insurance Portability and Accountability Act (HIPAA) coverage to a broader group of providers and would limit the use of protected health information for marketing and fundraising. They would also expand individuals’ access and disclosure rights. “HHS strongly believes that an individual’s personal information is to be kept private and confidential and used appropriately by the right people, for the right reasons,” said HHS Chief Privacy Officer Joy Pritts. The agency will open a 60-day public comment period this week. [The Hartford Courant]

 

Horror Stories

 

US – ESRB Leaked Email Addresses of People Concerned About Online Privacy

An employee of a privacy group made a rookie mistake by sending a Reply-All email, and in doing so breached the privacy of the people who had emailed the group about their privacy concerns. It began when Blizzard recently proposed a Real ID implementation to expose identities on its forums. A public outcry occurred and Blizzard retracted the idea, proving the masses can still save privacy. Then, in a sad, sick twist of events, ESRB accidentally leaked all the email addresses of those who had contacted it to report their concern about online privacy. ESRB responded to the nearly 1,000 people who had emailed with complaints about Blizzard’s decision to implement Real ID. Unfortunately, instead of using the BCC feature, an ESRB employee seems to have committed a rookie mistake by hitting “Reply All.” The ESRB issued a statement apologizing to the nearly 1,000 privacy-minded people whose email addresses were exposed. [Source] See also: [Blizzard backs down after users voice privacy concerns] [Blizzard: post about StarCraft 2? Use your real name]

 

US – Missing CDs Hold Unencrypted Patient Data

More than 130,000 patients of New York’s Lincoln Medical and Mental Health Center are being notified that their personal information may have been compromised. A billing processor sent seven unencrypted CDs through FedEx, but the disks never arrived at their destination. The disks contain personal data, including Social Security numbers (SSNs), health plan numbers, driver’s license numbers and diagnostic and procedural codes and descriptions. In a June 4 letter to affected patients, the hospital wrote, “FedEx has suggested that the CDs likely became separated from their shipping envelope at one of its facilities, were swept up and destroyed.” [Computer World] [NYC.com]

 

US – University of Hawaii Manoa Parking Office Computer Breached

The University of Hawaii (UH) has sent notification letters to 53,000 people to let them know their personal information may have been compromised in a security breach this spring. The incident is believed to have taken place on May 30, but was not detected until June 15. The breach occurred on a server used by the UH Manoa campus parking office. The compromised data include names, SSNs, driver’s license numbers and credit card information. Those affected include faculty and staff members employed in 1998, and anyone else who conducted business with the UH Manoa campus parking office between January 1, 1998 and June 30, 2010. [Biz Journals] [DarkReading]

 

UK – Big Brother Row as ‘Food Police’ Secretly Photograph Schoolchildren’s Lunches

Teachers have used ‘Big Brother’ tactics to spy on children’s lunchboxes, it has been revealed. They secretly photographed pupils’ packed lunches over six months and analysed the contents. Staff awarded marks to the food and then showed their findings to outraged parents, offering them advice on how to improve nutrition. Education bosses have now put a stop to the scheme in Gloucestershire after discovering the extent of the surveillance. Nineteen primary schools have been using the ‘packed lunch toolkit’. [The Daily Mail]

 

WW – Foursquare Puts Money Before Privacy?

Foursquare, one of the net’s hottest startups, got an unwanted message on June 20 from a white-hat hacker: it was leaking user data on a massive scale in plain violation of its privacy policy. The company asked the white hat, Jesper Andersen, to give it nine days to deal with the problem that it was publishing all users’ location data to the entire web despite its privacy-policy promise to users that “You can opt out of such broadcasts through your privacy settings.” At the same time, the company was wrapping up a protracted and very public finance round that stalled for a while as the company reportedly almost sold itself to Facebook. So when the nine days were up, the company told Andersen in a private e-mail Tuesday morning that it had fixed the “privacy leak” (the company’s own words) by modifying how an existing privacy setting worked, and that it had no solution yet for two other privacy holes that Andersen also reported, saying it was trying to figure out how to balance usability with privacy. [Wired.com]

 

Identity Issues

 

IN – India Proposes Tighter Laws for National ID Project

The Indian agency assigned by the government to issue identity numbers has proposed stiff penalties, including imprisonment, for anybody found misusing personal biometric and other information that it collects. The UIDAI (Unique Identification Authority of India) has invited public comments by July 13 on the draft National Identification Authority of India Bill, 2010, which it has published on its Web site. The bill provides for the establishment of a National Identification Authority of India for the purpose of issuing identification numbers to individuals residing in India. The UID (Unique ID) system will provide an effective platform for targeted subsidy payments and for offering financial services to Indian people, Indian Minister of Finance Pranab Mukherjee said in February, while presenting the country’s annual budget in Parliament. The draft law, however, leaves a lot of concepts undefined, and does not directly address the issue of how the agency aims to protect the privacy of individuals, said a cyberlaw consultant and advocate in India’s Supreme Court. Because of its vagueness, it is difficult to tell now whether the draft law would come into conflict with the country’s Information Technology Act, amended in 2008, which is the country’s main law governing electronic information. [ITworld] See also: [South Korea: I-Pin falls short of addressing privacy woes]

 

US – Appeals Court Upholds Ruling in ID Theft Case

Anyone who uses false personal information to commit fraud can be found guilty of identity theft in Iowa, even if he didn’t know the information belonged to someone else, the Iowa Court of Appeals ruled this week. The decision stemmed from the arrest of an illegal immigrant, Jose Abel Garcia, who was caught using a California woman’s identification number in Marshall County. The ruling came one year after a unanimous U.S. Supreme Court opinion that required federal prosecutors to show that alleged identity thieves knew the stolen personal information belonged to a real person. The Supreme Court decision, Flores-Figueroa vs. United States, addressed the same conflict within federal law. A three-judge panel of the Iowa appeals court ruled only on the state identity theft statute, which differs from federal law. State law requires prosecutors to prove only that the information belonged to another person and was used in a fraud. “A ‘fraudulent’ use requires Garcia to know his use was illegitimate, but does not require him to know the identification was of another person,” Judge Larry Eisenhauer said in the opinion. [Des Moines Register]

 

CA – N.B. Newspaper Ordered to Name Commenter

A New Brunswick judge has ordered a Moncton newspaper to reveal the identity of an anonymous commenter after the person’s online post was considered defamatory by its target. The court order is part of a growing trend of judges siding with complainants and forcing media companies to turn over the names of people commenting anonymously on their websites, according to a law professor. The controversy started when Daryl Doucette, a Moncton firefighter, wrote a letter to the editor of the Moncton Times & Transcript in February criticizing a speed limit imposed on the province’s ambulances. [CBC News]

 

Intellectual Property

 

US – Anti-Piracy Practices Tied to Funding for Colleges and Universities

As of July 1, 2010, U.S. colleges and universities that receive Title IV federal aid are required to have anti-piracy procedures in place. Institutions of higher education have been plagued by their students’ use of the institutions’ generous bandwidth to download music and other digital media through file-sharing networks. The Higher Education Opportunity Act (HEOA) of 2008 requires that schools abide by a set of anti-piracy guidelines. The schools must provide students with information about copyright law and school policies regarding the violation thereof; the schools must employ technology-based deterrents to illegal filesharing over campus networks; and the schools must provide alternatives to illegal filesharing. [Source]

 

CA – Nova Scotia Court Orders New Trial Because Of Police Jury Vetting

The Nova Scotia Court of Appeal has ordered a new trial in a marijuana grow-op case because police conducted secret background checks on potential jurors to help the prosecution. The decision issued this week is the first time a court in Canada has ruled on what should happen as a result of improper jury vetting in a criminal trial. Halifax police and the local RCMP had run database checks on more than 300 potential jurors. The searches were wide-ranging and even disclosed if individuals had traffic tickets. In the end, police managed to pass on information about 223 people to the prosecution. The Crown who prosecuted the case maintained the background checks were to ensure potential jurors were impartial. The information obtained through the police search of confidential databases was not disclosed to the defence, because it was “trial preparation material,” the court was told. The explanation was rejected by the Nova Scotia Court of Appeal, which noted that the Supreme Court of Canada stressed nearly twenty years ago that a jury should not appear to favour one side over the other. “The failure to disclose the information, in the circumstances of this trial, gave the Crown an unfair advantage that actually impacted on the selection of the jury,” wrote Justice Duncan Beveridge, with Justices Nancy Bateman and Linda Oland concurring. [National Post]

 

Internet / WWW

 

WW – Facebook Privacy About-Face

Facebook has implemented a more transparent policy for how its users share personal information with third-party applications and websites. Now when users install a new application or login to a website through Facebook for the first time, they will see a permissions box letting them know what information the application or site wants permission to access. Applications and websites will automatically be permitted to access public portions of Facebook users’ accounts, but will have to obtain express permission to access information on private sections of the profiles. [ComputerWorld] [The Register] [Facebook blog]

 

CA – Facebook Class Action Spreads to Canada

Concerns about Facebook’s revised privacy settings have spread to Canada, in a class action in Quebec Superior Court. The class claims that Facebook subscribers own the information posted on their pages, and that Facebook “without proper communication” changed its terms of service to reveal its customers’ private information - even that of those who deleted their accounts. The class claims Facebook made money from its customers’ personal data by letting third parties use it for targeted advertising campaigns. The class claims that Facebook should not be allowed to reap the economic benefits of its “unlawful conduct” without giving its customers a slice of the pie. Similar class action lawsuits against Facebook have been filed in Toronto and Winnipeg. [Courthouse News Service]

 

CA – Facebook Class-Action Lawsuit Involves Nearly Half of All Canadians

Canada’s most popular social network is now the target of possibly the largest class-action lawsuit in the country’s history, in terms of the sheer number of people included. Facebook Inc. is the defendant in class-action proceedings filed by Merchant Law Group LLP in a Winnipeg court. The suit alleges Facebook users were duped by the social network when it made changes to privacy settings in November and December 2009. It accuses Facebook of taking part in “bait and switch” tactics with the goal of cashing in on users’ personal data. [itbusiness.ca] [Lawsuit says Facebook changes sold as making info secure had opposite effect]

 

WW – Google Acknowledges YouTube Hack

Malicious hackers attacked Google’s YouTube, exploiting a cross-site scripting (XSS) vulnerability on the ultra-popular video sharing site, hitting primarily sections where users post comments. The attack potentially put at risk the YouTube cookies of users who visited a compromised page, but it couldn’t be used to access their Google accounts, a Google spokesman said. As a precaution, YouTube users should log out of their account and log back in again. [IT World]

 

WW – Google Expands Suspicious Login Warnings to All Account Products

Google has expanded its suspicious activity warnings from Gmail to all Google Account products. In March, Google began alerting Gmail users when their accounts were accessed via IP addresses that appear out of the ordinary. The system works by associating the IP address used to access the account with a general geographic location. If the account is accessed from another geographic location, an alert is triggered. Users who receive alerts are not automatically locked out of their accounts; they will be allowed to change their passwords on the spot or dismiss the warning. The new alerts will appear on users’ Google Dashboards. [Information Week] [Ars Technica] [Google Public Policy]
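The location-based check described above, as an added example that is not Google’s code: constructed login records are mapped to a coarse region through an invented lookup table, and a login from a region the account has not used in the last 30 days raises a warning rather than a lockout. The dismiss() method models the user clearing the warning; the prefixes, regions, accounts and log format are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed lookup table standing in for a real IP-to-geolocation database;
# the prefixes (RFC 5737 documentation ranges) and the regions they map to
# are invented for this example.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US-CA"),
    (ip_network("198.51.100.0/24"), "US-NY"),
    (ip_network("192.0.2.0/24"), "RO-B"),
]

HISTORY_WINDOW_SECONDS = 30 * 24 * 3600  # how far back "usual" regions count


def region_for(ip: str) -> Optional[str]:
    """Map an IP to a coarse region, or None when the table has no entry."""
    addr = ip_address(ip)
    for net, region in GEO_TABLE:
        if addr in net:
            return region
    return None


@dataclass
class Alert:
    account: str
    ip: str
    new_region: str
    usual_regions: List[str]
    action: str = "warn"  # the user is warned, not locked out


class SuspiciousLoginMonitor:
    """Tracks the regions each account has recently logged in from."""

    def __init__(self) -> None:
        self._seen: Dict[str, List[Tuple[int, str]]] = {}

    def observe(self, account: str, ip: str, ts: int) -> Optional[Alert]:
        region = region_for(ip)
        # Keep only logins inside the window so stale regions age out.
        recent = [(t, r) for t, r in self._seen.get(account, [])
                  if ts - t <= HISTORY_WINDOW_SECONDS]
        usual = sorted({r for _, r in recent})
        alert = None
        # A first-ever login only sets the baseline, and an IP the table
        # cannot place has nothing to compare against, so neither alerts.
        if region is not None and recent and region not in usual:
            alert = Alert(account, ip, region, usual)
        elif region is not None:
            # Only non-alerting logins extend the baseline; an unfamiliar
            # region becomes usual only once the user dismisses the warning.
            recent.append((ts, region))
        self._seen[account] = recent
        return alert

    def dismiss(self, account: str, region: str, ts: int) -> None:
        """The user dismissed the warning: treat the region as usual."""
        self._seen.setdefault(account, []).append((ts, region))


def parse_login_line(line: str) -> Tuple[str, str, int]:
    """Parse a constructed log line of the form '<ISO-8601 UTC> <account> <ip>'."""
    stamp, account, ip = line.split()
    ts = int(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
             .replace(tzinfo=timezone.utc).timestamp())
    return account, ip, ts


def scan(lines: List[str]) -> List[Alert]:
    """Run the monitor over log lines in order and collect the warnings."""
    monitor = SuspiciousLoginMonitor()
    alerts: List[Alert] = []
    for line in lines:
        account, ip, ts = parse_login_line(line)
        alert = monitor.observe(account, ip, ts)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample login records (not real traffic).
SAMPLE_LOG = [
    "2010-07-01T08:00:00Z alice 203.0.113.5",   # alice's baseline: US-CA
    "2010-07-02T09:15:00Z alice 203.0.113.77",  # same region, no alert
    "2010-07-03T03:40:00Z alice 192.0.2.9",     # RO-B is unusual: warn
    "2010-07-03T10:00:00Z bob 198.51.100.1",    # bob's baseline: US-NY
    "2010-07-04T11:00:00Z bob 10.0.0.1",        # not in the table: no alert
    "2010-07-05T12:00:00Z bob 198.51.100.2",    # still usual for bob
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.account}: login from {a.ip} ({a.new_region}); "
              f"usual regions {a.usual_regions}; action={a.action}")
```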

 

AU – Google Apologizes for Wi-Fi Data Gathering in Australia

Australian Privacy Commissioner Karen Curtis has issued a statement saying that Google’s collection of personal information through unprotected Wi-Fi networks is a breach of the Australian Privacy Act. Google collected the extra data while gathering images and Wi-Fi location data for its Street View feature in countries around the world. While Australia’s Privacy Act does not allow Curtis to impose sanctions on Google, the company was ordered to apologize. Google has also agreed to allow any future Street View activity to be subject to a privacy impact assessment and will consult Curtis about future plans. [NZ Herald] [The Register] [SC Magazine] [Google.au]

 

Law Enforcement

 

CA – Identifying G20 Suspects Using Banks’ Software a Legal Risk, Police Told

Civil liberties groups are condemning as a legal “black hole” the Toronto Police Service’s plan to use the banking industry’s facial recognition software to help identify people on a G20 “most wanted” list. At a news conference this week, Detective Sergeant Gary Giroux released the photos of 10 suspects and said the force intends to work with the Canadian Bankers Association, which owns the software. The investigation would involve scanning thousands of digital images taken during the summit weekend protests, and police expect to release more suspect photos in the weeks to come. “The concern of Canadian Civil Liberties Association is the lack of experience of the judicial system with facial recognition software and the danger of many people being arrested based on a technology that has not been fully explored and tested in our legal system,” said CCLA general counsel. A spokesperson for the Office of the Privacy Commissioner of Canada said the agency has been following the G20 situation, but added that the federal government did not consult the commissioner on privacy issues relating to video surveillance prior to the event. [Source] [Opinion: G20 crackdown reeks of tyranny]

 

US – Oregon City Settles Suit Over Recording Of Arrest

An Oregon city has agreed to pay $19,000 to settle a federal lawsuit by a man the police arrested for using a cellphone to record the voice of an officer arresting a friend. Beaverton police Chief Geoff Spalding says it’s unlikely his officers would again arrest somebody for recording the voice of an officer, although he’s not ruling it out. A similar incident in Portland prompted city attorneys to advise the police that officers can’t seize cameras or arrest people for recording them in public, except in rare circumstances. The settlement comes almost two years after Beaverton police arrested Hao Xeng Vang, who used his cellphone to capture the arrest of one of his friends at the Valley Lanes Bowling Center in Beaverton. Vang made no attempt to hide his recording and even narrated what he was capturing, said his attorney, Kevin Lucey. After about 10 minutes, Officer Jason Buelt seized Vang’s phone and arrested him. The city returned the phone in October, but the recording was deleted. Lucey said officials made copies. After an investigation, Spalding said, Buelt was disciplined for deleting the recording, but Spalding declined to provide details. Buelt is now a detective. Prosecutors dropped the case against Vang on the grounds the audio quality was so poor it might not have qualified as a violation of the law. Beaverton city lawyers wrote two memos saying that in most encounters with residents police don’t have an expectation of privacy and they should assume they are being recorded. [The Associated Press]

 

Location

 

US – Privacy Breach Reveals Network Users’ Locations

Internet site Foursquare published a notice about a privacy breach that shared all users’ location information across the Web, regardless of whether they had chosen to opt out of such broadcasts through their privacy settings. The location-based social network was made aware of the data breach on June 20 by “white-hat hacker” Jesper Andersen, the report states, and asked Andersen to give it nine days to address the issue. According to the report, Foursquare sent Andersen an e-mail Tuesday morning that it had fixed that “privacy leak” but had not yet solved two other issues Andersen raised and “was trying to figure out how to balance usability with privacy.” [Wired]

 

Offshore

 

WW – APEC Launches New Privacy Enforcement Initiative

The Asia-Pacific Economic Cooperation (APEC) has launched an initiative to help boost consumer trust in e-commerce by fortifying enforcement of regional data privacy laws. The APEC Cross-border Privacy Enforcement Arrangement (CPEA) will serve as a platform for authorities to engage in information sharing, evidence collection and complaints handling, among other imperatives. Its participants include the Office of the Privacy Commissioner of Australia, the Office of the Privacy Commissioner of New Zealand and the U.S. Federal Trade Commission (FTC). The announcement follows the recent establishment of the Global Privacy Enforcement Network (GPEN). Yael Weinman of the U.S. FTC told the Daily Dashboard that while the GPEN “is a less formal, global network designed to facilitate cooperation among its participants,” the CPEA “is a more structured regional arrangement, setting out specific procedures and mechanisms for cooperation among participating privacy enforcement authorities in APEC member economies.” [ZDNet]

 

Online Privacy

 

WW – Researchers Find Privacy Flaws in Chatroulette

University researchers say that users of the popular video-chat site Chatroulette.com may not be as anonymous, or as private, as they think. In a paper posted online this week, researchers from the University of Colorado at Boulder and McGill University outline three different types of attacks that could be launched against Chatroulette users. Founded just last year by 17-year-old Russian entrepreneur Andrey Ternovskiy, Chatroulette links Web surfers randomly into one-on-one video chat conversations. The site has come under fire, however, because of nudity and inappropriate behavior. The new research doesn’t expose any gaping privacy holes, but it does show how the service could be misused by determined criminals. [IDG News]

 

CN – New Chinese Law Says No to “Human Flesh” Search

The newly enacted Tort Liability Law grants legal rights to people whose reputation or privacy has been damaged by online character assassination. It also holds Internet service providers accountable if they are aware of the malicious intent of anonymous attackers but fail to stop the infringement. “Human flesh” search is a loose term for thousands of anonymous Internet users who work together as self-styled detectives. They track down and harass people they disagree with by exposing their personal information online. On February 28, 2006, a netizen posted a video clip depicting a woman in trendy clothes trampling a kitten with her high-heeled shoes. It soon triggered outrage among other netizens. A human flesh search was initiated and, four days later, the woman’s personal information was exposed online. A month later, a netizen told a story of his wife’s betrayal. He claimed his wife had had a one-night stand at an offline event with a man called Bronze Beard. The post triggered another human flesh search. In the end, Bronze Beard’s real name, his photo, his mobile phone number and even his primary school records were published online. In both cases, the victims of the human flesh search had no legal means to fight back. But from today, their right to privacy will be guaranteed by the Tort Liability Law. A provision of the new law stipulates that Web users and Internet service providers are legally responsible if they use the Internet to maliciously attack innocent victims and compromise their personal information. Victims have the right to demand the deletion of such posts. Internet service providers who are aware of such posts but fail to comply with the victim’s request will be held responsible. The victims are then entitled to compensation from the abusers. [People’s Daily]

 

Other Jurisdictions

 

MX – Mexico’s Data Protection Law Takes Effect

Effective Tuesday, July 6, Mexico has a new “Federal Data Protection Law” published in the Federal Journal of the Federation. This new law regulates the legitimate collection, processing and disclosure of personal data held by the private sector. Its purpose is to ensure that the privacy and the right to informational self-determination of individuals are guaranteed. On April 27, the Mexican Congress unanimously approved the Federal Data Protection Law. With the Federal Data Protection Law, the current Federal Institute of Access to Public Information changes its name to the Federal Institute of Access to Information and Data Protection. Therefore, from now on this institute will expand its oversight powers to cover the private sector, in addition to government entities. [Source]

 

UA – New Law on Personal Data Protection in Ukraine

On 1 June 2010 the Ukrainian Parliament finally adopted the Law On Personal Data Protection (the “Law”). The Law will become effective from 1 January 2011, and offers protection of personal data collected, accumulated, processed and used for purposes other than private and/or certain professional needs. The Law expressly exempts from its ambit the creation of personal data databases and the processing of personal data in such databases by (i) individuals for their personal or household needs; (ii) journalists in connection with their professional activities; and (iii) professional artists, writers and similar persons for the purposes of their creative activity. The Law introduces a definition of personal data as any data or combination thereof on an identified or identifiable individual. Any personal data (except depersonalized data) is deemed to be information with restricted access and may not be processed without the consent of the individual concerned, except (i) when it is explicitly provided for by law, and (ii) where the data is necessary for the purposes of maintaining national security or economic welfare and for the protection of human rights. Furthermore, any personal data on an individual who is willing to occupy any public office within the system of the national government is not deemed information with restricted access. In addition, the Law prohibits disseminating personal data for any purpose other than the purpose of the original collection of such data. The Law further sets out a mandatory requirement to register any personal data database in the State Register of Personal Data Databases. For that reason, a separate state authority is yet to be created by the government. [Mondaq News]

 

MY – Malaysia Decision to Bar Agencies from Keeping Personal Data Welcomed

Various quarters have welcomed the government’s decision to bar credit reference agencies from keeping personal data without permission. A Federation of Malaysian Consumers Associations (Fomca) advisor said companies that keep personal data should delete it. “It is strange how they (credit reference agencies) know our addresses and personal data although we have never dealt with them. This is a cause for concern on individual security,” he added. He was commenting on the proposed creation, by January next year, of a commission under the Personal Data Protection Act 2009 aimed at regulating the processing of individuals’ personal data. Muslim Consumers Association of Malaysia (PPIM) executive secretary Datuk Paduka Nadzim Johan said rampant use of personal data without the knowledge of individuals violated the Privacy Law. The Transport Workers Union (TWU) secretary-general said only the government was entitled to keep personal data, while private companies could only obtain it after seeking permission from the government. [The Malay Mail]

 

Privacy (US)

 

US – Anonymous Group Leaks Personal Information of Alleged Illegal Immigrants in Utah

The personal information of 1,300 people who an anonymous group claims are illegal immigrants is circulating in Utah and authorities want to know whether any state employees are responsible. The list, which includes names and SSNs, was sent to media outlets, police, immigration agencies and others this week. Also included are birth dates, workplaces, addresses and phone numbers. There are even the names of children and the due dates of pregnant women on the list. A letter accompanying the list demands that those named on it be deported immediately. Gov. Gary Herbert has asked state agencies to investigate the source of the list. A spokesman for Utah’s Department of Workforce Services said the probe has been given “high priority.” Most of the names on the list are of Hispanic origin. [Source] [Governor orders investigation into immigrant list]

 

US – Possible Sale of Gay Teen Database Sparks Privacy Fears

A row has erupted in the United States centring on the ownership of a gay teenagers’ database. The owner of XY Magazine and its associated website - which catered for young homosexual boys - filed for bankruptcy earlier this year. XY’s creditors have applied for the firm’s one remaining valuable asset: its database of one million users. But the FTC has expressed its concerns and said the sale “could violate Federal law”. [BBC News]

 

US – Classmates.com Asks Judge to Dismiss Privacy Lawsuit: “Info Was Public”

Reunion site Classmates.com is asking a federal judge to dismiss a lawsuit alleging that the site violated users’ privacy by revising its default settings to make users’ information accessible via Facebook, iPhone apps, and other third-party services. In a motion arguing that the case should be dismissed, Classmates.com says that users’ profile information was available to other Web users before its change in terms. “All Classmates.com users are made aware that their profile information is (and always has been) publicly accessible by anyone with Internet access,” the company says in papers filed in federal district court in Seattle. “The only limitation to accessing that information prior to the feature changes at issue in this lawsuit was immaterial: from a technological standpoint, Internet users had to land on the Classmates.com Web site to view the information.” The privacy lawsuit, filed earlier this year by plaintiffs Ferguson and Fahy, alleges that the company’s revisions to its privacy policy in January could expose members to “a panoply of harms,” including identity theft, harassment and stalking. The plaintiffs now oppose Classmates’ motion to dismiss the case, arguing that most profile information was only available to other Classmates.com members – “within the Internet equivalent of a gated community” – before the recent announcement about the change in terms. “In late 2009, Classmates devised a plan to throw open these gates, and provide members’ personal information to persons Classmates does not know, and cannot track, such as users of Facebook or mobile devices such as the iPhone,” they argue in papers filed with the court last week. Ferguson and Fahy allege that Classmates broke its contract with users by changing its privacy policy and default settings on an opt-out basis. But the company contends that it didn’t violate its contract with users because its original privacy policy said it reserved the right to change its practices at any time.
Ferguson and Fahy counter that a clause allowing Classmates to change its privacy terms at will is not valid. “If Classmates has carte blanche to decide any day that [it] is not bound by any of the contract provisions that comprise the privacy policy, then there is no contract – it is completely illusory,” they argue. [Source]

 

CA – Sovereignty up in the Air

Canadians’ right to travel will be up to U.S. Homeland Security if a Conservative bill is passed in the last days of this parliamentary session. Bill C-42 would let airlines hand passenger information to other countries if a flight is to pass through their airspaces. Since flights to Mexico pass over the U.S., Homeland Security would have access to your personal information and travel plans. The Canadian government is responding to a U.S. request. Homeland Security protocols call for airlines to submit names, birth dates and gender of passengers 72 hours before departure. It runs the information through U.S. government databases; if it has concerns you could be questioned, delayed or barred from travelling. European countries have vowed to fight the U.S. proposal. Canada is ready to acquiesce. [The Victoria Times Colonist]

 

US – CDT Files Privacy, Credit Complaint Against Spokeo.com

The Center for Democracy and Technology has filed a complaint against people-search service Spokeo with the U.S. FTC, alleging that the Web site contains inaccurate information and violates a consumer credit protection law. Spokeo.com has billed itself as a resource for human-resources professionals, job recruiters and police, but the site contains “significant inaccuracies,” according to the complaint. The site says it offers information on the credit ratings, investments, incomes and mortgage values of millions of U.S. residents, but does not offer the consumer protections required by the Fair Credit Reporting Act (FCRA), said CDT. Spokeo’s credit estimates are “based on absolutely nothing, as far as we can tell.” The site does not give consumers access to the data used in Spokeo’s credit conclusions, does not inform consumers of adverse determinations based on that data, and does not give them an opportunity to learn who has accessed their profiles, as required by the FCRA. CDT’s complaint said it found significant inaccuracies in “every single profile” that Spokeo published about the organization’s employees. A Spokeo search on one IDG News Service employee found an incorrect telephone number, incorrect marital status, incorrect occupation, and an incorrect home value. CDT wants new government rules giving consumers more information about the personal data that all data brokers hold, but said Spokeo is a “particularly bad example” of data broker practices. [PC World]

 

US – USPS Gets High Privacy Trust Score

A Ponemon survey of 9,000 U.S. adults found the U.S. Postal Service to be the most trusted government agency, with the Federal Trade Commission and Internal Revenue Service coming in second and third. According to the study, overall privacy trust scores for the government are at 38%, down from 52% in 2005. Respondents revealed that their top governmental privacy concerns include “surveillance into personal life,” “loss of civil liberties” and “monitoring of e-mails and Web.” [Federal Computer Week]

 

Security

 

US – Manning Copied Stolen Data Onto CDs

Pfc. Bradley E. Manning, the US Army intelligence analyst accused of stealing more than 150,000 diplomatic cables and secret video footage and leaking them to the Internet, copied the data to CDs. While the US military had banned removable storage devices to cut down on the possibility of data theft and malware infection, writable CDs were not on the list of prohibited media. Manning allegedly used CDs labeled with album titles and pretended to sing along to music while he was downloading the information. [New York Times]

 

US – DHS Announces Dramatic Expansion of Airport Body Scanner Program

On July 20, 2010, the Department of Homeland Security announced a substantial change in the deployment of body scanners in US airports. According to the DHS Secretary, the devices, which had once been part of a pilot program for secondary screening, will now be deployed in 28 additional airports. The devices are designed to capture and store photographic images of naked air travelers. EPIC has filed an emergency motion in federal court, urging the suspension of the program and citing violations of several federal statutes and the Fourth Amendment. Public opposition to the program is also growing. For more information, see EPIC v. DHS (Body scanners) and EPIC Body Scanners.

 

US – EPIC Sues to Block Airport Scanners

The Electronic Privacy Information Center (EPIC) has sued the Department of Homeland Security in federal court for an emergency stay of the airport body scanner program. According to the court filing, EPIC asserts that the Transportation Security Administration’s (TSA) program violates the federal Privacy Act, the Religious Freedom Restoration Act, the Administrative Procedure Act and the Fourth Amendment. Despite earlier claims that the scanners are “configured to prevent TSA officers from storing or retaining any images,” EPIC says government records show that “the TSA required that the devices be able to store and record images of naked air travelers.” [USA Today] [EPIC complaint]

 

AE – Body Scanners Will Not Be Used at Dubai Airports: Reports

Dubai will not be using full-body scanners in either of its two airports, in order to protect passengers’ privacy, a top Dubai airport police official said. Full-body scanners will not be used in Dubai airports as they “contradict Islam, and out of respect for the privacy of individuals and their personal freedom,” Al-Bayan daily quoted Brigadier Pilot Ahmad Mohammad Bin Thani, head of Dubai police’s general department of airport security, as saying. “The scanners will be replaced with other inspection systems that reserve travellers’ privacy,” it cited him as saying. However, the English-language daily said that Dubai’s airports “are considering the use of face recognition cameras to enhance security.” [Source]

 

Surveillance

 

US – NSA Denies It Will Spy on Utilities

The NSA is denying a report from the Wall Street Journal that a secret program code-named “Perfect Citizen” will monitor civilian networks. The denial came in a rare public statement by the ultra-secret agency responsible for spying on outsiders and defending classified networks. The NSA, as a wing of the military, is largely prohibited from operating within the U.S. The Journal reported that defense contractor Raytheon had won a $100 million contract that would involve placing sensors in the networks of “critical infrastructure” such as utilities and nuclear power plants; the sensors would report anomalies to the NSA via a partnership with Homeland Security. But in a statement put out by NSA spokeswoman Judith Emmel, the agency denies that there is any monitoring activity and calls on the public to trust the NSA’s adherence to the law (despite the Bush-era warrantless wiretapping to the contrary). The NSA did, however, confirm the creepy code name. [Wired]

 

US – NSA Says Perfect Citizen is Not a Monitoring Program

The US National Security Agency has acknowledged the existence of the “Perfect Citizen” program, but disputed claims made in a Wall Street Journal article last week that it is a secret system designed to monitor government and private networks. Instead, according to a written statement from an NSA spokesperson, the program is a research and development (R&D) initiative. “Perfect Citizen is purely a vulnerabilities-assessment and capabilities-development contract .... There is no monitoring activity involved, and no sensors are deployed in this endeavor.” [WIRED] [PC Mag]

 

IN – Indian Government Seeks Access to Skype and BlackBerry Communications

The Indian government is seeking to ensure that it will have access to the content of communications sent over Gmail and the Skype and BlackBerry networks in a readable format. The government wants the power to access communications as a means to combat terrorism. Skype and BlackBerry parent company RIM have been given two weeks to comply, or they could find themselves banned in India. [PC World] [Business Standard] [Economic Times] [The Hindu Businessline] [Asia CNET]

 

EU – Italy Wiretap Bill Undermines Freedom: UN Expert

A UN human rights expert urged Italian Prime Minister Silvio Berlusconi’s government to drop plans to curb wiretapping, saying such a move could undermine freedom of expression. “I am aware that the draft law has been put forward due to perceived concerns regarding implications of publicising wiretapped information to the judicial process and the right to privacy,” said Frank La Rue, the UN Special Rapporteur on the freedom of expression. “However, the draft law in its current form does not constitute an appropriate response to such concerns, and poses threats to the right to freedom of expression.” Under the proposed bill, editors or journalists who publish transcripts of wiretaps can be fined up to 464,700 euros. Anyone not accredited as a journalist can face up to four years in jail for recording a conversation without the consent of the person involved and publicising such information, noted La Rue. “Such a severe penalty will seriously undermine all individuals’ right to seek and impart information in contravention of the International Covenant on Civil and Political Rights to which Italy is a party,” said La Rue. He also described the penalties as “disproportionate to the offence.” The UN expert asked the government to “refrain from adopting the draft law in its current form, and to engage in meaningful dialogue with all stakeholders, in particular journalists and media organizations, to ensure that their concerns are taken into account.” The controversial bill sparked a news blackout last Friday as journalists went on strike. It has also been criticised by the Organization for Security and Co-operation in Europe, which said it “could seriously hinder investigative journalism in Italy.” Italy’s centre-right government says the measure is necessary for the protection of privacy, citing frequent leaks in the media of wiretap transcripts – notably involving Berlusconi himself. [Expatica.com]

 

UK – Privacy Campaigners Blast Brit Mikes on Street Lampposts ‘Snooping’ Project

British privacy campaigners have condemned reports that council officials are using high-powered spy microphones on street lampposts to listen in on private conversations. The microphones, connected to CCTV cameras, can recognize aggressive “trigger” words and sounds, then automatically direct cameras to zoom in on the speakers. According to reports, the Sigard system has been tested in London, Manchester, Birmingham, Glasgow and Coventry. The new devices come to light just days after around 200 cameras with number plate recognition software in Birmingham were mothballed after it was revealed that the project was a counterterrorism initiative. Privacy campaigners said that the surveillance system is another erosion of personal freedom. Dylan Sharpe, from Big Brother Watch, said: “There can be no justification for giving councils or the police the capability to listen in on private conversations. There is enormous potential for abuse, or a misheard word, causing unnecessary harm with this sort of intrusive and overbearing surveillance”. [Source]

 

UK – Police Number Plate Recognition Camera Rules Tightened

Police cameras that record motorists’ movements must be more tightly regulated, UK Home Secretary Theresa May has ordered. The 4,000-strong automatic number plate recognition (ANPR) network logs more than 10 million vehicles every day. The government is to look at limiting access to the database of 7.6 billion images, details of number plates and the date, time and place of capture. Privacy campaigners said restrictions on the ANPR network were long overdue. [BBC News]

 

WW – Apple Faces Privacy Questions from US Legislators and German Justice Minister

US legislators are questioning Apple about recent changes to its privacy policy. On Monday, June 21, the Los Angeles Times reported that a paragraph had been added to Apple’s privacy policy that appears to allow Apple and unnamed “partners and licensees” to collect and store real-time geographic location data of users’ Apple devices. Apple has been gathering location data since 2008, but just recently moved notification of the activity from End User License Agreements (EULAs) on individual products to its general privacy policy. Customers must agree to the terms before being permitted to download applications or other media from the Apple iTunes store. In a letter to Apple, Representatives Edward J. Markey (D-Mass.) and Joe Barton (R-Texas) said that “given the limited ability of Apple users to opt out of the revised policy and still be able to take advantage of their Apple products, we are concerned about the impact the collection of such data could have on the privacy of Apple’s customers.” The legislators have given Apple until July 12 to respond to the letter. Germany’s justice minister has indicated that she is concerned about Apple’s data collection practices for new iPhone owners. Sabine Leutheusser-Schnarrenberger has asked Apple to tell German data protection officials what kind of data it collects, how long it is stored and why it is being collected and stored. [Dark Reading] [NY Times] [LA Times] See also: [German Minister Calls for Internet Code of Honor]

 

Telecom / TV

 

CA – Do-Not-Call Fines Total $73,000; Only $250 Collected

Critics say the national do-not-call list is a sham and should be scrapped after figures suggest there is little enforcement despite more than 300,000 complaints against unwanted telemarketers. Responding to a query by Liberal Senator Percy Downe, the federal government said it has imposed $73,000 in fines in less than two years - but collected only $250 as of March 1. “It is a colossal disappointment,” said Dan McTeague, one of the Liberal MPs who first drafted do-not-call legislation when he was a member of Jean Chretien’s government in the late-1990s. “The reality is that expectations of the legislation have not been met,” said McTeague, now the Opposition consumer affairs critic. He called the list “a very hollow and very empty promise to provide consumers with a modicum of assurance the list would be respected.” “It’s up to Parliament now to scrap the legislation to begin anew. This is clearly not worth the paper it is written on.” [Metro News]

 

US – Fight Against Telco Immunity Continues in Court of Appeals

Continuing its efforts to seek judicial review of AT&T’s involvement in the National Security Agency’s warrantless wiretapping of millions of Americans, EFF has filed the final brief in the 9th Circuit Court of Appeals challenging the retroactive immunity provision of the FISA Amendments Act. The brief explains the chief constitutional problem with the law: Congress improperly gave the Attorney General the ability to selectively repeal laws passed to protect telecommunications customers from surveillance, as well as to remove the protection of the Constitution from their communications and communications records. EFF filed the brief in conjunction with the ACLU offices in California and Illinois, on behalf of the 32 pending lawsuits against various telecommunications companies allegedly involved in the spying. The next step will be for the court to schedule an oral argument, likely sometime in the next year. While the specific legal arguments in the brief are somewhat technical, the basic observation is not: under our Constitution, it is Congress that must make and repeal the laws, and it cannot outsource that duty to the Attorney General. Key briefs filed in the appeal: Opening Brief | Opposing brief from the government | Opposing brief from the telcos | Reply brief [Source: EFF.org]

 

AU – Australia Introduces Internet Industry Code of Practice

Australia’s proposed Internet Industry Code of Practice would help mitigate the threat posed by computers that have been compromised and have become part of a botnet. The code was written by the Australian Internet Industry Association, the Department of Broadband, Communications and the Digital Economy, and the Attorney-General’s Department. The voluntary code provides a framework to help ISPs inform, educate and protect their users. [FCW]

 

UK – ISPs Challenge Digital Economy Act

Two UK Internet service providers (ISPs) are challenging the country’s Digital Economy Act. The companies want the High Court to determine the legislation’s legality before it takes effect. The ISPs maintain that the bill was rushed through Parliament just prior to the general election and therefore received “insufficient scrutiny;” there was not adequate time to hash out the bill’s content or the implications of its provisions. The bill requires that ISPs disconnect persistent illegal filesharers from the Internet and allows copyright holders to block access to sites that host illegal content. The bill does have a measure that would require additional legislation and consultation before the disconnect provision could be implemented. Europe’s e-commerce directive established that ISPs are merely conduits and are not to be held liable for the traffic’s content. [BBC News]

 

US – State Attorneys General Press Google on Street View Scandal

Connecticut Attorney General Richard Blumenthal announced in a press release that 38 states and the District of Columbia are seeking additional information about Google’s collection of Wi-Fi data from private, residential computer networks. Blumenthal also sent a letter to Google, asking for information about Google’s packet-sniffing software, the testing and review procedures, and the internal investigation of the code that “accidentally” recorded unencrypted Wi-Fi traffic in 30 countries over a three-year period. In May, EPIC wrote to the Federal Communications Commission and recommended an investigation, noting that the collection of Wi-Fi data likely violates several federal privacy laws. Google has since suspended its Wi-Fi data collection activities. For more information, see EPIC: Street View Investigations.
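To make concrete what “unencrypted Wi-Fi traffic” means at the frame level, here is an added example (not code from this page, from Google, or from any of the investigations) that parses constructed 802.11 frames using only Python’s standard library. It shows the distinction the investigations turn on: beacon and probe frames are always sent in the clear, so SSIDs and MAC addresses are observable on every network, whereas the body of a data frame is readable to a passive sniffer only when the Protected Frame bit is clear, i.e. on an open network. The BSSID, station addresses and the placeholder IP payload are constructed for the example and correspond to no real network.

```python
import struct

# Added example: MAC-layer view of what a passive 802.11 sniffer can read without keys.
# All frames below are constructed; none is Google's code or a real capture.

LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP header preceding the EtherType in 802.11 data
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame: bytes) -> dict:
    """Parse one raw 802.11 frame (no radiotap header) and report what a passive
    sniffer learns from it without holding any key material."""
    if len(frame) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    fc = struct.unpack_from("<H", frame, 0)[0]            # Frame Control is little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    info = {
        "type": FRAME_TYPES[ftype],
        "subtype": subtype,
        "protected": bool(flags & 0x40),   # Protected Frame bit: WEP/TKIP/CCMP applied to the body
    }
    if ftype == 1:
        return info   # control frames (ACK, RTS, CTS, ...) have short headers and no body
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    addr1, addr2, addr3 = (_mac(frame[i:i + 6]) for i in (4, 10, 16))
    to_ds, from_ds = bool(flags & 0x1), bool(flags & 0x2)
    hdr_len = 24
    if ftype == 2:
        if to_ds and from_ds:
            hdr_len += 6      # 4-address (WDS) frame carries Addr4
        if subtype & 0x8:
            hdr_len += 2      # QoS Data subtypes carry a 2-byte QoS Control field
        # Which address is sender/receiver depends on the To-DS / From-DS bits
        if to_ds and from_ds:
            info["src"], info["dst"] = _mac(frame[24:30]), addr3
        elif to_ds:
            info["src"], info["dst"] = addr2, addr3   # station -> access point
        elif from_ds:
            info["src"], info["dst"] = addr3, addr1   # access point -> station
        else:
            info["src"], info["dst"] = addr2, addr1   # ad-hoc (IBSS)
    body = frame[hdr_len:]
    if ftype == 0:
        # Management frames are never encrypted (pre-802.11w), so SSID and BSSID are
        # visible on every network. Beacon (8) and Probe Response (5) carry 12 fixed
        # bytes (timestamp, interval, capability) before the tagged parameters; a
        # Probe Request (4) starts with the tags directly.
        info["bssid"] = addr3
        fixed = {8: 12, 5: 12, 4: 0}.get(subtype)
        if fixed is not None and len(body) >= fixed + 2:
            if fixed == 12:
                cap = struct.unpack_from("<H", body, 10)[0]
                info["privacy"] = bool(cap & 0x0010)   # capability Privacy bit: encryption required
            tag_id, tag_len = body[fixed], body[fixed + 1]
            if tag_id == 0:                              # element ID 0 is the SSID
                info["ssid"] = body[fixed + 2:fixed + 2 + tag_len].decode("utf-8", "replace")
    elif ftype == 2 and not info["protected"] and body.startswith(LLC_SNAP) and len(body) >= 8:
        # Open network: the EtherType and the whole IP datagram behind it are plaintext
        info["ethertype"] = struct.unpack_from("!H", body, 6)[0]
        info["payload"] = body[8:]
    return info


def plaintext_payloads(frames):
    """(src, dst, payload) for every data frame a passive capture can read without
    keys: the 'payload data' at issue in the Street View collection."""
    return [(p["src"], p["dst"], p["payload"])
            for p in map(parse_80211, frames) if "payload" in p]


# Constructed sample capture (hypothetical addresses)
BSSID = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
GATEWAY = bytes.fromhex("000c29abcdef")
BROADCAST = b"\xff" * 6


def _beacon(ssid: bytes, capability: int) -> bytes:
    return (bytes.fromhex("8000") + b"\x00\x00" + BROADCAST + BSSID + BSSID + b"\x00\x00"
            + b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", capability)
            + bytes([0, len(ssid)]) + ssid)


OPEN_BEACON = _beacon(b"CoffeeShop", 0x0001)   # ESS only: open network
WPA_BEACON = _beacon(b"HomeAP", 0x0011)        # ESS + Privacy bit set
PLACEHOLDER_IP = b"<constructed IPv4 datagram, e.g. an HTTP request>"
PLAIN_DATA = (bytes.fromhex("0801") + b"\x00\x00" + BSSID + STA + GATEWAY + b"\x10\x00"
              + LLC_SNAP + b"\x08\x00" + PLACEHOLDER_IP)          # To-DS, Protected bit clear
PROTECTED_DATA = (bytes.fromhex("0841") + b"\x00\x00" + BSSID + STA + GATEWAY + b"\x20\x00"
                  + b"\x01\x00\x00\x20\x00\x00\x00\x00"           # CCMP header (PN, ExtIV, key id)
                  + b"\x13\x37" * 12)                             # opaque ciphertext + MIC
CAPTURE = [OPEN_BEACON, WPA_BEACON, PLAIN_DATA, PROTECTED_DATA]

if __name__ == "__main__":
    for f in CAPTURE:
        print(parse_80211(f))
    print(plaintext_payloads(CAPTURE))
```

Run as written, the script reports the SSID and BSSID for both beacons (with `privacy` False for the open network and True for the WPA one), a readable EtherType and payload for the unprotected data frame, and only header fields for the CCMP-protected frame. A sniffer that wants nothing but network identifiers can keep management frames and drop data frames outright; retaining data frames whose `protected` flag is clear is what turns a Wi-Fi survey into payload collection.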

 

US Government Programs

 

US – NSA Developing Network Attack Monitoring Program

According to a report in the Wall Street Journal, the US National Security Agency (NSA) is developing a program, dubbed “Perfect Citizen,” to monitor computer networks for attacks against government agencies and private organizations that support the country’s critical infrastructure. While the program has generated support among some, others have expressed concern about its intrusion into domestic affairs. The program would establish sensors across the networks that would trigger alarms when evidence of a cyber attack is detected. It would focus on older networks that were not developed with Internet access or security in mind. The government cannot compel private companies to deploy the sensors, but would reportedly offer incentives for companies to participate in the program. [CNET] [PC World] [eWeek] See also: [GAO Says White House Office Needs to Step Up Cybersecurity R&D Leadership]

 

US – DHS Shares Privacy Expertise in New Handbook

DHS’s Privacy Office has released its guide to protecting privacy in order to share its approach with other agencies and the public. DHS says the document “not only describes the wide-ranging activities of the [Privacy] Office, but also explains how the office works to build a privacy culture at DHS.” DHS says it hopes the guide will help others understand its privacy program, which it describes as “one of the leading . . . programs within the federal government.” The guidebook outlines the numerous strategies DHS employs to minimize its impacts on citizens’ privacy, such as frequent certifications to ensure that all personally identifiable information (PII) is secure and “accurate, relevant, timely, complete and reduced to the minimum necessary.” The department’s efforts also include mandatory privacy training for all employees and contractors. DHS has also made multiple additional training sessions available to instill in workers what it calls a “culture of privacy.” In addition to privacy protection policies, the guidebook also spells out the department’s response to complaints of privacy breaches. DHS has a dedicated Complaint Tracking System (CTS) that documents “the name of the complainant, type of complaint, and other pertinent data” for each individual grievance. Complaints are then categorized, reviewed and acted upon when necessary. [Federal News Radio] [DHS Guide to Implementing Privacy]

 

US – Home Address to be Omitted from Ohio Vehicle Registration Forms

Ohio’s vehicle registration forms, often kept in glove compartments to provide on request to law enforcement, will no longer include owners’ home addresses, under legislation signed into law by Gov. Ted Strickland last month. The governor’s action came after the Ohio House and Senate OK’d House Bill 50, sponsored by Rep. John Domenick, a Democrat from Smithfield. The legislation was offered after an incident in central Ohio in which a man stole a car and used address information he found in the vehicle to drive to the owner’s home, where he killed a woman and kidnapped a youngster. The new law requires the Ohio Bureau of Motor Vehicles to provide a supplemental portion to vehicle registration paperwork that does not include home address information. The supplemental portion can then be kept in vehicles, “without the fear that their personal information could be stolen,” according to Lindsey Bohrer, spokeswoman for the Bureau of Motor Vehicles. The new registration forms will be available in early September. [The Daily Record]

 

US Legislation

 

US – Groups Call on FTC to Propose Privacy Law

Seventeen advocacy groups have asked the Federal Trade Commission (FTC) to propose a new privacy law to give consumers “meaningful safeguards and control of their personal information.” In a letter to FTC Chairman Jon Leibowitz, the groups, including the ACLU, Center for Digital Democracy, Electronic Frontier Foundation and PIRG, said “Privacy law in the United States is in disarray,” and “Existing laws don’t adequately address new business practices.” Specifically, the coalition wants the FTC to “set out specific regulations for the collection of information by the online advertising industry to help ensure that consumers have some meaningful control over their personal information.” [MediaPost]

 

US – New York Ends “Stop and Frisk” Data Collection

New York Governor David Paterson signed a bill into law last week requiring the NYPD to expunge the names and addresses in a database of people who had been stopped and questioned by police but never charged with any crimes. In signing the bill, Governor Paterson said that “simple justice as well as common sense suggest that those questioned by police and not even accused of a crime should not be subjected to perpetual suspicion.” For more information, see EPIC New York Stop-and-Frisk Database