ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

DATA BREACH—AUSTRALIA

Telco Sends Wrong Info to 220,000 (October 29, 2010)

Australian Telco Telstra discovered last Friday that it had sent 220,000 letters containing customers' personal details to incorrect recipients. The letters included names, phone numbers, telephone plan details and, if applicable, references to pensioner discounts, reports the AAP. Telecommunications watchdogs are looking into the breach. Teresa Corbin of the Australian Communications Consumer Action Network said that Telstra must ensure "every customer affected has the problem resolved to their complete satisfaction," while Australian Communications and Media Authority Chairman Chris Chapman said, the "incident appears to be a mistake on Telstra's part," adding, "criminal provisions are very unlikely to apply." Privacy Commissioner Timothy Pilgrim has also launched an investigation.
Full Story

PRIVACY—AUSTRALIA

NITAC Created To Advise ASIO on Wiretaps (October 29, 2010)

The National Interception Technical Assistance Centre (NITAC) has been created to help the Australian Security Intelligence Organisation (ASIO) deal with the technological and legal problems of wiretapping and online communications, reports ZDNet. ASIO said during the two-year pilot program, NITAC will advise agencies and identify future requirements for all telecommunications interceptions. The report notes a similar UK program that intercepted and decrypted electronic data and says if NITAC mirrors the UK program, it could play a role in the government's data retention proposal currently being considered by the Attorney General's Office.
Full Story

TRAVELLERS’ PRIVACY—AUSTRALIA

Airport Scanner Privacy Unresolved Thus Far (October 29, 2010)

The Australian reports on the federal government's ongoing plans to implement body scanners at the country's airports. The type of scanner to be introduced is still being determined due to advocates' significant privacy and security concerns following the February announcement that the technologies would be applied to departing international passengers in 2011. Victoria Privacy Commissioner Anthony Bendall says the machines are an example of what U.S. security expert Bruce Schneier calls "security theatre," the report states. "They give the illusion of safety without actually making us safer," said Bendall, adding that the major privacy concern is that images will be stored and transmitted.
Full Story

SOCIAL NETWORKING

Study Shows Most Proactive Countries for Privacy Settings (October 28, 2010)

The Unisys Security Index surveyed 10,575 consumers in 11 countries and found that 80 percent of social networking users in the U.S.--more than in any other country studied--said they regularly limit the personal information they post and restrict others' access to it, reports InformationWeek. Brazil and Germany were the next in line, with Brazil the most concerned with overall security, the report states. Patricia Titus, global chief information security officer at Unisys, says that the U.S. may be more proactive because it has "better reporting on social media issues here because Facebook is a U.S.-based company."
Full Story

ONLINE PRIVACY

Google’s Fleischer Discusses Privacy Perspectives (October 27, 2010)

Only a small fraction of users of the world's largest search engine are taking advantage of privacy controls that allow them to choose which ads are steered their way, the Associated Press reports. Peter Fleischer, Google's global privacy counsel, said he is "puzzled about why more people don't use more of the privacy controls." Google targets ads based on cookies left behind on users' Web browsers, but with its "ads preference manager," a user can wipe out cookies or alter the subject areas identified, the report states. Fleischer also spoke of the challenges of global Internet products with different nations having different privacy views, noting he expects more efforts to reach agreement on common privacy policies around the world.
Full Story

ONLINE PRIVACY

How Safe Is Your Login? (October 26, 2010)

Social networks are becoming the focus of new privacy questions about how their logins can be accessed through WiFi networks. The Wall Street Journal reports that Firesheep, a new add-on for the Web browser Firefox, "is designed to make it easy to intercept browser 'cookies' used by popular Web sites like Facebook, Twitter and others to identify their users, thereby allowing Firesheep users to log in to those Web sites posing as others." Eric Butler, a U.S. programmer who developed Firesheep, said he introduced the program as a way of bringing attention to a common weakness in Web site security. "On an open wireless network," he said, "cookies are basically shouted through the air, making these attacks extremely easy." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

More Sites Tagged With Info-Sharing Concerns (October 26, 2010)

Following an investigation into a privacy breach involving popular applications on Facebook, social network MySpace and some of its apps have been found to be transmitting user information to outside advertising companies, The Wall Street Journal reports. Rapleaf, a company which compiles profiles of Internet users and was cited in the investigation as providing such information to advertisers, has stated it no longer passes such user information on to advertising networks due to privacy concerns. "The MySpace leaks appear to be more limited than those at Facebook, which has far more users and requires them to make public their name, gender and country," the report states. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

As WiFi Data Collection Revealed, New Investigation Begins (October 25, 2010)

Google has revealed that the data its Street View cars collected from unsecured WiFi networks included passwords and e-mails, Forbes reports, and now faces being the first company to incur fines of up to £500,000 under the UK's privacy laws. While UK Information Commissioner Christopher Graham has announced he is launching a new investigation into Street View's collection of private data, the Garante, Italy's DPA, has announced it will now require the company to clearly mark its Street View cars and provide detailed information on their routes to enable citizens to "freely decide what to do and possibly prevent the 'capturing' of their images" by the mapping service.
Full Story

ONLINE PRIVACY

Tools Enable Online Browsing Privacy (October 25, 2010)

Mercury News reports on various ways to maintain privacy on the Internet despite the pervasive tools used by search engines and marketing companies to track your movements online. Peter Eckersley of the Electronic Frontier Foundation says such ubiquitous online surveillance violates our right to "read in private," adding that "You might be reading the magazine, but it's reading you back." The report highlights a suite of tools available to increase online privacy, downloadable software to encrypt users' online searches and privacy modes within various Web browsers that allow for "private browsing," preventing the permanent storage of tracking technologies such as cookies.
Full Story

PRIVACY LAW—HONG KONG

Laws Concern Telemarketers Union (October 25, 2010)

The Standard reports on a telemarketer union's fears that tightened privacy protection laws will lead to more employees losing their jobs following the recent firing of 200 workers in the Octopus Cards personal data case. The government has released 37 proposals to strengthen privacy laws, the report states, including requiring user consent before personal information can be sold to direct marketers. A government official said industry and government have collaborated on the proposals, but a spokesman for the Hong Kong Telemarketer Association said consent should not be required for disseminating personal data. Meanwhile, Octopus' chairman has announced he will step down in December but says the decision is unrelated to the recent breach.
Full Story

PERSONAL PRIVACY—AUSTRALIA

Database Tells Agents When Tenants Want Out (October 22, 2010)

TICA, the largest tenant database company in Australia, has created a new service that allows real estate agents to register their tenants' details and receive an e-mail when a tenant applies for another place to live, reports The Sydney Morning Herald. Chris Martin, a senior policy officer with Tenants NSW, called the service a "gross invasion of people's privacy," and said, "the potential for abuse is high.'' The developers say that agents are required to notify tenants they are using the service, and tenants who are honest with their agents have nothing to worry about. "It's only the ones who, for want of a better term, do the midnight skip," said TICA Managing Director Phillip Nounis.
Full Story

BEHAVIORAL TARGETING—AUSTRALIA

Opinion: Self-Regulate or Face Backlash (October 22, 2010)

Technology comes at a cost, according to Matt Houltham, who, in The Sydney Morning Herald, discusses the need for online advertisers to effectively self-regulate or face consequences. "It is undeniable that audience data is important," Houltham writes, adding that behavioral targeting helps publishers commercialise their content "so consumers can continue to access it for free." But, Houltham says, "We cannot ignore the looming backlash if we fail to inform consumers about how their data is being collected and used." Pointing to a recently launched self-regulatory effort in the U.S., Houltham suggests, "Perhaps it is time the Australian industry followed suit."
Full Story

SOCIAL NETWORKING—SINGAPORE

Government Uses Social Tools Carefully (October 22, 2010)

Local governments in Singapore increasingly use social media to engage with the public, but they are doing so with caution, ZDNet reports. Singapore citizens can use government e-services portals to pay taxes and purchase licenses, for example, and some of these portals contain social elements. The general manager of NCS Portal City said the government has great concern about data privacy and protection, and the information that citizens offer in such outlets is typically not shared or disseminated by the government. "Everyone is talking about" data privacy and protection, Ng See Sing said, adding, "it's one of the ills of social networks so we have always been conscientious of this since day one."
Full Story

ONLINE PRIVACY

WiFi Scanning Discontinued (October 21, 2010)

Google has no plans to resume the collection of WiFi data through its Street View vehicles, CNET News reports. According to the report issued by the Office of the Privacy Commissioner of Canada (OPC) this week, the "collection is discontinued and Google has no plans to resume it." Instead, wrote Privacy Commissioner Jennifer Stoddart, "Google intends to obtain the information needed to populate its location-based services database" from "users' handsets." Both the OPC and Spain's Agencia Española de Protección de Datos recently concluded their investigations into the company's activity in this area, finding that it contravened laws in both countries.
Full Story

SOCIAL NETWORKING

As Officials Raise Concerns, Facebook Promises To Fix Glitch (October 19, 2010)

A report that some of Facebook's most popular applications have been transmitting user information to Web tracking companies has privacy advocates and legislators sounding an alarm. While Facebook issued a statement that there is "no evidence that any personal information was misused or even collected," The New York Times reports that the company plans to introduce "new technical systems that will dramatically limit the sharing of user IDs." Meanwhile, Canadian Privacy Commissioner Jennifer Stoddart is considering launching a new investigation into Facebook's privacy policies, and U.S. House Bipartisan Privacy Caucus Chairmen Edward Markey and Joe Barton have sent a letter to the company seeking more information on the way "third-party applications gathered and transmitted personally identifiable information about Facebook users and those users' friends." (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY—HONG KONG

After Octopus, Commissioner Wants Stronger Law (October 18, 2010)

Hong Kong Privacy Commissioner for Personal Data Allan Chiang has found that the city's leading e-payment operator, Octopus Holdings, violated data protection principles when it sold about two million customers' personal data to business partners, People's Daily reports. Chiang is now seeking stricter laws and more power to protect privacy, the report states. In light of recent cases, the Hong Kong Legislative Council has announced it will meet this Wednesday to debate a motion on improving personal data privacy protection. The measures being considered include a move to make the unlawful transfer of personal data a criminal offense.
Full Story

PRIVACY LAW—AUSTRALIA

Legislation Presents Risk to Offshore Cloud Computing (October 15, 2010)

Legislation now being considered by the federal government could have serious repercussions for organisations hosting data offshore or embracing cloud computing, ITNews reports. The pending legislation would revise Privacy Principle 8 by requiring that any country hosting data outside national borders has privacy protections equal to Australia's Privacy Principles, the report states. One expert says organizations would be wise to conduct due diligence before outsourcing to foreign cloud computing platforms, the report states. "If it doesn't take those steps to make sure this company is going to look after the data in the same way, and there is a breach, the Australian company, under the exposure draft, will be liable for the breach," he said.
Full Story

BEHAVIOURAL TARGETING—AUSTRALIA

IAB Chief Clarifies Position on Self-Regulation (October 15, 2010)

The head of the Interactive Advertising Bureau has clarified his position on providing notice to consumers when online behavioural advertising is occurring, reports The Sydney Morning Herald. Recently, Paul Fisher warned that the online ad industry must self-regulate or face tougher laws. "What we want to do is give them notice that may be happening and give them an option to opt out," he said. But in a subsequent interview, he said, "It's really around the interpretation of disclosure." Fisher feels that disclosure means making the information available in a way similar to terms and conditions.
Full Story

PRIVACY LAW—HONG KONG

Commissioner To Open Legislative Proposals (October 15, 2010)

In his 2010-11 policy address, the Privacy Commissioner for Personal Data indicated that his office would put forward legislative proposals to amend the Personal Data (Privacy) Ordinance. The commissioner would like to lay out specific requirements to be included in the ordinance in order to better protect citizens' personal data. His office will open the proposals for public discussion soon.
Full Story

SOCIAL NETWORKING

Advocates Pleased with Facebook Changes (October 12, 2010)

Privacy advocates are voicing approval of Facebook's new privacy features, which will allow users greater control over their personal data, OUT-LAW.com reports. The changes include a "dashboard," which will display to users which applications are active and the data they collect. The Electronic Frontier Foundation welcomed the change, the report states. "We think that this is an important step forward in terms of providing more transparency to users about where their Facebook data is going and who is using it." Additional features will allow users to export all of their uploaded data from the site and create private groups for communications.
Full Story

ONLINE PRIVACY

HTML 5 Coming, Worries Surface (October 12, 2010)

The New York Times reports on HTML 5, the new Web language that will be rolled out over the next few years. It is expected to bring Web users many benefits. It is also expected to enhance opportunities for marketers, advertisers and others to track Web users' activities. The new language would allow for the collection of large amounts of data and storage of that data on the computer user's hard drive. Experts say that could give companies a look at weeks or months worth of personal information including location data, photographs, shopping cart contents and more. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

PCI Supports Encryption (October 8, 2010)

The Payment Card Industry (PCI) Security Standards Council has released new guidance on card security standards, including the use of point-to-point encryption, InformationWeek reports. Troy Leach of the PCI Security Standards Council said the goal is to help organizations "understand how they can better secure their payment card data and how specific technologies may assist them in meeting the requirements of the PCI Data Security Standard." The guidance also discusses EMV card security, which requires consumers to enter a personal identification number when paying with a credit or debit card in person. Jeremy King, European regional director for PCI, said "the devil is in the details" when it comes to introducing PCI changes.
Full Story

CHILDREN’S PRIVACY

Study: Lots of Little Ones Have Online Presence (October 8, 2010)

The security firm AVG has released study results that show 82 percent of kids under the age of two in 10 Western nations have an online presence, CNN reports. Newborns and toddlers in the U.S., New Zealand, Canada and Australia are the most likely to appear online in photographs, the report states. The study found that often it is friends or other family members--not the child's parents--who post the photos. "Obviously there's a privacy issue," said an AVG spokeswoman. "If they're applying for credit (later on) and having that information readily available for people who want to compromise their identities."
Full Story

ONLINE PRIVACY—AUSTRALIA

Data Mining Companies Poised To Be Next Wave (October 7, 2010)

A new wave of companies that collect data from online users' browsing histories is ready to enter the Australian market. Two of them, the British company Phorm and BlueKai out of California, are already aggregating data, reports The Sydney Morning Herald, and BlueKai claims to have the computer addresses and "purchasing intent" of eight million Australians. The trend is expected to spark a debate over online privacy. Former Privacy Commissioner Malcolm Crompton, CIPP, notes that "the question arises whether the current law is sufficient to address these issues."
Full Story

ONLINE PRIVACY—AUSTRALIA

Opinion: Time To Tame the Cookies Monsters (October 7, 2010)

The Sydney Morning Herald takes a stand against Internet tracking in an editorial on cookies as a means to mass surveillance. "Those innocuous-sounding cookies and beacons," the editorial reads, "can quickly and easily build comprehensive consumer profiles. Such specific information is a potential goldmine." Internet laws are lagging behind, according to the newspaper's editors, who suggest that, as in the case with a recent cry for better privacy policies on social networks, "Web sites that extract user information should likewise offer clear, simple instructions on opting out. That way, people who consider advertising an essential part of making informed consumer choices can benefit from precision marketing, and everyone else can simply switch the trackers off."
Full Story

PRIVACY LAW—NEW ZEALAND

Should Online Impersonation Be a Crime? (October 7, 2010)

Officials are considering whether impersonating others on the Internet--and particularly on social networking sites--should be a criminal offence. The New Zealand Herald reports on a similar move in the U.S., where the state of California passed legislation making it a crime to "harm, intimidate, threaten or defraud" through the Internet or other electronic means. New Zealand's Privacy Commission has been examining the Californian legislation, the report states, and Assistant Privacy Commissioner Katrine Evans has said the issue is among several being considered by the Law Commission. One issue to be considered is the line between serious impersonation and obvious parodies, the report states.  
Full Story

BIOMETRICS—AUSTRALIA

Plans To Track Gamblers Proposed (October 7, 2010)

Australian Prime Minister Julia Gillard has suggested using biometric cards and possibly fingerprinting to combat compulsive gambling, Poker News reports. The plan would rely on identification cards equipped with biometric technology to operate video poker machines in order to track gamblers' playing habits and restrict them from playing further when they had reached a predetermined loss limit, the report states. The plan is raising privacy concerns, as one expert noted, stating, "We absolutely recognize problem gambling is a great concern for people in the community, but I don't think fingerprinting will work from a practical point of view, and there are ethical issues with privacy."
Full Story

FINANCIAL PRIVACY—HONG KONG

Commissioner Completes Octopus Investigation (October 7, 2010)

Privacy Commissioner for Personal Data Allan Chiang has announced the completion of investigations into the collection and use of customers' personal data by Octopus Holdings Limited (OHL) and Octopus Rewards Limited (ORL). The investigations were aimed at ascertaining whether, in the process of collection of customers' personal data and use for direct marketing purposes, data protection laws were violated. According to a release from his office, the commissioner plans to publish the investigation report citing the "widespread public concern" raised by the issue after allowing time for responses from ORL and OHL on issues related to the public release of the report.
Full Story

SOCIAL NETWORKING

Facebook’s New Privacy Options (October 7, 2010)

Facebook has released new privacy settings to allow users to share their updates selectively and draw distinctions between friends, family members and co-workers, The New Zealand Herald reports. Users will now be able to create "closed" groups in order to communicate with Facebook friends privately and can also use a "dashboard," allowing them to view what personal information has been collected by games and third-party applications on the site and letting them disable some of those features. An analyst at Forrester Research called the changes a smart move for Facebook, adding the announcement "helps move the ball forward in terms of greater control and greater transparency."
Full Story

ONLINE PRIVACY

Advertisers Share Web Privacy Plan (October 4, 2010)

Amid the ongoing push-and-pull between user privacy and advertiser access to Web data, the Digital Advertising Alliance, which is comprised of some of the industry's largest trade organizations, has announced the details of a self-regulatory program allowing users to opt out of being tracked online. The New York Times reports on the program and its use of the "Advertising Option Icon" to alert users when data is collected for behavioral targeting. While some experts see the move as a step in the right direction, other privacy advocates maintain that self-regulation is not enough and government intervention is needed. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Paper Raises Concerns About Smartphone Security (October 4, 2010)

The user data collected by some smartphone applications can be correlated to real-world identities, Ars Technica reports, posing privacy risks to users of such popular devices as the iPhone, iPod and iPad. According to a paper by Bucknell University Assistant Director of Information Security and Networking Eric Smith entitled "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)," many applications request personally identifiable information affiliated with users' accounts. Smith noted that such data, combined with "extremely long-lived" tracking cookies, could result in companies tracking users' online activities for extended periods of time and across multiple devices, the report states.
Full Story

DATA PROTECTION—AUSTRALIA

Ludwig: Participation in CBPA Will Enhance Reforms (October 1, 2010)

Sen. Joe Ludwig, special minister of state, says Australia's involvement in the Asia-Pacific Economic Cooperation's (APEC) cross-border privacy enforcement arrangement will allow the privacy commissioner to cooperate with foreign privacy enforcement authorities to resolve overseas complaints, PSnews reports. Ludwig said the government's privacy principles, intended to reform Australia's privacy act, include provisions on cross-border disclosures of personal information and that APEC's Cross-Border Privacy Enforcement Arrangement (CPEA) will enhance those reforms. Australia was closely involved in the development and implementation of CPEA, Ludwig said. A spokesman for APEC said the arrangement "demonstrates that privacy enforcement authorities are engaging with the realities of global data flows and the associated risks of privacy violations."
Full Story

PRIVACY LAW—AUSTRALIA

Consent a “Serious Weakness” in Privacy Regs (October 1, 2010)

The Australian Privacy Foundation (APF) is calling for stricter rules on how data controllers obtain and use consumers' consent, reports ITnews. In a submission to a parliamentary online privacy inquiry, the APF described consent as the "single most serious weakness" in the nation's privacy regulations. "Consent works like a miracle cure for conduct that otherwise would have been contrary to the law," wrote APF Vice Chair Dan Svantesson. Parliament opened the inquiry--The adequacy of protections for the privacy of Australians online--on 24 June and will continue to accept public comments through 30 September.
Full Story

PRIVACY LAW—VICTORIA

Commissioner Tells Police To Improve Data Security (October 1, 2010)

Australia's Commissioner for Law Enforcement Data Security has warned Victoria Police that any further delay in addressing concerns about safeguards for sharing personal data with third parties is "unacceptable," reports The Australian. Commissioner David Watts last week released a report on a memorandum of understanding reached between the police and company Aquasure. The memorandum, which included provisions on sharing police data with the company, "did not adequately take account of Victoria's human rights, information privacy and law enforcement data security laws and did not establish mechanisms necessary to support compliance with them," the report states. Watts has given the police 28 days to provide a proposed timeline for changes.  
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Board Warns Doctors Not To Post about Patients (October 1, 2010)

The NSW Medical Board has cautioned a doctor for making "flippant and derogatory" comments and warned others to think twice before disclosing patient details on social networking sites, News.com.au reports. "Facebook users are reminded that, despite their privacy settings, no security measures are perfect or impenetrable," the board said. The board issued the warning after a patient read comments posted by their doctor on the social networking site. A spokeswoman for the Medical Error Action Group said doctors posting comments on social networking sites is not uncommon and needs to be "reigned in."
Full Story

PRIVACY LAW—NEW ZEALAND

Shroff Pleased with Revised Surveillance Bill (October 1, 2010)

In her latest submission to Parliament's Justice and Electoral Select Committee on the Search and Surveillance Bill of 2009, Privacy Commissioner Marie Shroff last week said she's satisfied with revisions to the bill. Shroff said she was encouraged by the fact that concerns raised during hearings on the bill in 2009 were taken seriously and addressed in most cases. Shroff's concerns about the original bill surrounded the state's powers to search people and their property and the use of surveillance technologies. Shroff said the revised bill makes "the balance between privacy and law enforcement interests more acceptable," and said she has no further issues to raise.
Full Story