ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

ONLINE PRIVACY

Company Revises End User License Agreement (August 31, 2011)

Video game developer Electronic Arts (EA) has revised its Origin digital distribution service End User License Agreement (EULA) after websites said the EULA gave the company the ability to collect users' personal information beyond necessary gaming data, GameSpy reports. The updated EULA says, "Information about our customers is an important part of our business, and EA would never sell your personally identifiable information to anyone, nor would it ever use spyware or install spyware on users' machines." 
Full Story

DATA LOSS

Phone Company Hacked (August 30, 2011)

Nokia says its developer forum website has been hacked, requiring it to shut down the site until "further investigations and security assessments" have been completed, The Wall Street Journal reports. The company says users' personal information--including e-mail, some dates of birth and other data--were compromised. A hacker known as "pr0tect0r AKA mrNRG," believed to be based in India, claimed responsibility for the breach. "Though we have no evidence of any misuse, we believe the potential risk is an increase in unsolicited e-mail," the company said. (Registration may be required to access this story.)   
Full Story

ONLINE PRIVACY

Identifiable By Association (August 30, 2011)

In an article for Slate, Kevin Gold discusses the "leaky" nature of online privacy. Pattern recognition software has made it increasingly possible to determine a person's identity not by the data that they themselves have shared online, but by what their friends have shared. A researcher from Northeastern University found that only 20 percent of college students needed to participate in filling out profile information online "in order to deduce facts about the nonresponders who friended others," the report states. Using statistics about common characteristics, it's possible to make a "statistically motivated guess as to whether a person belongs to a particular community."     
Full Story

ONLINE PRIVACY

Virtual World Group Uncovers Real World Data (August 29, 2011)

An organization within the Second Life online virtual world is collecting real-world information on users, sidestepping the sites' terms of use and possibly some data protection laws, reports Avril Korman for Search Engine Watch. While Linden Lab, the company that owns the site, offers tools to customize the user experience, the report states that it is not providing adequate support, causing a rise in self-policing organizations. One such organization has, in concert with others, begun collecting information on "people's real lives, including jobs, medical conditions and family," and posting it to an unsecure wiki site, according to Korman. Some users are dismissing the threat, but Korman says, "Until Linden Lab starts actually managing their own (virtual) land and dealing with security issues in an effective manner, this problem and others like them will continue."  
Full Story

PRIVACY LAW—AUSTRALIA

Cybercrime Bill Moves Forward (August 26, 2011)

The House of Representatives has passed a bill that would require Internet service providers to collect and make available to law enforcement the Internet traffic data of users, The Australian reports. Telstra said the new obligations were "beyond business needs," placing "a significant burden on carriers and service providers in the form of cost and manpower." The Cybercrime Bill will now go to the Senate for approval. The bill's author said, "The passage through the House is a significant step forward." Meanwhile, Sen. Scott Ludlam said, "We are greatly troubled by the fact that neither government nor Coalition MPs gave any indication they believed there were flaws that needed to be fixed."   
Full Story

HEALTHCARE PRIVACY—NEW ZEALAND

Gov’t Officials Respond to Law Commission Recommendations (August 26, 2011)

Health Minister Tony Ryall says there is no "great urgency" for a review of the handling of health information after the Law Commission recommended a separate government review of the Privacy Act, the Otago Daily Times writes. Ryall believes that the Privacy Act and the Health Information Privacy Code already cover the processing of health information. Privacy Commissioner Marie Shroff has said she supports the Law Commission's recommendation but has not said how it could be addressed. "Whether that improvement would come from new legislation, as the Law Commission suggests, is something that will doubtless come out over the course of the proposed review," Shroff said.  
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

AFP: eHealth “Smokescreen” for National ID (August 26, 2011)

The Australian reports on recent comments made by Australian Privacy Foundation Chairman Roger Clarke that the country's eHealth program is a "smokescreen" for a "centralised patient identification regime." Clarke said that individual healthcare identifiers "are an enabling mechanism for linkage between agencies, allowing the creation of virtually centralised national databases." A spokesman for Health Minister Nicola Roxon responded that, "eHealth records are being developed for the ultimate benefit of patients and not for the conspiracy theory reasons claimed."   
Full Story

PRIVACY LAW—AUSTRALIA

Commissioner Prefers Conciliated Outcomes (August 26, 2011)

Privacy Commissioner Timothy Pilgrim says he would prefer conciliated outcomes over going to court in response to privacy violations, The Australian reports, but adds that mandatory data breach notification and stronger penalties would benefit the country. "We have seen the Australian Law Reform Commission's views, and what we need to see now is how the government is going to reflect those initial thoughts," says Pilgrim, adding, "There are some very big questions that we as a community are going to have to consider in that debate." Australian Privacy Foundation Chairman Roger Clarke, meanwhile, says he prefers torts and additional criminal penalties, the report states.  
Full Story

PERSONAL PRIVACY—VICTORIA

Agency To Apologise for Data Collection (August 26, 2011)

A woman who has been protesting a pipeline says that Melbourne Water will publically apologise to her for collecting her personal information, ABC News reports. The woman said, "It has now set a precedent that you cannot treat people in that fashion...Even if you're a large government agency, you must abide by the law. You cannot do those things."  
Full Story

DATA LOSS—SOUTH KOREA

Breach Affects 350,000 (August 26, 2011)

A Naked Security article reminds users of the importance of using multiple passwords across various websites after a breach at Epson Korea affecting 350,000. The company says hackers accessed its website last week and stole customers' personal data, including passwords, phone numbers, names and e-mail addresses. Customers have been advised to change their passwords as soon as possible. "Although you may not care very much if someone can log into your account at Epson, you certainly will care if they can also use the same password to access your other online accounts," the author writes.
Full Story

ONLINE PRIVACY

Facebook Unveils New Settings (August 24, 2011)

The Wall Street Journal reports that Facebook has unveiled new options to help users manage the amount of information they share on the site and with whom. The changes, to roll out Thursday, will allow users to check a box indicating which friends can see which online posts; share locations from PCs and laptops; control being "tagged" by others in posted photos, or choose to block a user entirely--disabling them from photo tags or other interactions on the site. The company wants to make the sharing options "unmistakably clear," said a Facebook spokesman. (Registration may be required to access this article.) 
Full Story

IDENTITY THEFT

Caller ID Spoofing Threatens Personal Privacy (August 23, 2011)

The New York Times reports on the rise of an easy-to-find and legal service known as "spoofing" that allows identity thieves to access others' voicemail accounts by disguising their phone numbers and consumer advocate Edgar Dworsky's recent finding that thieves can also access some automated bank and credit card systems. Many mobile phone providers and financial institutions have phone systems that disclose personal information--like recent purchases--when a call is made from the customer's phone number. "There are additional steps mobile phone companies and the card issuers could take to stop this sort of thing from ever happening," the report states. "The fact that many of them don't, however, makes this your problem to solve." (Registration may be required to access this story.)  
Full Story

BEHAVIORAL TARGETING

Company Advises Against UDID (August 22, 2011)

Software developers who build programs for Apple's operating system have been asked by the company to avoid using unique device identifiers (UDID) in software for its iPhones and iPads, The Wall Street Journal reports. UDIDs make it easier for advertising networks, analytics firms and others to observe and track users' online behavior. A deadline for the change has not been specified, but the company's website tells developers that the tracking tool "has been superseded and may become unsupported in the future." The Center for Democracy & Technology's Justin Brookman said, "I want to see how this all plays out, but at first glance, this is a really good result for consumers." (Registration may be required to access this story.)        
Full Story

PRIVACY LAW—AUSTRALIA

Senator: Cybercrime Bill Has “Serious Flaws” (August 20, 2011)

Greens Sen. Scott Ludlam says a proposed cybercrime bill has "serious flaws" and "goes well beyond the already controversial European convention on which it is based," The Australian reports. The bill, which would require ISPs to collect Internet traffic to assist law enforcement authorities, was introduced by Attorney-General Robert McClelland in June. Ludlam said, "We have recommended a number of improvements to the bill, fixing flaws and clarifying the ombudsman's powers to inspect and audit compliance with the preservation regime." McClelland said he welcomes the report, adding that "some recent commentary contains inaccuracies which need to be corrected." 
Full Story

ONLINE PRIVACY—NEW ZEALAND

Company Deletes Payload Data, Announces PIA (August 20, 2011)

Google has announced that it deleted data collected by its Street View cars and will conduct a privacy impact assessment (PIA) on future Street View activities, The National Business Reivew reports. In a Google blog post, the company made the two announcements while also pledging to ensure that images are not in real time; automatically blur faces and licence plates prior to publishing images, and provide a "report a problem" option, which allows individuals to request additional blurring to images that may have been missed. Google also said it has removed WiFi equipment from its Street View cars and has "taken steps to strengthen our internal privacy controls." 
Full Story

DATA LOSS—NEW SOUTH WALES

Assessing Fair Punishment for Data Breaches (August 20, 2011)

ITNews reports that some experts assert "Australia's light touch to breaches of the Privacy Act may not be enough to protect consumers and punish the companies that put their personal information at risk." Data breach investigations have increased by 27 percent in the last year, but, barring mandatory notification laws, the largest breaches remain unreported. A University of Canberra professor says that organisations that undergo a breach after using best practices should not be punished, but companies that are negligent should be punished to get the attention of executives, insurers and shareholders. He queries, "If a food company kept on having food contamination problems, it would stop operating. Why is a data custodian any different?"
Full Story

DATA LOSS—VICTORIA

Medical Records Left in Abandoned Clinic (August 20, 2011)

The medical files of thousands of children were left behind in a Melbourne clinic that went out of business approximately three years ago, the Herald Sun reports. The records contain names, birth dates, addresses and medication details of patients needing treatment for dyslexia and hyperactivity, and, the report states, anyone could have accessed them after the clinic closed. Saying she was "horrified," Victorian Health Services Commissioner Beth Wilson added that she will begin an investigation into the incident and ensure the files will be protected. "Whenever a health organisation holds health information," Wilson said, "the owners are obliged to comply with the health services commissioner's guidelines on the safe storage and handling of people's private health records."   
Full Story
 

STUDENT PRIVACY—NEW SOUTH WALES

Schools Monitor Students on Social Networking Sites (August 20, 2011)

ANI reports that Australian schools have started hiring Internet monitoring companies to review publically available student posts on social networking sites. A school principal said, "Our school policy now extends the concept of the school playground to any environment in the social media platform where a student of the school or a teacher is identified by either name, image or inference." The president of the New South Wales Council for Civil Liberties said the monitoring is an "outrageous invasion" of students' privacy, the report states.
Full Story

SOCIAL NETWORKING—AUSTRALIA

Opinion: Users Need To Investigate Privacy Options (August 20, 2011)

In a column for News.com.au, Claire Connelly writes that rumors about Facebook publishing phone numbers that were synched from smartphones were false. "Everyone loves it when Facebook makes a mistake," she writes, "but this time, it may be users who've got it wrong." The company has not sold phone numbers to third parties or published them, the report states. One security expert said, "there's all of the various privacy issues and privacy concerns that have happened over the years," and "there are a lot of people looking for it to have security and privacy problems, and a lot of people who want it to have those problems." 
Full Story

DATA LOSS—SOUTH KOREA

Media Streaming Service Breached (August 20, 2011)

The website of South Korean media streaming service GOMTV.net has been breached, v3.co.uk reports. Compromised data includes names, e-mail addresses and passwords but not credit card information. The company has notified its customers, writing, "As soon as we discovered the sign of intrusion, we conducted a complete investigation into the incidents and have also taken steps to enhance security and strengthen our network system." The announcement comes shortly after a popular social networking site was breached, affecting the data of nearly 35 million South Koreans. 
Full Story
     

DATA PROTECTION

Opinion: Are PIAs Enough? (August 19, 2011)

In a Communications of the ACM article, David Wright of Trilateral Research considers whether privacy impact assessments (PIAs) should be mandatory. As databases grow, so do data breaches. PIAs are a reasonable tool for any organization managing personal data, but are they enough? Wright says no; the most effective way to protect sensitive information is to use PIAs with a "combination of tools and strategies, which include complying with legislation and policy, using privacy-enhancing technologies and architectures and engaging in public education..." Whether PIAs will become mandatory, in the meantime, remains to be seen. (Registration may be required to access this story.)      
Full Story

ONLINE PRIVACY

Researchers Uncover “Supercookies” (August 18, 2011)
The Wall Street Journal reports on the latest online tracking methods, including the existence of "supercookies" found on popular websites. Researchers at Stanford Univeristy and the University of California at Berkeley say that supercookies are able to recreate a user's profile even after normal cookies are deleted. According to the report, companies who were found to be using the tracking technology have since stopped the practice. A Microsoft representative said as soon as the supercookies were "brought to our attention, we were alarmed. It was inconsistent with our intent and our policy." Hulu said in an online statement that it "acted immediately to investigate and address" the supercookie issue. (Registration may be required to access this story.)

GEO PRIVACY—SOUTH KOREA

Company Sued Over Location Data (August 17, 2011)

Approximately 27,000 South Korean iPhone users are suing Apple, Inc. on claims the company compromised their privacy when it collected location data without their consent, the San Francisco Chronicle reports. The class-action suit against the company's South Korean unit seeks $930 per user for damages. The suit comes just weeks after the company was fined by the Korean Communications Commission for its smartphone data collection practices. 
Full Story

HEALTHCARE PRIVACY

Health Industry Prepares To Mine Patient Data (August 16, 2011)

With the increased use of remote monitoring systems and new digital imaging technology, "tremendous amounts of data" are being generated but not analyzed, The Australian reports. A vice president of an analytics company says that "doctors have live data coming out of these devices and equipment, but to date it really hasn't been analyzed." According to the report, healthcare suppliers will begin selling equipment and software that can analyze the streaming data. "If there was a national healthcare database in the U.S.," he says, "the value of that information in terms of mining it to identify trends across population segments is phenomenal."         
Full Story

DATA PROTECTION

Tokenization Guidelines Released (August 15, 2011)

The Payment Card Industry Security Standards Council (PCI SSC) has released guidelines on tokenization, SC Magazine reports. The PCI DSS Tokenization Guidelines Information Supplement provides suggestions for "developing, evaluating or implementing a tokenization solution, including insight on how a tokenization solution may impact the scope of PCI DSS efforts," the report states. "These specific guidelines provide a starting point for merchants when considering tokenization implementations. The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements," said PCI SSC General Manager Bob Russo. 
Full Story

PRIVACY LAW—AUSTRALIA

Data Retention Law Still Possible (August 12, 2011)

The attorney-general's department says the federal government is still considering introducing a data retention regime, IT News reports. A spokeswoman said the department is committed to an "open and transparent consultation" once a proposal has been developed. Until now, Australia has used the European Union's Data Retention Directive as a model for its potential plan, which allows law authorities to access telephone and Internet activity dated two years back, though that model is now being reviewed. "Australia can learn from this review, and its recommendations will be taken into consideration when assessing the applicability of a regime based on the EU Data Retention Directive to the Australian context," the spokeswoman said.
Full Story

DATA PROTECTION—AUSTRALIA

Gov’t Increases Census Security (August 12, 2011)

Government officials are increasing security measures for the national census amid concerns about hacking and privacy, the Herald Sun reports. For those who submit the 9 August survey electronically, it will employ encryption technology frequently used in electronic banking, according to the Australian Bureau of Statistics (ABS). Queensland Census Director Sally Pritchard said that after the ABS processes the submitted data, names are removed. "There's hefty fines and punishments for anyone who breaches the strict privacy conditions or divulges confidential information," she said, adding that the data would not be shared with any other agencies.
Full Story

PRIVACY—NEW ZEALAND

Commission Notes Smart Phone Threats (August 12, 2011)

At the release of the Review of the Privacy Act 1993 last week, Law Commissioner John Burrows and Privacy Commissioner Marie Shroff discussed future challenges to privacy as technology progresses, The New Zealand Herald reports. "Overall, we think the broad principles of the act are flexible enough to cope," the review states. The reforms--there are 136 recommendations--would make the act "future proof," the commissioners said. Of particular concern is the proliferation of smartphones capable of geotagging. The Law Commission sees education as key, adding, "we also note the critical importance of educating people--particularly young people--on how to respect and protect their online privacy."
Full Story
 

PRIVACY LAW—AUSTRALIA

Company Warned After E-mail Campaign (August 12, 2011)

A human resources company has been given a formal warning after sending marketing e-mails without consent. The warning follows an Australian Communications and Media Authority (ACMA) investigation into Astute People Solutions due to complaints that the company breached the Spam Act 2003. The ACMA recently launched a campaign aimed at encouraging compliance called "Successful e-marketing...it's about reputation."
Full Story

DATA LOSS—AUSTRALIA

Sony Offering ID Theft Protection (August 12, 2011)

Sony is offering Australian PlayStation Network accountholders a year of free identity theft protection in the wake of a breach affecting 77 million worldwide, The Sydney Morning Herald reports. The company has begun sending e-mails to about 1.5 million Australians who had an account on the date of the breach, which is being investigated by Australian Privacy Commissioner Timothy Pilgrim. The company is also offering identity restoration services for those whose identities may be stolen as a result of the breach.
Full Story

DATA PROTECTION—AUSTRALIA

Opinion: A Call for Stronger Action (August 12, 2011)

Australia needs more than privacy guidelines; it needs a watchdog, CIO reports. That's according to University of Canberra law lecturer Bruce Arnold, who says that the number of breaches indicates the need for government action. "Australia needs a privacy watchdog that is quick to act, a watchdog that, like its overseas counterparts in the UK and U.S., is equipped with the sort of financial penalties that get the attention of executives," says Arnold. "We also need a cultural change, whereby institutions regard themselves as data custodians rather than data owners and therefore take their responsibilities more seriously."
Full Story

PRIVACY—AUSTRALIA

Opinion: Privacy Is Here To Stay (August 12, 2011)

In an opinion piece for The Sydney Morning Herald, Nick Abrahams and Warwick Andersen write about privacy's rise to the top as an agenda item. The authors attribute the focus on privacy to media hacking scandals, the rise of e-commerce and cloud computing, among other factors. Australia's major proposals include a mandatory breach notification requirement and an enforceable right to privacy, which would allow Australians to sue for invasions of privacy. However, it can be difficult to prove that damage has been caused to an individual if a crime such as identity theft doesn't result, the authors say. They predict that privacy, as a topic, has staying power.
Full Story

PRIVACY LAW—NEW ZEALAND

Opinion: Privacy A Precious Commodity (August 12, 2011)

An Otago Daily Times editorial discusses the Law Commission's recently completed review of the Privacy Act. The report notes the importance of balancing privacy with the public interest. Among the commission's recommendations are a new framework within the act for intergovernmental data sharing and exceptions for both health and safety and reporting crimes to law enforcement agencies. The report also discusses data breach notifications, simplifying the complaints process, potentially establishing a do-not-call register and protection for individuals against online publication. "Privacy in an increasingly public world is a precious commodity," the commission's report states.
Full Story

ONLINE PRIVACY—SOUTH KOREA

Real-Name System To See Its Demise (August 12, 2011)

The South Korean government will push ahead with plans to scrap the real-name system for Internet users in the wake of the country's worst online security breach, TMCnet reports. A report on how to protect personal information online is soon expected from the Ministry of Public Administration and Security and will include plans for scrapping the system, which was launched in 2007 and requires people to use their real names and resident registration numbers when posting to websites with more than 100,000 visitors per day. Last month, 35 million online users had their sensitive data, including their passwords and resident registration numbers, breached.
Full Story

DATA THEFT—HONG KONG

OFTA Laptop Stolen (August 12, 2011)

The Office of the Telecommunications Authority (OFTA) has notified the Privacy Commissioner for Personal Data and others of the theft of an agency computer, according to an OFTA press statement. OFTA said a staff member's password-protected laptop was stolen on 11 August in Wan Chai. The personal details of emergency services personnel, government and telecommunications workers are housed on the device. OFTA says it will investigate the incident and will enhance staff training on the protection of personal data. The police have been notified.
Full Story

Company Cancels Advertising Scheme (August 12, 2011)
LinkedIn has announced that it will no longer pursue its new form of advertising called "social ads," which shared users' activities and included their pictures, The Wall Street Journal reports. The company began testing the initiative in late June after announcing it to users. Complaints about user privacy followed, including a statement from the Dutch Data Protection Authority that the company's changes may have breached Dutch privacy law. The company's head of marketing solutions told users, however, that "The only information that (was) used in social ads is information that is already publicly available and viewable by anyone in your network." (Registration may be required to access this article.)

ONLINE PRIVACY—CHINA

Ministry Proposes New Rule for PI (August 12, 2011)

China's Ministry of Industry and Information Technology (MIIT) is seeking comment on a draft rule regulating the processing of personal information by "Internet Information Service Providers," the Hunton & Williams Privacy and Information Security Law Blog reports, defining "Internet Information Services" as "service activities for the provision of information to Internet users over the Internet." If enacted, the rule's provisions include requiring Internet Information Service Providers to refrain from collecting personal information (PI) without users' consent, only collect PI as necessary to provide services, inform Internet users of how and why their PI is collected, not disclose PI to third parties without consent and "immediately take remedial measures" in the event of any breach. 
Full Story

SOCIAL NETWORKING

Threat To Destroy Site May Be Hoax (August 12, 2011)

A reported threat by a hacker group to destroy Facebook on November 5 may have been a hoax, reports eWeek. The group claimed earlier this week that it would destroy Facebook on the grounds of privacy issues, stating that the site's privacy controls are lacking. But some are skeptical about the claims. The CEO of Kapersky Lab, Eugene Kaspersky, tweeted about the news on Wednesday, saying it "most probably is fake." Others have also registered skepticism.  
Full Story

DATA PROTECTION

Report Analyzes Advanced Persistent Threats (August 11, 2011)

In its latest global threat report, Cisco has found that data breaches have been "seemingly nonstop" in 2011, with unique instances of malware more than doubling, siliconrepublic reports. The report discusses advanced persistent threats (APTs) and the difficulty of identifying them, saying that APTs "must enable the attacker to remotely manipulate a system while remaining virtually invisible to standard defenses." A Cisco representative said, "If anyone attempts to sell your organization a hardware or software solution for APTs, they either don't understand APTs, don't really understand how computers work or are lying--or possibly all three."      
Full Story

DATA LOSS—JAPAN

Credit Card Data Compromised (August 10, 2011)

InfoSecurity reports on a credit card data breach affecting approximately 92,400 Japanese Citigroup customers. Compromised data includes names, addresses, credit card account numbers, phone numbers, dates of birth and dates accounts were opened. According to the report, an individual employed by a Citigroup subcontractor sold the data to a third party. This is the second breach that has affected the company this year.    
Full Story

DATA PROTECTION—SOUTH KOREA

KCC Proposes Plan for Online Data Protection (August 9, 2011)

In light of a recent breach affecting 35 million citizens, the Korea Communications Commission (KCC) has announced a plan that will require website operators to limit the amount of stored personal information of users and to encrypt data that is stored, The Chosun Ilbo reports. Under the proposal, websites would be required to encode information such as telephone numbers and e-mail addresses and provide free security software to companies that cannot afford the required security systems upgrade but would not be able to request resident registration numbers from subscribers. The KCC will have a "detailed action plan" by December, the report states.   
Full Story

ONLINE PRIVACY

The War On Anonymity (August 8, 2011)

A SPIEGEL International report discusses what some describe as a war on online anonymity. Some say anonymity is the Internet's greatest strength--promoting free speech and privacy--but others see it as increasingly dangerous. In the wake of terrorist acts and cyber-bullying worldwide, there is a push to reveal the identities of extremist bloggers and online bullies. In fact, a Carnegie Mellon study found that when users were required to identify themselves by using their real names, they behaved in a more civilized way. However, an American Association for the Advancement of Science report states that "Anonymous communication should be regarded as a strong human right."  
Full Story

SOCIAL NETWORKING

Start Up Allows for Privacy On the Web (August 8, 2011)

A social network launched in April of this year claims to give people "real-world style, disposable interaction on the web," reports PaidContent. In an interview, SecretSocial co-founder Zubin Wadia discusses the idea behind the company and its plans for the future, including becoming the "go-to place" for private conversations when using other online networks. All SecretSocial conversations have an expiration date set by the users involved, at which time the conversation is deleted from user browsers as well as the company's servers. According to Wadia, one of the problems behind Internet privacy is the assumption that data needs to be retained forever. "A lot of this data analysis, complex or not, can occur in realtime," he says.
Full Story

ONLINE PRIVACY—VICTORIA

Researchers Developing Cloud User Savings (August 5, 2011)

The Age reports on research being conducted at Swineburne University that is attempting to find cost-cutting strategies to assist companies and organisations that store large amounts of information on the cloud. The news comes after Victoria's Privacy Commissioner, Helen Versey, warned last month that the cost of privacy and security issues surrounding the cloud could "outweigh" savings provided by the cloud. According to the report, cloud computing costs to users is rising nearly as fast as the growing use of the cloud. One Swineburne University professor says the "aim is to find the minimum cost depending on how the data is used, how much is stored and how much computing time is needed."
Full Story

DATA RETENTION—AUSTRALIA

ISP Requests More Time To Become Compliant (August 5, 2011)

Telstra wants the federal government to give it more time to implement the mandatory data retention regime proposed in the Cybercrime Legislation Amendment Bill, ZDNet reports. The amendment requires that Internet service providers (ISPs) store data for up to 180 days under certain circumstances, and it requires that ISPs become compliant within 28 days of the act receiving Royal Assent. But "Telstra suggests there be an implementation study period of 90 days following the Royal Assent of the Bill to enable ISPs to undertake the necessary feasibility and impact studies," the company told a joint select committee on Monday. The company also wants help in footing the bill.
Full Story

PRIVACY LAW—AUSTRALIA

Advocacy Group: Cybercrime Bill Is Flawed (August 5, 2011)

The Australian Privacy Foundation (APF) is calling the federal government's Cybercrime Legislation Amendment Bill "irretrievable," saying it goes beyond its stated purpose. CRN reports that the bill would require telcos to store data on people suspected of committing serious crimes, bringing the country in step with the European Convention on Cybercrime. According to APF, there are 14 elements of the bill that should "under no circumstances be passed into law," including those that control which countries and agencies can seek provisions to access the data and a lack of guarantees that the data will be used only for the intended purpose.
Full Story

DATA LOSS—NEW ZEALAND

Medical Faxes Sent to Incorrect Destination (August 5, 2011)

A Merivale resident has received between 50 and 100 faxes containing the personal health information of patients from as many as five different healthcare institutions, Stuff.co.nz reports. The compromised data includes details of mental health illnesses, treatments, prescribed medications and other sensitive data. A representative from one of the health institutions said he is "very concerned" about the incidents, adding, "We are investigating this matter, as any potential breach of patient privacy is a serious matter and of major concern."
Full Story

PRIVACY LAW—NEW ZEALAND

Taxi Cameras Come With Policies (August 5, 2011)

A new law went into effect this week requiring taxi companies to install cameras in cabs and operate 24-hour call centres to protect drivers and passengers from attacks. Assistant Privacy Commissioner Katrine Evans said, "there have to be policies in place to check that the cameras comply with privacy law, such as controlling who has access to the footage, how the images can be used or how long they're kept." The Taxi Federation executive director told the Dominion Post that only authorized staff would be able to view the videos and they would automatically be deleted after four days. Meanwhile, the Privacy Commissioner has issued guidelines on how taxi organizations may use audio footage. 
Full Story

PRIVACY LAW—AUSTRALIA

Opinion: Privacy Act Needs Revamping (August 5, 2011)

In a column for the Sydney Morning Herald, law professor George Williams writes that Australian law needs to protect people's right to privacy and enact consequences for serious privacy breaches. Williams contends that the "1988 Privacy Act is a lengthy, complex law that is...riddled with exemptions," but the "real problem lies with serious breaches of privacy by large corporations." In addition to requiring a breach response remedy, "there should also be checks on the information that companies can collect from us without our knowledge through our use of computers and websites." 
Full Story

PRIVACY LAW—AUSTRALIA

Opinion: Tort Has Costs (August 5, 2011)

The Australian reacts to the government's proposed privacy tort that would allow civil actions for privacy breaches. "The proponents of the privacy tort have not yet grasped that litigation imposes costs on society that might not be readily apparent," writes Legal Affairs Editor Chris Merritt, pointing to the tort's potential impact on free speech and legal costs due to potential increases in litigation. "The critical question," Merritt writes, "is whether the benefits flowing from this proposed cause of action would justify the costs it will impose on business and society as a whole."
Full Story

DATA PROTECTION—SOUTH KOREA

Opinion: Personal Data as National Resource (August 5, 2011)

In a column for Asia-Pacific Business and Technology Report, Matthew Weigand analyses recent raids by the South Korean government on Google's South Korean offices. Weigand contends that rapid technological innovation has "blurred the line" between appropriate and inappropriate privacy intrusions, and the recent raids are an attempt to re-draw the line around national interests against international corporations. "Perhaps this is one of the first steps" he writes, "in nations beginning to view their citizens' privacy as national resources to be exploited for national gain, like oil or forests."
Full Story

DATA LOSS—HONG KONG

Security Bureau Posts Resident Data Online (August 5, 2011)

The personal information of more than 3,000 spouses of mainlanders residing in Hong Kong is available online, reports The Standard. The data--including identity card numbers, addresses and dates of marriage of Hunan residents allowed to live in Hong Kong and Macau permanently--resides on lists complied by the Hunan public security bureau and is accessible on its website. Similar lists of residents in other provinces are also accessible, according to the report. While the Immigration Department has not received any complaints about the posting, the security bureau has expressed "grave concern," and the Office of the Privacy Commissioner for Personal Data has said it "is only empowered to handle complaints within the territory," states the report.
Full Story

BEHAVIORAL TARGETING

Web Tracking Raises Revenue, Threatens Privacy (August 4, 2011)
USA Today reports on the rise in online tracking for behavioral advertising and the subsequent challenges tracking poses to personal privacy. Privacy advocates are concerned that digital shadowing will erode "traditional notions of privacy," while new research suggests that as more companies exercise online tracking, opportunities for the loss of privacy increase, the report states. Ernst & Young's Sagi Leizerov, CIPP, says, "It is a mistake to consider tracking benign...It's both an opportunity for amazing connections of data as well as a time bomb of revealing personal information you assume will be kept private."

ONLINE PRIVACY

Company To Sell Tracking Abilities to Merchants (August 4, 2011)

Online deals company Foursquare is looking to bring in revenue by selling its merchants software that will enable them to track--and therefore better target specials to--their customers who use the service. Traditionally, social media companies have turned to advertisers to monetize "free" services, and Foursquare's method may end up putting them in the center of the privacy debate, according to Erik Sherman, writing for BNET. "The minute you start analysis on people at specific stores, particularly smaller stores with repeat customers, consumer anonymity begins to fade," Sherman writes. "Set the right specials, and a store owner could begin matching faces, names (especially from credit card purchases) and online identities."
Full Story

PRIVACY LAW—SOUTH KOREA

Gov’t Fines Company Over Location Data (August 3, 2011)

The Korea Communications Commission has fined Apple, Inc. $2,855 for collecting users' location data without authorization, the Chicago Tribune reports. This is the first time, the report states, that punishment has been levied on the company in response to its collection of location information. Meanwhile, approximately 27,800 South Korean iPhone and iPad users are planning to file a class-action lawsuit against the company for its collection practices. A company representative said, "Apple is not tracking the location of your iPhone" and "has never done so and has no plans to ever do so."  
Full Story

PRIVACY LAW—NEW ZEALAND

Law Commission Recommends Breach Notification, Do-Not-Call Register (August 2, 2011)
The Law Commission tabled its final report on its review of the Privacy Act in parliament on Tuesday, The New Zealand Herald reports. In it, the commission recommends the creation of a do-not-call register, more authority for the privacy commissioner and mandatory breach notification provisions. "People have a right to know if their information has been compromised in a serious way," said Law Commissioner John Burrows. Privacy Commissioner Marie Shroff said the commission's suggested reforms "would power up privacy law to meet the challenge of protecting New Zealanders' personal information in the digital age."

GEO PRIVACY

Company Limits WiFi Location Database (August 2, 2011)

CNET News reports that Microsoft has stopped publishing the locations of WiFi connections on its Live.com database. Access to the website has been restricted as of last Saturday, according to the report. The location data was gathered from Windows Phone 7 phones and "managed driving" that records WiFi signals accessed from public roads. A Microsoft representative wrote, "This change improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted," adding, "We will continue to update our service with improvements that benefit the consumer in both positioning accuracy as well as individual privacy."  
Full Story

BIOMETRICS

Study: Facial Recognition Technology Powerful, Intrusive (August 1, 2011)

The Wall Street Journal reports on research conducted at Carnegie Mellon University that successfully identified approximately one-third of participants using the same facial recognition technology recently acquired by Google. Using profile data from Facebook, the study's author could also correctly predict the first five digits of the participants' Social Security numbers nearly 27 percent of the time. One law professor notes that the combination of available, "anonymous" online data and the technology makes re-identifying people possible. The study's author says, "This paper really establishes that re-identification is much easier than experts think it's going to be." (Registration may be required to access this story.) 
Full Story