ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

DATA RETENTION—AUSTRALIA

Petition Against Data Retention Plan Fails (February 28, 2013)

The Australian government’s proposed two-year data retention law has been met by major public opposition, reports COMPUTERWORLD Australia, noting, “of about 5,500 submissions received in the inquiry by the joint committee, 98.9 percent opposed the law.” However, a Pirate Party petition submitted by Greens Sen. Scott Ludlam against the proposed law failed to pass the Senate by a 9-33 vote. “I hope our new attorney general pays very close attention to the tenor of the submissions to the national security inquiry,” Ludlam stated.
Full Story

PRIVACY LAW—AUSTRALIA

Speculation Over Proposed Media Changes (February 28, 2013)

A recent cabinet meeting has increased speculation that a decision is close on proposed changes to media laws, The Daily Telegraph reports. The package of media reforms includes a “code of ethics for journalists, a tort of privacy and increased Australian content rules for FTA networks,” reports Financial Review. Concerns remain that the independent Finkelstein inquiry and its recommendations—including exemptions for some journalists to parts of the Privacy Actare now being “watered down,” the report states. Prime Minister Julia Gillard denied that a decision was imminent, adding, “When we’ve got something to say about it, we will.”
Full Story

DATA THEFT—AUSTRALIA

Pilgrim Will Not Investigate ABC Hack (February 28, 2013)

The Australian reports that Privacy Commissioner Timothy Pilgrim will not investigate the hacking of ABC’s website. The incident may have exposed the personal details of nearly 50,000 Internet users, including passwords, user names, e-mail addresses, locations and post codes, the report states. “If people are concerned that their information may have been compromised, they should first contact the ABC,” Pilgrim said, adding, “If they are not satisfied with the response, they can lodge a complaint with our office.” (Registration may be required to access this story.)
Full Story

INFORMATION ACCESS—HONG KONG

Markets May Be Moving Toward Less Transparency (February 28, 2013)

The Economist reports on the government’s proposal to no longer require company directors to disclose their full Hong Kong identity card (HKID) numbers or home addresses to a public directory. The proposal “has led to a row over the trade-off between directors’ privacy and the public good,” the report states. A coalition is arguing that the government not tamper with HKIDs since many local names are similar and the HKIDs serve as the “only practical unique identifier available.” The Hong Kong Small and Medium Enterprises Association’s Danny Lau said “only tycoons” would benefit from the change, while small businesses benefit from accurate HKIDs because more information “means more trust.”
Full Story

ONLINE PRIVACY

Tech Firms Discuss DNT, Data Currency (February 28, 2013)

A panel of privacy experts from some of the Internet’s top technology companies—including Microsoft, Mozilla, Facebook and Google—discussed Do Not Track, mobile privacy and third-party data transfers, NETWORKWORLD reports. According to SC Magazine, Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, said, “It hasn’t yet been defined on a broad level what a service should do when they receive a Do-Not-Track signal,” adding, “It’s going to be confusing for people if there’s not a common understanding of what Do-Not-Track means.” Meanwhile, author Cory Doctorow questions whether personal information sharing for free services overlooks the value of an individual’s personal data.
Full Story

BIG DATA

Facebook To Partner With Data Brokers (February 26, 2013)
NBC News reports that Facebook is planning to announce partnerships with three data marketing firms to deliver online targeted ads gleaned from offline information. Acxiom, Epsilon and Datalogix will all partner with the social networking company and allegedly upload customer lists to Facebook, which will then find matches among its users to create “custom audiences,” the report states. Facebook will not know the identity of the customers because the data will be hashed. The combination of the online and offline databases has raised privacy concerns. “There needs to be limits on Facebook’s growing use of outside data broker information,” Jeffrey Chester of the Center for Digital Democracy. Meanwhile, a security specialist was able to access any Facebook account through an authentication flaw. The company says it has since fixed the problem. Editor’s Note: The breakout session Big Data, Not Big Brother: Best Practices for Data Analytics will be part of next week’s IAPP Global Privacy Summit in Washington, DC.

ONLINE PRIVACY

Web Tracking Tags Raise Concerns; Ad Industry Reacts to Browser Changes (February 26, 2013)

Financial Times reports on the rise of website tracking tags and corresponding security and privacy concerns. According to an Evidon report that surveyed 7.5 million Internet users, 55 percent of tracking devices used by major websites were placed by third parties rather than the first-party publisher. One Evidon representative said, “If you’re unaware of the companies injecting scripts into your page, it makes it hard to keep your users safe.” Meanwhile, AdvertisingAge reports on the ad industry’s reaction to news that Mozilla will block third-party tracking by default in its latest version of Firefox. Mozilla’s Alex Fowler said “strong user support for more control is driving our decision to move forward with this patch.” An industry representative said “the unintended consequences may outweigh the benefit that’s achieved.” (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Lobbyists Want Data on Skype Disclosures (February 25, 2013)

A coalition of digital rights groups and individuals are calling on Microsoft to release regular transparency reports on data collected from Skype users, including whether it’s been shared with third parties such as advertisers and law enforcement agencies. Microsoft purchased Skype in 2011, The New York Times reports. “We need to know how Microsoft and Skype cooperate with law enforcement and others around the world,” said Prof. Paul Bernal, a lawyer who is one of the 61 individuals to sign the open letter to Microsoft. “People living under authoritarian regimes need to know what kinds of personal risks they are taking when using Skype.” The coalition also wants to know whether Skype’s headquarters have changed from the EU since it was purchased by a U.S.-based company. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—AUSTRALIA

AFP Pushes for Indefinite Data Retention (February 21, 2013)

Data retention and increased data-based communications continue to concern government officials charged with reforming National Security Legislation. Australian Federal Police (AFP) has indicated support for indefinite data retention. AFP National Manager for Hi-Tech Crime Operations Neil Gaughan said, “increased use of Internet-based communication…was stymieing police due to a lack of data needed for crime investigations." Simon Breheny writes for Freedom Watch that officials are overlooking an important privacy distinction between phone billing and data usage and that proposed data retention regimes require excessive collection and violate privacy. “The renewed push by the AFP shows how wary we should be when law enforcement agencies collude with government," he said.
Full Story

SURVEILLANCE—INDONESIA

Wiretapping Raises Privacy Concerns (February 21, 2013)

Though the Indonesian Constitution specifically guarantees its citizens’ privacy rights, the rules governing wiretapping by law enforcement remain vague and incomplete, reports The Jakarta Post. In 2008, the Constitutional Court stated the need for a distinct law addressing wiretapping, but no such reform has been made. Since various agencies utilise wiretapping and do not clear it through one central body, practices and standards vary widely, the report states.
Full Story

SURVEILLANCE—AUSTRALIA

Opinion: Camera Drones Have Massive Implications (February 21, 2013)

In a column for The Sydney Morning Herald, Martin McKenzie-Murray writes that drone technology has become less expensive and more widely available, raising serious privacy concerns. While camera drones have positive applications, they can also be used for nefarious purposes, McKenzie-Murray opines, an even-handed analysis will be necessary. “Regulators will have to find the sensible ground between fears of Orwellian misuse and technological evangelism—one outlook is likely to retard the natural growth and discovery of positive applications, and the other may overlook the social costs.”
Full Story

PRIVACY LAW—CHINA

Housing Privacy Regulations Questioned (February 21, 2013)

Several Chinese cities have imposed greater restrictions on housing registration inquiries, the South China Morning Post reports. In one region, house ownership information is no longer available without the subject’s approval, and in another, local authority employees who make property ownership information public may face criminal charges, the report states. Local authorities claim the measures are designed to protect privacy, but some citizens say they are designed to protect corrupt officials. In recent months, both a county-level official and a deputy bank chief have been found to have purchased multiple homes using fraudulent money and identities, the report states.
Full Story

PERSONAL PRIVACY—CHINA

PCPD Says Identity Card Numbers Are Private (February 21, 2013)

Government transparency advocate David Webb recently published online a list of Hong Kong residents, including both their names and identity numbers gleaned from public information, South China Morning Post reports. The Office of the Privacy Commissioner for Personal Data (PCPD) warned Webb was in violation of Hong Kong’s data privacy law, and the list was removed. Columnist Tom Holland opines that identity card numbers are so public and widely available that no company should use them for customer authentication, nor should they be considered highly personal and sensitive data by the PCPD.
Full Story

BEHAVIORAL TARGETING

TV-Monitoring Patent Prompts Privacy Concerns (February 20, 2013)

A patent application for infrared cameras and microphones proposes using a “detection zone” that would allow a television system to cue an advertisement based on a viewers’ actions prompted privacy concerns. In this exclusive for The Privacy Advisor, Mathew Schwartz looks at the application, which was rejected in November, and considers managing consumer privacy expectations and the “creepiness factor” when it comes to consumer behavior-based advertising.
Full Story

PRIVACY

Information Privacy Trailblazer Alan Westin Passes Away (February 19, 2013)
Alan Westin, a groundbreaking scholar of information privacy who helped influence a generation of privacy study and the privacy profession itself, passed away Monday at the age of 83. “Today, literally tens of thousands of statutes, court decisions, regulations and company best practice standards, throughout the globe, are based upon” principles set forth by Westin, said friend and Arnall Golden Gregory Privacy Partner Bob Belair. The Privacy Advisor explores Westin’s legacy in this exclusive feature, including commentary from privacy notables. As Indiana University Prof. Fred Cate told The Privacy Advisor, “Alan's passing is especially hard to come to grips with because he was such a larger-than-life figure who not only helped to create and define the modern field of privacy law but welcomed, included and mentored so many of us who followed in his giant footsteps. I wouldn't be in privacy law if it weren't for Alan, and I suspect that is true--directly or indirectly--for many IAPP members.”

SOCIAL NETWORKING

Features Spark Privacy Worries (February 19, 2013)

While IDG News Service reports on Facebook’s efforts “to assure users that Graph Search, its new search engine…does not compromise the privacy rights of minors,” The Guardian reports on privacy concerns prompted by the social network’s new promote-post feature. “Facebook announced the launch of a new feature on Friday that allows users to pay to promote their friends' posts,” the report states, noting that while the feature is governed by the site’s privacy settings, it “has already sparked privacy concerns” because users do not have to give permission to have their posts promoted by their friends.
Full Story

ONLINE PRIVACY

File-Sharing Service Calls Itself “The Privacy Company” (February 19, 2013)

The Telegraph reports on Megaupload founder Kim Dotcom’s goal of making his new file-sharing service, Mega, “a standard-bearer for online privacy.” Mega was unveiled during a recent event in New Zealand. “The decryption keys for uploaded files are held by the users, not Mega, which means the company cannot see what is in the files being shared,” the report states, noting Dotcom has indicated the site will “be expanded to include secure e-mail, mobile services as well as chat, voice and video-messaging.”
Full Story

MOBILE PRIVACY

Developer Raises App Store Privacy Policy Concerns (February 15, 2013)

An Australian-based app developer has raised concerns that Google’s app store policies allow for the sharing of users’ personal information—including e-mails, names and addresses—without consent, Reuters reports. Electronic Privacy Information Center Executive Director Marc Rotenberg said the company buries the notice explaining how it shares users’ personal data and does not clearly obtain express consent. “In a situation like this,” he said, “where people just don’t know what information is being transferred or who it’s going to or for what purpose, it seems ridiculous to say that Google has consent.” Google has said, “Google Wallet shares the information needed to process transactions, and this is clearly stated in the Google Wallet Privacy Notice.”
Full Story

BIOMETRICS—AUSTRALIA

Facial Recognition Database Brings Concerns (February 14, 2013)

The Australian Federal Police (AFP) has captured the images of about 15,000 people in the first year of its facial recognition database, causing some to voice concerns, reports The Sydney Morning Herald. AFP representatives say facial recognition may someday be as credible as fingerprinting and investigators have had positive outcomes when using it, but Garner Clancey, the deputy director of the Sydney Institute of Criminology, warns against the practice, noting, “If police started to stop large numbers of Australians in the street to say 'who are you, we want to make sure you are who you say you are', there would be outrage. This does precisely that, without them knowing.”
Full Story

CLOUD COMPUTING—NEW ZEALAND

Commissioner Releases Guidance (February 14, 2013)

Federal Privacy Commissioner Marie Shroff has released guidance for businesses considering switching to the cloud, reports Stuff.co.nz. The guidance includes a checklist of potential questions small- and medium-sized businesses can use to determine whether cloud computing is right for them. “The reality is you’re still responsible for what happens to your customers’ information in the cloud,” said Shroff. The guidance is freely available on the commission’s website.
Full Story

DATA LOSS—NEW ZEALAND

Breaches Continue at ACC (February 14, 2013)

Paula Rebstock, chairwoman of Accident Compensation Corporation, says that the organisation experienced an average of 75 privacy breaches per month in the most recent quarter, calling that number “unacceptably high,” reports The New Zealand Herald. "We have invested a very considerable amount of money, time and effort, our very best people to do these checks, but they're still missing some of the things," said Rebstock. While Rebstock expressed impatience with the organisation’s progress, she noted it was on track to meet targets set after an independent privacy review.
Full Story

PRIVACY LAW—AUSTRALIA

Opinion: New Laws Will Hit Traditional Marketing (February 14, 2013)

In a column for The Australian, Jason Hill writes that newly released privacy laws “will have ramifications across the marketing industry.” Industry is busy interpreting and clarifying the new laws to help marketers with compliance questions. According to Hill, “the introduction of these new privacy laws will have a far more dramatic impact. Just as companies are compelled by the Spam Act to give customers the option of opting out of commercial emails, the requirement could be extended to all targeted customer communications.” (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY

Developer Releases Privacy Locker App (February 14, 2013)

A Thai developer has released an app that allows users to import photos and videos from their cameras into a secured folder, CNET Asia reports. The Private Locker for Photo & Video is designed to be unnoticeable unless a user actively seeks it out, the report states. If an individual enters an incorrect password on a smartphone, its front-facing camera takes a picture of the user, and any secured data is deleted after five failed attempts to access the locker. Editor’s Note: The breakout session The Mobile Majority: Building Privacy by Design into Mobile Apps will be part of this year’s IAPP Global Privacy Summit in Washington, DC.
Full Story

DATA RETENTION—AUSTRALIA

Report Indicates Early Tensions Over Proposal (February 14, 2013)

As the Australian government considers a data retention proposal that would see Internet service providers (ISPs) storing customer data for up to two years, ZDNet reports on early discussions indicating concerns. The Attorney General’s Office began meeting with telecommunications companies in 2010 based on a government consultation paper, publicly released this week, explaining the proposal, which would allow law enforcement to access the data for investigations. Minutes from one such meeting indicate tense moments regarding the kind of data retention model ISPs would agree to adopt.
Full Story

DATA LOSS

Report: Hacking Caused Majority of Breaches (February 12, 2013)

CSO reports a new survey by Open Security Foundation has found hacking was the most common source of data breaches in 2012. There were 2,644 known data breaches last year, slightly more than double the number of breaches reported in 2011, the report states. Hacking was the reason for 68.2 percent of breaches. Meanwhile, a nonprofit organization in Maine inadvertently posted to its website a database containing details on a portion of its membership. The details included each member's donation amount, address, telephone number, birthday and emergency contact information.
Full Story

ONLINE PRIVACY

Glitch Overrides User Privacy Settings (February 12, 2013)

A privacy bug reversed some Flickr users’ privacy settings to become ineffective, causing their private images to become public, Digital Trends reports. In response, Flickr set all public photos to private and e-mailed affected members of the glitch. The exposed photos were not indexed by search engines, however.
Full Story

SOCIAL NETWORKING

Self-Destructing App Grows; Software Mines Social Media (February 11, 2013)

The New York Times reports on the growing popularity of Snapchat, a service that allows users to send messages that self-destruct seconds after they’re viewed. According to the report, “Snapchat is being embraced as an antidote to a world where nearly every feeling, celebration and life moment is captured to be shared, logged, liked, commented on, stored, searched and sold.” Meanwhile, The Guardian reports on Riot—software capable of tracking individuals’ movements and predicting their behaviors by mining social media data. EPIC Attorney Ginger McCall said, “Users may be posting information that they believe will be viewed only by their friends, but instead, it is being viewed by government officials or pulled in by data collection services like the Riot search.” (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY

“Godfather of Encryption” Introduces Smartphone Service (February 8, 2013)
The New York Times reports on the release of a new technology that provides encryption for smartphone users. Phil Zimmermann, “widely considered the godfather of encryption software,” has introduced Silent Circle, which allows users to make encrypted phone calls, send encrypted texts and conduct videoconferencing. Zimmermann’s company has planted its servers in Canada, known to have stronger privacy laws than the U.S. or the EU, the report states. The company has said it will not cooperate with law enforcement requests for data. (Registration may be required to access this story.)

IDENTITY THEFT—AUSTRALIA

Tax Workers’ IDs Stolen To Access ATO Data (February 8, 2013)

Criminals have stolen the identities of four tax agents at the Australian Taxation Office (ATO) in order to create “AUSkeys—digital security tokens that allow tax agents to interact with the ATO securely,” reports The Australian. The ATO says using the digital keys, the criminals would be able to access the accounts of the tax agents whose identities were stolen—disputing earlier reports stating they could gain more widespread access. A warning has been issued to tax agents to ensure their accounts haven’t been compromised. An ATO spokesman said it isn’t clear whether other agents have been affected. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—AUSTRALIA

Incoming Attorney General Expresses Concern (February 7, 2013)

Australia’s new attorney general, Mark Dreyfus, says he has not yet made a decision about the government’s controversial proposal to store web users’ online histories for a period of up to two years. The data retention plan is unpopular with users and ISPs alike, and The Australian reports that Dreyfus has expressed concern about the potential violation of people’s privacy. Meanwhile, iTnews states that the proposal has stalled at the committee level and is unlikely to be taken up in this legislative session.
Full Story

SOCIAL NETWORKING—AUSTRALIA

Study: Sites “Eroding” Workplace Privacy (February 7, 2013)

A new study of 4,000 social media users in 10 countries has been published by AVG Technologies, The Australian reports. The survey’s findings reveal that the posting of embarrassing photos on social media sites is contributing to a breakdown of workplace privacy. “This study highlights the need for a combination of greater education around social media, alongside increased attention and care by both employees and employers to their social media etiquette at work,” the study states. (Registration may be required to access this story.)
Full Story

BIOMETRICS—INDIA

States To Share Criminal Fingerprint Data (February 7, 2013)

India.com reports that law enforcement across the nation will soon share data—including fingerprints—on criminals. States are reportedly working on an automated fingerprint identification system, and representatives at a conference on fingerprinting have issued 10 recommendations for setting up a framework to share such data.
Full Story

ONLINE PRIVACY

Firm Using Privacy As Competitive Advantage (February 7, 2013)

The competitive battlefield over privacy is heating up as Microsoft unveils a new print, television and online advertising campaign against Google’s privacy practices, The New York Times reports. The advertisements will reportedly reveal research showing consumers are unaware of e-mail monitoring practices for personalized advertising and their disapproval once they find out. A Microsoft representative said, “There’s a lot of fear out there. We can bring these issues to light without fear.” Google said in a statement, “We work hard to make sure that ads are safe, unobtrusive and relevant,” adding, “No humans read your e-mail…in order to show you advertisements or related information.” (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facebook To Join Ranks, Employ AdChoices Icon (February 6, 2013)
Following pressure from ad agencies and advertisers, Facebook has agreed to start displaying the “AdChoices” icon on its FBX display ads. The symbol will appear only when users move their mouse over an “x” displayed over the ads, however. The move will likely appease advertisers who choose not to invest in behavioral targeting campaigns without the icon, Ad Age reports, but whether the move satisfies the Digital Advertising Alliance is yet to be seen. Genie Barton of the Online Interest-Based Advertising Accountability Program, who worked with Facebook to come to the icon agreement, says if a business feels this solution isn’t sufficient, “they only have to let me know.”

PRIVACY LAW—SINGAPORE

Commission Seeks Feedback on Privacy Act (February 6, 2013)

The Personal Data Protection Commission (PDPC) is seeking public consultation on the Personal Data Protection Act 2012, Channel News Asia reports. Over the next six weeks, the PDPC is looking for feedback on the regulatory aspects of the law, including age definition for minors, what constitutes personal data and means by which organizations can notify consumers of data collection, the report states. PDPC Chairman Leong Keng Thai said that in order for the act to be implemented, “we will need the next level of details so that companies and organizations know exactly what to do to prepare for compliance.” The deadline for comment is set for March 19.
Full Story

MOBILE PRIVACY

App Vetting Service Alerts Users of Privacy Issues (February 6, 2013)

BlackBerry has rolled out a new privacy notification service to warn app developers and users when an app may collect more data than it states, USA Today reports. Any apps approved for distribution in the BlackBerry World online store are vetted for privacy and security issues. The company’s privacy notices “are for applications that do not appear to have malicious objectives or aim to mislead customers but rather don't clearly or adequately inform users about how the app is accessing and possibly managing customers' data,” the BlackBerry website states. Lockheed Martin Director of Cybersecurity Steve Adegbite said the new service “gives power back to the user to protect important information.” A BlackBerry representative said, “We believe this is the way forward for the entire mobile ecosystem.”
Full Story

PRIVACY LAW—MALAYSIA

Law’s Implementation Lags (February 5, 2013)

Malaysia’s Personal Data Protection Act 2010 was slated to be in effect January 1, but the law has not come into force, ZDNet reports. An official notification in the Government Gazette is required before the act can become formalized, the report states, and many companies are not prepared for its implementation. Some Malaysians have expressed doubt in the law’s efficacy. “Enacting an act is simple, but placing it into the actual corporate world and making sure that it’s followed is another story altogether,” said IT systems engineer Ranjeeta Kaur. The bill, first drafted in 2001, forbids disclosing or processing personal data without consent, selling data and unlawful collection of data.
Full Story

DATA THEFT

Hackers Compromise 250,000 Twitter Accounts (February 4, 2013)

Twitter has said nearly 250,000 user accounts may have been breached in what it called a “sophisticated attack,” The New York Times reports. In a blog post, the company said it detected out-of-the-ordinary access patterns and that user data—including user names, e-mail addresses and encrypted passwords—may have been compromised. Twitter Director of Information Security Bob Lord said, “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.” Both the Times and The Wall Street Journal announced last week that hackers infiltrated their internal networks. (Registration may be required to access this story.)
Full Story