ANZ Dashboard Digest

Putting its regard for privacy compliance to the fore, the iappANZ Board has this week taken the decision to opt in to the obligations of the new privacy legislation. You will see our new privacy policy, and we welcome any comments as it has been a collaborative effort by some of Australia’s finest privacy minds. We understand that the privacy commissioner will be talking about ways to improve organisations’ privacy policies at the OAIC Privacy Awareness Week Breakfast, so if you are revising yours, it is an event not to be missed. In news this week you will also see that AMSRO has also applied to register a non-mandatory code of practice.

Now that 12 March is over, we are starting to see less of the doomsday reports and more of the innovation which the OAIC encourages. We expect plenty of new ideas in Privacy Awareness Week in May. We are delighted to confirm that the deputy chair of the ACMA will be joining the ALRC and OAIC representatives in our Great Debate on Australia’s direction on serious invasion of privacy in the digital age.

The article by Brenda Aynsley OAM this week, “Sharing the Values to match the technology,” presents a fascinating counterpoint to the call by Tim Berners-Lee and the World Wide Web Consortium in their “Web We Want Campaign.” Aynsley examines the important distinction between “trusted” providers and “trustworthy” providers. Trustworthiness is critical because technology projects continue to have one of the highest rates of failure—failure to deliver on promises, on time, on budget—or all three. Risks such as those presented internationally by Heartbleed or the CDA security breach, which threatens the Personally Controlled Electronic Health Record, mean that the concept of trustworthy will become increasingly significant for privacy professionals that either develop or procure technology. Then, of course, as the story on the use of biometric facial recognition technology in Japan shows, trustworthiness in the party deploying the technology is vital. It will be interesting to hear from Tim Rains on trustworthy computing in Privacy Awareness Week. Hope to meet you there.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

SOCIAL NETWORKING

Facebook Changes Include Expanded Facial Recognition (August 30, 2013)

The Wall Street Journal reports on Facebook’s announcement that it is “updating its privacy policies to clarify how the personal information of its more than one billion users” is collected and used—including at least one change: the expanded “use of facial recognition software to include profile pictures.” Some of the language is being included to comply with the recent $20 million settlement of a lawsuit over Facebook’s "Sponsored Stories" feature. Chief Privacy Officer Erin Egan, who outlined the changes to two legal documents, explained, “we revised our explanation of how things like your name, profile picture and content may be used in connection with ads or commercial content to make it clear that you are granting Facebook permission for this use when you use our services.” (Registration may be required to access this story.)

PRIVACY LAW—AUSTRALIA

OAIC Releases Draft Guidelines (August 29, 2013)

The Office of the Australian Information Commissioner (OAIC) has released the draft Australian Privacy Principle (APP) guidelines for public feedback, Computerworld reports. The guidelines outline how the OAIC will interpret and apply the APPs, which go into effect in March of next year, the report states. Australian Privacy Commissioner Timothy Pilgrim said the new laws require government agencies and private-sector organisations to be more open and transparent on data handling. “This will give people a better understanding of how their information will be handled so that they can make an informed decision about interacting with the entities covered by the Privacy Act,” he said.

BYOD—AUSTRALIA

Energy Company’s BYOD Policy Sparks Concerns (August 29, 2013)

Computerworld reports Energy Australia has had to respond to employee concerns about location privacy after it rolled out its BYOD policy. The company operates with a mix of corporate-owned mobile devices and personal devices, with BYOD accounting for about 30 percent. The company tracks the location of its corporate-owned devices but does not track BYOD devices, it says. However, some are concerned the company will nonetheless keep tabs on them. Energy Australia’s telephony analyst said the best approach to addressing privacy concerns is being “open and honest” and for employees to tighten controls on their phones to avoid mishaps.

EMPLOYEE PRIVACY—AUSTRALIA

Police Union: Officers’ Call Records Improperly Used (August 29, 2013)

Queensland Police Union is calling a potential privacy breach involving senior police “disturbing” and “potentially unlawful,” Courier Mail reports. Investigators at Queensland Police Service (QPS) allegedly accessed officers’ phone records by conducting fake criminal probes in order to determine whether officers were missing on the job or faking sick days. Federal laws limit the use of call charge records (CCRs)—which reveal location, time and duration of calls and texts made. QPS issued a statement that it is “not aware of any instances where CCRs have been unlawfully obtained.”

SURVEILLANCE—NEW ZEALAND

Concerns Abound Over CCTV Network (August 29, 2013)

ONE News reports on concerns that a CCTV network in Auckland will invade privacy. Auckland councilors have agreed to a one-year pilot programme in order to set guidelines for the cameras. But one attorney says surveillance cameras haven’t been proven as effective crime-fighting tools. “There is no great proof from 19 studies that I’ve looked at that CCTV footage leads statistically to a significant drop in crime,” he said. “So the real risk is we are sacrificing our freedom, our anonymity to be able to move around unsurveilled, for the sake of a fiction.” Meanwhile, a live music venue in Christchurch is under fire for posting photos of two alleged vandals to Facebook in order to shame them.

TRAVELLERS’ PRIVACY—AUSTRALIA

ACBPS: Passenger-Matching System Complies with Laws (August 29, 2013)

The Australian Customs and Border Protection Service (ACBPS) says its Big Data passenger-matching system will comply with Australian and European privacy rules, CSO reports. ACBPS worked with IBM Australia to implement the passenger-name record-analysis solution aimed at allowing officials to “accurately zero in on potentially high-risk passengers,” according to IBM. The data sets contain approximately 106 different fields, including passenger names, residences, e-mail addresses and credit card details. Australia is the second country to implement such a system; Canada was the first.

PERSONAL PRIVACY—AUSTRALIA

Transit Data Used for Investigations (August 29, 2013)

The Australian reports on TransLink granting police access to its “Go” card database nearly 10,000 times in the past three years “to help track alleged offenders and potential witnesses to crime.” The cards, which are registered in users’ names, allow police to pinpoint user locations, the report states. “Transport Minister Scott Emerson said the handover of Go card information to police and other agencies had been approved by the privacy commissioner,” the report states.

INTERNATIONAL RELATIONS

The Brussels and Warsaw Privacy Peace Talks (August 29, 2013)

Next month, U.S. Federal Trade Commissioner Julie Brill and Deputy Assistant Secretary of State Danny Sepulveda will travel to Brussels to discuss privacy with EU officials. Later in the month, Poland will host the 35th Conference of Data Protection and Privacy Commissioners, a meeting that will be attended by privacy officials and stakeholders from around the world. In the latest installment of Privacy Perspectives, Hogan Lovells’ Christopher Wolf argues that the “gatherings provide an opportunity to declare a ceasefire in the war of words—a war in which most of the ‘incoming’ has originated on the European side of the Atlantic in the wake of the Snowden NSA revelations, and a war that threatens progress in international cooperation on privacy.”

PRIVACY RESOURCES

The Complex Concept of Accountability (August 28, 2013)

The principle of accountability is found in guidance across the globe, and while it is recognized as an essential element of an effective privacy program, demonstrating it and measuring it can be a challenge. The IAPP Resource Center has compiled research, articles and presentations on the topic. From Hunton & Williams’ “Accountability: A Compendium for Stakeholders” to the Article 29 Working Party’s opinion on the principle of accountability, you’ll find the information you need to clarify what it means and how to demonstrate it.
Close-Up: Accountability

ONLINE PRIVACY

Gov’t Requests for Facebook Data Outlined in Transparency Report (August 28, 2013)

In the first half of 2013, Facebook fielded governments’ requests for data on more than 38,000 Facebook users and complied with about 80 percent of those requests, Reuters reports. That’s according to the social networking giant’s first report on the scale of data inquiries it receives globally. Of those, U.S. law enforcement authorities made the most requests, seeking data on between 20,000 and 21,000 users between January and June, the report states. That’s up from the number of requests they made in the six-month period prior, which was roughly between 18,000 and 19,000. Authorities in India, the UK and Germany also requested data on large numbers of users.

PRIVACY SCHOLARSHIP

IAPP/PLSC Award-Winning Papers Posted (August 28, 2013)

Earlier this month, The Privacy Advisor spoke with the authors of the award-winning papers from the Privacy Law Scholars Conference: Ryan Calo and Daniel Solove and Woodrow Hartzog. Now, both papers have been posted to the Social Science Research Network and you can read the current drafts. Find Solove and Hartzog’s “The FTC and the New Common Law of Privacy” here. Find Calo’s “Digital Market Manipulation” here. Geekwire talks with Calo as well about his paper and its implications for the current Internet marketplace. Editor’s Note: Calo, Solove and Hartzog will present their papers at the IAPP Privacy Academy, in Seattle, Sept. 30-Oct. 2.

ONLINE PRIVACY

Lenders Determining Creditworthiness Via Facebook Friends (August 28, 2013)

CNN reports that a handful of tech startups are using social data to determine the risk of lending to people. That’s because financial lenders have discovered social connections are a good indicator of a person’s creditworthiness, the report states. Lenddo, for example, determines whether an individual is “Facebook friends” with someone who was late in paying back a loan. “It turns out humans are really good at knowing who is trustworthy and reliable in their community,” said the company’s CEO. “What’s new is that we’re now able to measure through massive computing power.”

CLOUD COMPUTING

Managing Risks in the Growing Cloud Environment (August 27, 2013)

As a precursor to his presentation at the IAPP Privacy Academy in Seattle this fall, Chris Zoladz, CIPP/US, CIPP/E, CIPP/IT, CIPP/G, writes in this latest Privacy Perspectives blog post that, “While there are real security and privacy concerns surrounding the cloud, they are by no means insurmountable.” Acknowledging studies that predict the growth of the cloud market to more than $120 billion by 2020, Zoladz offers common characteristics of those companies currently active in the cloud and advocates for “strong encryption with appropriate key management,” adding, “What would be the security and privacy risk if only encrypted data is ever stored in the cloud and only you as the cloud customer have the encryption keys?”

DATA PROTECTION

Password-Cracking Just Got Smarter (August 27, 2013)

Passwords just got a lot easier to crack, Ars Technica reports. That’s because password-cracker “oclHashcat-plus,” a freely available service for offline hashed password cracking, can now decode passwords with as many as 55 characters. The program previously could only crack passcodes with 15 characters or fewer, but Web users have increasingly used longer passcodes and phrases to protect their online data. “This was by far one of the most requested features,” said the program’s lead developer. The development means Hashcat users can now achieve as many as eight billion guesses per second “on a virtually unlimited number of compromised hashes.”

PRIVACY

GE Appoints Chief Privacy Counsel (August 26, 2013)

General Electric has announced the appointment of Peter Lefkowitz, CIPP/US, as chief privacy counsel. Lefkowitz most recently served as vice president of privacy and security legal and chief privacy officer at Oracle. “I’m honored to join the strong global privacy team at General Electric. Privacy is increasingly a business and brand differentiator, and GE is at the forefront of managing privacy compliance and providing thought leadership,” Lefkowitz told the IAPP. He will take his post September 9.

PRIVACY IN POPULAR CULTURE

Privacy Is “More Complicated Than We Realized” (August 23, 2013)

When Shel Israel and Robert Scoble started looking into their second book together, Age of Context: How Mobile, Sensors and Data Will Change Your Life, it was because “we’re enthusiasts of new technology,” said Israel. As Rackspace’s startup liaison officer, Scoble has gained wide renown in tech circles for his Scobleizer blog and Twitter handle. Israel is maybe best known for his writings for Forbes, where he looks at “the ever-evolving tech industry.” So maybe their initial impressions of privacy should not be surprising: “We joked that people ought to get over it,” Israel said with a laugh. “But the more we listened, the more deeply we realized that we don’t really have a choice about what’s coming.” The Privacy Advisor offers you exclusive thoughts from Israel about how privacy will become a business driver, plus a free download of the privacy chapter from the book.

ONLINE PRIVACY

Companies Enhancing Ways To Go Incognito (August 23, 2013)

Companies that offer secure online communication services are increasingly pushing private texting applications over encrypted e-mail, reports The Wall Street Journal. While consumer e-mail programs require authentication credentials—which are then stored in a database—for user login capabilities, the companies say the encryption for smartphone-based services happens on the device, so there is no way to decrypt the messages remotely. Both Apple and Android secure messaging services say they have seen an increase in downloads in the past month. Meanwhile, a new website called justdelete.me collects on one page links that will delete online accounts, including social media, photo-sharing and shopping accounts, simplifying the process of vanishing from the Internet. (Registration may be required to access this story.)

DATA PROTECTION—NEW ZEALAND

GCSB Passes, Key Rebuffs Spying Fears (August 22, 2013)

Parliament narrowly passed the Government Communications Security Bureau (GCSB) bill on Wednesday, which some say expands the agency’s ability to spy on New Zealanders, reports The New Zealand Herald. Prime Minister John Key assured, however, that claims the bill allows “for wholesale collection of metadata without a warrant,” are not true, adding that, under GCSB, metadata will be treated the same as content. Labour leader David Shearer was less optimistic, saying New Zealand has lost an opportunity to be a world leader in “charting a path through these dilemmas…” Key maintains the law "isn't a revolution in the way New Zealand conducts its intelligence operations…It simply makes clear what the GCSB may and may not do."

DATA RETENTION—AUSTRALIA

AG Won’t Yet Weigh In on Mandatory Data Retention (August 22, 2013)

The Office of Australian Attorney-General Mark Dreyfus has decided against making an election commitment for or against mandatory data retention, ZDNet reports. Earlier this year, a parliamentary inquiry looked at a proposal to require Australian telcos to retain metadata for up to two years, a proposal that law enforcement supports but the public has widely rejected. A committee decided government should make the decision whether to implement such a scheme, but a spokesperson for Dreyfus has said “it would not be appropriate to rush our response,” adding that government access to telecommunications data is essential for national security and law enforcement.

DATA LOSS—AUSTRALIA

Customers Use Breach to Their Advantage (August 22, 2013)

Customers with an axe to grind against AAMI are using a data breach in their favor, The Age reports. An AAMI manager sent an e-mail to all people with ongoing disputes against the insurer. The manager had meant to enter the addresses into a “blind carbon copy” field. The 110 recipients started e-mailing each other and are now discussing launching a class-action lawsuit against the company. A company spokesman said, “As soon as we realised our error, we contacted each affected customer to apologise, explain what happened and assure them that no other personal information was revealed.”

DATA PROTECTION—HONG KONG

Opinion: Recent Enforcement Action Indicates Law’s Limitations (August 22, 2013)

In an opinion piece for the South China Morning Post, Kai-Lung Hui says the recent action on behalf of the privacy commissioner’s office against the mobile app Do No Evil highlights the limitations of the Personal Data (Privacy) Ordinance. While the office highlighted the privacy risk of compiling bankruptcy and other records, there are other practices to consider. Hui writes, “Above all, we must fix the role of privacy in our society. The ordinance and its strict interpretation seem more consistent with the human rights perspective. Lawmakers should decide whether that is best for Hong Kong.” (Registration may be required to access this story.)

ONLINE PRIVACY

Can What We Post Online Ever Be Forgotten? (August 22, 2013)

In a blog post for Field Fisher Waterhouse’s Privacy and Information Law Blog, Phil Lee, CIPP/E, CIPM, asks the question that continues to persist in discussions of online privacy: “Can your data, once uploaded publicly onto the web, ever realistically be forgotten?” Lee writes that while much discussion has centered around EU’s proposed “right to be forgotten,” leaving legal arguments aside, the question is “whether it is even possible to purge all copies of an individual’s data from the web.” The answer, he suggests, “is both yes and no: yes, it’s technically possible, and no, it’s very unlikely ever to happen.”

ONLINE PRIVACY

Project Loon Raises Concerns (August 22, 2013)

The Atlantic explores Project Loon, Google’s plan for a “soaring, international balloon armada, beaming Internet to the parts of the world that don't have it.” While the report acknowledges there is potential for humanitarian benefits in “bringing a connection to the farthest reaches of the developing world,” it also cautions, “If Google's claims about the Loon balloons' navigability are true, it is in fact an 'unmanned aircraft,' sometimes more pejoratively referred to as a drone,” with vast possibilities for data collection. And questions of jurisdiction abound, the report states, noting, “With its Project Loon, Google is venturing into not one but two vast open spaces—the law and the sky.”

BIG DATA

Is This Our Biggest Public Policy Challenge? (August 21, 2013)

Difficult questions about balancing national security with privacy have come to light since the NSA surveillance disclosures and its use of Big Data, “Yet the benefits of Big Data…exceed the realm of national security or even government usage and extend to areas such as scientific research, public health and energy conservation by the private sector,” writes Omer Tene in this latest installment of Privacy Perspectives. Tene, who is now the IAPP’s first vice president of research and education where he administers the IAPP Westin Research Center, writes, “Finding the right balance between privacy risks and Big Data rewards may very well be the biggest public policy challenge of our time,” and calls for “momentous choices” between “weighty policy concerns” and “individuals’ rights to privacy” and freedom of speech, among others.

PRIVACY RESOURCES

Drill Down to the Most Valuable Content for You (August 21, 2013)

The improvements to the IAPP Resource Center just keep coming. We’ve added industry verticals to the mix. Are you in higher education and looking for help with FERPA? Check out the education section of the tools page. Confused about GLBA? Look in the finance section. And if you don’t find it by browsing, we’ve improved search, too; you can now specifically search the section that relates to you—just tools, just research or even just research helpful for the healthcare industry, for example. Take a look, and as always, if you can’t find what you’re looking for, let us know, and we’ll do our best to help.
IAPP Resource Center

PRIVACY LAW

From Gmail to HIPAA to Class-Actions, Questions Abound (August 19, 2013)

The privacy news seems to have stirred up more legal questions than answers this past week, as you’ll discover in the Privacy Tracker Global News Roundup. With effective dates coming up for HIPAA in the U.S. and FOIA reforms in the UK, privacy pros are figuring out the new lay of the land. Court cases in the U.S. and France bring up e-mail privacy questions, both in and out of the workplace, and in the UK one court ruling may reveal a need for stronger data destruction policies. Lastly, an article from The New York Times questions the new trend of class-actions leaving plaintiffs empty-handed. (IAPP member login required.)

ONLINE PRIVACY

Our Collective Privacy and One Strange Tale (August 19, 2013)

What happens when individuals decide to publish their entire lives on the Internet? Is it just their privacy they are giving up, or is it also the privacy of their friends, family and others that is violated, too? Last week, a former sportswriter published a website revealing countless personal thoughts, photos and memories and timed it to go public after his death by suicide. But in revealing his personal secrets, others around him were affected as well. This post for Privacy Perspectives explores the implications of our collective privacy and how our choices to disclose personal data can have wide-reaching effects on those around us.

ONLINE PRIVACY—NEW ZEALAND

GPEN Finds Many Websites Do Not Post Policies (August 15, 2013)

Privacy Commissioner Marie Shroff has expressed disappointment in the wake of the Global Privacy Enforcement Network's Internet Privacy Sweep, which found nearly one-third of New Zealand websites “did not set out their organisation's privacy policy,” Stuff.co.nz reports. Shroff also noted that of the 393 New Zealand websites surveyed, those that did display privacy policies focused on meeting their legal obligations “and not on providing information about consumer rights,” the report states. “Websites and apps that collect people's personal information could do much better in telling people that they are doing it, why they are doing it and how securely the information will be held,” Shroff said.

INFORMATION ACCESS—AUSTRALIA

AG Will Not Reveal Telco IDs (August 15, 2013)

ITnews reports the Attorney-General's Department will not reveal identities of the telcos that participated in data retention consultations in 2009. The report states that while the department “left the door open to disclosing the identity of ‘commercial participants’ at the consultation meetings during a Senate Estimates hearing on May 29,” it has now said, “on reflection it is considered that identifying the private-sector organisations that participated would jeopardise industry's willingness to participate in further consultative forums.”

MOBILE PRIVACY—HONG KONG

PCPD: “Do No Evil” App Invades Privacy (August 15, 2013)

South China Morning Post reports Hong Kong Privacy Commissioner for Personal Data (PCPD) Allan Chiang Yam-wang has “found mobile app Do No Evil had supplied sensitive personal data—including names of litigants, partial identity card numbers, addresses, claims amounts and company directors' data—to users without voluntary consent.” The PCPD found the smartphone application, which allows members of the public to access a database of millions of litigation records "seriously invaded" privacy, the report states. "I must make clear that personal data obtained from the public domain is still subject to regulation of the [Personal Data (Privacy)] Ordinance, otherwise consequences will be dire," the PCPD said. The PCPD's actions have received criticism from a corporate governance activist.

SURVEILLANCE—THAILAND

Police Plan Raises Privacy Concerns (August 15, 2013)

Police plan to keep tabs on messaging app users “who discuss issues that pose a potential threat to national security,” Bangkok Post reports, prompting critics to caution that “the plan violates the law and threatens to infringe on people's privacy.” The commander of Thailand’s Technology Crime Suppression Division (TCSD) said the TCSD plan will not violate privacy but will “monitor messages with words that pose threats to national security, such as coup, monarchy, lese majeste, drugs, counterfeit goods and prostitution.” However, the Office of the National Human Rights chairwoman cautions, “This investigation method has a high risk of violating privacy because most chat conversations involve people sharing personal information.”

DATA PROTECTION

IBM Gets Certified Under APEC Privacy Rules (August 15, 2013)

IBM has announced it has achieved certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), the first company to do so, according to a press release. The CBPR system is designed to facilitate data flows between the U.S. and the other APEC member economies, through voluntary, enforceable codes of conduct. IBM Chief Privacy Officer Christina Peters, CIPP/US, said, “CBPR rules will become the foundation of a globally accepted system that enables data to be shared throughout different regions with strong and trustworthy privacy protections.” Hogan Lovells Partner Christopher Wolf told The Daily Dashboard, “APEC CBPRs, containing enforceable commitments for the protection of personal data, are a lot like BCRs (binding corporate rules) that the EU recognizes as sufficient for cross-border transfers. Their adoption and effectiveness suggests that the EU should move its focus from the adequacy of the U.S. legal framework to whether personal data is being adequately protected through mechanisms like the CBPRs.”

ONLINE PRIVACY

Study: Consumer Reaction to NSA Could Hurt Ad Targeting (August 14, 2013)

AdWeek reports on a study revealing that consumer concerns about online privacy have jumped from 48 percent to 57 percent since the National Security Agency surveillance programs were first disclosed in June. The findings, according to the report, could have “huge implications for the targeted advertising” industry because users will likely alter privacy settings and block tracking. The study also noted, if similar trends continue and some browser makers block third-party cookies by default, “the ad industry’s ability to effectively use third-party cookies for marketing purposes will decrease.” The study also found that 31 percent said they now actively take steps to protect their privacy online.

PRIVACY BIZ

Leizerov on Thinking Strategically About Privacy (August 14, 2013)

In a column for SC Magazine, Ernst & Young's Sagi Leizerov, CIPP/US, discusses the importance of thinking strategically about privacy. Governance, technology and regulation, he notes, are “three distinct megatrends forming based on market conditions and the impact they are having on how organizations approach privacy.” Leizerov writes, “Regulators realize that their tools of compliance and enforcement are simply not enough,” adding, “As such, they are becoming more active participants—strategic advisors—in decision-making discussions with organizations and consumers.” Though enforcement actions are “an important tool,” Leizerov says the “focus is shifting more toward collaboration, communication and education.”

DATA LOSS

Responding to a Data Breach (August 14, 2013)

According to the Ponemon Institute’s 2012 Data Breach Notification Study, most consumers that have received a breach notification say the breached organization did not do a good job in communicating and handling the data breach. What’s your plan for breach response? If you need some guidance on responding to a breach, the IAPP Resource Center can help. Check out Close-Up: Responding to a Data Breach for valuable tools, research and articles from experts in the field. (IAPP member login required.)

BIG DATA

Making the Case for Data Assets, Not Privacy (August 12, 2013)

Alex “Sandy” Pentland discussed the importance of Universal People Sensors and the benefits of using Big Data to enhance the public good, effectively making our lives safer, at the IAPP’s Navigate un-conference in June. This Privacy Perspectives blog post delves into Pentland’s discussion and looks at how consumer choice and trust can play an important role in promoting the public good in a Big Data world.

SURVEILLANCE

Satellite Technology a Boon for Business (August 12, 2013)

The New York Times reports on affordable miniature satellites that will soon be orbiting Earth and sending back frequent, low-cost snapshots from space. The data captured from such technology will be valuable, one expert says, perhaps used by insurance companies to take “before” and “after” views of insured property to validate claims, for example. But some may not be so excited about such surveillance, said New York University Prof. Mitchell Stephens, calling the satellite’s pictures “a Godlike view, looking down from the heavens.” (Registration may be required to access this story.)

SURVEILLANCE—NEW ZEALAND

Is NZ a Conduit for U.S. Spy Programmes? (August 8, 2013)

The New Zealand Herald reports on last week’s release by The Guardian of a new leaked U.S. National Security Agency programme called XKeyscore. In one of the slides, it appears that one of the servers in question is located at the Waihopai base in the north of South Island. A computer forensic investigator said, “If that’s the case, then it’s pretty big news because I don’t think that’s been publicly discussed by the government. It means our role in this is greater than we knew.” Meanwhile, the Law Society said that recent changes to the Government Communications Security Bureau (GCSB) bill, which would expand the agency’s ability to spy on New Zealanders, are not enough to “allay its concerns.” Attorney-General Chris Finlayson said the changes “are not revolutionary,” adding, “They do not involve a fundamental change in the construction of the GCSB act or the principles underpinning it.”

PRIVACY LAW—AUSTRALIA

Expert: Laws “Often Poorly Understood” (August 8, 2013)

“Australia’s privacy and data protection laws are hard to explain and often poorly understood,” iappANZ Board Member Peter G. Leonard of Gilbert + Tobin writes for CIO. Ticking down through many “challenges” to comprehending Australia’s laws, Leonard writes, “At a time when privacy and information security is becoming a major area of concern for governments, businesses and consumers, it is unfortunate that Australia has created such a confusing thicket of regulation and quasi regulation.” Meanwhile, Queensland is conducting a review aimed at eliminating “unjustified” compliance burdens and barriers to data sharing in Australia’s “patchwork” of privacy and freedom of information laws.

PRIVACY LAW—NEW ZEALAND

MP’s Bill Would Allow Commissioner Inquiries (August 8, 2013)

Voxy reports that Privacy Commissioner Marie Shroff “would have been able to launch her own inquiry into the breach of a journalist’s privacy under a law being proposed by Labour MP Sue Moroney” without having to await a formal complaint. Moroney contends, “Our current complaints-driven process puts the onus for action on the wrong people. This bill would give the privacy commissioner more scope to address underlying, systemic privacy issues that currently aren’t dealt with until it is too late.”

PRIVACY LAW—INDIA

Proposal Aims To Balance Security, Privacy (August 8, 2013)

The Department of Personnel and Training (DoPT) is proposing “bringing intelligence and law enforcement agencies under the ambit of the Privacy Bill,” Business Standard reports, noting that it “would make these agencies accountable in case of unauthorised phone tapping and its subsequent leakage.” However, the report states, “the person offended has to establish himself of impeccable repute and identify the culprit, before pressing criminal and defamation charges.” One official commented, "Everyone acknowledges the need for lawful interception. So, we have allowed it in the Privacy Bill, subject to greater accountability." The DoPT plans to seek public comment before the bill is introduced in Parliament, the report states.

ONLINE PRIVACY

Twitter Retargeting Service Gets Advocate Approval (August 8, 2013)

The Guardian reports on what Twitter’s new retargeting advertising service may mean for user privacy. Users “won’t see more ads on Twitter, but they may see better ones,” the company told its users. While some privacy advocates have scrutinized the plan, others say Twitter’s approach is admirable given its adherence to “Do Not Track” settings and its easy opt-out. The Electronic Frontier Foundation says other companies should follow Twitter’s lead: “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.”

SURVEILLANCE

NSA Is Casting “Far Wider Net” Than Previously Disclosed (August 8, 2013)

While the NSA has publicly acknowledged collecting and searching the contents of Americans’ digital communications without a warrant, it was previously understood that only conversations between Americans and targeted foreign nationals were collected and searched. Now, reports The New York Times, the documents released by Edward Snowden reveal that any communication that crosses the border and even mentions a piece of information connected to a suspect is being collected and searched. The NSA says this practice is legal under the 2008 FISA law. An anonymous senior intelligence official told The Times the NSA “makes ‘a clone of selected communication links’” to gather the information. NSA officials have publicly denied this practice in the past. The ACLU and other organizations are calling this “precisely the kind of generalized spying that the Fourth Amendment was intended to prohibit.” (Registration may be required to access this story.)

MOBILE PRIVACY

Android 4.3 Keeps WiFi On, Even When It’s “Off” (August 8, 2013)

The latest version of the Android operating system comes with a new feature that some technologists are drawing attention to: Even when a user switches WiFi access off, the device will continue to scan for WiFi networks. This is done, according to a report from ValueWalk, “for providing better location information to apps.” However, there is a way to disable this functionality, which is detailed in the article. WPIX, a television station in New York, notes this default setting is raising privacy concerns.

CYBERSECURITY

Tor Network Breached (August 7, 2013)

The web anonymity service Tor announced that its network had been breached through a vulnerability in the Tor Browser, Naked Security reports, and that malicious JavaScript may have revealed the identities of those using the service. Tor allows web users to mask their browsing habits by sending data through onion routers to mask the original header information—including the user’s IP address. As a result, a hidden server network run by Freedom Hosting was taken offline. Freedom Hosting’s owner and operator Eric Eoin Marques is currently being held without bail and awaits extradition by the FBI for allegedly distributing child pornography online. Based on the timing of the arrest and the insertion of the malicious code, some speculate U.S. investigators introduced the script. “There are lots of rumors and speculation as to what’s happened,” writes the Tor Project on its blog. “We’re reading the same news and threads you are and don’t have any insider information.”

PERSONAL PRIVACY

Will Data Ownership EVER Be a Privacy Solution? (August 6, 2013)

“Why is it that better methods of digital contracting and data ownership have not yet developed to help us protect our privacy online?” asks Adam Thierer in this installment of Privacy Perspectives. Thierer, a senior research fellow at George Mason University’s Mercatus Center, writes, “there probably hasn’t been as much demand for formal contracting because many users don’t mind today’s ‘take-it-or-leave-it’ model of online services” and that formal contracting around privacy “has always been tied up with the same thorny issues of information ownership and enforcement, which have complicated digital copyright policy.” But maybe that’s changing.

CLOUD COMPUTING

Europe and Asia Stand To Gain from U.S. Industry’s Loss (August 6, 2013)

The U.S. cloud computing industry could take a major earnings hit as a result of fallout from the NSA revelations. That’s according to an Information Technology and Innovation Foundation (ITIF) report, which estimates U.S. cloud computing providers could lose $21.5 billion in revenue in the next three years. And that’s its conservative estimate, IT News reports. The worst-case scenario could see losses of up to $35 billion by 2016, with European and Asian markets poised to gain, the report states. “If European cloud customers can’t trust the United States government, then maybe they won’t trust the U.S. cloud providers either,” European Commissioner for Digital Matters Neelie Kroes said recently. Editor’s Note: The preconference workshop The Privacy Pro’s Field Guide to Contracting and Compliance in the Cloud will be part of this year’s Privacy Academy in Bellevue, WA. Also, Jason Weinstein recently proposed steps for U.S. cloud providers to take on the Privacy Perspectives blog.

PRIVACY LAW

Surveillance Issues Loom Large, Safe Harbor Questions and More (August 6, 2013)

In this week’s Privacy Tracker Global News Roundup, you’ll find new challenges to a Utah surveillance law; an interesting turn of events in a case deciding whether government authorities can extract historical location data directly from telecommunications carriers without a search warrant; legislative initiatives related to FISA and the USA PATRIOT Act; questions about the future of Safe Harbor, and information on developments in Italy, France and Australia. (IAPP member login required.)

ONLINE PRIVACY

Making the Case for More Obscurity and Less Anonymity (August 5, 2013)

Speaking at Navigate in June, Prof. Woodrow Hartzog explored the value of and made the case for using online obscurity to help protect a user’s personal privacy. By obscuring our online profiles—by varying degrees depending on intent and context—Hartzog said we can help protect some of our online privacy. But what about those who hide behind masks of online anonymity to spout nefarious words of hate speech? This Privacy Perspectives installment explores the tension between the need for online obscurity and the need to unmask those who prowl the Internet with damaging intent.

BIG DATA—AUSTRALIA

Australia Gunning To Become World Leader in Big Data Analytics (August 5, 2013)

The Australian Government Information Management Office has released its Public Service Big Data Strategy that aims to “position Australia as a world leader in the public sector use of Big Data analytics to deliver service-delivery reform, better public policy and protect citizens’ privacy,” ZDNet reports. The report discusses Big Data’s role in improving the targeting of services and the ability for businesses to offer more tailored services in accordance with individual and community needs, but it also notes privacy concerns that must be addressed before full benefits are realized. Agencies must develop better practices when it comes to cross-agency data sets and data deidentification, for example.

PRIVACY PROFESSION

The Case for a Code (August 2, 2013)

Should privacy professionals have a code of ethics? That was the question first raised on Privacy Perspectives by Alex Fowler, and now continued by K Royal, CIPP/US, CIPP/E. Balancing roles as a nurse and an attorney, Royal discovered a tension allowing for conflict between professional obligations. The same may be true for privacy professionals serving as in-house counsel. “The potential for conflict is reduced when the law speaks clearly to the issue, but becomes muddy when the ‘right thing’ is not statutorily driven,” Royal writes. “Does one’s duty to the company carry more weight than one’s duty to a data subject? Does one have a duty to a data subject if the law is silent?”

PRIVACY LAW—AUSTRALIA

Provision Could Label Data Transfers as Breaches (August 1, 2013)

GovInfoSecurity reports on a provision in Australia’s proposed data breach notification legislation that “could deem the unauthorised transfer of data from Australia to another country a breach.” In an interview, Françoise Gilbert, CIPP/US, notes, “Europe has been the most adamant at trying to curb the exodus of information outside of Europe without the proper measures…Australia is sort of following this trend and becoming much more serious about the cross-border data transfers.” The proposed law also calls for a requirement for organisations to notify stakeholders in the event of a breach.

PRIVACY LAW—AUSTRALIA

McDonald To Lead ALRC Inquiry (August 1, 2013)

University of Sydney Law Prof. Barbara McDonald has been appointed to lead the Australian Law Reform Commission (ALRC) Inquiry Into Serious Invasions of Privacy in the Digital Era, The Drum reports. The ALRC inquiry will review privacy statutes, assess the “rapid growth in capabilities and use of information, surveillance and communication technologies” and examine the “desirability of consistency in laws affecting national and transnational data flows,” the report states. McDonald said, “There is clearly a community desire for legal protection of personal privacy, but any greater protection must coexist with other aspects of our society that we value highly: freedom of speech, freedom of the press in its modern forms, effective and proper governance, national security and the openness of social communication that the digital age has allowed.”

DATA PROTECTION—NEW ZEALAND

Company Launches Breach-Prevention Tool (August 1, 2013)

A Wellington tech company is launching a tool designed to prevent e-mail privacy breaches, The New Zealand Herald reports. The launch responds to calls from the public sector for such a tool, and government agencies including the Financial Markets Authority and Ministry of Primary Industries have already signed on to use it. The tool prompts users to double-check data being sent to unsecured or public e-mail addresses.

SURVEILLANCE—HONG KONG

Heat-Sensitive Monitoring System Sparks Concerns (August 1, 2013)

Stores are using a “state-of-the-art, heat-sensitive, in-store surveillance system” to monitor what consumers purchase and their in-store movements, sparking concerns from privacy advocates, South China Morning Post reports. At least one company selling the technology contends “the system ensured better privacy than standard in-store surveillance cameras because shopper's faces are not identified,” the report states. Privacy advocates have said the new technology violates consumers’ privacy rights because it collects data without informing customers or providing an opt-out.

BIG DATA

Not All Data Collectors Are Created Equal (August 1, 2013)

Speakers at a recent Sydney conference pointed to the proliferation of “quantified-self” devices such as wearable computers in their discussion of the potential economic and privacy implications in the transmission of significant amounts of personal information. “Using this stuff, we become Big Data,” said speaker Kevin Kelly, co-founder of Wired. “Those with powerful computers are capable of making the most money off others’ information,” said another expert, creating income inequality in developed economies. “If you create a world where everybody’s sharing information openly, it is not the case that everybody benefits equally from that.”

PRIVACY SCHOLARSHIP

Deception Is at the Heart of PLSC-Winning Papers (August 1, 2013)

At each year’s Privacy Law Scholars Conference, scholars workshop papers that bring together the academic privacy community with those working in industry, advocacy, law and government. The IAPP awards the two papers that receive the most votes from attendees with a cash prize and a speaking slot at the IAPP Privacy Academy, to be held this year in Seattle, Sept. 30 through Oct. 2. In an exclusive for The Privacy Advisor, we interview the winners and discuss their inspiration for the papers and the conclusions they’ve drawn about deceptive privacy practices and what the FTC might start doing about them.

ONLINE PRIVACY

Companies Shifting To Meet Consumer Expectations (August 1, 2013)

Forbes reports on products that are changing based on consumer expectations of privacy. Pinterest is now offering users a Do-Not-Track option. Google Now is a digital assistant capable of alerting users if a flight is delayed or a particular route is backed up with traffic, but Google reserves the service’s full functionality for those users who don’t mind their locations being tracked, the report states. And Facebook’s latest ad offerings target users based only on age and gender rather than more granular data.