ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

PRIVACY RESOURCES

To BYOD or Not To BYOD (October 31, 2013)

Bring Your Own Device (BYOD) programs allow employees to use their own devices to stay connected to, access data from or complete tasks for their organizations. While BYOD programs reportedly result in increased employee productivity and job satisfaction, they also bring privacy and security challenges. View research, sample policies and guidance in this IAPP Resource Center Close-Up to help you determine whether BYOD works for your organization—and, if it does, how to keep your data safe in the process.

ONLINE PRIVACY

E-mail Encryptors Form Dark Mail Alliance (October 31, 2013)

Online encryption organizations Silent Circle and Lavabit have announced the formation of the Dark Mail Alliance, an open-sourced tool with end-to-end encryption, Forbes reports. The group aims to improve e-mail privacy by preventing e-mails from being shared with third parties, scanned for ads or easily hacked. Both businesses earlier this year shut down their respective encrypted e-mail services rather than share users’ data with the U.S. government. Silent Circle CEO Mike Janke said, “We’re the rebels who have decided privacy is too important to compromise on,” adding, “We believe e-mail is fundamentally broken in its current architecture … This is an opportunity to create a new e-mail service where the keys are created on the device and only the user can decrypt it.”

BEHAVIOURAL TARGETING—AUSTRALIA

ADMA Launches Data Pass Accreditation (October 30, 2013)

The Association for Data-driven Marketing and Advertising (ADMA) has launched a new program, ADMA Data Pass, “to promote responsible data practices across the Australian marketing community,” CMO reports. The ADMA Data Pass accreditation program “focuses on privacy and security issues around collecting, analysing and using data in marketing and advertising activity” and comes in the wake of privacy law reforms, the report states. “Through discussions with our board and the wider marketing and advertising community, we identified a need for member companies to proactively educate their staff in responsible data management capabilities,” said ADMA CEO Jodie Sangster.

BIG DATA—AUSTRALIA

Expert: Orgs Need To Consider Privacy Expectations (October 30, 2013)

The Australian reports on recommendations from DLA Piper’s Alec Christie that companies need to consider consumer privacy expectations and incorporate them into their processes and policies. Christie explained that organisations using Big Data can risk loss of reputation and fines if they breach Australia’s privacy laws, noting they should consider what other purposes they might use consumer data for and whether they need consent. “You are looking at a difference between collecting information for core business purposes and then personal information for a more commercial analysis prediction and totally different uses than what you first collected it for,” he said. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—AUSTRALIA

PCEHR and Privacy Issues (October 30, 2013)

In a report for Mondaq, Alison Choy Flannigan explores the legal and privacy issues around Personally Controlled Electronic Health Records (PCEHR). “To date, the uptake has been slow,” she writes, highlighting, among other things, the privacy issues related to the program. Privacy issues include obtaining adequate privacy consent as well as being sure “only information which is required to provide treatment for the patient is collected,” Flannigan writes, noting other issues include data security, identity verification issues for patients and participating healthcare providers and “education and training of participating health professionals.”

EMPLOYEE PRIVACY—AUSTRALIA

Union: Company Not Protecting Workers (October 30, 2013)

ABC reports the Communications, Electrical and Plumbing Union, which represents Tasmania’s Aurora Energy workers, is accusing the company of not protecting the privacy of employees who drive vehicles equipped with tracking devices. “That information now is out there for the general public to have a look at,” said the union’s Todd Lambert. “They can just download this app; they can punch in the password, which is very readily available across Aurora because so many people have it, and they can view people coming and going.” A company spokesman indicated Aurora “has no intention of interfering with employee privacy,” the report states.

PRIVACY EDUCATION—AUSTRALIA

Opinion: We Have A Long Way To Go (October 30, 2013)

Mathaba suggests that despite international reports on privacy violations, Australians “are still all too willing to surrender vitally important data including their passport details, via online websites all in the name of convenience.” The report references the service 1Form, noting its privacy policy indicates it will share this type of data with third parties and cites Sen. Nick Xenophon’s call for a summit on "the end of privacy," noting, “With almost everyone using sites such as Facebook and LinkedIn to share vital and personal data without reading the policies they agreed to upon signup … it appears we have a long way to go in educating the public of the dangers.”

DATA PROTECTION—SOUTH KOREA

Gov’t To Issue Privacy Protection Certifications (October 30, 2013)

The Ministry of Security and Public Administration has announced the government will issue certifications to companies “that effectively comply with regulations to enhance personal privacy information,” The Korea Times reports. The National Information Society Agency (NISA) will begin accepting applications at the end of November, and will then assess whether “applicants effectively fulfill their duties stipulated under the Privacy Protection Law.” NISA will assess such factors as privacy protection policies and what businesses and organisations do to prevent leaks of private information. “Companies can gain trust from their customers with the certification program, and customers can find reliable entities more easily,” a ministry official said.

GEO PRIVACY

Location Tracking: Coming to a Government, Employer and Retailer Near You (October 29, 2013)

Location tracking has become a hot button issue with implications for government surveillance, employee monitoring and consumer tracking online and in-store. Hundreds of millions of users carry smartphones with them every step of the day, and as these devices send and receive electronic signals, they silently map their users’ movements. More and more organizations are seeking to utilize this data, and while the industry for location-tracking analytics is becoming more sophisticated, so too is the range of interested parties—including regulators. IAPP Westin Research Fellow Kelsey Finch examines the issue in this in-depth exclusive for The Privacy Advisor. (Editor’s Note: The IAPP is hosting a web conference on this topic Oct. 31 at 1 p.m. EDT.)

ONLINE PRIVACY

Website, Researcher Rate Sites on Practices (October 29, 2013)

Forbes reports on a fledgling site using crowdsourcing to rate the privacy policies of hundreds of websites. Called “Terms of Service; Didn’t Read,” the site’s tagline states, “‘I have read and agree to the terms’ is the biggest lie on the web.” Sites with the best practices are assigned to “Class A,” while the worst are put in “Class E.” Individual aspects of policies are given a “thumbs up” or a “thumbs down.” Meanwhile, researcher Rebecca MacKinnon’s “Ranking Digital Rights” project—which ranks companies on how well they respect users’ privacy rights—has been thrust into overdrive since the NSA revelations.

ONLINE PRIVACY

The Economics and Future of Cookies (October 29, 2013)

As the IAPP reported in The Privacy Advisor last week, cookies may be reaching the end of the road—but not with a whimper. The Wall Street Journal reports Google, Facebook and Microsoft are designing their own online tracking systems “in ways that bypass the more than a thousand software companies that place cookies on websites,” which could mean a radical shift in the balance of power in the $120 billion digital ad industry. Evidon CEO Scott Meyer said, “There is a Battle Royal brewing … Whoever controls access to all that data can charge rent for it—and has a tremendous advantage going forward.” (Registration may be required to access this story.)

GEO PRIVACY

Mozilla Developing Public Data Service (October 29, 2013)

PCWorld reports Mozilla is working on a public geolocation data service using cell tower and WiFi signals to give developers “a more privacy-aware option than current alternatives.” "The data would be provided by cell towers, WiFi and IP addresses," the report states, and could be made available to the public. It’s a service already experimentally operating in the U.S., Brazil, Russia, Australia and Indonesia.

PRIVACY LAW

EU, Ecuador and the FTC in This Week’s Tracker Roundup (October 28, 2013)

While much of the news was focused on the EU Data Protection Regulation over the past week, a few other things of note happened in the legal realm as well. For example, the EU Parliament adopted a resolution to suspend SWIFT based on allegations that the U.S. NSA had access to EU citizens’ bank data; the FTC reached a settlement with Aaron’s, Inc., over the company’s consumer spying regime, and in Ecuador, there are concerns that a new penal code could violate citizens’ online privacy. These are just a few of the stories—in addition to information on the LIBE vote and the future of Safe Harbor and the EU regulation—in this week’s Privacy Tracker legislative roundup.

PRIVACY COMMUNITY

Strickland New CPO at JP Morgan Chase (October 28, 2013)

Last week was the first for Zoe Strickland, CIPP/US, CIPP/G, CIPP/IT, as managing director, SVP and CPO at JP Morgan Chase. She has left her post as VP and CPO at UnitedHealth Group to take on the new role in the financial services industry. In this exclusive for The Privacy Advisor, we talk with her about new challenges, how the two jobs overlap and why CPOs “can be an asset to the firm outside the company walls.”

PRIVACY BUSINESS

Entrepreneurs, Businesses Focused on Privacy (October 28, 2013)

Internet companies and entrepreneurs are making headlines with their privacy-focused business ventures. The Washington Post reports on ManageURiD, formed last year to “dynamically and automatically determine how much of your sensitive personal information is available on the Internet and who is selling it” as well as manage its removal, monitor its reappearance and provide “a Personal Privacy Dashboard so you can see the current status, history and details … at any time.” Ars Technica describes how Private Internet Access, a small U.S.-based VPN, is “trying to stand up for privacy”—in part by not logging anything. Meanwhile, Mozilla’s new Lightbeam add-on for Firefox shows users “what companies are behind each cookie stored in their browsers and what information those companies are gathering.” (Registration may be required to access this story.)

SURVEILLANCE

Spying Fallout Continues; Countries Draft UN Resolution (October 28, 2013)

Internal documents from UK intelligence agency GCHQ indicate fears of a “damaging public debate” on the scale of its activities, The Guardian reports. GCHQ feared such a debate could lead to legal challenges against mass-surveillance programs, the report states. In the U.S., former Secretary of State Hillary Clinton called for a “full, comprehensive discussion” on the balance between privacy and security; experts debated the worth of mass data collection to begin with, and U.S. Rep. Alan Grayson (D-FL) said in an opinion piece that he learned much more about U.S. surveillance policies from the media than from intelligence meetings. Meanwhile, Germany and Brazil are reportedly working on a UN General Assembly resolution on surveillance.

PRIVACY LAW—AUSTRALIA

Expert Examines APPs Changes (October 24, 2013)

In a feature for Lexology, Addisons’ Cate Sendall examines the changes to Australia’s privacy law due to come into effect in March. The Australian Privacy Principles (APPs) “will combine and replace the National Privacy Principles and the Information Privacy Principles contained in the Privacy Act 1988,” Sendall writes, noting the APPs will apply to all direct-selling organisations with an annual turnover of $3 million or more. By 12 March, such organisations will be required to adhere to multiple APPs requirements, including not using or disclosing “any information they may hold about an individual for direct marketing, subject to specific exceptions.” The amendments also provide the privacy commissioner with additional enforcement powers. (Registration may be required to access this story.)

BEHAVIOURAL TARGETING—AUSTRALIA

Targeted Ads Reach New Level (October 24, 2013)

The Australian examines the privacy implications of targeted advertising, suggesting, “Big Data and cloud computing have given targeted advertising new potency—an unbridled ability to digest millions of snippets of information gleaned daily as consumers go about their lives.” The report highlights the rules in Australia, where “digital media firms follow a code of conduct administered by the Australian Communications and Media Authority,” but cautions, “The public might seem accepting of targeted advertising and data collection, albeit grudgingly, but there are occasions where schemes fall apart.” (Registration may be required to access this story.)

BEHAVIOURAL TARGETING—AUSTRALIA

Commissioner: Read Loyalty Program Privacy Policies (October 24, 2013)

Amidst announcements about Priceline Pharmacy receiving commissions from the sale of insurance products to members of its customer loyalty program, Privacy Commissioner Timothy Pilgrim is reminding those who sign up for such programs to read their privacy policies, The Sydney Morning Herald reports. “Businesses that are covered by the Privacy Act are required to comply with several principles when handling personal information, including information collected for a loyalty card scheme,” Pilgrim said. Companies must have publicly available privacy policies or statements explaining how they handle personal data, he noted, adding, “There are also rules about when businesses can share your personal information with others.”

DATA BREACH—NEW ZEALAND

Staff Warned After “Delving Into Records” (October 24, 2013)

Following a threatening anonymous text sent to a woman who allegedly had an affair with Auckland’s mayor, Vodafone is warning staff “about delving into records,” The New Zealand Herald reports. According to a company spokesman, “We regularly update our customer service agents, and the e-mail was a timely reminder of our company security policy—particularly relating to accessing and disclosing customer information.” Although no staff member currently faces disciplinary action, the spokesman noted, “It is against company policy to disclose any individual customer information unless privacy law permits, and there is a legitimate business reason.”

PRIVACY COMMUNITY—NEW ZEALAND

Professor Announces Privacy Law Scholarship (October 24, 2013)

Victoria University Prof. Nicole Moreham has announced a scholarship being offered by Victoria University of Wellington for a student wishing to complete an LLM thesis on the law of privacy. “This is a one-year scholarship, commencing in March or July 2014, and will cover living expenses and tuition fees,” the announcement states, noting the scholarship will allow the student “to complete a 50,000-word thesis, which could include research into the protection of privacy in English, Commonwealth or U.S. common law; the concept of privacy in search and seizure cases; press regulation; data protection, or privacy in Article 8 of the European Convention on Human Rights.”

DATA LOSS—HONG KONG

Police, Hospital Criticised After Losing PII (October 24, 2013)

Privacy Commissioner Allan Chiang Yam-wang has served enforcement notices on police and the Hospital Authority after “both bodies had failed to take ‘all reasonably practicable’ steps to keep sensitive information safe from unauthorised or accidental access, loss or use,” The Standard reports. Police lost the personal information of 285 people between October 2011 and this past January when they “mislaid notebooks and copies of fixed-penalty tickets,” the report states, noting, “The Hospital Authority was cited after waste containing patients' data was found outside a shredding factory in Fanling last year.”

ONLINE PRIVACY

Cookies’ Days Are Numbered, but Not Without a Fight (October 24, 2013)

Despite a recent court ruling that may seem to indicate otherwise, cookies will go extinct. Firms including Google and Microsoft are already developing alternatives. What that technology will specifically look like is not clear. What is clear is that the replacement will likely concentrate huge amounts of data with a few controllers and be able to track a user across platforms—including desktop, mobile and in the home. The benefits of this new technology, though, may not outweigh the risks, writes David Tashroudian in this exclusive for The Privacy Advisor.

PRIVACY

Global Business? Find Privacy Allies Throughout the Company (October 23, 2013)

Finding the C-level executive who cares most is the first step in convincing the people at the top that privacy is important. With a CEO who is most likely juggling priorities constantly, it's important to put privacy in context and bring home how a good—or bad—privacy program is going to affect the overall business. And sometimes, that requires help, Intel Chief Privacy and Security Counsel Ruby Zefo, CIPP/US, CIPM, explained during the IAPP's recent Privacy Academy in Seattle, WA.

ONLINE PRIVACY

New Open-Sourced Browser Blocks Ads by Default (October 22, 2013)

WhiteHat Security has released a new open-sourced, ad-blocking browser for OS X, InformationWeek reports. Called Aviator, the browser preserves privacy by default and treats ads like a security threat. The browser is also preconfigured to use anonymous search engine Duck Duck Go. WhiteHat Security Product Management Director Robert Hansen wrote, “(N)ot a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money,” adding, “Current incentives between the user and the browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.” The browser comes out after recent talks around an industry standard do-not-track option have had difficulty moving forward.

DATA LOSS

Roundup: The Week in Breaches (October 21, 2013)

A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said. That breach was just one of many discovered, investigated or arbitrated in the U.S. and abroad in the last week. In this exclusive for The Privacy Advisor, we give you a roundup.

PRIVACY

The Big Data Fight and the Garden of Eden (October 21, 2013)

In the privacy world, we often hear the argument that, in order for the information economy to thrive, personal privacy must be leveraged—that there must be tradeoffs. In a complicated Big Data landscape, conveying transparency and consumer education are huge challenges. But in the latest iteration of the well-known TED Talks, Carnegie Mellon University researcher Alessandro Acquisti—a past co-recipient of the IAPP-Privacy Law Scholars Conference Award for his work on fairness and discrimination in job hiring practices—discusses some of his research and how it shows why privacy matters. This Privacy Perspectives post looks at Acquisti’s talk and how there may be alternative privacy solutions for consumers, businesses and policymakers alike.

PRIVACY LAW

Legislation on the Move Globally (October 21, 2013)

This week’s Privacy Tracker legislative roundup highlights changing privacy laws from the U.S. to Bahrain. Revisions to the U.S. Telephone Consumer Protection Act went into effect last week; the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs will vote today on amendments to the proposed regulation and directive, and the Bahrain cabinet has preliminarily approved a data protection law. Meanwhile, the UK Information Commissioner’s Office is considering jail time for breaches at the same time as justifying its fining practices. (IAPP member login required.)

BIG DATA

Acxiom, MasterCard CPOs Talk Transparency, De-identification, FTC Consent Orders (October 18, 2013)

What do you get when you put chief privacy officers from two of the world’s largest Big Data businesses in the same room with an outside privacy counsel and privacy academic? Based on just one of the many compelling panels at this year’s IAPP Privacy Academy, you get conversation as robust as some of Seattle’s finest blends. In this exclusive for The Privacy Advisor, we give you the rundown on a wide-ranging discussion that provided key insights on decision-making and tactics.

PRIVACY LAW—AUSTRALIA

McDonald: Privacy Tort Can’t Do Everything (October 17, 2013)

The Australian takes another look at the Australian Law Reform Commission (ALRC) inquiry into privacy law, highlighting comments by Prof. Barbara McDonald, the commissioner in charge of the inquiry. “The law cannot do everything--even if we have a statutory tort for invasion of privacy, it is not going to stop people invading privacy any more than a law against murder stops murder,” she said. McDonald has been asked to produce a detailed design for a privacy tort but “is also examining alternatives to a privacy tort that could fill the gaps in privacy law without the need for the creation of a new method of litigating,” the report states. Meanwhile, The Age reports on the Australian Internet Governance Forum’s examination of the ALRC’s consideration of whether Australia should introduce its own “right to be forgotten.” (Registration may be required to access this story.)

DATA LOSS—AUSTRALIA

Vulnerability Allows Access to News Corp Subscribers (October 17, 2013)

The Sydney Morning Herald reports on an IT security expert’s finding of a vulnerability on all of News Corp’s major Australian metropolitan websites giving “the potential to access all of its newsletter subscribers’ highly personal information, including their household income.” Other details exposed included e-mail subscribers’ mobile numbers, birth years, numbers of children, names, occupations, interests and genders. “The information of anyone who had ever signed up to receive a News Corp metropolitan newspaper newsletter was available,” the report states. News Corp has issued a statement that it found “no evidence of malicious access,” adding, “We sincerely apologise for what has happened. We are investigating this matter thoroughly to ensure this does not happen again.”

PRIVACY LAW—AUSTRALIA

Report: Many Businesses Not Ready for Law Reforms (October 17, 2013)

A research report from cybersecurity firm Clearswift has found that more than one third of Australia’s businesses are not prepared for amendments to the Privacy Act that go into effect in March, IT Wire reports. The report, entitled “The Enemy Within,” also found that 24 per cent of organisations surveyed “have suffered some form of data security incident in the past 12 months.” Clearswift ANZ Regional Director Michael Toms said he is “surprised by not only the number of organisations unprepared for the significant impact these legislative changes will have on their business but that many businesses aren’t even aware that the changes exist.”

DATA LOSS—AUSTRALIA

Pilgrim Finds AAPT Breached Privacy Act (October 17, 2013)

Privacy Commissioner Timothy Pilgrim has determined AAPT to be in breach of the Privacy Act after it failed to secure customer information following a hack by Anonymous. The commissioner found AAPT in breach of the sections of Australia’s National Privacy Principles addressing the security of personal information and retention of personal information. The report notes that AAPT previously received a warning from the Australian Communications and Media Authority for violating the Telecommunications Consumer Protection Code, and while AAPT is currently not subject to formal fines, when the commissioner’s expanded powers come into effect in March, “Pilgrim will have the ability to … hand down civil penalties” of up to AU$1.7 million for companies.

PRIVACY LAW—NEW ZEALAND

Expert Urges “Major Rethink” on Data Privacy (October 17, 2013)

University of Otago Associate Prof. Hank Wolfe is urging a “major rethink” on data privacy issues in the wake of such developments as a push for increased data sharing by government departments, Otago Daily Times reports. Wolfe said New Zealanders should “stand tall once again for freedom and privacy,” commenting that the proposed increased data sharing plan is “a vast over-reach” and noting the current situation involving private data held by the government “doesn’t inspire any confidence whatsoever.”

EMPLOYEE PRIVACY—AUSTRALIA

Smartphones and Surveillance (October 17, 2013)

In a feature for Lexology, Piper Alderman’s Ben Motro examines smartphones and social media under the Workplace Surveillance Act (NSW) 2005. The act “prescribes the way in which employers can legitimately use camera, computer and tracking surveillance to monitor an employee whilst they are at work,” the report states, noting, “the ‘computer surveillance’ requirements under the act have particular relevance for employers who wish to access information on an employee’s smartphone.” Motro writes, “computer surveillance means surveillance by means of software or other equipment that monitors or records the information input or output or other use of a computer and includes but is not limited to the sending and receipt of e-mails and the accessing of websites.”

PRIVACY LAW—HONG KONG

PCPD Orders Company To Stop Supplying Data (October 17, 2013)

“Something of a furore has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data (PCPD) to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application,” Lexology reports. The PCPD said the app, Do No Evil, “seriously invaded” those individuals’ privacy. Commentators, meanwhile, are accusing “the PCPD of threatening freedom of information, making inconsistent decisions and being technophobic,” the report states. (Registration may be required to access this story.)

SOCIAL NETWORKING

Facebook Changes Teen Privacy Rules (October 17, 2013)

Facebook has announced it has changed its privacy rules for teenagers, allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.”

MOBILE PRIVACY

Indoor Location Market Set To Boom; Privacy Concerns Loom (October 17, 2013)

In a column for MediaPost, Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations” function—and the new iPhone’s motion sensor chip are raising privacy concerns. Editor’s Note: The IAPP will host the web conference Brick-and-Mortar Is Back—Emerging Privacy Issues for U.S. Retailers on Thursday October 31.

BIG DATA

The Dangers of Democratized Big Data (October 17, 2013)

In a report for Forbes, Woodrow Hartzog and Evan Selinger write about the dangers of democratized Big Data. Whereas presently only a few organizations use Big Data tools and techniques, in looking at the democratization of myriad Internet-based technology such as apps, cloud storage and encryption, “Big Data seems next,” the report states. Facebook’s Graph Search is an example of the progression, allowing users to look at a vast amount of data to see what other users “like.” As technology advances and more users have access to Big Data analysis, “privacy through obscurity” will become increasingly important because having “to resort to a complete withdrawal from public life simply is too steep a price to pay for whatever benefits Big Data brings,” the authors write.

PRIVACY COMMUNITY

IAPP Hits 14k Members, Expands Into New Space (October 17, 2013)

By coincidence, the IAPP celebrated the joining of its 14,000th member by opening up new office space this past weekend, continuing its growth in both the privacy industry and the warehouse space it occupies on the former Pease Air Force Base in Portsmouth, NH. The membership growth and need for office space obviously are closely connected. While it took more than 10 years to hit 10,000 members in 2012, membership has grown to 14,000 in 18 months since then, and the IAPP has had to add staff to support those members in their training, certification, events and publications teams along the way, along with the addition of the Westin Research Center, also housed in the IAPP’s offices.
Full Story

BIOMETRICS

Fingerprint Sensor: Tech Wonder or Privacy Headache? (October 16, 2013)

In the wake of the news announcing the release of the new iPhone 5s, Lindsey Partridge, CIPP/US, examines what may be “the most newsworthy piece of the new mobile device”—its fingerprint sensor. The sensor allows for biometric securing of what’s becoming one of the most personal devices people own. This exclusive for The Privacy Advisor offers a primer on biometrics and the potential “privacy alarms” triggered by the new sensor in multiple contexts, including legal cases involving access to PI and geolocation.
Full Story

BIG DATA

If Consumers Are Scared of It, Regulation Will Follow (October 16, 2013)

In this exclusive for The Privacy Advisor, iappANZ Director Peter Leonard discusses threats to Big Data’s success. “If bad practices and bad media further promote businesses and government to be less transparent about their data analytics projects, public perception of business and government colluding in secrecy will grow, prompting more prescriptive regulation,” Leonard writes, adding, “Big Data and the privacy regulatory and compliance response to it will be one of the most important areas for development of operational privacy compliance for the next five years.”
Full Story

BIG DATA

“U.S.-Style” Data Collection Spreads Globally (October 16, 2013)

The business trend of collecting the maximum amount of information about customers and potential clients is being adopted by businesses around the world, according to Forbes. One international data catalog advertisement by California-based data broker Infocore states, “For example, you might be interested in female, affluent customers in China, Hong Kong and Singapore … From that we’ll access our repository and send you a custom data summary.” The company has access to 6.5 billion records worldwide and expects to have access to 10 billion by next year, according to the report. Infocore President and CEO Kitty Kolding said, “The data industry is very nascent right now … But there is a lot of long-term profit to be had.” In some countries, however, the data is obtained through questionable methods, Kolding said, adding, “In China, there is way more data than you would think … Some of it is dodgy.”
Full Story

PERSONAL PRIVACY

On Embarrassing Photos and Personal Accountability (October 15, 2013)

The dynamic nature of the Internet allows for information to flow quickly, but when it involves embarrassing photos, it can be a very damaging experience for an individual. In a recent column for Salon, Caitlin Seida wrote about her experience of having one such photo go viral and the harm she experienced. However, Seida took steps to be accountable for the incident and took personal control over her photo. This Privacy Perspectives post looks into her incident and explores how businesses may improve their accountability by showing their users how they can be accountable by providing them with tools for better control over their data.
Full Story

SOCIAL NETWORKING

Facebook Privacy Tool To Be Removed (October 11, 2013)

Facebook has announced the final phase of removing an old privacy feature from the site, USA TODAY reports. The feature, called “Who can look up your timeline by name?” allowed users to be hidden from searches if they so chose. Those users will now begin to see removal notices from Facebook. Now, user “timelines” will only be private when marked to be seen by “friends only.” Facebook says only a single-digit percentage of users on its network were using the setting.
Full Story

PERSONAL PRIVACY—AUSTRALIA

OAIC Survey: Majority Concerned About Privacy (October 10, 2013)

A new study from the Office of the Australian Information Commissioner (OAIC), the first of its kind since 2007, reveals that one in three Australians have had concerns about how their personal information was handled in the last year. Additionally, 97 per cent surveyed believe secondary use without consent is a misuse of their personal information. The survey, called Community Attitudes to Privacy, interviewed 1,000 Australians over the age of 18 via landline and mobile phone. Ninety per cent of respondents expressed concern about organisations sending their data overseas, and nearly half admitted they do not read privacy policies.
Full Story

PRIVACY LAW—AUSTRALIA

ALRC Releases Issues Paper on Reducing “Serious Invasions of Privacy” (October 10, 2013)

ZDNet reports on the release of the Australian Law Reform Commission (ALRC) issues paper and indications “that social media, GPS, website user tracking and drones are testing the effectiveness of Australian law in protecting privacy.” Attorney-General Mark Dreyfus tasked the ALRC with making recommendations on how Australia’s laws could be updated “to reduce serious invasions of privacy in the digital era,” the report states, and the ALRC’s possible remedies include a “right to be forgotten and to erasure” proposal similar to that being considered by the EU.
Full Story

PRIVACY LAW—NEW ZEALAND

New Privacy Bill On Hold (October 10, 2013)

NewsTalkZB reports that “planned changes to the country's privacy laws appear to be on hold.” Justice Minister Judith Collins commented last year on a planned overhaul to respond to continuing changes in technology, the report notes, but has now said “the introduction of a new privacy bill has been delayed pending the appointment of a new privacy commissioner” as Privacy Commissioner Marie Shroff's term comes to an end this year.
Full Story

DATA PROTECTION—NEW ZEALAND

Cunliffe: Information Sharing Rules Needed (October 10, 2013)

Amidst reports of high-profile data breaches in recent years and plans to expand the practice of sharing private information about New Zealanders between government departments, Labour Leader and Information and Communications Technology spokesperson David Cunliffe says the government has a “terrible record of protecting personal information,” The New Zealand Herald reports. “It will send a chill down the spines of many of those who have had their personal information mistakenly released that the Government is exploring new data sharing agreements involving 32 agencies,” he said, adding, “One breach is too many. Almost 100,000 is sheer negligence.” He is calling for strict rules around increased information sharing.
Full Story

ONLINE PRIVACY

W3C Do Not Track in Limbo (October 10, 2013)

Yesterday, the W3C’s Tracking Protection Working Group voted on whether to continue its efforts. The results? That remains unclear. The voting itself is public and can be found here. However, even one of the group’s new chairs isn’t sure how to interpret the results. With no option clearly the winner, the Center for Democracy and Technology’s Justin Brookman, who joined the group as chair just last month, said he is unsure of the group’s next step, adding W3C Director Tim Berners-Lee would make the ultimate decision. In this exclusive for The Privacy Advisor, we break down the vote and comments from the voters.
Full Story

DATA LOSS

October Shaping Up To Be Month of Innumerable Breaches (October 10, 2013)

PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month’s onslaught of breach reports from across the globe, the world’s premier search engine is acknowledging just how devastating a breach could be. “If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.” In this exclusive for The Privacy Advisor, we round up an already very busy month in data breaches and responses.
Full Story

ONLINE PRIVACY

Study Looks at Privacy Personalities (October 10, 2013)

MasterCard has released a study revealing that traditional demographics—age, gender, race—are poor indicators of consumer attitudes toward online privacy, The Washington Post reports. MasterCard conducted interviews with 9,000 Internet users globally. Theodore Iacobuzio, MasterCard vice president of global insights, said, “We were blown away … It’s all about why you go online,” adding, “Why you go on determines your attitude toward data privacy.” Iacobuzio’s team defined five online personality types: passive users, proactive protectors, solely shoppers, open sharers and simply interactors. The study also found that privacy attitudes do not change; they “determine your behavior.” Iacobuzio said, “One of the real lessons of this piece is that consumers are well-aware of how to protect (their privacy) and whether they want to or not.” (Registration may be required to access this story.)
Full Story

PRIVACY IN POP CULTURE

Eggers Book Satirizes Threat to Privacy (October 10, 2013)

The Associated Press reviews Dave Eggers’ book The Circle, which satirizes the threat to personal privacy from technology giants. “Entertained at nightly campus events by famous musicians and artists, fed by celebrity chefs and bombarded by swag, employees of the Circle corporation are expected to bask in their mutual privilege through constant oversharing in the company’s thriving social networks,” the report states. The book’s protagonist, through incentives, begins living a fully transparent life online, delivering Eggers’ message that “too many of us flock to the Internet all too willing to abandon any sense of privacy around both our personal information and our inner lives.” The New York Times wonders if the novel will change the way we use technology.
Full Story

DATA LOSS

Researcher Finds Encryption Flaw in WhatsApp (October 10, 2013)

A security researcher said he has found an encryption flaw making it possible for adversaries to decrypt communications sent with WhatsApp, though developers say the messages are “fully encrypted” and the company’s CEO says the report is “sensationalized and overblown,” Ars Technica reports. A computer science and mathematics student wrote in a blog posted Tuesday, “You should consider all your previous WhatsApp conversations compromised,” adding, “There is nothing a WhatsApp user can do about this … except to stop using it until the developers can update it.”
Full Story

PRIVACY RESOURCES

Not a Big Tech Firm? We Can Still Help (October 9, 2013)

We at the IAPP know that it’s not only large organizations that struggle with privacy issues; small- and medium-sized businesses also need tools and guidance. With fewer employees and often lower budgets, smaller businesses have unique needs. This Close-Up offers tips and guidance from the experts on protecting consumer data, creating online privacy policies, minimizing human error and conducting employee background checks, among other tools. (IAPP member login required.)
Close-Up: Small- and Medium-Sized Businesses

SURVEILLANCE

EU-U.S. Safe Harbor, Australian Gov’t Actions Questioned (October 8, 2013)

Press TV reports on the European Parliament's Electronic Mass Surveillance of EU Citizens Inquiry’s discussion on the EU-U.S. Safe Harbor data sharing agreement and concerns “the system is flawed and allows for wide-scale abuse by the firms themselves and easy infiltration by U.S. intelligence agencies.” Christopher Connolly of Australian-based consulting firm Galexia told the committee that “many claims of Safe Harbor membership are false”—to the tune of 427 organizations “with hundreds of millions of customers.” Meanwhile, ABC News reports on documents obtained under Freedom of Information laws showing Australia’s government “knew about the secret U.S. Internet spying program PRISM months before a whistleblower made details public.”
Full Story

PRIVACY LAW

Tracker Roundup: From Government Surveillance to Presumption of Harm (October 7, 2013)

While U.S. regulators mull over the need for rules surrounding drone use by law enforcement, Montana’s new gun owner healthcare privacy law went into effect and California continues to shape privacy law moving toward a “presumption of harm” in breach cases, but one op-ed claims its “revenge porn” law doesn’t do enough. A Zimbabwean law established a central SIM card database, and Australia’s information commissioner has released a best practice guide for app developers. This Privacy Tracker weekly roundup offers information on all these issues and more, including what regulators had to say at both the IAPP Privacy Academy and the 35th International Conference of Data Protection and Privacy Commissioners. (IAPP member login required.)
Full Story

DATA BREACH

2.9 Million Customers Affected by Cyber-Attack (October 4, 2013)

Adobe has confirmed that 2.9 million customers had private data including passwords and payment card information stolen “during a ‘sophisticated’ cyber-attack on its website,” BBC reports. The illegal access of a variety of products’ source code is also being investigated, the report states. “We deeply regret that this incident occurred,” said Adobe CSO Brad Arkin, adding, “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.” However, a security expert has told BBC, “Access to the source code could be very serious … if hackers manage to embed malicious code in official-looking software updates, they could potentially take control of millions of machines.”
Full Story

PRIVACY PROFESSION

Experts Highlight Current, Future Challenges (October 4, 2013)

In an in-depth feature for Data Informed, Eric Lucas highlights just a few of the key moments from this week’s IAPP Privacy Academy in Seattle, WA, quoting key concerns and tips from some of the speakers who addressed the international attendees. Howard Schmidt, for example, highlighted the profession’s challenges stemming from the link between privacy and security, noting, “Privacy and security are two sides of the same coin. Without security, you have no privacy. Privacy is the goal, security is the means.” Lucas also quotes several other privacy professionals, including keynote speaker Stewart Baker’s discussion of the “privacy panic” that spurred American privacy law. Meanwhile, Inside Counsel looks at how CPOs manage risk, focusing on insights from experts including Maureen Cooney, CIPP/US, CIPP/G, and Nuala O’Connor, CIPP/US, CIPP/G, at the recent Women, Influence and Power in Law conference.
Full Story

PRIVACY LAW—AUSTRALIA

OAIC Releases Best Practice Guide for Apps (October 3, 2013)

The Office of the Australian Information Commissioner (OAIC) has unveiled a guide to help mobile app developers embed better privacy practices into their products, TechWorld reports. Mobile Privacy: A Better Practice Guide for Mobile App Developers recommends developers use short privacy notices. Privacy Commissioner Timothy Pilgrim said app developers should adopt a Privacy-by-Design approach. “The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust,” he said. A ZDNet report, however, suggests, “Short of enforcing privacy laws on app store curators, it is doubtful that the developers will implement the otherwise worthy privacy protections.” Meanwhile, the OAIC’s 2013 Community Attitudes to Privacy Survey, which will be released in full on 9 October, indicates six in 10 Australians choose not to use smartphone apps due to privacy concerns.
Full Story

CHILDREN’S PRIVACY—NEW ZEALAND

Commissioner Consulted on ID Plan (October 3, 2013)

The Office of the Privacy Commissioner has been consulted on the possibility of using identification numbers to track preschoolers, The New Zealand Herald reports. Beginning next year, about 190,000 children in early childhood education will be assigned a national student number. But some parents are worried about how attendance data may be used, as new obligations require beneficiaries to “take reasonable steps for their children to attend early childhood education … or have their benefits cut.” The government has said data would not be used for these purposes, but “documents released under the Official Information Act show the Office of the Privacy Commissioner has been consulted on such an arrangement,” the report states.
Full Story

PRIVACY LAW—AUSTRALIA

Gov’t Urged To Rewrite Terms of Reference (October 3, 2013)

The federal government has been urged to rewrite the terms of reference for its inquiry into privacy law, The Australian reports. The terms of reference were drawn up by former Attorney-General Mark Dreyfus and require the commission “to produce detailed plans for a privacy tort or statutory cause of action,” the report states. The commission is expected to publish an issues paper next week based on those terms of reference, the report states. In the last six months, it has become clear “the major threat to privacy is the role of the state,” said Media Entertainment and Arts Alliance Secretary Chris Warren, adding that large data aggregators are going to be a key issue moving forward.
Full Story

SURVEILLANCE—NEW ZEALAND

Activist: Illegal Spying Sanctioned (October 3, 2013)

Radio New Zealand News reports that a political activist is accusing the privacy commissioner of “upholding illegal spying carried out by the Government Communications Security Bureau (GCSB).” A report released earlier this year indicates as many as 88 individuals were spied on; however, the privacy commissioner has not commented on the accusations. One of the women concerned that she was spied on says the commissioner’s willingness to allow the GCSB to neither confirm nor deny the accusations is a cover-up of systematic illegalities and that “New Zealanders are opposed to this rampant state surveillance and in particular the expanded powers of the GCSB. We will not rest until the surveillance state is history.”
Full Story

PRIVACY—AUSTRALIA

Expert: Privacy Needs Bolstering for ICT (October 3, 2013)

The Victorian government is working to implement online service delivery; however, according to Chief Technology Advocate Grantly Mailes, it needs to bolster its privacy and information security approach first, reports iTnews. As part of its 50-point ICT strategy, the government hopes to overhaul its “whole-of-government identity management framework,” choose an “identity management solution to facilitate citizen engagement” and offer consumers “the ability to consent to their personal details being shared amongst Victorian agencies,” the report states. In order to facilitate that effort, the government is looking for a privacy and identity management consultant to aid in the process.
Full Story

FINANCIAL PRIVACY—MALAYSIA

Parliament: Credit Co. Did Not Breach Privacy (October 3, 2013)

The Malaysian Parliament has determined that credit information company CTOS Sdn Bhd (CTOS) did not breach consumers’ privacy in its business practices, reports The Star. The data gathered by CTOS came from publicly available resources, said Deputy Finance Minister Datuk Ahmad Maslan, adding, “The information gathered by the agency is one of the ways used by financial institutions to facilitate and speed up loan applications.” Maslan said the company will not be shut down, noting, “The establishment of private credit rating agencies like CTOS is to provide full coverage and content of information from various public resources such as newspapers, government gazettes and SSM data.”
Full Story

BIG DATA

Opinion: Why Data Center Locations Matter (October 3, 2013)

Andy Thurai and David Houlding of Intel write for Venture Beat about the importance of controlling where data is stored and processed in the age of Big Data and varied laws across the globe. “While most Big Data providers are able to provide security for the storage and transmission of sensitive data, most implementations that we see don’t provide location transparency or location-contingent data processing,” the authors write, adding, “imagine the power of users being able to choose where their data is processed or stored.” The authors suggest allowing consumers to choose the location and security level of their data and offer technical solutions to make that possible.
Full Story

PRIVACY COMMUNITY

Callahan Named Vanguard; Innovation Award Recipients Announced (October 2, 2013)

And the 2013 Privacy Vanguard Award goes to Mary Ellen Callahan, CIPP/US, former chief privacy officer of the U.S. Department of Homeland Security. Announced Tuesday evening at the annual IAPP Privacy Dinner held in conjunction with the IAPP Privacy Academy in Seattle, WA, Callahan, who is founder and current chair of Jenner & Block’s Privacy and Information Governance Practice, was praised for her visionary leadership and extensive work in consumer protection law. Also at the Privacy Dinner, this year’s HP-IAPP Privacy Innovation Awards recipients were announced. Johnson & Johnson, Canadian Primary Care Sentinel Surveillance Network and Considerati were honored for their unique programs.
Full Story

DATA LOSS

Amidst Myriad Breach Reports, Tips Offered (October 1, 2013)

It is shaping up to be a busy week for data breach incidents. Yahoo is facing claims its decision to recycle accounts that had been inactive for a year or more has resulted in individuals receiving e-mails intended for the previous owners, ITPro UK reports. An Ohio psychologist is notifying clients of a burglary where “the thieves may have intended on stealing patients’ personal data when they stole the office’s entire computer supply.” Patients at a Canadian health region are also receiving letters after an employee accessed “patients’ personal health information between 2009 and 2012, considered a breach under the Health Information Protection Act.” Meanwhile, Krebs on Security reports the “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center. Amidst all these reports, InformationWeek offers tips on the “lessons learned” from data breach incidents.
Full Story

PRIVACY BUSINESS

Experian Buys Fraud Detection Firm for $324 Million (October 1, 2013)

Reuters reports that Experian will acquire U.S.-based fraud detection group The 41st Parameter for $324 million. Experian noted it will increase its presence in the fraud prevention arena and bolster its current work in fraud detection and online authentication.
Full Story