Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!

Subscribe now!

Top Privacy News

PRIVACY LAW—U.S.

Court: State DNA Testing Did Not Violate Privacy (August 31, 2010)
Minnesota's Court of Appeals has ruled that the state did not violate families' privacy rights by collecting and storing children's blood samples, Courthouse News Service reports. The parents of 25 children filed the suit, claiming the families' privacy rights were violated when the state collected their infants' blood to test for genetic disorders and then stored the DNA for future research without obtaining parental consent.

GENETIC PRIVACY

What To Ask Before You Give Away Your DNA (August 31, 2010)

When it comes to giving samples of your DNA, there are things you need to know. That's according to Marcy Darnovsky, head of the U.S.-based Center for Genetics and Society, who told The Wall Street Journal that while individuals may want to share their DNA to help scientific studies move forward, it must be done in a "responsible way" that does not put privacy at risk. Darnovsky recommends asking who will have access to the data, whether and how it will be anonymized, where it will be stored and how it will be analyzed, the report states. As Darnovsky put it, "once you give someone your genetic information, it doesn't matter if you destroy the sample" since the data will live on. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Breaches at Half a Billion Since 2005 (August 31, 2010)

More than a half billion sensitive records have been breached since 2005, according to the most recent estimates from the Privacy Rights Clearinghouse (PRC), which keeps track of such breaches in its Chronology of Data Breaches project. The most recent total was published this month and is thought to only represent a fraction of all breaches. "This is a conservative number," said PRC Director Beth Givens. "We generally learn about breaches that garner media attention. Unfortunately, many do not." She added that many states do not have laws requiring that breaches are reported to a clearinghouse.
Full Story

FINANCIAL PRIVACY—HONG KONG

Survey: Banks Using Customer Data Improperly (August 31, 2010)

The Standard reports that many local banks have full power to do what they wish with personal information provided by credit card applicants. A recent New Forum survey, conducted in the wake of the Octopus Cards scandal in which the company admitted to selling the personal data of its customers, found that 10 local banks' credit card application forms have no "opt-in" or "out-out" clauses regarding privacy and that the banks acknowledge using personal data for purposes other than credit checks and debt collection, the report states. A New Forum spokesman said, "Banks are selling out customers," suggesting separate forms for credit card applications and authorization for use of personal data.
Full Story

PRIVACY LAW—U.S.

FTC Closes Peer-to-Peer Privacy Probe (August 31, 2010)

The Federal Trade Commission (FTC) has closed its investigation into peer-to-peer network LimeWire without taking action, Media Post reports. The FTC previously warned various businesses as well as local governments and schools about sensitive data ending up on such file-sharing networks, the report states, and announced it was investigating individual companies to determine whether they violated federal law by exposing private information online. In closing the LimeWire probe, the FTC pointed to such factors as the use of mechanisms to prevent the accidental sharing of personal documents in recent versions of the service. The FTC expects LimeWire to take part in efforts "to inform consumers about how best to avoid the inadvertent sharing of sensitive documents."
Full Story

GEO PRIVACY—U.S.

Location-Based Apps Dependent on Age (August 31, 2010)

People born after 1981 are likely to have different standards for online privacy than those born earlier, The Hill reports. That's according to the chief executive of geolocational application Loopt, who said the "magic age is people born after 1981. That's the cut-off for us where we see a big change in privacy settings and user acceptance." Only four percent of Americans have tried geolocational apps, the report states, and only one percent use them weekly, according to Forrester Research, which also found that young people living in cities are most likely to use the services.
Full Story

DATA PROTECTION

Opinion: Ten Fallacies About Web Privacy (August 30, 2010)

In a column for The Wall Street Journal, Emory University economics Prof. Paul Rubin discusses 10 fallacies about Web privacy. Rubin asserts that despite privacy advocates' arguments otherwise, increased privacy online comes at a cost to the consumer. Information helps the economy to function, Rubin says, and less of it will result in less efficient markets. More information also means firms are able to better market to specific customers, meaning they receive information useful to them more quickly. Additionally, Rubin says, it's untrue that more privacy means more safety and less risk. For example, the more information available to firms for identity verification, the less risk of identity theft, he writes. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

Ads That Follow You on the Web (August 30, 2010)

The New York Times reports on an ad industry practice known as personalized retargeting or remarketing, where Internet users are followed from site to site by ads for items they've viewed online. With more retailers and Internet companies using it, the report states, retargeting, which relies on placing cookies on users' browsers, has reached a level of precision that is leaving consumers with the palpable feeling that they are being watched as they roam the virtual aisles of online stores." While the practice is raising privacy advocates' concerns, even some advertising and media experts suggest the practice is "bold," the report states, and many users may not like it. (Registration may be required to access this story.)
Full Story

GEO PRIVACY—U.S.

Not Everyone Wants To Be Found (August 30, 2010)

While a vast array of online companies are offering services that let users broadcast their physical location, Forrester Research has discovered that only four percent of Americans have tried such services, The New York Times reports. Of those using location-based technology, 80 percent are men and 70 percent are between the ages of 19 and 35, the report states. Some users featured in the report indicated they did not think about the "privacy trade-off" when it comes to location services that provide such marketing incentives as coupons. Many people, however, said "sharing their physical location crosses a line, even if they freely share other information on the Web." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Managing an “Ocean” of Content (August 30, 2010)

A team from the University of Arkansas at Little Rock has created a unique model to manage user-generated content on social networking sites. That's according to U.S. News & World Report, which describes the development of the Context-Based Privacy Model to allow Internet sites to automatically adjust privacy "to the context in which the data is accessed." According to one of the team's members, social networks have created "a vast ocean of user-generated content" where "users may be unknowingly granting access to their data, leading to grave privacy concerns." The model, which was supported by the Office of Naval Research and the National Science Foundation, is described as unique because it focuses on context rather than content in privacy protection.
Full Story

BEHAVIORAL TARGETING—GERMANY

Postal Company Acquires Online Ad Platform (August 30, 2010)

As the behavioral targeting market continues to gain momentum in Germany, mail services provider Deutsche Post has acquired Europe's largest targeted online ad platform, Media Post reports. Nugg.ad, which provides "predictive behavioral targeting" for an array of companies, integrates surveys with "machine learning, predictive analytics and targeting." Deutsche Post and its DHL Express division are not strangers to new technology, the report states, pointing out the early use of RFID by the company to track packages. Deutsche Post stated in a press release that the investment in targeting technology will consolidate new areas of growth in online marketing. Nugg.ad displays the European Privacy Seal of approval, the report states.
Full Story

ONLINE PRIVACY

Define “Harm” (August 27, 2010)
In a report for The Wall Street Journal, Ryan Calo of Stanford University Law School discusses the key question that comes up in debates about online privacy, "What's the harm?" in cases where there is no fraud or identity theft.

ONLINE PRIVACY

Colbert Takes on Internet Privacy (August 27, 2010)

In the Wednesday airing of "The Colbert Report," host Stephen Colbert discusses social media and its potentially negative consequences for young people seeking employment given the scope of personal information they frequently post to social networking sites. "If you're not careful, your online past could destroy your offline future," Colbert said. "But there's a solution. Just don't ever make a mistake. How hard is that?" the comedian quips, adding that other solutions may include changing your name, surgically altering your appearance to avoid facial recognition technologies and changing everything you've ever searched for on the Internet to avoid data mining and cookies. "Then you'll be the ideal job candidate," he jokes.
Full Story

PRIVACY LAW—UK & EU

MoJ Responds to EC on Data Protection (August 27, 2010)

The UK Ministry of Justice said today it has responded to the European Commission on demands that it bring British data protection in line with European law, The Register reports. In June, the EC gave the UK government two months to respond to its demand that the government come into line with Europe's Data Protection Directive of 1995. Specifically, the EC wants the information commissioner's powers strengthened. "Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement," EU justice commissioner Viviane Reding said in June.
Full Story

DATA LOSS—GERMANY

Drugstore Customers’ Data Exposed (August 27, 2010)

German drugstore chain Schlecker has confirmed that, for an unspecified amount of time, the personal details of about 150,000 customers were exposed on the Internet, The Local reports. An external service provider was responsible for the error, according to the report. Schlecker is investigating how the names, profiles and e-mail addresses of customers were exposed. Customer account numbers and passwords were not affected.  The e-mail addresses of an additional 7.1 million company newsletter subscribers were also exposed in the breach. "We are in close contact with our service provider," a Schlecker spokesperson said.
Full Story

DATA LOSS—U.S.

Insurance Dept. Mandates 5-Day Breach Notifications (August 27, 2010)

Following a string of incidents involving the exposure of residents' personal information, insurance regulators in the state of Connecticut are placing notification requirements on insurers and their agents, requiring that they let the state insurance commissioner know within five days of discovering a breach. Insurance Journal reports that, in a bulletin sent to state entities this month, officials said, "The Department's concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information."
Full Story

DATA PROTECTION—INDIA

Survey: Many Organizations Not Confident in Data Protection (August 27, 2010)

Almost half of Indian organizations polled in a recent survey said they've experienced at least one internal security breach within the last year, India Blooms reports. Thirty-two percent said their information security professionals are missing competencies to handle existing and foreseeable security requirements, the report states, though 66 percent of organizations said they are very confident or extremely confident in their ability to thwart external attacks. Deloitte's "2010 Global Security Survey-India Report," polled 62 Indian organizations. "While organizations have taken a step in the right direction by reinforcing budgets towards information security, current strategies may still be inadequate to close the gaps," said a Deloitte spokesperson.
Full Story

PRIVACY LAW—U.S.

Illinois Law Prohibits Credit Checks (August 27, 2010)

Illinois became the fourth state to restrict employers' access to and use of credit histories in hiring decisions this month with the enactment of H.B. 4658, the Employee Credit Privacy Act. The law prohibits employers from firing, not hiring or otherwise discriminating based on an individual's credit history, reports Kelley Drye & Warren LLP's Alysa Zeltzer Hutnik and Megan Olsen. It also prohibits employers from inquiring about or obtaining an applicant or employee's credit report, with some exceptions. The law will take effect on January 1, 2011. Oregon, Hawaii and Washington have enacted similar laws. (Registration may be required to access this article.)
Full Story

ONLINE PRIVACY—U.S.

Internet Reputation Managers Increasingly Popular (August 27, 2010)

The Boston Globe reports on the increasing prevalence of Internet reputation managers. The services aim to promote factual or neutral news on multiple social networking and profile pages so that those items appear ahead of "digital dirt." Harvard University Internet law professor Jonathan Zittrain says he's concerned with the idea "that people should have to buy their way to a better, or just accurate, reputation," and proposes people should be able to declare "reputation bankruptcy" every few years and start with a clean slate.
Full Story

DATA PROTECTION

Bank SVP Talks Privacy (August 27, 2010)

In an interview with Bank Info Security, the senior vice president and HIPAA officer for the twelfth largest bank in the U.S. discusses the top challenges and threats in protecting privacy in today's banking environment. Brian Dean says that, in the future, industries will need to consider working together against increasingly more sophisticated and coordinated attacks, and he says that banks can limit their risks by limiting the data they collect. "If the data isn't needed, don't collect it," Dean says. "And if you're a consumer, don't feel bad questioning why certain data elements are being collected."
Full Story

CONSUMER PRIVACY—U.S.

FTC: Data Collected for Ads Must Not Be Used Beyond Ads (August 26, 2010)
Tech Daily Dose reports on FTC Consumer Protection Bureau Director David Vladeck's comments on concerns that information collected for advertising purposes could be used in other ways. "I don't think the delivery of targeted ads is what has people worried," he said, noting that most people are concerned with "the threat that there is this enormous amount of data out there that can be used for purposes other than advertising."

PRIVACY LAW—GERMANY

Law Would Forbid Social Networking Research (August 26, 2010)

The New York Times reports German Chancellor Angela Merkel's cabinet yesterday backed a proposed law that would prevent employers from looking at job applicants' social networking activities during the hiring process. Under the law, which now moves to the parliament, employers would still be permitted to conduct general Internet searches regarding potential employees. In addition to forbidding social networking inquiries, the law would also forbid certain employee surveillance in the workplace. German Commissioner for Data Protection and Freedom of Information Peter Schaar called the proposal "a substantial improvement on the status quo in dealing with employees' data." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—U.S.

What Posts Are Private, and What Is Discoverable? (August 26, 2010)

A U.S. district court opinion appears to offer the first in-depth analysis on social network privacy settings and whether user information is protected from discovery by the Stored Communications Act (SCA) of 1986, Law Technology News reports. The court's decision determined that "the SCA's protections reach at least some of the content" on social networks and suggested that users' privacy settings do matter. It found that "private messages as well as comments visible to a restricted set of Facebook or MySpace users were held in 'electronic storage,' but its analysis was complicated by novel features of these technologies," the report states. Questions remain related to what forms of content the SCA protects and how much users need to restrict their content for it to be designated as private.
Full Story

DATA PROTECTION—U.S.

CIO Council Releases Cloud Computing Framework (August 26, 2010)

The federal CIO Council says agencies must be aware of the privacy concerns involved in storing personally identifiable information on the cloud, InformationWeek reports. In a new document outlining a proposed policy framework on privacy and the cloud, the CIOs warn that federal agencies should seek legal and privacy team counsel before moving data to the cloud, as providers are not necessarily bound by the same laws and regulations as the federal government when it comes to storing personally identifiable information. The document recommends agencies conduct a "Privacy Threshold Analysis" to determine whether a new system creates privacy risks, the report states. The council says a "thoughtfully considered" move to the cloud may actually enhance privacy.
Full Story

STUDENT PRIVACY—U.S.

Connecticut Schools Consider RFID Program (August 26, 2010)

One Connecticut community is considering RFID monitoring in an effort to "keep students safe and save the district money," New Canaan Patch reports. New Canaan, CT, is considering embedding RFID into student ID cards to monitor student locations, the report states. According to New Canaan Board of Education Chair Nick Williams, the primary use of RFID would be student safety as the school has an open campus. Privacy of RFID is a major concern, said Assistant Superintendent of Schools Steven Swerdlick, noting, "We will have to be thoroughly satisfied there is no negative impact on privacy and safety." Participation in the program would be voluntary, the report states.
Full Story

BIOMETRICS—U.S. & AFGHANISTAN

Prison Becoming A “Datafarm” (August 26, 2010)

Wired reports on the U.S. military's new detention facility in Parwan, Afghanistan, as "an emerging datafarm" where all detainees brought to the facility are given medical exams and have their irises scanned and fingerprints taken to be stored in a military database called the Automated Biometric Information System. The report cautions that given Afghanistan's "shaky commitment to the rule of law, those identifiers could become weapons." Human rights advocates are raising concerns about privacy, including the fear that when Parwan is turned over to Afghanistan, the nation's leaders will use the facility to lock up individuals against their will to collect biometric data.  
Full Story

SOCIAL MEDIA

Boyd: Privacy Is Not Dead (August 26, 2010)

In the MIT Technology Review, researcher Danah Boyd says that the way privacy is encoded into software doesn't match the way we handle it in real life and that, as social media mature, "we must rethink how we encode privacy into our systems." As social media become more embedded in everyday society, Boyd says, "the mismatch between the rule-based privacy that software offers and the subtler, intuitive ways that humans understand the concept will increasingly cause cultural collisions" and users will have to work harder to gain privacy. "Instead of forcing users to do that," Boyd asks, "why not make our social software support the way we naturally handle privacy?"
Full Story

ONLINE PRIVACY—U.S.

Is Government Intervention the Answer? (August 25, 2010)

The Economist is asking its readers to weigh in on whether the government should step in to protect individuals' privacy on the Internet. Marc Rotenberg of the Electronic Privacy Information Center and Jim Harper of the Cato Institute provide opposing views on the issue. Rotenberg writes in support of privacy laws and regulations tailored specifically to the Internet, while Harper suggests that individual privacy preferences mean that a "state-mandated, one-size-fits-all" plan would be worse than the privacy regulations currently in place. Rotenberg writes of the need for "government agencies charged with consumer protection, privacy protection and antitrust review to play a more active role on behalf of Internet users." Harper, however, suggests, "The better alternative is to get people educated and involved in their own privacy protection."
Full Story

SOCIAL NETWORKING—CANADA

Commissioner’s Facebook Report Coming Soon (August 25, 2010)

Privacy Commissioner Jennifer Stoddart will soon issue her assessment of whether Facebook has come into compliance with Canadian privacy law, the Leader-Post reports. "We are currently reviewing their commitments, the changes they've made in response to our findings, and we are still in discussions, but we hope to be in a position to be able to communicate publicly on this matter sometime in the near future," said Anne-Marie Hayden of the Office of the Privacy Commissioner (OPC). Meanwhile, BC Information and Privacy Commissioner Elizabeth Denham, who played a key role in the OPC's prior Facebook investigation, has spoken in support of stronger OPC powers to address social networks and geolocation technologies. If Stoddart's forthcoming Facebook review is negative, her office can open a fresh investigation or move to seek a binding order in federal court, the report states.
Full Story

PRIVACY LAW—SINGAPORE

Four Years Later, Singapore Still Reviewing Data Protection System (August 25, 2010)

ZDNet Asia reports on Singapore's ongoing review of its data protection system, which the government began four years ago in an effort to assess suitable frameworks. A spokeswoman for the Ministry for Information, Communications and the Arts (MICA) said the government has been reviewing the need for a general data protection law, its implications on consumers, businesses and the country's national interests, the report states, adding, "As the issues involved are multi-faceted with extensive impact on all stakeholders, the review is ongoing." One legal expert said an area of concern in determining an appropriate framework is the cost a data protection law would impose on organizations and businesses.
Full Story

PRIVACY LAW—U.S.

Another Lawsuit Filed over Zombie Cookies (August 25, 2010)

Another lawsuit has been filed over the use of so-called zombie cookies, Wired reports. The suit, filed in California's Central District federal court last week, alleges that a large tracking and ad-serving company used Adobe Flash to recreate browser cookies that users had cleared previously. The suit follows two others filed this month by attorney Joseph Malley. Attorneys Mark Anstoetter and Madeleine McDonough of Shook Hardy & Bacon LLP outline
the issues associated with zombie cookies, which first came to light in a report published by University of California Berkeley researchers last year.  
Full Story

HEALTHCARE PRIVACY - AUSTRALIA

E-Health Support Grows (August 25, 2010)

Australia's Green Party has announced it will support government e-health initiatives as long as strong privacy and security protections are in place, The Australian reports. Sen. Rachel Siewert said there is support for the plan, but added there must be assurances "that sensitive medical information is protected and that individuals have control over decision-making." Concerns over health data privacy had emerged during debate over Healthcare Identifiers (Health ID) legislation that passed at the end of the last parliamentary session in June. Siewart noted that identifiers are likely to improve healthcare delivery and administration, but that privacy concerns remain. She said the Greens will work with the government "to ensure those safeguards are there."
Full Story

ONLINE PRIVACY

What Is Personal Information? Debate Continues (August 25, 2010)

The debate over what is and is not personal information continues to play out, as witnessed at an event last week in Seattle, WA, where one identity expert asserted that, "The notion that location information tied to random identifiers is not personally identifiable information is total hogwash." The statement led to an exchange about transparency and duplicity in privacy policies, The Register reports.
Full Story

PRIVACY LAW—U.S.

California’s Transportation Privacy Bill Heads to Senate (August 25, 2010)

The California state assembly last week passed a bill to protect the locational privacy of commuters using the "FasTrak" system to pay road tolls, Palo Alto Online reports. Senate Bill 1286, sponsored by Sen. Joe Simitian (D-Palo Alto), forbids transportation agencies from selling or sharing personal data, requires data be purged when necessary, sets penalties for violations and requires privacy notices. "Personal driving histories are just that, personal," Simitian said. "State law should protect and respect the privacy of California drivers...Where you've been, and when, day after day, year after year, reveals a lot about you." The bill will next go to the senate.
Full Story

PRIVACY LAW—GERMANY

Law Would Ban Employers from Social Networking Site Research (August 24, 2010)

Spiegel reports on the drafting of a law that would prevent employers from looking at job applicants' social networking activities during the hiring process. The law, drafted by Interior Minister Thomas de Maiziére and expected to pass after the German cabinet vote Wednesday, would radically restrict the information bosses can legally collect, the report states, though general information about the candidate available on the Internet would not be forbidden. The law would also restrict certain video surveillance in the workplace  E-mail and telephone communication surveillance would be permitted only under certain conditions. Meanwhile, privacy advocates are voicing concern over the country's plan to require citizens to carry RFID-equipped identification cards.
Full Story

PRIVACY LAW—U.S.

California Senate Passes Breach Bill (August 23, 2010)

California Senate Bill 1166 passed the state legislature on Thursday. The law strengthens the notification requirements for data breaches, reports Central Valley Business Times. It specifies what information must be included in notices and requires entities to notify the state AG under certain circumstances. "This new measure makes modest but helpful changes" to existing data breach notification law, said Sen. Joe Simitian (D-Palo Alto), the bill's sponsor. "It will also give law enforcement the ability to see the big picture and a better understanding of the patterns and practices developing in connection with identity theft," Simitian said.
Full Story

ONLINE PRIVACY—GERMANY

Defining and Defending Privacy (August 23, 2010)

The legacy of the Nazi era and the Cold War has many Germans focused on protecting privacy, the Canadian Press reports, most recently prompting the government to take a stand against Google's plans to unveil its Street View in that country in the months ahead. "We respect people's privacy," said Philipp Schindler of Google, noting, "In Germany, we offer rules for 'Street View' that do not exist in any other countries. Only in Germany can you request your house be omitted before the start." The issues rekindle debate over how to define and defend privacy in the digital age, the report states. According to Berlin's Freie University Prof. Jesko Kaltenbaek, "There is a fear of becoming a 'See-through Citizen' in a totalitarian surveillance state."
Full Story

PRIVACY LAW—U.S.

Tighter Medical Privacy Rules Sought (August 23, 2010)

The New York Times reports on the Obama administration's rewriting of medical privacy rules due to criticism of those proffered last year at this time. At the urging of the White House, the Department of Health and Human Services recently withdrew the temporary rules for further consideration, the report states. Chief among criticisms of the rules was the harm threshold provision, which would let healthcare providers and insurers determine whether to notify patients of a privacy breach based on potential harm. "Harm is in the eye of the beholder," said Deven McGraw of the Center for Democracy and Technology. Senior lawmakers told HHS Secretary Kathleen Sebelius that the rules were "not consistent with Congressional intent." (Registration may be required to access this story.)   
Full Story

DATA PROTECTION

Startups Grow in Line with Breaches (August 23, 2010)

As online data breaches increase to 100 million in the U.S. alone, the numbers of data protection startups are increasing as well, reports CNBC, thanks to the investments of entrepreneurs and venture capitalists. Protecting online identity is a $2.5 billion market, according to Forrester Research, growing 12 to 15 percent annually. Among the new companies in the space are those that allow parents to monitor their children's online activities, which is expected to become a $1.5 billion industry and as popular as anti-virus software. Also growing are startups allowing individuals to manage their online reputation. One such company charges between $100 and $1,000 annually to control what users see about clients when they are searched online.
Full Story

GENETIC PRIVACY—U.S.

Prosecutors Urged To Collect DNA in Plea Bargains (August 23, 2010)

New York prosecutors are being urged to collect DNA samples as part of plea bargains in all misdemeanor cases after a bill proposing to do just that got stuck in the legislature, The Associated Press reports. The Department of Criminal Justice Services' acting commissioner wrote to 62 county district attorneys last week encouraging the idea, which is aimed at preventing violent crimes. The New York Civil Liberties Union opposes the idea, which would roughly double the current state database. "DAs must resist this kind of pressure and continue reaching plea bargaining agreements as they always have," a spokeswoman said.
Full Story

GEO PRIVACY

Mixed Reactions to Social Network’s Location Feature (August 23, 2010)

The Wall Street Journal reports on reactions to Facebook's new location feature, "Places," which range from concerns about privacy to nods to the company for improvement over past privacy-related issues. Among those who are still concerned about the feature, which allows users to share their physical location and that of friends who have not opted out of Places, is Ireland's Data Protection Commissioner, which has announced it will be monitoring its privacy implications. Facebook has defended the new feature, stating it consulted numerous privacy and safety groups before it went live, the report states. However, advocacy groups including the Electronic Privacy Information Center have said the company has not given users adequate controls. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

The Failure of Anonymity (August 23, 2010)

In the August issue of the UCLA Law Review, Paul Ohm writes about the ways that advancing computer science has "undermined our faith in the privacy-protecting power of anonymization" in his article entitled, "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization." The article discusses how scientists have learned to "reidentify" or "deanonymize" data, revealing the individuals behind the "anonymous" information. "By understanding this research, we realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed," the paper's abstract notes, suggesting this error "pervades nearly every information privacy law, regulation and debate, yet regulators and legal scholars have paid it scant attention."
Full Story

ONLINE PRIVACY

Intel Acquires Security Specialist McAfee (August 20, 2010)
The New York Times reports that chip maker Intel has acquired McAfee, which is one of the leading providers of antivirus and other computer security software, for $7.68 billion, turning to "security software and services as a way to separate its products from those of its rivals."

DATA RETENTION—AUSTRALIA

Ombudsman: Retained Data Must Be Protected (August 20, 2010)

Incoming Commonwealth Ombudsman Allan Asher thinks there should be better public consultation when it comes to data retention. That's according to a report in ZDNet Australia on Asher's views as he prepares to take up his new role at a time when the Attorney-General's Department is considering implementing a data retention plan where ISPs would be responsible for logging users' Web histories. Asher, who is the former CEO of the Australian Communications Consumer Action Network, said, "The job of the ombudsman is to keep (government departments) honest across our jurisdiction," noting that any complaints relating to the collection and handling of personal data by a government department would fall under his jurisdiction.
Full Story

PRIVACY LAW—U.S.

New IL Law Prevents Credit Checks (August 20, 2010)

A new Illinois law prohibits employers from using credit histories to determine whether to hire, fire or promote, the Chicago Tribune reports. Employers found to be accessing credit histories for such purposes could face legal action, the report states. Some employers are exempt from the law, which takes effect January 1, 2011. "If you lose your job and your credit is damaged as a result, and employers use your credit to prevent you from getting a job, this is a vicious cycle folks will never get out," said Sen. Don Harmon, the sponsor of the legislation.
Full Story

PRIVACY LAW—HONG KONG

New, Tougher Privacy Legislation to be Tabled Soon (August 20, 2010)

Hong Kong Chief Secretary Henry Tang says the government is working with the privacy commissioner on tougher privacy legislation that will be tabled soon, reports the Web site news.gov.hk. Tang said that recent privacy scandals involving mishandled customer data will help the government fine-tune the legislative proposal. Tang told reporters, "The recent incidents have aroused public awareness of privacy protection, which requires joint efforts by the government, the public and the trades. The government will put more effort in privacy protection and will give clear guidelines to various industries."
Full Story

ONLINE PRIVACY

Tracking the Online Trackers (August 20, 2010)

NPR reports on what it calls one of the fastest growing businesses on the Web, "spying on Internet users by using sophisticated software" to gather information that can then be sold to advertisers. In an interview on "Fresh Air," Julia Angwin, who led the team of reporters behind The Wall Street Journal's recent analysis of the use of tracking software by popular Web sites, noted that many Internet users are unaware of how their data is tracked and traded online. "Most people that we have heard from since writing these stories did not know what was going on," Angwin said, adding, "when you go to a Web site, you're not thinking about the fact that they might have relationships with all different types of monitoring firms, and those firms are installing things that are invisible to you on your computer."
Full Story

PRIVACY LAW—SPAIN

Court Date Set in WiFi Case (August 20, 2010)

A Madrid court has asked Google to have its representatives appear before it on October 4 in relation to its Street View vehicles' gathering of personal data through unsecured wireless networks, according to Spanish digital rights group Apedanica. OUT-LAW.COM reports on the case in Spain as one of many international investigations related to the collection of "snippets of the traffic that travelled over those networks." The UK's ICO has stated it is not likely that much personal data was gathered, but the Madrid court wants additional information, the report states, including what data was collected and from how many people.
Full Story

PRIVACY LAW—AUSTRALIA

Advocates Oppose Proposed Health ID Function (August 20, 2010)

Privacy advocates are expressing concern over a proposed plan to use the mandatory healthcare identifiers to monitor people on benefits, The Australian reports. Opposition treasury spokesman Joe Hockey is sponsoring the bill, which privacy advocates dislike due to the fact that the health identifiers laws were to prohibit the use of health ID numbers in non health-related instances, the report states. "We repeatedly warned of the risk of function creep in relation to healthcare identifiers," said Australian Privacy Foundation health spokeswoman Juanita Fernando. "The coalition plans to make use of the HI scheme to achieve cost savings in health and welfare despite the risks to citizens' privacy, not to mention the danger of identity fraud."  
Full Story

DATA LOSS—U.S.

Stolen Laptops Behind UConn, Yale Breaches (August 20, 2010)

Officials at the University of Connecticut (UConn) are notifying more than 10,000 individuals that their personal information was on a laptop computer stolen from the school's West Hartford campus, the New Haven Register reports. The names, contact information and Social Security numbers of those who applied for admission to the school between 2004 and 2010 are affected, and the university is offering two years of free credit monitoring. UConn is the second higher education institution in Connecticut to announce a breach this week. State Attorney General Richard Blumenthal is looking into a Yale School of Medicine laptop theft that involves the health information of 1,000 individuals.
Full Story

SOCIAL NETWORKING—U.S.

Teacher Resigns over Wall Posts (August 20, 2010)

A Massachusetts teacher is no longer employed at a Cohasset school due to unfavorable comments she made about students and parents on a social networking site, ABC News reports. School officials asked the high school math and science educator to resign after parents complained about the comments, in which she described students as "germ bags" and parents as "arrogant." "I embarrassed the school district," 54-year-old June Talvitie-Siple told ABC. She said she didn't realize that her wall posts were visible beyond her network of friends.
Full Story

ONLINE PRIVACY

Gambling Site Cleared to Relaunch (August 20, 2010)

The BC Lottery Corporation (BCLC) is set to relaunch its PlayNow online gambling Web site after resolving to the satisfaction of the provincial privacy commissioner a security vulnerability that caused a breach last month, The Globe and Mail reports. BCLC took the site offline on July 15 after players reported that they could see the personal information of others. BC Privacy Commissioner Elizabeth Denham said that while the data crossover problem has been remedied, she will continue to investigate BCLC's risk management efforts. "The nature of these Web sites exposes personal information to a greater risk," Denham wrote in a letter to BCLC CEO Michael Graydon.
Full Story

GEO PRIVACY

Facebook Launches Places (August 19, 2010)

Facebook yesterday introduced a new geolocation feature that lets users share their locations, The New York Times reports. Called Places, the service allows users to "check in" to a place, allowing friends to see where they are and letting them find nearby friends. Users can also tag friends as being at the place. "This is not a service to broadcast your location at all times," said Places product manager Michael Sharon, "but rather one to share where you are, who you are with, when you want to." Sharon said that users will be able to control who sees their check-ins and remove themselves after being tagged. According to analysts, the company must tread carefully. "Location-aware services, if misused, could...result in catastrophic events." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—GERMANY

Leaders To Convene Summit (August 19, 2010)

Germany is now planning a summit on geographically based Internet services in response to concerns about Google's introduction of Street View in that country, Spiegel reports. Interior Minister Thomas de Maizière said government ministers as well as consumer, data and privacy protection officials and "the companies in question--including, above all, Google" will be invited to the summit, the report states. Meanwhile, Data Protection Commissioner Peter Schaar is calling for greater protection of private data on the Internet, including a federal register to assist those who want to keep their personal information off the Web. According to Justice Minister Sabine Leutheusser-Schnarrenberger, "The current right to data protection needs to finally be adapted for the digital world."  
Full Story

BEHAVIORAL TARGETING—U.S.

Businesses Rely on Analytics (August 19, 2010)

CNBC reports on retailers' increasing use of analytics software to turn data into profits. Rental car company Avis, for example, is using accumulated data to find rental patterns and Web site browsing habits to better tailor e-mail marketing, which has proven to be cost effective for the company. Today, analytics software is a $25 billion market and growing. "Analytics is not just a luxury these days, it's a necessity," said an analyst at Forrester Research. "Large enterprises, especially large retailers, because we're talking about customer data today, can't really survive today without analytics." Police departments in New York and Memphis are also using the technology to anticipate crime.
Full Story

HEALTHCARE PRIVACY—U.S.

Team To Recommend Ways To Keep PII Safe (August 19, 2010)

Computerworld reports that the "tiger team" advising the federal Health IT Policy Committee is expected to submit 19 pages of recommendations today in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology for ensuring the privacy and security of personally identifiable health information in health data exchanges. The recommendations will clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information, the report states. The team's letter recommends no additional consent for the direct exchange of electronic patient data between health providers for treatment purposes, but "any data exchange that involves a third party does require specific and 'meaningful' patient consent."
Full Story

HEALTHCARE PRIVACY—U.S.

Hospitals, University Concerned About Breaches (August 19, 2010)

Yale School of Medicine is alerting 1,000 people that their health information has been compromised after a laptop containing non-encrypted information was stolen last month, New Haven Register reports. State Attorney General Richard Blumenthal's office is investigating, and officials say Yale and New Haven Police departments are working together. The school's dean said the college deeply regrets the incident and that it is moving to make security upgrades. Meanwhile, a recent survey indicates hospitals' concerns about data breaches as they increasingly move towards electronic health records. The Imprivata study shows 80 percent of those polled say locking down patient information from breaches and unauthorized access is a top priority.
Full Story

ONLINE PRIVACY

Google CEO Discusses Privacy Trends (August 19, 2010)

In an interview with The Wall Street Journal, Google CEO Eric Schmidt describes a future where the transition from childhood to adulthood could include an option where adults can change their names to protect their privacy later in life. CRN reports on his point of view that "as our private information becomes ubiquitous on the Internet due to postings on social media sites such as Facebook, young people should be entitled to automatically change their name on reaching adulthood." Schmidt also discussed Google's ongoing privacy-related issues across the globe, stating it will do what is "good for consumers" and "fair" to competitors.
Full Story

PRIVACY LAW—U.S.

Class Action Claims Sites Spied on Users via Cookies (August 19, 2010)

OUT-LAW.COM reports on a class-action lawsuit claiming that customers of a content-sharing service and its affiliates have used Flash cookies to track users' Web movements. The suit, filed in U.S. District Court for the Central District of California, alleges that Clearspring Technologies and some of its affiliates have used the cookie technology without properly notifying users, infringing on their online privacy. The plaintiffs allege the sites "hacked the computers of millions of consumers' computers to plant rogue, cookie-like tracking code on users' computers," without disclosing such practices in terms of service of privacy policies.  
Full Story

DATA PROTECTION—CANADA

Commissioner: Prioritize Privacy or Watch It Go Away (August 18, 2010)

Now is the time for governments to radically change the way they police the sharing of personal information. That's according to Ontario's Information and Privacy Commissioner, Ann Cavoukian, who said at a University of Ottawa event this week that already legislation cannot keep up with advances in technology and that governments worldwide must adopt a "privacy by design" mentality and force businesses to make personal information private, the Ottawa Citizen reports. Cavoukian's privacy by design concept requires businesses to ask individuals for access to their personal information and explain the intended use before mining it. "It's your information, You should be able to decide what happens to it," Cavoukian said. "Privacy must become the default." Editor's note: Commissioner Cavoukian will lead the "Practical Privacy by Design: A Hands-On Workshop" preconference session at the upcoming IAPP Privacy Academy.
Full Story

DATA PROTECTION—HONG KONG

Telecoms Investigated for Data Practices (August 18, 2010)

The Standard reports that three telecom operators are being investigated over the improper handling of customer data. Noting serious concerns, Privacy Commissioner Allan Chiang Yam-wang said a hearing is possible and that he has received 20 complaints regarding telecoms' handling of personal data over the last two years, the report states. Chiang has met with officials from the Office of the Telecommunications Authority to discuss ways the companies can improve data protection practices. The news follows last week's announcement that six retail banks sold the personal data of 600,000 credit card and savings account customers to third parties.
Full Story

GEO PRIVACY—U.S.

Maine Officials Concerned about Finance Firm’s Request (August 18, 2010)

Officials in Maine are concerned about a finance company's recent query about placing GPS devices in financed vehicles, MPBN reports. "I foresee a fairly small step from that to a more immediate situation in which the owners of the contracts are keeping an eye on the activities of consumers," said State Bureau of Consumer Credit Protection Superintendent Will Lund. "Certainly it raises privacy issues." According to the report, Maine Attorney General Janet Mills is looking into the matter.
Full Story

PRIVACY LAW—U.S.

School Officials Tell Parents “Don’t Provide SSNs” (August 18, 2010)

Concerned about a new Maine law requiring schools to collect students' Social Security numbers (SSNs), some local officials are encouraging parents not to provide the numbers to the state, Bangor Daily News reports. Brewer Superintendent Daniel Lee said parents should know they have the authority to decline providing their children's SSNs, which will be used to track students' progress for 12 years. Lee said the study is worthwhile, but shouldn't use SSNs as identifiers. The Maine Civil Liberties Union, which opposed the law from the start, says the Department of Education hasn't educated parents on the privacy risks. "Even the most secure databases are subject to breach," a spokeswoman said.
Full Story

PRIVACY LAW—U.S.

Second Suit Filed Involving Use of Flash Cookies (August 18, 2010)

A lawsuit filed in California's Central District federal court last week alleges that Clearspring and its affiliates violated user privacy by using Flash cookies, MediaPost reports. It is the second lawsuit to have been filed for such claims. Both suits seek class-action status. "Plaintiffs and the class members did not voluntarily disclose their personal and private information, including their Internet surfing habits, to defendants--and indeed never even knew that defendants existed or conducted data collection and monitoring activities," the latest suit states. The plaintiffs say that the use of Flash cookies "unfairly wrests control from users who choose to delete their cookies in order to avoid being tracked."
Full Story

SURVEILLANCE

With the Sky Watching, What Is and Is Not Private? (August 17, 2010)

A report published in the San Francisco Chronicle describes how "High-tech eyes in the sky--from satellite imagery to sophisticated aerial photography that maps entire communities--are being employed in creative new ways by government officials," which is raising concerns about the loss of privacy rights. From online services providing detailed views of locations across the planet to the use of such technology to monitor compliance with local, state and federal laws, Gregory Nojeim of the Washington, DC-based Center for Democracy and Technology, points out, "As technology advances, we have to revisit questions about what is and what is not private information."
Full Story

RFID—U.S.

Researcher: RFID Tags Can Spy on Consumers (August 17, 2010)

The electronic tracking tags some retailers are putting in their products could threaten consumers' privacy, says a researcher from Purdue University. One major retailer is planning on attaching the tags to some of its products starting this month, The Chicago Tribune reports, raising concerns among some privacy advocates that the discarded RFID tags could be tracked and even reveal what products are in a consumer's home. Information security expert Eugene Spafford says companies can use the tags to track what consumers have purchased without alerting them that they're being spied on, and relatively inexpensive devices can read tags from hundreds of feet away.
Full Story

DATA PROTECTION—NIGERIA

Attorney: Privacy Law Needed (August 17, 2010)

Requiring cell phone users to register their SIM cards prior to activation may violate Nigerians' right to privacy, writes attorney Rotimi Fawole in the Daily Independent. The Nigerian Communications Commission has said the measure will help prevent and prosecute crime, but Fawole says that may come at the cost of user privacy, given the lack of safeguards employed for the collection of SIM card users' data, which includes a photograph and fingerprint. Without a data protection law, questions remain over who owns the collected data, who may seize it lawfully and which third parties may have access to it. "Should there not be a minimum legal standard for the handling of such information?" Fawole asks.
Full Story

ONLINE PRIVACY—EUROPE

Mapping Service Debate Continues (August 17, 2010)

While debate continues in Germany over Google's plan to launch its Street View services in 20 cities there, Spain has become the most recent country to launch an investigation into concerns that Street View data collection violated people's privacy, a Google spokeswoman confirmed. Meanwhile, Google has announced it is seeking a UK Privacy Counsel. The Wall Street Journal reports that polls show a majority of Germans oppose having images of their homes included in Street View. While Google has given residents several weeks to opt out of the service before it goes live, concerns persist that Street View data could eventually be used by some sites in conjunction with other personal information about residents. (Registration may be required to access this story.)
Full Story

BIOMETRICS—AUSTRALIA & NEW ZEALAND

Countries Sharing Fingerprint Data (August 17, 2010)

The New Zealand Herald reports that New Zealand and Australian immigration officials have begun sharing fingerprint information in an effort to prevent immigrants carrying false identification papers from crossing the border. The measure is primarily aimed at those applying for refugee status, a New Zealand immigration official for identity and biometrics said, and would not require everyone entering the country to be fingerprinted. The program will expand to include checks with the UK, Canada and the United States under the Five Country Conference, which will match fingerprints of persons of interest. The official said the system includes privacy safeguards and will help immigration strengthen border security and combat fraud early in the immigration process.
Full Story

ONLINE PRIVACY

Advocates: Net Neutrality Is Necessary (August 16, 2010)

Privacy experts are questioning the impact that moving away from net neutrality, where ISPs are prohibited "from exploiting their role in delivering information to favor their own content or the content of the highest bidders," will have on online privacy. The New York Times reports on privacy advocates' concerns that in a non-neutral Web environment, "the Internet becomes more like a mall--where users are from the start viewed as consumers--and less like a public square." Cindy Cohn of the Electronic Frontier Foundation contends, "The people who are pushing for a non-neutral world are pushing it for monetary purposes," while Columbia Law School Prof. Eben Moglen believes such moves emphasize the business of the Internet at the expense of privacy. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Suit Alleges Web Sites Spied on Users (August 16, 2010)

A recent lawsuit filed in federal court by a group of minors and their parents alleges well-known Web sites broke the law by secretly tracking their Web movements, CNET News reports. The suit, filed Tuesday in the U.S. District Court for the Central District of California, alleges that software company Clearspring Technologies placed Flash cookies on computers belonging to users of its affiliates' Web sites, allowing them to be tracked wherever they went online without their knowledge. The plaintiffs allege that the information collected was personal and far-reaching, including gender, age, race, geographic location and household income.
Full Story

ONLINE PRIVACY—CANADA

Are We A See-Through Society? (August 16, 2010)

"The traditional notions of privacy and anonymity--and even the revamped versions that arose with the Web two decades ago--are dying." That's according to a report in The Globe and Mail that examines the way a few simple clicks on Internet sites can reveal settings and information that can be used to identify users. Noting that privacy legislation in Canada and many countries was drafted long before current tracking capabilities emerged, the report suggests that the Internet's "marketing-oriented assault on privacy is unnervingly complemented by a move to greater security measures, with everything from airport scanners to street surveillance cameras turning an invasive eye on citizens as they go through everyday life" resulting in a "see-through society" that features "digital doppelgangers of us all over the place."
Full Story

PRIVACY LAW—U.S.

Courts Differ on Constitutional Privacy Rights (August 16, 2010)

The New York Times reports on the differing opinions among U.S. courts regarding police use of tracking technologies and whether or not they violate privacy rights. Last week, a federal appeals court ruled that police must obtain a warrant before attaching a GPS to a suspect's vehicle for tracking purposes, though that contradicts rulings from three other appeals courts. Some legal scholars have called for a fundamental rethinking of how to apply Fourth Amendment privacy rights in the 21st century, the report states. "Often what we have to do with the march of technology is realize that the difference in quantity and speed can actually amount to significantly more invasive practices," said one law professor. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—U.S.

Advocate: Technologies Fight Crime, Erode Privacy (August 16, 2010)

Law enforcement officials point to high-tech tools used to fight crime as a key reason why the national crime rate has decreased. But with the increased use of such technologies comes an increased risk to privacy, CBS News reports. In Chicago, for example, officials estimate the number of privately and publicly used surveillance cameras to be around 15,000, capable of zooming in to read a license plate. Jim Harper of the Cato Institute says the cameras invade privacy, recording people daily without their knowledge. "As these cameras network together, and as they are better capable at recognizing individual faces," he says, "people will realize just how they are being watched."
Full Story

SOCIAL NETWORKING

Facebook Privacy Questions Remain (August 16, 2010)

Although Facebook has corrected a glitch that exposed user photos and screen names to anyone who supplied the site with a correct e-mail address but incorrect password, Bloomberg reports that the site continues to juggle users' privacy expectations with the needs of its advertising customers. Referencing the recent book, "The Facebook Effect: The Inside Story of the Company That Is Connecting the World," the report describes the conflict between Facebook's users and the advertisers who pay the site's bills. Recent issues include privacy advocates' concerns with changes in the site's policies and the results of the 2010 American Customer Satisfaction Index, which listed "privacy concerns...and commercialization and advertising" as having a negative effect on the site's users.
Full Story

ONLINE PRIVACY

RIM Responds to Indian Government (August 13, 2010)

Research in Motion (RIM) yesterday responded to the Indian government's threat to "take steps to block" some Blackberry services if they're not made accessible to law enforcement there. The Victoria Times Colonist reports that RIM has announced four principles to guide negotiations with foreign governments over access. The principles include that carriers must observe the strict context of lawful access and national security requirements by the country's judiciary and rules of law; the carrier's demands must be what BlackBerry calls "technology and vendor neutral;" there will be no changes to the security architecture for BlackBerry Enterprise Server, and RIM will maintain  a "consistent global standard for lawful access requirements that does not include special deals for specific purposes." BlackBerry services have been banned in the United Arab Emirates and Saudi Arabia, and Indonesia is also considering a ban.
Full Story

ONLINE PRIVACY—U.S.

Internet Advertisers Speak Out (August 13, 2010)

In the wake of reports on privacy concerns related to online advertising, the Interactive Advertising Bureau (IAB) is asking its members to help fund a campaign defending the industry, The Wall Street Journal reports. While online advertising associations have designed a self-regulatory plan aimed at informing consumers about data collection, many lawmakers and privacy advocates do not believe it is enough. IAB President Randall Rothenberg spoke out against government regulation of the collection and use of consumer data, the report states, noting that limitations would "return the U.S. to a world of limited consumer choice in news, entertainment, products and services." Other Internet advertising executives have a different view, suggesting there is a need for a sustainable privacy strategy. (Registration may be required to access this story.)
Full Story

PRIVACY—U.S.

The New Tools of the Trade (August 13, 2010)

Jay Cline, CIPP, writes for Computerworld about his investigation into the present and future of the software market for privacy governenance, risk and compliance (GRC) products. Based on growth in organizations like the IAPP and other benchmarks, Cline estimates the market to be around $1 billion and, he says, some entrepreneurs have noticed. In his investigation, Cline and research analyst Michael Lotti found that tools are emerging to help privacy professionals track and unify laws and regulations, integrate overlapping audits and assessments and maintain data inventory. Those using these products, writes Cline, are feeling "relief at having software to leverage existing staff, but also a sense of being overwhelmed by the Year One task of getting everything loaded into the tool and customized."
Full Story

ONLINE PRIVACY—U.S.

Opinion: Time To “Bake In” Privacy (August 13, 2010)

Looking at recent privacy issues ranging from Web tracking to street mapping, Dave Morgan writes in a blog for MediaPost that, "Many in the industry have been taking a lot of reactive--and appropriate--steps to deal with privacy issues as they surface...But all this is not enough." Referencing recommendations by Federal Trade Commission Chairman Jon Leibowitz during a recent Senate Commerce Committee hearing, Morgan suggests, "It's time for online companies to get out in front of the privacy issue," pointing out that Leibowitz and others have suggested, "if the industry doesn't make a lot of progress on this issue, it could face everything from congressional action to a national do-not-track list."
Full Story

BIOMETRICS—U.S.

SIA Concerned Over ID Legislation (August 13, 2010)

Dark Reading reports on Security Industry Association (SIA) concerns that proposed legislation in Alaska to restrict the use of biometric technology could "ultimately result in the use of less secure identity solutions." The bill, proposed by Alaska Sen. Bill Wielechowski, would make it illegal for individuals, other than law enforcement and those authorized in state or federal law, to "retain or analyze, or disclose or distribute to another person, biometric information on an individual without first obtaining the informed and written consent of the individual." SIA CEO Richard Chace wrote to Wielechowski that the federal government is implementing an identity management program that relies on biometric technology, the report states, arguing it is an important tool in proving people are who they say they are.
Full Story

ONLINE PRIVACY—GERMANY

Officials Consider New Street-Level Photography Regulations (August 13, 2010)

Germany is considering introducing legislation to place stricter limits on Google's Street View and similar mapping services, The Wall Street Journal reports. The announcement came after Google confirmed this week that it plans to introduce Street View in the country's largest cities by the end of this year, a move that has data protection regulators in the country voicing concerns about privacy. A spokesman for the German Interior Ministry said the federal government is exploring the possibility of strengthening existing rules, which could require new legislation. "We must ensure this technology respects privacy," said Member of Parliament Peter Blesser. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Stacks of Medical Records Found at MA Dump (August 13, 2010)

The medical records of thousands of pathology patients from four Massachusetts hospitals were found at a transfer station on July 26, reports The Boston Globe. The records are believed to go back two to three years and include names, Social Security numbers, cancer test results and post-miscarriage lab results. Hospital officials say they were dumped there by the medical billing company contracted by the pathologists. It is not known where the majority of the records are now. The hospitals plan to formally notify the attorney general's office and now need to determine who should be notified--and also who is legally responsible for notifying them. Clark Fenn of Holyoke Medical Center said, "This is a perfect example of how complicated the security of confidential information is. There are many hands that touch things. All it takes is one slip in that process for information to be released.''
Full Story

GENETIC PRIVACY—U.S.

University Revises Student DNA Plan (August 13, 2010)

The University of California Berkeley announced Thursday that it is altering its voluntary genetics testing of incoming students in response to a California Public Health Department ruling on how DNA samples should be handled, the Los Angeles Times reports. Originally, the plan would have provided an option for students to learn about three of their own genetic traits, the report states, while the new program will only make collective results of the approximately 1,000 participants available for discussion at orientation. Critics have been raising privacy concerns about the program since it was unveiled earlier this year, but the state's Senate Education Committee defeated a bill this week that would have restricted public universities from seeking student DNA.
Full Story

DATA LOSS—U.S.

Reports Link Payment Systems Company to Breach (August 13, 2010)

The company that "suffered the largest ever data breach involving payment card data" last year, is downplaying reports linking it to a data breach at a Texas restaurant chain, Computerworld reports. Newspaper reports out of Austin allege that intruders hacked into the network connecting the restaurant with Heartland Payment Systems. Heartland Payment Systems CIO Steven Elefant said the reports point to a "localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud" adding that the company is "unaware of any broader issue." Elefant said Heartland will work closely with business owners to help identify the source of the breach and help with remediation efforts.
Full Story

PRIVACY LAW—U.S.

GPS Case Raises Geo-Tagging Questions (August 12, 2010)

A federal appeals court opinion issued last week about a criminal conviction based on the surreptitious use of GPS in a suspect's vehicle resonates with online and geo privacy issues, TechFlash reports. The court's opinion stated that what people do repeatedly, what they do not do and what that information holds when taken together, "can each reveal more about a person than does any individual trip viewed in isolation." The court found that a "reasonable person" does not expect their daily activities to be monitored and recorded. However, as attorney William Carleton writes, "Presumably, someone who voluntarily exposes the record of his Foursquare check-ins will not have the same expectations of privacy" as the suspect in the criminal case.
Full Story

PRIVACY LAW—U.S.

XY User Data to Be Destroyed (August 12, 2010)

ReadWriteWeb reports that the owner and former partners and debtors of the defunct XY publication and Web site have agreed to destroy the personal information of users. The future of the data came into question earlier this year when the site's owner filed for bankruptcy protection, listing as assets the XY customer list and personal data. The Federal Trade Commission weighed in on the matter. But the bankruptcy ruling sets a timeframe for destruction of the data. The Electronic Frontier Foundation (EFF) said of the agreement, "We're happy...that this potential privacy fiasco has ended well for XY's customers" but warned that it's a problem that will likely come around again.
Full Story

GEO PRIVACY

There’s More to That Photo Than Meets the Eye (August 12, 2010)

Geotags embedded in photos and videos taken with GPS-equipped devices are invisible to the casual viewer, The New York Times reports, and that has experts concerned that many people are putting their privacy and security at risk. By looking at geotags and the text of posts, "you can easily find out where people live, what kind of things they have in their house and also when they are going to be away," said Robin Sommer, who authored the recent paper "Cybercasing the Joint: On the Privacy Implications of Geotagging" with Gerald Friedland. Peter Eckersley of the Electronic Frontier Foundation said he believes few people are aware of geotagging capabilities, "and consent is sort of a slippery slope" due to the complexities of disabling such functions. (Registration may be required to access this story.) Editor's Note: See our related story in this month's edition of Inside 1to1: Privacy.
Full Story

SOCIAL NETWORKING

Facebook Working To Fix Privacy Flaw (August 12, 2010)

Following a security researcher's announcement that entering an e-mail address into Facebook's login page with an incorrect password could result in access to the user's name and profile photo, the company has acknowledged it is working on fixing a bug that it says "temporarily prevented" its systems from working correctly. InformationWeek reports on Secfence Technologies CEO Atul Agarwal's discovery that such details could be exposed regardless of user privacy settings. Another researcher found that the site suggested valid user names, profile pictures and e-mail addresses when supplied with an incorrect e-mail address that was similar to a valid one, the report states. A Facebook spokesperson noted, "We are already working on a fix and expect to remedy the situation shortly."
Full Story

DATA PROTECTION

PCI DSS 2.0 Summary Unveiled (August 12, 2010)

The PCI Security Standards Council has released a summary of anticipated changes to the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS), Bank Info Security reports. The 12 proposed changes are designed to clarify certain aspects of the standards and provide additional guidance, among other aims. There are no new requirements in version 2.0. "The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive data," said council General Manager Bob Russo. A more detailed summary of both will be released in September.
Full Story

PERSONAL PRIVACY—UK

Police Collect PII on Innocents (August 12, 2010)

The Daily Mail reports that police in the United Kingdom are amassing personal details on citizens who call them to report incidents. One police force has compiled data on hundreds of thousands of innocent individuals. The North Yorkshire Police confirmed that the information is retained for a minimum of 15 years and up to 100 years and can be shared with other forces. A spokesperson said, "Data is an essential factor in being effective, which is why we request that individuals who come into contact with [us] provide additional information regarding their date of birth and ethnicity."
Full Story

DATA RETENTION—U.S.

Veterans Affairs Data Breaches Online (August 12, 2010)

Veterans Affairs Department (VA) Chief Information Officer Roger Baker told a press briefing yesterday that the department has begun posting monthly data breach reports on the Internet, reports nextgov.com. The monthly reports will include such breaches as lost, misplaced or stolen computers and smartphones and mail-order prescriptions sent to the wrong recipients. Baker said that VA employees have lost a total of 50 smartphones since the beginning of May. Meanwhile, of the 5.6 million prescriptions mailed by the VA pharmacy in July, 10 were incorrectly addressed. The online posting of breaches is an extension of continuing efforts by the VA to increase transparency.
Full Story

DATA PROTECTION—U.S.

DARPA Draws White House Praise; Will Appoint Privacy Ombudsman (August 11, 2010)

The White House has commended the Defense Advanced Research Projects Agency (DARPA) for its new privacy principles, unveiled Monday, which aim to balance national security and individual privacy, The Hill reports. In a blog post, Tom Kalil, deputy director for policy at the White House Office of Science and Technology Policy, expressed delight with DARPA's leadership on the issue. "It is critical that we maintain our privacy and civil liberties in the Digital Age," Kalil said. Under the new guidelines, the agency will appoint an internal privacy ombudsman and will establish an independent privacy review panel, the reports states.
Full Story

DATA LOSS—CANADA

Pharmacy Orders Blow Through Thunder Bay (August 11, 2010)

The Office of the Information and Privacy Commissioner (OIPC) of Ontario is investigating a breach of patient records discovered last week, The Chronicle Journal reports. Pharmacy orders containing patients' medical information were found blowing about public streets near the demolition site of a former hospital. A spokesperson for the Port Arthur General Hospital said a filing cabinet that was left behind when the hospital moved to a new location in 2004 may be the source of the documents. Officials are notifying the patients involved. Brian Beamish of the OIPC said his office is working with the hospital on post-breach matters.
Full Story

DATA LOSS—U.S.

Florida Students and Faculty at Risk (August 11, 2010)

A software upgrade at the College Center for Library Automation exposed the personal information of about 126,000 Florida public college students and faculty, reports The Miami Herald. According to the center, there is no evidence that the information was inappropriately accessed. However, the center is notifying those affected and encouraging them to place a fraud alert on their credit files. Florida State College at Jacksonville (FSCJ) and five other institutions were affected by the breach, which was discovered when a student found his personal information through a Google search. FSCJ is employing a new student identification card that does not include Social Security numbers that will be used for all on-campus resources to help curb the threat of identity theft.
Full Story

ONLINE PRIVACY

Germany, Korea Raise “Street View” Concerns (August 11, 2010)

German data privacy officials are criticizing Google's plan to give property owners there four weeks if they want to stop their buildings from showing up on the company's Street View mapping service, Bloomberg reports. Meanwhile, South Korean police have raided the company's offices there under suspicion it had been "illegally gathering citizens' personal information." Google, on the same day, announced it would introduce Street View in Germany's largest cities by the end of this year. Johannes Caspar, Hamburg's data protection regulator, said the quick introduction and lack of a complaints hotline "create doubts about Google's interests in a simple and user-friendly implementation." Data Protection Commissioner Peter Schaar noted, "It should also be ensured that all complaints received are dealt with before" Street View services begin.
Full Story

STUDENT PRIVACY—U.S.

Maine Schools Will Collect Student SSNs (August 11, 2010)

Beginning this fall, Maine law will require schools to collect student Social Security numbers (SSNs) and submit them to state officials, which has raised privacy concerns and prompted the Department of Education to release guidelines to the state's superintendents, the Portland Press Herald reports. The Department of Education is advising districts to make sure parents understand that they are not required to submit their children's SSNs when schools ask for them, the report states. Although the guidelines followed a request by the Maine Civil Liberties Union (MCLU) that schools alert parents of the privacy concerns related to releasing SSNs, MCLU Legal Director Zach Heiden said they do not go far enough. "It would have been nice for them to include that explicit caution," he said.
Full Story

ONLINE PRIVACY

Google Memo Details Privacy “Soul-Searching” (August 10, 2010)

The Wall Street Journal is reporting on a confidential Google vision statement drafted two years ago, describing the document as a glimpse into the company's "soul-searching" over the use of its "vast trove" of data. "Google is pushing into uncharted privacy territory," the report states, noting, "Until recently, it refrained from aggressively cashing in on its own data about Internet users." According to the report, several of the suggestions included in the "brainstorming document" have been implemented, such as collecting user data to track them for advertising purposes. The next step, the report states, could be for the company to become a clearinghouse for data, which "would put Google--already one of the biggest repositories of consumer data anywhere--at the center of the trade in other people's data as well." (Registration may be required to access this story.)
Full Story

BIOMETRICS—CANADA

Commissioner Wants Fingerprinting Blocked (August 10, 2010)

Privacy Commissioner Jennifer Stoddart has moved to block the fingerprinting of medical school applicants, the Ottawa Citizen reports. The commissioner launched a legal action in Federal Court last week, stating that the American Association of Medical Colleges' (AAMC) collection of test takers' fingerprints violates Canadian law. The AAMC administers the Medical College Admission Test in the U.S. and Canada. It collects photographs and fingerprints from test takers and retains the data for a period of 10 years. Stoddart wants the court to order the organization to create an alternative procedure for fraud prevention, the report states.
Full Story

ONLINE PRIVACY

Pixels Could Replace People in Street Photography (August 10, 2010)

Two University of California researchers have come up with a way to ghost-out the images of pedestrians captured in street-level photography, InformationWeek reports. Arturo Flores and Serge Belongie described their method at the IEEE International Workshop on Mobile Vision in June, saying that it could be a way for Google to address the privacy issues associated with its Street View mapping application. The method "yields Street View images as if the pedestrians had never been there," the researchers wrote in their paper, "Removing pedestrians from Google Street View images."
Full Story

DATA THEFT

Hotel Industry Hard Hit by Hackers (August 10, 2010)

Data theft continues to be prevalent in the hotel industry, with breaches occurring on a weekly basis, SC Magazine reports. The wealth of consumer financial data hotels hold, combined with a lack of basic security precautions, makes them a keen target of data thieves, according to one expert. The industry-wide lack of compliance with Payment Card Industry Data Security Standards (PCI DSS) adds to hotels' vulnerabilities, others say. Navigate LLC founder Chris Zoladz, CIPP, told the Daily Dashboard that non-hospitality breaches are also numerous and that while every company must assess its own security and privacy risks, "certainly being PCI compliant will help minimize the risks of unauthorized disclosure or theft of card data." A former privacy executive in the hotel industry, Zoladz added, "Every company is under challenging financial constraints; however, doing nothing to address these risks will come at a high cost when the risks materialize."
Full Story

ONLINE PRIVACY—GERMANY

State Wants to Boost Students’ Internet Savvy (August 10, 2010)

The government of one German state is embarking on an initiative to educate young people about Internet privacy, Spiegel reports. "Many young people are unaware of how many details they reveal about themselves online," said North Rhine-Westphalia media minister Angelica Schwall-Düren. The initiative will bring privacy education into the state's schools. "Our goal is to convey that the Internet...has risks that students should understand in order to exercise autonomy with regards to digital media," Schwall-Düren said. A similar initiative is underway in Bavaria, where elementary school children are learning about the various forms of digital media.
Full Story

PRIVACY LAW—EU

Commission Confirms Directive’s Timetable (August 10, 2010)

The European Commission has confirmed that while it will release plans for a review of the Data Protection Directive this year, the proposed new law itself will not be published until next year. OUT-LAW.COM reports that a spokeswoman has said the commission is taking time to consider 160 responses from public consultations, noting the process could not be a short one because the changes EU Commissioner Viviane Reding is seeking are significant. "Commissioner Reding envisages it as a bit more than simply 'an amendment'... It is rather an overhaul because the idea is to integrate data protection for law enforcement purposes into the new framework," the spokeswoman said.
Full Story

RFID—U.S. & EU

Researchers: Your Tires Can Be Used To Track You (August 10, 2010)

Researchers from Rutgers University and the University of South Carolina have found that the RFID tags used to measure tire pressure on new cars and provide information wirelessly to the car's electronic control unit can be intercepted or even forged, Computerworld reports. Such monitors are currently required in the U.S. and will be required in the EU by 2012. The vulnerability points to what one researcher described as a troubling lack of concern about privacy and security with new software development. With such systems, "people just try to make things work first, and they don't care about the security or privacy during the first run of design," said Wenyuan Xu, adding, however, that consumers "may be willing to pay a few dollars to make their autos secure."
Full Story

HEALTHCARE PRIVACY—U.S.

Employee Fired for Social Networking Post (August 10, 2010)

A hospital worker has been fired for posting on her Facebook page information about a patient she treated, reports BusinessInsurance.com. The post contained information that could lead to identification of the patient. "As healthcare providers, we have a legal and ethical responsibility to protect patient privacy and we are bound by HIPAA rules and regulations to ensure that we do," the hospital said in a statement. This is the latest example of healthcare workers being called out for inappropriate social networking posts, causing some to encourage hospitals to implement clear policies on acceptable use of such sites.
Full Story

ONLINE PRIVACY

Opinion: The Internet Tracking Debate (August 9, 2010)

Following up on last week's investigative report, The Wall Street Journal is exploring "The Great Privacy Debate" around consumer tracking on the Internet. Some advocates are calling for more control of users' online information while others are supporting less intervention on the Web. Jim Harper writes that when it comes to the Internet, "If Web users supply less information to the Web, the Web will supply less information to them." He discounts assertions about "surreptitious" cookies and writes, "people should get smart and learn how to control personal information." Nicholas Carr, however, suggests that the tradeoff between personalization and privacy on the Web poses real dangers--ranging from the potential for criminals to access personal information to a society-wide erosion of privacy. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Privacy Modes Aren’t Always Private (August 9, 2010)

"Don't do anything in privacy mode that you wouldn't do with the boss looking over your shoulder," PCWorld warns in an article examining the potential to discover users' online activities through Web browsers' privacy modes. According to the findings of a trio of researchers from Stanford and Carnegie Mellon, privacy modes used by major Web browsers to "cover a user's tracks" after an online browsing session fail to purge all traces of user activities. Browser add-ons and even secure certificates can undermine user privacy, the report states, "So anyone who knows where to look for it can find it and glimpse into a user's Internet travels."
Full Story

PRIVACY LAW—U.S.

Opinion: Pros and Cons of Legislating Privacy Online (August 9, 2010)

Point-counterpoint op-eds in USA Today explore the growing concerns around Internet tracking and the debate over whether the time has come for new federal legislation regulating online privacy. Randall Rothenberg of the Interactive Advertising Bureau suggests such regulation is just "one more Big Government idea," stressing users already have the tools to control their privacy online. USA Today's editors offer a different perspective. "Federal privacy laws are not designed to protect consumers in this new age," they write. Since current practices by online companies to keep tabs on consumer interests could evolve into more intrusive tracking, they write, "Better to erect some legal guardrails before the road toward decreasing privacy becomes too slippery."
Full Story

PRIVACY LAW—U.S.

Sacramento Asks, Candidates Answer (August 9, 2010)

Should California set its own laws protecting the privacy of Internet users in the absence of federal oversight? That's the question posed by the Sacramento Bee, which is hosting a forum for answers to that question. Bee Senior Editor Dan Morain reminds readers that in California, "privacy is a fundamental right" and "a governor...has an obligation to defend states' interests." Candidates for some of the state's top offices, including Meg Whitman, Jerry Brown and Chris Kelly, weigh in.
Full Story

PRIVACY—U.S.

Schwartz Moves to NIST (August 9, 2010)

Internet privacy advocate and Center for Democracy and Technology Chief Operating Officer Ari Schwartz will, on August 30, take a new post as senior Internet policy adviser at the National Institute of Science and Technology (NIST), reports GovInfoSecurity.com. In his new role, Schwartz will work with the Commerce Department's Internet Policy Task Force on information security, among other issues, and advise NIST Director Patrick Gallagher on working groups such as the subcommittee on standards under the National Science and Technology Council's Committee on Technology, says the report. Schwartz says he is looking forward to the new opportunity. "NIST's work on Internet issues is at a critical juncture, and NIST and the Department of Commerce are taking the lead on some really key issues right now."
Full Story

ONLINE PRIVACY

CEO: On the Internet, There’s Nowhere To Hide (August 6, 2010)

According to Google's top executive, Internet users can look forward to a future with nowhere to hide online. That's according to a report in THINQ.co.uk on Google CEO Eric Schmidt's comments at this week's Techonomy conference that "true transparency and no anonymity" are what users should expect in the future of the Web. Noting that every digital interaction creates information, Schmidt pointed out that such data can be used to analyze and predict behavior. "If I look at enough of your messaging and your location, and use artificial intelligence, we can predict where you are going to go," Schmidt said, adding, "Show us 14 photos of yourself and we can identify who you are."
Full Story

PRIVACY LAW—U.S.

Maine Prescription Law Upheld (August 6, 2010)

The First U.S. Circuit Court of Appeals in Boston, MA, has upheld a Maine law making doctors' prescription-writing habits confidential, reports the Associated Press. Three companies that provide medical data to pharmaceutical marketers filed the suit challenging the constitutionality of the law. "The plaintiffs suggested that this law chills their commercial free speech," said Maine Attorney General Janet Mills. "All our law does is protect the privacy of doctors who prescribe medications." A similar law in New Hampshire was upheld in courts last year, and a comparable law in Vermont is in front of the Second U.S. Court of Appeals with a ruling expected in a matter of days.
Full Story

PRIVACY LAW—U.S.

Senators Introduce Data Protection Bill (August 6, 2010)

Senate Commerce Consumer Protection Subcommittee Chairman Mark Pryor (D-AR) and Commerce Chairman John (Jay) Rockefeller (D-WV) introduced legislation Thursday to require businesses and nonprofits to establish "reasonable" security policies to protect personal consumer information, Tech Daily Dose reports. The bill would require businesses or nonprofits that own or possess personal information such as credit card numbers to notify individuals if their information is accessed as a result of a data breach within 60 days and to provide them with credit monitoring services for two years. The bill follows one introduced last month focused on requiring businesses to do more to protect sensitive consumer data, the report states. A hearing on the proposal has not yet been scheduled.
Full Story

PRIVACY LAW—EU

Data Protection Directive Delay Expected (August 6, 2010)

Infosecurity reports that the European Commission's decision to revise the schedule for its revision of the EU's Data Protection Directive was to be expected, given the scope of the project. That's according to Bridget Treacy of Hunton & Williams, who explained, "It is an ambitious project and an ambitious timeline, and it is going to take a little time to get things in order...Due to the wealth of comments and active debate, it is not a surprise." The French Data Protection Authority (CNIL) announced the new schedule this week, citing pressure from data protection authorities seeking more time to revise the directive.
Full Story

ONLINE PRIVACY—U.S.

Lawmakers Question Web Tracking (August 6, 2010)

Following a recent report in The Wall Street Journal, Representatives Ed Markey (D-MA) and Joe Barton (R-TX) are seeking information about the privacy practice of 15 popular Web sites the newspaper's investigation identified as "installing the most tracking technology on their visitors' computers." Markey and Barton, who chair the House Bi-Partisan Privacy Caucus, sent letters to the sites on Thursday, stating they are "troubled by the findings in this report, which suggest that the price of consumers' daily use of the Internet increasingly is surrender of their personal information." The legislators have asked the sites to detail their own privacy practices as well as those of the tracking technologies installed by outside companies. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

RIM: No Special Access to User Data (August 6, 2010)

Research in Motion (RIM), the Canadian company behind BlackBerry smartphones, is rejecting reports that it would allow the Indian government access to user data shared via e-mail and instant messaging. The Guardian reports that India, following bans by the United Arab Emirates and Saudi Arabia, had warned it could block some BlackBerry services based on concerns about encrypted e-mail. RIM has since issued a statement that suggestions it would allow governments to have special access to customers data were "unfounded." The company has said that its services have been designed "to preclude RIM, or any third party, from reading encrypted information under any circumstances since RIM does not store or have access to the encrypted data." Indonesia is also considering a ban on Blackberry services.
Full Story

HEALTHCARE PRIVACY—U.S.

HIPAA Pharmacy Investigation Continues (August 6, 2010)

The Office for Civil Rights this week confirmed that it is investigating Walgreens in relation to a four-year-old story involving the improper disposal of personal health information at pharmacy chains including CVS and Rite Aid. HealthLeaders Media reports that Walgreens was not mentioned in the settlement agreements reached recently with the other two chains; however, it was reported as being involved when WTHR broke the story in 2007. A Walgreens spokesman said, "We don't comment on whether or not an investigation is being conducted. If HHS has something to announce, we would defer to them. We have high confidence in our HIPAA compliance program and believe we have strong procedures to ensure compliance."
Full Story

HEALTHCARE PRIVACY—U.S.

Stolen Laptop Contained Hospital Records (August 6, 2010)

A Philadelphia, PA, hospital reported this week that a personal laptop containing the names, social security numbers, birth dates and insurance information of about 21,000 patients was stolen from a hospital office, reports eSecurity Planet. The stolen laptop belonged to a Thomas Jefferson University Hospital (TJUH) employee who was using it to store hospital data. It was password protected, but the data was not encrypted. The hospital has conducted an investigation and is notifying patients possibly affected by the loss. "The storage of patient data on an employee's unencrypted computer--even while on TJUH premises--is a breach of hospitals' policy," said TJUH President and CEO Thomas Lewis.
Full Story

SURVEILLANCE

Camera-Equipped Policemen an Increasing Trend (August 6, 2010)

The Toronto Star reports on the increasing trend of police officers outfitted with body cameras. Though Toronto police don't yet employ the technology, a spokesman said the trend is clearly moving in that direction. Police forces in Calgary, Victoria and Edmonton have experimented with programs or will in the near future. The cameras are meant to provide the best possible evidence and eliminate "baseless allegations," but civil rights activists have cited privacy concerns involving data use, access and retention. "Who has access to the images and audio tape? Does the person being filmed have access to it?" asked a spokeswoman from the Canadian Civil Liberties Association.
Full Story

DATA PROTECTION—HONG KONG

Octopus CEO Resigns over Privacy Scandal (August 5, 2010)

Amid pressure over her handling of a data privacy scandal, the CEO of Octopus Holdings has resigned, The Wall Street Journal  reports. The company last week admitted to selling the personal data of nearly two million customers to third parties. In a statement Wednesday, Prudence Chan said that though she doesn't believe Octopus violated any laws or regulations under her watch, she decided to step down as the company works to regain public trust and confidence. "I believe the current issues could have been better handled and for that, I sincerely apologize to our customers and the community," Chan said. Meanwhile, the government has signaled that it will increase privacy protections. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—AUSTRALIA

Keating: Protect Privacy in Info Age “Free-for-All” (August 5, 2010)

Former Australian Prime Minister Paul Keating is voicing his support for a proposal by the Australian Law Reform Commission to create national legislation that would punish businesses and organizations responsible for ''unwarranted and serious breaches of privacy'' with tough financial sanctions, The Age reports. Keating's comments follow on a push by Sen. Joe Ludwig for the Australian Privacy Act to be amended with "serious sanctions" to ensure individuals' privacy rights are protected. Speaking in support of tougher legislation, Keating said, "This is likely to concentrate minds on the importance of compliance with privacy principles a little more than hitherto."
Full Story

PERSONAL PRIVACY—U.S.

Body Scanner Debate Continues (August 5, 2010)

CNET News reports on the privacy debate concerning full-body security scanners. The Electronic Privacy Information Center (EPIC) has asked a federal judge to grant an injunction on Transportation Security Administration (TSA) plans to implement the scanners at major U.S. airports, saying that the "devices are designed and deployed in a way that allows the images to be routinely stored and recorded." EPIC points to the recent acknowledgment by the U.S. Marshals Service that it has retained more than 35,000 body-scan images collected from an Orlando, FL, federal courthouse as cause for concern. However, TSA Privacy Officer Peter Pietra, CIPP/G, told the Daily Dashboard that "TSA privacy policies don't apply to the U.S. Marshals Service, which falls under the Department of Justice." The TSA asserts that the scanners intended for airport use "will not and cannot store, transmit or print images of passengers at airports" and that "there is no way for someone in the airport environment to alter the machine in any way that would give it any functionality to do so."
Full Story

DATA LOSS—CANADA

Ontario Commissioner Investigating Gov’t Site (August 5, 2010)

The Office of the Ontario Information and Privacy Commissioner is looking into a reported breach of the province's change-of-address Web site, the Ottawa Citizen reports. The government is also investigating and has suspended the site after learning that a man's identity was stolen by thieves who allegedly tampered with the site via a Service Ontario kiosk in Hamilton, the report states. A spokesperson for the privacy commissioner confirmed the office had received two complaints about the site and that an investigation is underway.   
Full Story

ONLINE PRIVACY

Google CEO Discusses Technology and Privacy (August 5, 2010)

Speaking at this week's Techonomy conference in the U.S., Google CEO Eric Schmidt discussed some of the privacy-related issues spurred by the advent of new and evolving technology. Schmidt's examples included the use of computers and artificial intelligence to identify people from their online photos, CNET News reports, as well as using data collected by location-based services not only to show where people are but to predict where they are going. Schmidt said that technology is good, but the only way to manage the challenges is "much greater transparency and no anonymity" as "true anonymity is too dangerous."
Full Story

ONLINE PRIVACY

Privacy Breaches in the Clouds? Blame the Customer (August 5, 2010)

When it comes to computing in the cloud, the default contract from many major cloud providers puts the onus for any privacy problems on the customer--even if the provider is at fault for the breach, Steven J. Vaughan-Nichols writes in a report published in the San Francisco Chronicle. "You should ask questions about data security and privacy during the preliminary stages, even before you get to the contract," warns Tanya Forsheit, CIPP, of Info Law Group. "You should ask them what kind of privacy and security controls they have, whether they'll let you audit their security and what they will agree to in regards to liability." Vaughan-Nichols notes that "when it comes to cloud computing, it's better to be safe than sorry regarding both the legal and technical issues." Editor's Note: This year's Privacy Academy will feature multiple breakout sessions related to cloud computing.
Full Story

PRIVACY LAW—U.S.

Ohio Court Dismisses Joe the Plumber’s Suit (August 5, 2010)

A federal court in Ohio yesterday dismissed a lawsuit brought forward by Samuel J. Wurzelbacher, aka "Joe the Plumber," that claimed former Buckeye State employees violated his privacy by accessing his personal information in state records, the Associated Press reports. The suit named former Department of Job and Family Services Director Helen Jones-Kelley, alleging she allowed employees to conduct database checks of Wurzelbacher for no legitimate purpose. In dismissing the suit, the U.S. District Court in Columbus said that the privacy claims did not amount to constitutional violations, the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: Stronger Privacy Provisions Needed for Electronic Records (August 5, 2010)

In a Huffington Post editorial, attorney Marty Robins addresses concerns about the privacy and security of electronic medical records (EMRs). Though the private sector customarily employs firewalls, encryption and intrusion detection protocols, Robins says the government largely ignores security in its EMR regulations, only "strongly encouraging" encryption. "It is difficult to see how the public can be confident that their records will be handled properly when there is no explanation of the steps taken to make this true," Robins writes. He urges the administration "to publicly commit to and make a high priority the development and use of only state of the art technology and practices..." Center for Democracy & Technology health privacy expert Deven McGraw told the Daily Dashboard, "The HIPAA security rule allows providers some flexibility with respect to implementing certain specific safeguards like encryption. The risk of this approach is that it doesn't allow for us to confidently say to the public that a strong baseline of protections exists for electronic health information. It's hard to reassure the public with that level of uncertainty."   
Full Story

ONLINE PRIVACY—U.S.

Opinion: Watch Out for Web-Watchers (August 5, 2010)

"Commercial tracking software often secretly records where users go on the Internet. If businesses don't set their own clear, simple privacy standards, government may need to step in with a 'do not track' option." That's according to an editorial published in The Christian Science Monitor that weighs questions of regulation when it comes to online privacy concerns. Pointing out that both privacy advocates and private citizens are increasingly alarmed by the amount of information being collected by Web sites, the editors suggest that before regulations are put in place, the online advertising industry should have a chance to better regulate itself, noting, "Transparency and openness should be keystones in creating any policy on Web tracking."
Full Story

PRIVACY LAW—EUROPE

EU Data Protection Directive Revision Postponed (August 4, 2010)

The French Data Protection Authority (CNIL) announced that the European Commission has decided to postpone proposed revisions to the EU Data Protection Directive until next year. The Hunton & Williams Privacy and Information Security Law Blog reports that although EU Commissioner Viviane Reding had previously announced that a proposal for the revisions would be presented this November, several data protection authorities have requested additional time to address such issues as challenges to personal data protection. The European Commission will outline its plans this year for action later, The Register reports, quoting a commission spokeswoman who said, "This will be the first step for a legislative proposal that will then follow in the course of the next 10 months."
Full Story

DATA PROTECTION—HONG KONG

Lam: Gov’t Will Boost Privacy Protections (August 4, 2010)

A government official said Monday that the Hong Kong government will strengthen privacy protections following a recent scandal involving the sale of citizens' data to third parties. Octopus Holdings admitted last week that it has received HK$44 million since January 2006 through selling the personal information of customers of its RFID-enabled cashless payment card. Stephen Lam, secretary for constitutional and mainland affairs, said the government would consider increasing controls and penalties to ensure corporations use data only as authorized by data subjects, International Business Times reports.
Full Story

ONLINE PRIVACY

Citizens, Activists Denounce Nations’ Internet Monitoring (August 4, 2010)

Across the globe, critics believe governments have been engaged in a "surveillance land-grab" when it comes to online information, The Christian Science Monitor reports. The article examines such recent developments as a lawsuit in Ireland challenging the EU's efforts to collect and store personal data, the UAE's plan to ban BlackBerry use unless it can monitor user information and a push in the U.S. to allow the government access to browser histories and e-mail addresses without judicial oversight. "Online privacy has become a key civil liberty battleground," the report states, noting that across Europe, for example, "a backlash against the storage of private data is growing."
Full Story

IDENTITY THEFT

Children’s SSNs Prime for Identity Theft (August 4, 2010)

The Associated Press reports about an on-the-rise form of identity theft involving the sale of children's Social Security numbers (SSNs) to establish credit lines. Sellers find kids' dormant SSNs on the Internet and avoid prosecution by referring to the numbers as credit privacy numbers, or CPNs. Sellers promise to raise customers' credit scores to 700 or 800 within six months, the report states. One expert said it can take years before the crime is detected. "This is an invisible crime with invisible victims who don't have enough support out there to help them," said a spokeswoman from the ID Theft Resource Center.
Full Story

ONLINE PRIVACY

Researchers Propose “PseudoID” for Web Logins (August 4, 2010)

Google researchers are proposing using a system called "PseudoID" to protect the privacy of Internet users, InformationWeek reports. A paper presented at a conference in July describes how the system would use blind cryptographic signatures to generate pseudonyms that would allow the users to be authenticated to log into Web sites without being identified. Under current sign-on systems, the researchers note, user login information is passed through an identity provider, presenting privacy risks. Should PseudoID be adopted, the report notes, online identity providers would be prevented "from amassing information about Internet users that could harm user privacy if exposed."
Full Story

TRAVELERS’ PRIVACY—U.S.

Lawsuit Aims To Stop Airport Scanners (August 4, 2010)

The Electronic Privacy Information Center (EPIC) is suing the Department of Homeland Security to suspend the use of full-body scanners in airports, claiming they violate the Privacy Act, among other laws, reports The Boston Globe. A Transportation Security Administration (TSA) spokesman said the agency is exploring "additional privacy protections through automated threat detection," but Marc Rotenberg of EPIC says that will not solve the privacy issues because the machines capture passengers' images. The report states that according to the TSA, the scanners' ability to capture images is disabled prior to installing them in airports and is for testing purposes only.
Full Story

ONLINE PRIVACY—U.S.

Industry, Advocates React to Web Tracking Report (August 3, 2010)

The Wall Street Journal's recent report on the use of tracking technology by Internet companies "to trail users across the Web and create marketing profiles of them based on sites visited" is getting strong reactions from industry executives and privacy leaders, MediaPost reports. The decision by many companies to "omit far more information than they provide when discussing behavioral targeting" has resulted in privacy policies that are "less than transparent," the report states. Citing proposed legislation now being discussed in the U.S. Congress, the report continues on to quote one media commentator's perspective that advertising-supported Web sites should be "aggressively transparent," suggesting that if more companies shared this view, "the online ad industry might not be facing the threat of regulation."
Full Story

GEO PRIVACY—BRAZIL

Company Equips Laundry Detergent With GPS (August 3, 2010)

Consumers in Brazil who purchase boxes of Omo detergent may find an unexpected ingredient inside as the company is adding GPS devices to allow promotions agency Bullet to follow shoppers to their homes with surprise gifts, Advertising Age reports. Bullet President Fernando Figueiredo explained that the GPS is activated when a box of detergent is removed from the market, and teams in 35 Brazilian cities are on standby to reach the shoppers "within hours or days." The promotion also includes a Web site, the report states, which will feature pictures of the winners, a map showing roughly where they live and footage of the promotion teams tracking the detergent boxes to the prizewinners' homes and surprising them.
Full Story

ONLINE PRIVACY

UAE Threat Highlights Data Tensions (August 3, 2010)

The threat this week by the United Arab Emirates (UAE) to shut down mobile services on BlackBerrys highlights a growing tension between governments and communications companies, The New York Times reports, where governments are seeking more access to communications data for intelligence-gathering purposes and companies are trying to protect user privacy. "These requirements for access to communications exist on a significant scale worldwide," said the head of a technology and regulatory consulting company. The tension is expected to continue to grow as the Indian, Saudi Arabian and Kuwaiti governments, among others, consider ways to gain even more access to electronic messages. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

BCLC Could Face Fines (August 3, 2010)

After a breach of its Web site, PlayNow.com, BC Lottery Corporation (BCLC) may face big fines, says one check card security expert. Paul Gregoire, who is licensed to check card systems for security compliance, told CTV that the range of fines for this type of breach "could be as small as $10,000 and upwards of $500,000." In a press release last week, BCLC admitted that a "defect in the error handling logic of an industry standard Web server" caused the security breach that exposed 134 users' personal information. BCLC is currently working with the BC privacy commissioner to fix the problem before relaunching the site.
Full Story

PRIVACY LAW—U.S.

HHS Withdraws Final Breach Rule (August 3, 2010)

The Department of Health and Human Services' Office for Civil Rights (OCR) has withdrawn a final breach notification rule. The rule was with the Office of Management and Budget for regulatory review but was pulled to allow for further scrutiny, Health Data Management reports. OCR said the administration is "committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures and that individuals are appropriately notified when incidents do occur." The office will publish a final rule in the Federal Register in the coming months.
Full Story

PRIVACY LAW—KENYA

Opinion: Kenya Needs Privacy Laws (August 3, 2010)

In a Business Daily Africa editorial, Anne Kiunuhe describes the need for privacy legislation in Kenya, where there is no specific statute dealing with data protection or the right of privacy, just a few sectoral statutes which have "scanty provisions on data protection," she writes. Though telecommunications companies must obtain licenses containing provisions on customer data protection, they are regulated by the Communications Commission of Kenya and not by law. "In the absence of privacy laws, the right of privacy and data protection is left to be governed by contractual terms between the party disclosing the confidential information and the party receiving the same," Kiunuhe writes.
Full Story

FINANCIAL PRIVACY—EU & U.S.

SWIFT Agreement Takes Effect (August 3, 2010)

The U.S. can now access the details of European bank transactions to be used in the effort to fight terrorism as the SWIFT agreement went into effect August 1. Deutsche Welle reports that the U.S. will be able to demand information about transfers that take place between the EU and the rest of the world with requested data to be sent in bulk packages to the U.S. Some members of the European Parliament remain concerned that the revised agreement poses a risk to the privacy of innocent individuals. MEP Jan Philipp Albrecht, for example, believes the agreement represents "a step backwards for negotiations for comprehensive privacy rights in international security operations."
Full Story

ONLINE PRIVACY—U.S.

Study: What “They” Know May Surprise You (August 2, 2010)

"Wittingly or not, people pay a price in reduced privacy for the information and services they receive online," The Wall Street Journal contends in its "What They Know" series, which includes a study of 50 popular Web sites that track user visits and a feature on the economic factors behind privacy decisions. While users are not identified by name, certain tracking files predict ages, zip codes, gender, estimated income, marital status, presence of children and home ownership, the report states. "Unfortunately, most Web users really have no idea how their data is being shared and used; the 'notice-and-consent' model has failed consumers," Justin Brookman of the Center for Democracy and Technology told the Daily Dashboard, noting that while some online companies are working to be more transparent about data sharing, there is a need for "baseline privacy legislation to ensure that everyone is adhering to basic rules to allow consumers to exercise control over their privacy." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—SPAIN

Spain Asks EU To Review Data Protection Law (August 2, 2010)

The Spanish Supreme Court is asking the European Court of Justice to review the country's Data Protection Regulations to determine whether they are compatible with the EU's Data Protection Directive, Expansión reports. The Spanish Supreme Court agreed to submit a preliminary question to the European Court of Justice in a case brought on behalf of the Spanish Digital Economy Federation (FECEMD), according to a release from the Madrid office of Bird & Bird LLP. "In the last years, we have witnessed a number of companies deciding to stop operations in Spain due to the strict regulations and strict approaches of the Spanish Data Protection," said Javier Fernandez-Samaniego of Bird & Bird, noting the goal is "harmonization of data regulations in Europe." (Article in Spanish.)
Full Story

HEALTHCARE PRIVACY—U.S.

Laptop Stolen, Kids’ Records at Risk (August 2, 2010)

Texas Children's Hospital announced that a laptop containing the names, birthdates, diagnoses and dates of service of about 1,600 patients was stolen in May. The hospital mailed letters to parents of the affected children, and the Houston Chronicle reports that there is no evidence the information has been inappropriately accessed. "Safeguard requirements and policies and procedures for laptops have been reviewed, and we are in the process of encrypting patient data to help ensure it is stored and handled in a secure manner," said a hospital press release. A suspect is in custody, but the laptop has not been recovered.
Full Story

RFID—HONG KONG

CEO Called to Task for Customer Data Sales (August 2, 2010)

Octopus Holdings' largest shareholder, MTR Corp., has said the Octopus board must decide CEO Prudence Chan's fate after the company's management of the sale of nearly two million customers' personal data put its reputation at risk, Bloomberg reports. Meanwhile, Democratic Party Deputy Chairwoman Emily Lau Wai-hing has urged the government to appoint an independent inquiry panel to investigate the matter. Additionally, the acting chief secretary has announced that the government is to review the privacy law and will possibly consider making the unauthorized use of personal data a criminal offense, and Privacy Commissioner for Personal Data Roderick Woo Bun has suggested Octopus use a larger font size on future customer application forms for greater transparency.
Full Story

ONLINE PRIVACY

Did Last Week Mark the End of Privacy? (August 2, 2010)

CNET News reports on a conversation between media industry pundit Jeff Jarvis and Danah Boyd of Microsoft that took place at the Supernova conference in Philadelphia, PA, last week. Both speakers weighed in on privacy in the framework of social networking, the government and the media. Boyd noted security, protection of PII and avoiding embarrassment as reasons people tend to uphold privacy, while Jarvis warned that alarmism over privacy may cause people to miss "getting to the benefits of publicness that the Internet makes possible." Meanwhile, a Telegraph blogger writes about online data sharing, questioning whether the "end of privacy" has come.
Full Story

TRAVELERS’ PRIVACY—U.S.

Op-Ed: Will Collected Passenger Data Be Misused? (August 2, 2010)

A Washington Post editorial reports on airlines' potential use of collected passenger information for marketing purposes. The Secure Flight program, operating domestically now and internationally by year's end, is aimed at improving travel by collecting additional passenger data to verify identity. But airlines see an opportunity to "maximize the marketing and other commercial value of this government-coerced informational windfall," said one privacy expert, by drawing a fine line between Secure Flight data collection and data gathered for other purposes. However, a database security expert said in addition to the Transportation Security Administration's regulations on passenger data, airlines must also follow federal compliance mandates preventing the sale of passenger data to third parties. (Registration may be required to access this story.)
Full Story