Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.


Top Privacy News

DATA PROTECTION—EU & U.S.

Commission Gives U.S. 13 Ways To Save Safe Harbor (November 27, 2013)
The European Commission has released its report on EU-U.S. data flows, including a critique of the widely-criticized Safe Harbor framework, which makes 13 recommendations to improve the data-transfer mechanism. The commission says U.S. authorities have until summer of 2014 to implement the recommendations, at which point it will revisit the review. In this exclusive for The Privacy Advisor, U.S. Federal Trade Commissioner Julie Brill said she’s pleased the commission has indicated its support for maintaining Safe Harbor as a data transfer mechanism. “I think some of the recommendations—increasing transparency and making alternate dispute resolution accessible and affordable—would be helpful.” Dutch MEP Sophie in ‘t Veld told The Privacy Advisor that while she’s pleased there’s progress, the report is long overdue. “Maybe we’re now finally entering the phase where we no longer tolerate that our own EU rules are being overruled by third countries’ laws,” she said. Covington & Burling’s Henriette Tielemans said the report indicates a “genuine willingness on the part of the commission” to save Safe Harbor.

GLOBAL INTEROPERABILITY—EU & U.S.

Safe Harbor Report Could Be the Start of Real Privacy Interoperability (November 27, 2013)

According to Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, the European Commission’s report on Safe Harbor lived up to expectations of being “critical” of the agreement but stopped short of “delivering a fatal blow to the scheme.” Ustaran writes for Privacy Perspectives that false claims of compliance with Safe Harbor “appear to be a greater concern than the potential vulnerability of Safe Harbor as a conduit to allow U.S. intelligence authorities to access data originating from the EU,” adding, “In other words, the European Commission is not really seeking to turn Safe Harbor into a data bunker…”

INTERNET OF THINGS

Opinion: TV’s Rollout Shows Lack of PbD, Transparency (November 27, 2013)

The recent rollout of LG’s new smart television has garnered press attention arising from several privacy concerns about how the new appliance collects and shares user data. The company has since announced it will update its firmware to address some of the concerns, and in the meantime, according to the Center for Democracy & Technology Director of Consumer Privacy Justin Brookman, its privacy notice has changed several times—often in contradictory ways. Did the company miss an opportunity to prevent all this? What roles could privacy professionals play in preventing such backlash? In this installment for Privacy Perspectives, Brookman looks into LG’s collection practices while pointing out the appliance’s apparent lack of Privacy by Design and transparency, suggesting the incident could serve as a lesson for privacy pros within other companies set to roll out new technology and consumer products.

INTERNATIONAL PRIVACY

UN Passes Internet Privacy Resolution (November 27, 2013)

The United Nations General Assembly’s Human Rights Committee has unanimously approved an unlawful surveillance resolution originally proposed by Brazil and Germany, the Associated Press reports. Though symbolic, the resolution looks to pass along privacy rights to people around the world. The U.S., along with the other “Five Eyes” nations, had tried to dilute some of the resolution’s language, the report states. Brazil’s UN ambassador said the resolution “established for the first time that human rights should prevail irrespective of the medium and therefore need to be protected online and offline.” Germany’s ambassador queried, “Is the human right to privacy still protected in our digital world? And should everything that is technologically feasible, be allowed?”

PRIVACY LAW—U.S.

Apple Wins iPhone Privacy Lawsuit Dismissal (November 27, 2013)

A federal judge has dismissed a lawsuit that accused Apple of not complying with the privacy promises it makes to iPhone and iPad users, MediaPost reports. The class alleged the company violated its privacy policy by allowing unique identifiers to be shared with third parties, thereby compromising user privacy. U.S. District Court Judge Lucy Koh ruled consumers failed to show they had read the privacy statements prior to purchasing the devices and none had submitted evidence they “read or relied on any particular Apple misrepresentation regarding privacy.”

BIG DATA—U.S.

Data Broker Settles With NJ Attorney General (November 27, 2013)

A firm specializing in the tracking of car buying has settled charges with New Jersey’s attorney general after it was accused of using code to identify websites visited by its customers without their knowledge or consent and selling the harvested data, InformationWeek reports. At least 181,000 consumers were affected. The Tennessee-based data broker in question, Dataium, has been fined $99,000, payable over the next two years, and will be liable to pay a suspended amount of $301,000 if the company fails to comply with the settlement over the next five years. New Jersey Division of Law Director Christopher S. Porrino said, “Dataium allegedly used software code to track the websites visited by consumers without their knowledge or consent. The company also allegedly transferred the personal information of 400,000 consumers to one of the largest data brokers in the world.” Meanwhile, the city of San Diego, CA, has settled with a family after their DNA was swabbed without their consent by police.

SURVEILLANCE—GERMANY

Berlin Now Home to Privacy Activists, Leakers (November 27, 2013)

The Washington Post reports on Germany’s once-divided city of Berlin and how it has become a haven for privacy activists and whistleblowers attempting to avoid prosecution from countries such as the U.S. and UK. Documentary filmmaker and Edward Snowden conduit Laura Poitras has made Berlin home, as has former Wikileaks spokesman Jacob Appelbaum. One privacy activist said, “It’s a rather inviting social climate right now … Why be completely paranoid, go mad, have your house surveilled? There’s a reason people are coming here.” (Registration may be required to access this story.) Editor’s Note: Appelbaum will be part of a panel discussing the NSA disclosures at this year’s IAPP Europe Data Protection Congress in Brussels.

ONLINE PRIVACY—EU

Complaints Over Google Terms of Service Filed in 14 Countries (November 27, 2013)

Privacy advocate Simon Davies has filed complaints with 14 European data protection authorities stating that Google’s new terms of service violate European data protection law, reports PCWorld. The main issue involves changes to the “shared endorsements” feature, which allows Google+ users’ names and photos to be used in advertising for products they follow on the service. “The general position is that the ground rules shouldn’t be changed halfway through the match. Google acquired the data under one condition, and I’m asserting that it cannot change the purpose of that data after the fact,” Davies said. Davies’ other challenges target the feature’s opt-out mechanism and changes in the way users are required to interact with YouTube.

ONLINE PRIVACY

Will the Internet Become Private as a Standard? (November 27, 2013)

The Internet Engineering Task Force (IETF) has asked the architects of Tor, a privacy-protecting web-browsing tool, to discuss the idea of using their product to make private web browsing the Internet standard, Salon reports. “Collaborating with Tor would add an additional layer of security and privacy … that goes beyond encrypting your communications,” the report states. Andrew Lewman, executive director of Tor, says the idea is “worth exploring to see what is involved. It adds legitimacy; it adds validation of all the research we’ve done”; however, he adds, “The risks and concerns are that it would tie down developers in rehashing everything we’ve done, explaining why we made decisions we made. It also opens it up to being weakened.” Meanwhile, new app Aether is an encrypted network that lets people share content anonymously.

PRIVACY BIZ—U.S.

ProPublica Hires Angwin To Investigate Privacy Issues (November 27, 2013)

ProPublica has announced the hiring of investigative journalist Julia Angwin of The Wall Street Journal to cover privacy, technology and the surveillance state beginning early in January. Beginning in 2010, Angwin led a team of reporters to chronicle online privacy issues in The WSJ’s “What They Know” series. She is also the author of the forthcoming Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance. “Julia brings with her a magnificent portfolio of work, and she will be a stellar addition to our staff,” said ProPublica Managing Editor Robin Fields.

PRIVACY COMMUNITY

Willis Ware, 1920-2013 (November 26, 2013)
Willis H. Ware, a foundational thinker in the fields of computer sciences and privacy, died on Friday at the age of 93. As part of a long career at the RAND Corporation, he participated in much of the foundation of computing technology and data governance. He taught the first computing course at UCLA, was the founding president of the American Federation of Information Processing Societies, and, writes Gene Spafford in an obituary, recently received a lifetime achievement award from EPIC. Further, said Bob Gellman, who worked for years on U.S. federal privacy matters, in an interview with Daily Dashboard, “Among his many other accomplishments, Willis Ware chaired an advisory committee that may have had the greatest worldwide influence of any similar committee. His work on the HEW committee that created Fair Information Practices continues to echo strongly in privacy debates, laws and rules all over the world. Fair Information Practices are still a useful and important policy standard for privacy more than 40 years later. And as major a legacy as Fair Information Practices are, it represented just one of his contributions. Willis was a quiet, unassuming, remarkable guy.”

PRIVACY—EU & U.S.

When the NSA Meets Tor, Vodafone and the European Parliament (November 26, 2013)

“Imagine the NSA, European Parliament, Tor and Vodafone having a civilized conversation about privacy,” writes IAPP VP of Research Omer Tene. “Considering the ricochets from the Snowden affair are still reverberating on both sides of the Atlantic, this may seem implausible,” but, Tene adds, “you better believe it: The IAPP Europe Data Protection Congress 2013 is featuring a panel discussion among representatives from all of the above, which I look forward to moderating.” In this Privacy Perspectives post, Tene discusses the varying sides of the equation, bringing together what should be a robust and dynamic conversation.

PRIVACY BIZ

EuroPriSe Seal To Change Hands January 1 (November 26, 2013)

The German data protection authority that operates the EuroPriSe privacy certification seal, the Independent Centre for Privacy Protection Schleswig-Holstein (ULD), announced this month that it is transferring operations to a new entity to be known as EuroPriSe GmbH as of January 1. This, said Thilo Weichert, head of ULD, will allow the program to grow in a way that was not possible as part of a regulatory body like ULD. Jurgen van Staden of 2B Advice explains the new organization will allow for extending certifications to a much larger group of methods, concepts, people, training sessions and websites “in accordance with the tried and tested certification structure EuroPriSe experts and customers have come to know.”

DATA TRANSFER—EU & U.S.

Brussels To Warn U.S. of Safe Harbor Risk (November 26, 2013)

Lawmakers in Brussels are set to officially warn Washington that Safe Harbor may be at risk unless U.S. tech businesses change the way they handle the data collected on EU citizens, Financial Times reports. The European Commission (EC) has been reviewing the Safe Harbor pact and is slated to announce its conclusions on Wednesday. According to the report, the EU is not expected to scrap the deal, but its wording suggests the EU will move in that direction if changes are not made by U.S. businesses. “The personal data of EU citizens sent to the U.S. under the ‘Safe Harbor’ may be accessed and further processed by U.S. authorities in a way incompatible with the ground on which the data was originally collected,” the draft version of the EC report states. “The commission has the authority … to suspend or revoke the Safe Harbor decision if the scheme no longer provides an adequate level of protection.”

DATA LOSS—U.S.

Breaches Hit Health Exchanges, Anthem and More (November 26, 2013)

Los Angeles Times reports that Anthem Blue Cross accidentally posted online the Social Security numbers (SSNs) and tax identification numbers of approximately 24,500 doctors. The data was mistakenly published within an online directory last month. Meanwhile, GovInfoSecurity reports on three breaches involving health insurance exchanges, including in Vermont and Oregon. In a separate report, the Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts discusses two essential steps organizations should take to help mitigate data breaches. More than 1,000 patients at California’s Redwood Memorial Hospital have been notified their personal information may have been compromised after an unencrypted USB drive was misplaced. Crown Castle has revealed that sensitive payroll data of its U.S. employees has been accessed by hackers. After a data breach affecting several city workers, the city of Milwaukee has said it will avoid using SSNs. And representatives from Adobe have said e-mails notifying those affected by a massive breach are taking longer than it anticipated.

SURVEILLANCE—U.S.

Opinion: NSA Dragnet “Violates the Spirit of Framers’ Intentions” (November 26, 2013)

Sens. Ron Wyden (D-OR), Mark Udall (D-CO) and Martin Heinrich (D-NM) write in an op-ed for The New York Times that, “The bulk collection of Americans’ telephone records—so-called metadata—by the National Security Agency (NSA) is, in our view, a clear case of a general warrant that violates the spirit of the framers’ intentions.” The senators opine that there’s no proof of the program’s usefulness in protecting national security and call for an end to it while promoting their Intelligence Oversight and Surveillance Reform Act and expressing disappointment with the Intelligence Committee for rejecting the act in multiple forms. Meanwhile, some are questioning the credibility of the Review Group on Intelligence and Communications, which will soon deliver a report on the NSA’s surveillance activities, saying it is made up of administration insiders. (Registration may be required to access this story.)

ONLINE PRIVACY

Open-Sourced Router Privacy Project Unveiled (November 26, 2013)

Embedded systems design company Redfish Group has launched an open-sourced router project to help protect online privacy, ZDNet reports. Called ORP1, the project aims to protect the privacy of users across all their devices located within their homes. ORP1 is set to feature a user-friendly interface with an OPSec virtual privacy network and Tor server, the report states. Redfish Managing Director Justin Clacherty said, “I've really wanted to get an open networking platform out there for a while now, and we just felt that a router was the way to go, especially with all the NSA revelations and people's worrying about the different U.S. tech companies providing equipment to us, which may have backdoors.”

TRAVELERS’ PRIVACY—UK

Air Passengers Allowed To Refuse Scanners as More Are Installed (November 26, 2013)

Security scanners are currently in use at 10 of the UK’s busiest airports and are being deployed at 11 more, according to Transport Secretary Patrick McLoughlin. At the same time, passengers are now being offered alternate options after refusing to go through the scanners, while previously they were simply not allowed to fly, reports Computerworld UK. “From today, passengers who opt out of being screened by a security scanner will be allowed a private search alternative. This is a method of screening which we consider is of an equivalent security value to a security scan,” McLoughlin said.

SOCIAL NETWORKING

Viral Video Exposes Privacy Disconnect (November 25, 2013)

A video went viral last week in which the host, Jack Vale, decided he wanted to know “how easy it would be to get personal information from complete strangers.” Vale located nearby social media users by using his own location and identifying nearby users who publicly posted basic personal information. It turned out that identifying and gleaning additional personal data was relatively simple. This installment of Privacy Perspectives explores the experiment, looking at “what seems to be a common disconnect between our online and offline lives” and possible lessons for online businesses.

PRIVACY LAW—EU

Cookie Monsters of Silicon Valley Come to Brussels (November 25, 2013)

In the world of online tracking, the cookie is king, but there may be a regime change on the horizon. Cookies are under more regulatory scrutiny than ever, especially in Europe, but even as legislation seeks to make cookie use more privacy protective, the technology itself is on the way out. Instead, server-side tracking alternatives and embedded device identifiers, mainly in the hands of Internet giants like Google, Facebook, Microsoft and Apple, are poised to supplant cookies in the digital tracking market. Thus, it is important to analyze the effect of these changes in the techno-business landscape on the EU regulatory framework. IAPP Westin Research Fellow Kelsey Finch examines how this new technology is likely to be viewed and regulated in the European Union. (Editor’s Note: The IAPP Data Protection Congress will explore these issues Dec. 10 through 12, in Brussels.)

CHILDREN’S PRIVACY—U.S.

Site Settles After State Alleges COPPA Violation (November 25, 2013)

New Jersey has reached a settlement with a California app developer who allegedly violated COPPA by collecting the personal information of customers, which included children, NorthJersey.com reports. Dokogeo has agreed to pay the state $25,000, but that payment will be suspended for 10 years and voided if the company complies with the settlement’s terms, which include Dokogeo’s disclosure of the type of information it collects on its apps and website and how it shares data with third parties. Meanwhile, attorneys at Reed Smith discuss the increasing attention state Attorneys General are paying to privacy lately.

PRIVACY LAW

Tracker Roundup: Wyndham Case, Safe Harbor and More (November 25, 2013)

In the U.S., FTC v. Wyndham will decide whether the company’s “failure to safeguard personal information caused substantial consumer injury” and whether the FTC even has the authority to regulate data security; the GAO is pushing for comprehensive federal law governing the collection, use and sale of personal data by businesses, and Sen. Al Franken (D-MN) is calling for regulation over biometric data before the horse leaves the barn. In the EU, the debate over Safe Harbor continues, with MEP Jan Philipp Albrecht and Justice Commissioner Viviane Reding saying EU residents need to be able to take data privacy complaints to U.S. courts. The Office of the Australian Information Commissioner (OAIC) has released the final set of Australian Privacy Principles that cover access to and correction of personal information, and in Canada, Alberta needs to create a new Privacy Act and Bill C-30 is back in the news. All this and more in this week’s Privacy Tracker legislative roundup. (IAPP member login required.)

SURVEILLANCE

Twitter Encrypts; Zuckerberg Says Gov’t “Continuing To Blow It” on Privacy (November 25, 2013)

Twitter has announced it has encrypted its services to protect user data from cyber criminals and intelligence agencies. Lawyers for Lavabit—which closed its e-mail services rather than share master encryption keys with the government—have filed a reply brief in a case that may determine whether a company must be compelled to turn over such keys. Lavabit Founder Ladar Levison recently spoke about his experience with The Privacy Advisor. Meanwhile, the NSA’s John Inglis said he is skeptical about the NSA sharing the vast troves of data it collects with other federal agencies such as the FBI or DEA—indicating he does not agree with a reform bill proposed by Sen. Dianne Feinstein (D-CA). The Wall Street Journal reports that a federal judge appears to be “receptive to critics” of the NSA’s collection of phone metadata, but one federal lawyer has argued that Americans have “no expectation of privacy” in making phone calls. And on ABC’s This Week, Facebook CEO Mark Zuckerberg said the U.S. is “continuing to blow it” on privacy issues.

BIG DATA—U.S.

Washington’s Complex Approach to Data Brokers (November 25, 2013)

Politico reports on two current government investigations into data brokers and what those could mean for the federal government’s approach to the industry. The Federal Trade Commission (FTC) and the Senate Commerce, Science and Transportation Committee are each conducting separate investigations. It is not yet known when results will arrive, the report states. FTC Commissioner Julie Brill has been promoting her Reclaim-Your-Name concept, a one-stop shop for consumers to access their online profiles compiled by data brokers, but the marketing industry is pushing back. Direct Marketing Association Vice President for Government Affairs Rachel Thomas said, “We don’t believe a one-stop, one-size-fits-all web portal with every data broker in the world is going to be something that actually increases consumer understanding in the way that is necessary.” Editor’s Note: The session Background Screening: Data Brokers and Consumer Reporting Agencies at the upcoming IAPP Practical Privacy Series on December 3 and 4 in Washington, DC, will examine recent FTC actions, including warnings to online data brokers.

PRIVACY LAW—AUSTRALIA

Pilgrim Discusses New Powers (November 25, 2013)

Privacy Commissioner Timothy Pilgrim has said his office “won’t take a ‘softly-softly’ approach with new regulatory powers that will become available to it in March,” IT News reports. Speaking at the iappANZ Privacy Unbound Summit this week, Pilgrim said, “The two sets of principles we have are fundamentally very similar to the ones that are coming into place. The private sector has been working with them for over 12 years; the government has been working with them for over 25 years; there’s a common theme, so there shouldn’t be a big challenge in complying with them.” He noted, however, that for “difficult organisations and some intransigent organizations,” the office would take a stricter stance. Meanwhile, the Australian Law Reform Commission will be recommending updates to privacy laws to address serious invasions of privacy.

PRIVACY LAW—HONG KONG

Critics Say Data Protection Law Needs Update (November 25, 2013)

Critics of Hong Kong’s data protection law say the law is “miles away” from comparable laws internationally and needs an update in order for the city to tackle privacy challenges and embrace opportunities presented by public data use, South China Morning Post reports. Reviews of the law have come following the privacy commissioner’s forced shutdown of mobile app “Do No Evil” for privacy violations. “There is a need to conduct a public consultation again to see whether people think the law now needs to be amended,” said lawmaker Charles Mok, adding he hopes the government will engage the public.

PRIVACY

Vint Cerf is Wrong. Privacy Is Not an Anomaly (November 22, 2013)
During a keynote address at the FTC roundtable on the Internet of Things on Tuesday, Google Chief Internet Evangelist Vint Cerf said, “privacy may actually be an anomaly.” Not all agree, however, with this assertion. “The view of privacy as an anomaly is not new, particularly among Silicon Valley entrepreneurs, who time and again express a cavalier approach to what is a fundamental, deep-rooted social, moral and legal value,” writes IAPP VP of Research Omer Tene. In this installment of Privacy Perspectives, Tene lays out his argument for why privacy may be evolving but is hardly an anomaly.

EMPLOYEE PRIVACY—U.S.

Study Finds Hiring Discrimination Based on Social Media (November 22, 2013)

The Wall Street Journal reports on a Carnegie Mellon study that found many businesses use social media to look up job applicants and suggests they use such data to discriminate. The study revealed that between 10 percent and one-third of U.S. firms searched social media to check on job applicants early in the hiring process. One of the study’s authors, Alessandro Acquisti, said, “By and large, employers avoid asking questions about these traits (such as religion or sexuality) in interviews,” adding, “But now technology makes it easier to find that information.” Meanwhile, The Atlantic’s featured article for December reports on the now common combination of Big Data analytics and human resources—also known as “people analytics”—and the way it’s transforming how employers hire, fire and promote employees. (Registration may be required to access this story.)

BIG DATA

Hartzog and Selinger: Maybe We Need More Specific Terms (November 22, 2013)

In a piece for Forbes, Woodrow Hartzog and Evan Selinger discuss some of the myths around Big Data and the importance of using the term correctly. Skepticism is important in order to help society set realistic expectations, the authors write, but like the concept of “privacy,” the term “Big Data” itself is problematic because “it has no set meaning.” At some point it will be important to assign specific terms, rather than “heuristic terms”—or “mental shortcuts” developed to make sense of complex ideas quickly—in order to accurately discuss such concepts as Big Data, the authors write.

BIOMETRICS—U.S.

Franken Wants Users Protected Against Facial Recognition ASAP (November 22, 2013)

Sen. Al Franken (D-MN) has asked the Commerce Department to facilitate a discussion between tech companies and privacy advocates on facial recognition technology, The Hill reports. In a letter to the Commerce Department’s National Telecommunications and Information Administration this week, Franken said the tech community should develop best practices “as quickly as possible” to protect individuals when it comes to the technology. “The urgency of this matter is underlined by Facebook’s recent expansion of its facial recognition database—already likely the largest in private hands,” Franken wrote, referring to Facebook’s recent update to its data-use policy that states it will use public profile pictures to identify users in other photos.

ONLINE PRIVACY

Browser Extension Allows Users To Use “Fake” Identifiers (November 22, 2013)

PCWorld reports that U.S.-based Abine is adding features to its anti-tracking browser extension to allow users to hide their personal details during web transactions. The features are being added to “DoNotTrackMe,” an extension for browsers such as Firefox, Internet Explorer, Chrome and Safari. Users can give a one-time credit card number and a disposable e-mail address and phone number, the report states, rather than using their real details.

SURVEILLANCE—FRANCE

Prosecutors Investigating IKEA Execs for Data-Spying (November 22, 2013)

Prosecutors in France are investigating three senior IKEA executives amid allegations they authorized illegal spying on employees and customers, The New York Times reports. Chief Executive Stefan Vanoverbeke and two others were possibly involved in a “conspiracy to collect a range of personal information including criminal records, automobile registrations and property records,” the report states. According to prosecutors, the executives collected such data in order to watch employees and also reveal “unflattering details” about customers bringing lawsuits. IKEA France has been ordered to post a bond of 500,000 euros. (Registration may be required to access this story.)

INTERNET OF THINGS

LG Plans To Update Firmware Following Smart TV Allegations (November 22, 2013)

Following a UK blogger’s allegations that smart TVs are collecting user data on such details as what channels are watched and the names of media files streamed over networks, LG has responded saying that the information collected was “not personal but viewing information.” The company said it has verified that even when the Smart TV platform is turned off by the user, information apparently continues to be transmitted, though the data is not retained by the server. “A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted,” the company said.

PRIVACY LAW—U.S.

U.S. Accountability Office Calls for Baseline Privacy Legislation (November 21, 2013)
The Government Accountability Office (GAO) has released a report calling for a comprehensive federal law governing the collection, use and sale of personal data by businesses, AdWeek reports. The report was called for by Sen. Jay Rockefeller (D-WV) earlier this year. The GAO analyzed current law, regulation and enforcement actions and convened with representatives from government, advocacy groups, trade associations and data broker organizations, concluding, “Congress should consider strengthening the current consumer privacy framework to reflect the changes in technology and the marketplace, particularly in relation to consumer data use for marketing purposes.” The Direct Marketing Association (DMA) said, “While we do not share the GAO’s opinion … DMA was pleased to see that the report recognized the important economic benefits that derive from the responsible use of consumer data…”

CYBERSECURITY

Debunking Three Cyber Insurance Myths (November 21, 2013)

“In the past, cyber insurance was a polarizing issue in my discussions with privacy and risk professionals,” writes Experian Data Breach Resolution Vice President Michael Bruemmer, CIPP/US. “Some professionals were adamant about the benefits of cyber insurance, while others worried that the policies currently on the market didn’t meet its needs or were too costly.” In this post for Privacy Perspectives, Bruemmer debunks three of the most common myths associated with cyber insurance and examines why small- and medium-sized businesses are not off the radar of hackers and other cyber thieves.

ONLINE PRIVACY—U.S.

BBB: Ad Campaign Violated Industry Code (November 21, 2013)

The Better Business Bureau has said a genetic testing company’s recent online ad campaign didn’t comply with the ad industry’s privacy code, MediaPost News reports. Company 23andMe retargeted users who had visited 23andMe’s website, according to the report, but the ads lacked the AdChoices icon, which allows users to opt out of behavioral advertising. The company as well as its ad-campaign agency and the platform used all said they expected the other to serve the icon. The failure “highlights the need for greater awareness and vigilance from all companies that comprise this diverse and interdependent ecosystem,” the Better Business Bureau said in a statement.

DATA LOSS—U.S.

Breaches Affect School, Dating Site, Health Plan (November 21, 2013)

A New York school district is alerting thousands of students and their parents of a security breach that saw some of their data posted online, Newsday reports. A list of 15,000 names and school ID numbers was posted. Meanwhile, Anthem Blue Cross has begun notifying customers that their names, business addresses and tax ID numbers were posted to the company’s website this month. And online dating service company Cupid Media suffered a breach in January this year exposing names, e-mail addresses and passwords in plaintext. In an opinion piece for Dark Reading, Robert Lemos warns that cloud data is increasingly vulnerable to hacks.

TRANSPARENCY—U.S.

Investors Want AT&T, Verizon To Share Gov’t Requests (November 21, 2013)

Bloomberg reports that investors have asked AT&T and Verizon to reveal what data was shared with U.S. and foreign governments and what measures were taken to protect users’ privacy. New York State Comptroller Thomas DiNapoli said, “Transparency allows investors to make informed decisions about corporate behavior … Publishing regular reports on requests for information from governments would be an appropriate response to shareholder and customer concerns about trust and privacy in the digital world.” A spokesman for AT&T said, “As standard practice we look carefully at all shareholder proposals, but at this point in the process we do not expect to comment on them.” Meanwhile, newly released FISA court documents reveal that the NSA shared bulk e-mail and phone records data with other government agencies, a violation of court-ordered procedures, The Guardian reports.

PRIVACY ENGINEERING

How To Do PbD in Predictive Analytics (November 21, 2013)

In a Q&A with DataInformed, IBM Fellow and Entity Analytics Group Chief Scientist Jeff Jonas discusses his involvement with Privacy by Design and how he integrated it into new predictive analytics software. Jonas has created technology that allows businesses to collect and analyze data from multiple sources in real time to help make “smart” decisions. He said, “One of my goals in the use of Privacy by Design in the G2 project was what kind of privacy features can I bake in that cost no more? In other words, they’re by default. They’re built in. In fact, a few of them, you can’t even turn them off. That way, someone’s not left there with a decision, ‘Yeah, we trust ourselves. I don’t have to pay extra for a privacy feature. I’d rather just buy more disk space.’”

DRONES—U.S.

FAA Unveils Privacy Rules for Test Sites (November 21, 2013)

The Federal Aviation Administration (FAA) has issued privacy requirements for U.S.-based drone testing sites, Courthouse News Service reports. Earlier this year, the FAA announced there will be six drone testing sites to help integrate the technology into the National Airspace System. Some have questioned whether the agency has the authority to issue privacy requirements. One commenter said, “Existing privacy laws are sufficient to cover the responsible use of (drones). There already exist federal, state and other laws that protect privacy … tort law may also provide avenues of recourse for plaintiffs to protect their privacy rights.” The ACLU’s Chris Calabrese said the government has taken an “important step” by issuing the requirements, but added, “Congress must also weigh in on areas outside the FAA’s authority…”

INTERNET OF THINGS

Are Smart TVs Watching Us? (November 21, 2013)

CNET UK reports on a UK blogger's allegations that “smart TVs are sending information on what channels you watch and the names of media files you stream over your network—even if you turn the setting off.” The report notes the blogger noticed ads on his Internet-connected TV and found an online instruction video where TV-maker LG “details how it can effectively target ads based on user data.” Asked for comment, LG responded, “Customer privacy is a top priority at LG Electronics and, as such, we take the issue very seriously. We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.”

GEO PRIVACY—U.S.

Officers May Be Tracked Via GPS-Equipped Cars (November 21, 2013)

Boston, MA, police officers are worried that their superiors will be tracking their every move now that Boston police cruisers are likely to be equipped with GPS tracking devices, The Boston Globe reports. Administrators say the devices will allow dispatchers to view where officers are located rather than waiting for a radio response, accelerating response times to crimes. The plan awaits the approval of the City Council. “Nobody likes it. Who wants to be followed all over the place?” one officer said. Officers would be alerted if someone from the public requested GPS records. Meanwhile, developers of license-plate tracking technologies are developing rich databases, the contents of which are sometimes for sale.

INTERNET OF THINGS—U.S.

Are Notice and Consent Still Relevant for Internet of Things? (November 20, 2013)
Yesterday, stakeholders met in Washington, DC, to explore and hash out the privacy and security implications of the Internet of Things (IoT). The rapidly emerging landscape of connected sensors and embedded technology has garnered the attention of the Federal Trade Commission of late, but the complexity of the IoT ecosystem was readily apparent during yesterday’s proceedings. In this exclusive for The Privacy Advisor, Jedidiah Bracy, CIPP/US, CIPP/E, covers the event and looks at calls for a new privacy paradigm around the Fair Information Practice Principles and the need for even more robust privacy design initiatives.

PRIVACY LAW—U.S.

How To Handle California’s New DNT Law (November 20, 2013)

Last month, California passed a new amendment to the California Online Privacy Protection Act (CalOPPA) that requires companies that collect personal information from Californians to address how they respond to Do-Not-Track (DNT) signals from browsers in their online privacy policies. According to Stephanie Sharron and Emily Tabatabai, CIPP/US, the legislation “may raise as many questions as it answers,” because, due to the lack of consensus from the W3C, “companies are required to disclose how they respond to a browser’s DNT signals, when there is no consensus on what the DNT signal means in the first place.” So what are companies to do? Discover practical options in this Privacy Tracker blog post. (IAPP member login required. Look for a companion piece, "Five Things You Should Know to Comply with California's DNT Law," in Tuesday's Privacy Advisor.)

BYOD

Where IBM Thinks BYOD Technology Is Headed (November 20, 2013)

When IBM announced last week it will soon acquire FiberLink, a maker of cloud-based mobile-device-management technology and the MaaS360 product, the news may have been interesting to privacy professionals on its own, drawing attention to a tech provider that will now have access to IBM’s much larger resources in attempting to solve a problem, in BYOD, with which many struggle. However, the buy is part of what IBM Director of Mobile Security Caleb Barlow called a “string of pearls” that includes the acquisition of Trusteer and the creation of a “cybersecurity software lab” in Israel, staffed with 200-plus researchers who will focus on mobile and application security and privacy. In this exclusive for The Privacy Advisor, Sam Pfeifle talks with Barlow about what IBM sees as the “Holy Grail” of mobile device management.

BYOD

Companies Largely Support BYOD, Lack Sufficient Policies for IT (November 20, 2013)

While the majority of IT specialists say their companies support bring-your-own-device (BYOD), a recent survey indicates they don’t use tools or policies to protect corporate data, Bank Systems & Technology reports. The Zix Corporation and Ponemon Institute survey found that 56 percent of respondents say their companies seek to replace current BYOD solutions. “Companies are swiftly adopting BYOD to enable work productivity and create efficiencies but are hitting significant road bumps in cost, security and employee concerns,” said the Ponemon Institute’s Larry Ponemon, CIPP/US. Meanwhile, one security expert cautions against the pitfalls of BYOD policies, including a one-size-fits-all approach.

CYBERSECURITY—U.S.

NIST Holds Last Workshop Before Cybersecurity Framework Becomes Final (November 20, 2013)

The National Institute of Standards and Technology held its fifth workshop on President Barack Obama’s executive order for a cybersecurity framework, the last before the framework is due to be finalized in February, Computerworld reports. The workshop was intended to solicit feedback from stakeholders. While many expressed enthusiasm about the swiftness with which the framework has moved from concept to model, there are still questions on how to apply the framework and what adoption will look like. “From my perspective, the framework should be used as a guidance,” said AT&T’s vice president of global public policy.

PRIVACY LAW—GERMANY

Court: Google Rules Violate User Rights (November 20, 2013)

A German court has ruled that 25 provisions in Google’s data protection rules violate user rights and German law, Bloomberg reports. The Federation of German Consumer Organizations (VZBV) brought the case, arguing the clauses are too vaguely formulated. Google says it will appeal the ruling, stating it believes its “terms of service and privacy policy comply with all applicable laws.” VZBV has been targeting large corporations’ data practices, including Apple and Samsung, since 2012, winning judgments against their policies in Berlin courts.

PRIVACY LAW—EU & U.S.

Albrecht Weighs In Following Reding-Holder Chat (November 20, 2013)

After EU Justice Minister Viviane Reding made positive noises about a deal with the U.S. on law enforcement access to data, MEP Jan Philip Albrecht told IDG News Service that there is a line in the sand the EU Parliament will not cross: “If a U.S. citizen has a problem with how his data has been treated in the EU, he can take it up with an EU court. We just want the same rights in the U.S. This should be possible. It would be very easy to fast-track change in the U.S.’s privacy act and simply add text to include EU citizens.”

PRIVACY LAW—MALAYSIA

Long-Delayed Data Protection Law Now In Effect (November 20, 2013)

Passed originally in 2010, Malaysia’s Data Protection Law is now actually in effect, after years of postponements. Hunton & Williams’ Privacy and Information Security Law Blog reports that the Malaysian Minister of Communications and Multimedia announced on November 14 that the law would go into effect the next day, leaving professionals to scramble to make sure they are in compliance. Major features of the law include an exemption for Malaysia’s federal and state governments, a category of personal data that is considered so sensitive that it requires explicit consent, cross-border transfer restrictions and criminal penalties of up to $156,000 and imprisonment of up to three years.

ONLINE PRIVACY—FRANCE

Ruling Could Set Precedent (November 20, 2013)

In light of a French court’s ruling that Google must remove images of a former Formula One racing mogul from its search algorithms, Wiley Rein’s David Weslow says if the decision is upheld on appeal, “there may be a precedent in France for forcing search engines or other types of Internet service providers to take affirmative actions to disable certain online content even where a ‘take down’ request has not been filed with that Internet service provider.” A recent poll about whether government should play an increasing role in protecting online privacy indicated 52 percent voted yes and 48 percent voted no, indicating “there is not overwhelming agreement” on what should be done, TechRepublic reports, adding tech companies and governments should be prepared to weigh in. Meanwhile, Google says it will voluntarily remove a Google Maps image related to a young boy’s murder.

DATA TRANSFER—EU & U.S.

Safe Harbor’s in Trouble—Unless You Ask the U.S. (November 19, 2013)
The U.S. Department of Commerce says Safe Harbor is still viable, and the Federal Trade Commission (FTC) says it has rigorously enforced compliance with the data-transfer mechanism. But privacy regulators and politicians from European countries—Germany in particular—seem hell-bent on putting an end to the agreement and are calling the U.S.’s bluff everywhere but on paper. So far. In this exclusive for The Privacy Advisor, Angelique Carson, CIPP/US, talks with FTC Commissioner Julie Brill, the U.S. Department of Commerce, Covington & Burling’s Henriette Tielemans and Wilson Sonsini Goodrich & Rosati’s Christopher Kuner, both in Brussels, about the impact of new accusations that as many as 400 companies are violating Safe Harbor and what to expect in the European Commission’s December report on the pact’s viability. “I can’t overstress the hostility toward it here,” Kuner said. (Editor's Note: A panel including representatives from the Federal Trade Commission, Department of Commerce, European Commission and CNIL will speak about "Safe Harbour: Lessons Learned and Protocols" at the IAPP Data Protection Congress, Dec. 10-11, in Brussels.)

PRIVACY LAW—U.S.

Google To Pay $17M To Settle Cookies Case (November 19, 2013)

Google has agreed to pay $17 million in a settlement with 37 states and the District of Columbia “over its unauthorized placement of cookies on devices running Apple’s Safari browser,” IDG News Service reports, following Google’s agreement last year to pay a $22.5 million civil penalty to the Federal Trade Commission. In their case, the state attorneys general alleged “Google’s circumvention of Safari’s default privacy settings violated state consumer protection and related computer privacy laws,” the report states. A Google spokeswoman said, “We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”

PRIVACY ON THE GROUND

Six Practical Tips Gleaned from the DHS Annual Privacy Report (November 19, 2013)

Privacy sector folks might think they don’t have much to learn from the Department of Homeland Security Privacy Office’s 2013 Annual Report to Congress, but you may find that the report contains plenty of relevant and useful information to help you manage your organization’s privacy program. IAPP Westin Research Fellow Dennis Holmes tackles the task of analyzing the 86-page report and bubbling up the six practical tips most likely to give your program a boost.

PRIVACY LAW—CANADA

What Does Unconstitutional Ruling Mean for Alberta Privacy Law? (November 19, 2013)

In the wake of news that the Supreme Court of Canada has deemed the Alberta Personal Information Protection Act (PIPA) unconstitutional, Shaun Brown of nNovation analyzes what the decision means for the province in this Privacy Tracker exclusive. “It was inevitable that freedom of expression would eventually clash with privacy legislation in the courts,” writes Brown, adding that the ruling was “not surprising.” The broad “prohibition-first” approach of PIPA means “there are bound to be certain purposes that maybe should be exempted from the requirement to obtain consent but could not be conceived by legislatures when privacy laws were initially drafted,” Brown writes. (IAPP member login required.)

PRIVACY COMMUNITY—U.S.

FTC Announces New Chief Technologist, Senior Advisor for Privacy and Data Security (November 19, 2013)

The Federal Trade Commission (FTC) has announced the appointments of Harvard University Prof. Latanya Sweeney as chief technologist and University of Pennsylvania Wharton School Assistant Prof. Andrea Matwyshyn as a senior policy advisor on privacy and data security issues. “I am delighted to welcome Latanya to the FTC. She has done groundbreaking work in the anonymization of sensitive consumer information and privacy technology, and I look forward to the contributions she will make to the FTC’s efforts to protect consumers,” said Chairwoman Edith Ramirez, adding, “Andrea is a rising academic star whose insights on the intersection of technology innovation and data privacy and security law will be enormously valuable to the FTC’s efforts to protect consumer privacy while promoting innovation.”

PRIVACY LAW—U.S.

Judge Who Ruled Against Google To Hear Yahoo Case (November 19, 2013)

Following her ruling against Google’s request to dismiss a privacy lawsuit accusing it of using personal information gleaned from e-mails transmitted via Gmail, U.S. District Judge Lucy Koh is being sought after to hear similar lawsuits against Yahoo. The lawyer who filed a November 15 complaint against Yahoo says Koh’s recent ruling against Google’s request to dismiss the suit against it was “enormously important” for plaintiffs in group privacy suits. Yahoo has requested that three complaints filed against it be combined in an effort to minimize the labor or costs associated should the case be heard by three different judges. Separately, Yahoo has announced that following revelations that the NSA had accessed its data centers, it will add encryption to all of its products by spring 2014.

DATA TRANSFER

Things Looking Up for U.S./EU Relations on Law-Enforcement Access? (November 19, 2013)

U.S. Attorney General and Acting Secretary of the Department of Homeland Security Rand Beers met yesterday with EU Justice Commissioner Viviane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Department in Washington. Prior to the meeting, reports Bloomberg, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time” (you can see Reding’s speech here). Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014.

WEB CONFERENCE—U.S.

Dealing with Paper in a Paperless World: Privacy Challenges of Paper-Digital Conversions (November 19, 2013)

While much of the transfer of personal and sensitive information during day-to-day internal operations happens digitally, paper is still widely used in most offices, and the conversion from one format to the other creates very real data loss potential. The healthcare industry in particular routinely handles both personal health and financial information, and keeping this data safe during these transitions poses many challenges. Join our panel of legal and operational experts on December 5 as they map out where some of the weakest points exist, what your legal obligations are and what you can do in your organization to prevent data loss at these junctures.

ONLINE PRIVACY

Hochman: What Are the Ethics of the Internet? (November 19, 2013)

In a piece for Internet Evolution, Jonathan Hochman explores the ethical limits on the Internet and what he sees as a major problem called “paid unpublishing.” In such cases, a website operator obtains embarrassing information, publishes it and then offers to remove it for a fee. A recent example of this can be seen with mugshot website operators. “Unless steps are taken now to confront paid unpublishing, we may increasingly find our secrets or mistakes for sale online by unscrupulous ‘entrepreneurs,’” Hochman writes, adding that ethical online media follows three principles: no paid unpublishing, avoiding conflicts of interest and supporting the right to respond.

ONLINE PRIVACY—EU

EDPS: Telecoms Market Reform Plan Would Put Privacy At Risk (November 19, 2013)

New net neutrality laws would mean Internet users’ privacy rights would be at risk, according to the European Data Protection Supervisor (EDPS), Out-Law.com reports. The European Commission’s telecoms market reform plans would allow Internet service providers to engage in “wide-scale, preventive monitoring of communications content,” an affront to data privacy and protection as well as consumer trust in electronic communication services, the EDPS said.

PRIVACY LAW—U.S.

FTC v. Wyndham: Round One (November 18, 2013)
Last week, FTC v. Wyndham, a privacy case that commands the close attention of thousands of privacy professionals worldwide, challenging a decade of escalating Federal Trade Commission activity in the field of data security, went to oral arguments on the defendant’s motions to dismiss. Wyndham Worldwide Corporation was charged in June 2012 for “unfair and deceptive acts and practices” arising from alleged data breaches in its franchisees’ computer systems. In this exclusive for The Privacy Advisor, IAPP Westin Fellow Kelsey Finch examines this case, where the company is disputing whether “its failure to safeguard personal information caused substantial consumer injury,” and perhaps more importantly, whether the FTC even has the authority to regulate data security.

PRIVACY LAW

Alberta Privacy Law Ruled Unconstitutional, and More (November 18, 2013)

The Supreme Court of Canada, in a unanimous ruling, has determined that the Alberta privacy law is unconstitutional and has given the province one year to amend it; a federal judge in Vermont has ruled there can be no expectation of privacy when it comes to data exposed online via a peer-to-peer file-sharing network, and the New Zealand Parliament has voted down a bill that would have given the privacy commissioner increased powers. Meanwhile, the U.S. FTC has asserted its power over parental-consent methods; Brazil is calling for a crackdown on government surveillance, and Italy’s data protection authority and intelligence department have entered into a cooperation protocol. This week’s Privacy Tracker roundup has these stories and more. (IAPP member login required.)

PRIVACY LAW—EU & U.S.

Reding: U.S. Must Allow Europeans To Sue Agencies That Violate Privacy (November 18, 2013)

EU Justice Commissioner Viviane Reding says the U.S. can win back EU trust by allowing EU citizens the right to sue U.S. agencies that violate their privacy, Bloomberg reports. Reding said today’s meeting between EU and U.S. officials must make progress toward enforceable rights. Meanwhile, the U.S. Supreme Court has rejected a challenge of the National Security Agency’s telephone spying program, and two district courts will hear challenges to NSA snooping. In Luxembourg, Europe v. Facebook wants more specific answers on the federal data protection commissioner’s ruling that Microsoft and Skype did not break privacy law by transferring EU user data back to the U.S.

PERSONAL PRIVACY

The Secret Life of Webcams (November 18, 2013)

Webcams are on nearly every laptop and smartphone these days. They are great for video conferencing but can be used for nefarious purposes as well. One such case involves a young adult who hacked into a number of computers to take photos of young women and then used such photos to blackmail them. Moreover, the U.S. Federal Trade Commission recently settled with security company TRENDnet because it allegedly used lax security in protecting its cameras from being hacked and exploited. This Privacy Perspectives post explores these cases and looks at what can be done to prevent such nefarious use of these ubiquitous and potentially invasive features.

SOCIAL NETWORKING—U.S.

Facebook Forges Ahead with Planned Changes (November 18, 2013)

While Facebook has moved forward with changes to its privacy policies alerting users it may use their profile pictures, location and other personal information in advertisements, the company has deleted a controversial line in the policy on teens’ use of the site. The line stated Facebook assumed teens had obtained permission from their parents, drawing the ire of critics including Sen. Ed Markey (D-MA), who said Facebook should not profit from the personal information of children and teens. Facebook Chief Privacy Officer Erin Egan said, however, that the company wouldn’t gain additional rights as a result of the statement; rather, it was meant to get kids and their parents discussing the terms, The Washington Post reports. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

User Privacy Perceptions Could Cause Harm (November 18, 2013)

A new study suggests that, though a majority of users believe they have responsibility to protect their privacy, most do not take steps to actually protect it, Network World reports. The disconnect between users' attitude toward privacy accountability and their behavior suggests that consumers’ perception is more ideological than practical, said Stephen Cobb, a senior security researcher at ESET, the organization that commissioned the Harris Interactive survey of more than 2,000 U.S. adults. “What I think people lack are the resources and education to follow all the way through with (protecting information),” he said, adding, “The average American adult isn’t going to walk through the door well-prepared to protect that company’s information … They need help. They need education.”

PERSONAL PRIVACY—U.S.

Screen Actors Guild Backs Privacy Case (November 18, 2013)

The Screen Actors Guild (SAG) has announced it is supporting an actress’s privacy suit against IMDb.com, MediaPost reports. The SAG said the company “committed an unconscionable breach of trust” when it accessed actress Junie Hoang’s credit card information to determine and publicize her real birthdate. “Individual IMDb profiles contain information that most people would consider private and that can be used for improper purposes,” the SAG wrote in an amicus brief to the Ninth Circuit Court of Appeals.

PRIVACY LAW—U.S.

Do-Not-Track Kids Bills Proposed (November 15, 2013)
“Do-Not-Track Kids” bills aimed at curbing the tracking of and targeting of advertising to young Internet users were proposed Thursday, The Washington Post reports. The bipartisan legislation, which has won the support of advocacy group Consumer Watchdog, “would prohibit web giants … from collecting personal information, including location data, on children ages 15 and younger” without permission, the report states, describing teenagers as “a group that is leaving extensive digital dossiers” through the use of social media. “We must not allow the era of Big Data to become big danger for children,” said Sen. Edward J. Markey (D-MA), a lead sponsor of the legislation. (Registration may be required to access this story.)

PRACTICAL PRIVACY—U.S.

Online Marketing Highlights from PPS NYC (November 15, 2013)

The latter day of last week’s IAPP Practical Privacy Series in New York City featured two tracks—online marketing and financial services. We reported on some of the takeaways from the financial services track, and this week, privacy lawyer Annie C. Bai, CIPP/US, reports on some important highlights from the online marketing track. In this Privacy Perspectives post, Bai writes, “many of us found that an entire day was barely enough to devote to online marketing. First, it was all about the kids; then it was all about the web, and finally we ended with a rousing roundtable on Big Data. Here are some of the tidbits from the day that caused me to take pause and grab my pen.”

STUDENT PRIVACY—U.S.

Experts: Higher Ed Must Lead Gov’t to Negotiating Table (November 15, 2013)

Inside Higher Education reports on a roundtable discussion on privacy issues in healthcare and K-12 education in which privacy experts said as long as federal and state-level authorities “drag their feet on updating privacy standards, higher education institutions and their private-sector partners have an opportunity to lead on the issue and drag governments to the negotiating table.” The panelists called for clearer guidelines on how colleges and universities store and share student data and expressed frustration with cloud storage and the Family Educational Rights and Privacy Act.

PRIVACY IN POP CULTURE

The Circle Makes Us Square (November 15, 2013)

In his new novel, The Circle, Dave Eggers creates a world dominated by a search/social/commerce operation that is basically every cliché you’ve ever heard about Google, Facebook, Amazon, Yahoo and Twitter, all wrapped into one. In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle examines the world Eggers creates—a world devoid of privacy pros, where characters live by slogans like “secrets are lies,” “sharing is caring” and “privacy is theft.”

FINANCIAL PRIVACY—U.S.

CIA Allegedly Engaged in Bulk Collection (November 15, 2013)

The New York Times reports on an alleged Central Intelligence Agency (CIA) program that collects bulk records of international money transfers, including transfers inside and out of the U.S. from companies such as Western Union. Unidentified officials said the program operates under provisions within the USA PATRIOT Act and is overseen by the Foreign Intelligence Surveillance Court—similar to the National Security Agency’s phone records metadata program. One official said, “The CIA protects the nation and upholds the privacy rights of Americans by ensuring that its intelligence-collection activities are focused on acquiring foreign intelligence and counterintelligence in accordance with U.S. laws.” Meanwhile, Ars Technica reports on a new social media monitoring service unveiled by LexisNexis to aid local law enforcement in mining social media posts for intelligence. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Pandora: No Cookies? No Problem (November 15, 2013)

Pandora isn’t concerned about the potential shift to a “cookie-less” world, AdAge reports. The Internet radio company can still target listeners by using their sign-in data, including age, gender and ZIP code, to segment audiences. Last month, Pandora segmented the first two groups and plans to add segments every four to six weeks—the next group being listeners with high household incomes. A Pandora spokesman said for now it is taking advantage of the first-party data on its own site but that it’s “reasonable to infer” the company may want to use what it knows about listeners to target ads on other sites, though not without the right privacy measures.

PRIVACY

Brick-and-Mortars Catch Up on Tracking (November 15, 2013)

Reuters reports on brick-and-mortar retailers’ use of face scanners in an effort to improve such things as staffing, layout and marketing. Many businesses, aware of consumers’ reticence to be tracked, promise to only use the data in aggregate unless consumers give their consent. Shoppers are also increasingly asked to sign up for loyalty card programs that would allow the retailer to track them in exchange for discounts. “They are just trying to get real smart with data in the way the e-commerce guys are smart with data,” said the head of one tracking-device manufacturer. But the chief executive of a customer science company said, “Too much is happening without consumer consent.”

CHILDREN’S PRIVACY—U.S.

FTC Denies Company’s Consent Method (November 14, 2013)
The Federal Trade Commission (FTC) has denied AssertID’s application seeking approval of a parental consent method. The FTC said in a letter to the company that its proposal “failed to provide sufficient evidence that its method would meet the requirements” under the Children’s Online Privacy Protection Act. The company hoped to use a method called “social-graph verification,” but the FTC said in a 4-0 vote there hadn’t yet been sufficient research or testing to prove its efficacy.

SURVEILLANCE—U.S.

At Hearing, Google Says NSA Could Cause “Splinternet” (November 14, 2013)

During a Senate Judiciary Subcommittee hearing on the Surveillance Transparency Act of 2013, Google Director of Law Enforcement and Information Security Matters Richard Salgado expressed concerns that the Snowden disclosures, along with gag orders placed on the company by the U.S. Department of Justice, are hurting U.S. businesses around the world economically and may cause a fractured Internet. Global reaction to the NSA disclosures “could have severe unintended consequences such as a reduction in data security, increased cost, decreased competitiveness and harms to consumers,” he said. This exclusive for The Privacy Advisor covers Salgado’s comments and what they could mean for businesses.

INTERNET OF THINGS—U.S.

Opinion: FTC Roundtable Is Appropriate Approach (November 14, 2013)

In a preview of next week’s Federal Trade Commission roundtable on the Internet of Things, Future of Privacy Forum Founder and upcoming roundtable panelist Christopher Wolf opines that the agency’s look into the emerging field is an appropriate approach. In this Privacy Perspectives post, Wolf writes, “No proposals for new laws, regulations or law enforcement initiatives are on the table” and that the agency is simply on a “fact-finding” mission, adding, “it is hard to disagree that understanding the facts about the Internet of Things landscape is a necessary prerequisite to forming an opinion.”

DATA PROTECTION—U.S.

Is California Transparency Law Still Effective 10 Years Later? (November 14, 2013)

The American Civil Liberties Union of Northern California (ACLU) has published a policy paper looking at the state’s Shine the Light law of 2003. The paper looks at whether the law, now 10 years old, is still effective in providing transparency about how businesses handle personal data. “From revelations of widespread NSA spying to high-profile data breaches, the need to know what is happening to our personal information is more important than ever,” the ACLU said.

SURVEILLANCE

As NSA Fallout Continues, Investigations Called For, Launched (November 14, 2013)

Dutch and Belgian data protection authorities are leading an investigation “into whether consumers’ personal data on the global SWIFT money-transfer network can be accessed by the U.S. National Security Agency (NSA) or other intelligence services,” Bloomberg reports. “We will investigate if the security of the networks and databases of SWIFT containing huge quantities of personal data related to bank transactions of, among others, European citizens, allow for or have allowed for unlawful access,” said Dutch DPA and Article 29 Working Party Chairman Jacob Kohnstamm. In the U.S., advocacy groups including the Electronic Privacy Information Center, Privacy Rights Clearinghouse and Center for Digital Democracy sent a letter to the U.S. Federal Trade Commission calling for an investigation into Internet companies whose networks were accessed by the NSA. “It is inconceivable that when faced with the most significant breach of consumer data in U.S. history, the commission could ignore the consequences for consumer privacy,” the letter states. Meanwhile, a GigaOM report suggests the legacy of Edward Snowden’s revelations about NSA surveillance could be “much if not most of the open web will be encrypted by default.”

PRIVACY BUSINESS

IBM To Acquire Fiberlink Communications (November 14, 2013)

IBM has announced its agreement to acquire mobile management and security company Fiberlink Communications. “In a mobile-first world, clients require a comprehensive mobile management and security offering. Oftentimes they integrate solutions on their own and take on unnecessary risk,” said IBM’s Robert LeBlanc. “To protect and enhance the complete mobile experience, it’s crucial to secure the app, user, content, data and the transaction. The acquisition of Fiberlink will enable us to offer these expanded capabilities to our clients, making it simple and quick to unlock the full potential of mobility.”

HEALTHCARE PRIVACY—U.S.

Hospitals Prepare To Digitize Records for Sharing (November 14, 2013)

In Texas, a new program will digitize the medical records of every hospital in the San Antonio region, Texas Public Radio reports. The data—about 600,000 records in total—will eventually be shared in real time with hospitals, doctors and patients themselves. Patients are permitted to opt out if they wish. Meanwhile, VMware has announced a new service aimed at helping with HIPAA security requirements by providing Business Associate Agreements. “The healthcare IT industry needs trusted, reliable and stable business associates that will help address the appropriate administrative, physical and technical safeguard requirements under HIPAA security rules,” said the chief information officer at Hackensack University Medical Center.

PRIVACY LAW—U.S.

“Ban-the-Box” Laws on the Rise; Not Everyone’s Happy About It (November 13, 2013)
Phil Gordon of Littler Mendelson writes about the current legislative trend toward banning employers from asking applicants to answer the question “Have you ever been convicted of a crime?” on applications. These “ban-the-box” laws “prohibit employers from inquiring into criminal history in the job application,” but they also “create a complex, legislative patchwork” due to variations on the allowed timing for asking whether an applicant has committed a crime—especially for organizations operating in multiple states. Gordon offers tips on how organizations can mitigate risk and reduce liability, as well as exploring the reason for the trend in this Privacy Tracker post. Meanwhile, Texas’ attorney general has sought injunctive and declaratory relief against the Equal Employment Opportunity Commission mainly over its “prohibition against blanket ‘no felons’ hiring policies.” (IAPP member login required.)

PRIVACY RESOURCES

Where To Get Schooled in Privacy (November 13, 2013)

Prompted by a post to the IAPP Privacy List, our online Resource Center now includes a list of colleges and universities that offer courses in privacy. Currently featuring universities in the U.S., Canada and Europe, we have collected a preliminary list of offerings for those seeking higher education in privacy, but we need your help. Do you know of a school with a strong privacy focus? If so, send us an e-mail and let us know what we’re missing.

ONLINE PRIVACY—U.S.

Two Tracking Techs Emerge from Hackathon (November 13, 2013)

Last week, online privacy service Ghostery hosted a hackathon to create new user-friendly technologies to enhance online privacy. AdAge reports on the event and the two highest-rated teams. One team created a browser plug-in to reveal the companies that are tracking users by placing photos of the companies’ top executives on screen. A second top vote-getter focused on measuring the amount of time trackers add to page loading time. The latter system works in tandem with Ghostery and allows users to opt out of tracking. For the next month, users in the Ghostery community have the option to vote for the best service, which will then present its technology at South by Southwest next year.

PRIVACY LAW—ITALY

Garante, DIS Enter Cooperative Protocol (November 13, 2013)

The Garante, Italy’s data protection authority, and DIS, the country’s intelligence department, have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet,” writes Panetta & Associati Managing Partner Rocco Panetta in this Global Privacy Dispatch for The Privacy Advisor. “At the same time this is a proof of evidence that a different model of cooperation on the ground of the intelligence services is possible. Citizens have to believe that another world is possible and their rights might be protected together with their security and safety.”

DATA LOSS—EU & U.S.

Number Affected by Breach Continues To Rise (November 13, 2013)

More than 1.5 million Europeans have had personal information compromised by a security breach at Loyaltybuild, a company that manages customer loyalty programs across Europe, The Irish Times reports. The Garda has launched an investigation into the incident, which saw nearly 400,000 individuals’ credit card details exposed. Irish Data Protection Commissioner Billy Hawkes said the financial data was not encrypted. Another 150,000 individuals’ details have been “potentially compromised,” and the breach looks to be the result of an external criminal act, Hawkes said. Meanwhile, in the U.S., hundreds have been affected by a data breach dating back to 2001 in Indiana.

BIG DATA—U.S.

Schools Share $38 Million Big Data Grant (November 13, 2013)

The University of Washington, New York University and the University of California-Berkeley are sharing a $38 million grant to spread Big Data analysis skills to various professional fields, The Seattle Times reports. “Our goal is to figure out how to rapidly evolve universities to support and utilize data-intensive discovery,” said Ed Lazowska, eScience Institute founder and computer science professor at the University of Washington. “We have been doing this on a small scale, but now we’ll be able to work the problem at a large scale and as a collaboration among three teams that include some of the strongest faculty at some of the nation’s strongest universities.”

CHILDREN’S PRIVACY—U.S.

Parents To Sue NY Education Dept. (November 13, 2013)

A group of New York City parents is planning to file suit “to block the state Education Department from sharing their kids’ data—including test scores and discipline records—with private companies,” NYDailyNews.com reports. The suit, which is to be filed in New York Supreme Court, comes in response to “the controversial $100 million inBloom project being built by the company Amplify,” the report states, noting the parents allege the project “violates the state’s Personal Privacy Protection Law, forbidding state agencies from giving personal info to companies without consent, unless state law specifically requires the agencies to do so.” The suit follows concerns about inBloom raised in other states.

HEALTHCARE PRIVACY—U.S.

Are There “Limitless” Privacy Risks to New Health Exchanges? (November 13, 2013)

Forbes reports on a government report on the Affordable Care Act health insurance exchanges, which details the “high risks” and potential “limitless” privacy concerns with the site. One key official in the Obama administration testified earlier this month that he was not copied on the memo detailing the risks. Centers for Medicare and Medicaid Services Deputy Director and Deputy Chief Information Officer Henry Chao, who “is in charge of … the operations of the agency’s information systems security program,” said, “It is disturbing” that he was not copied on the memo, adding, “This is … a fairly nonstandard way to document a decision.”

SOCIAL NETWORKING—EU & U.S.

Facebook Discloses Gov’t Data Requests (November 13, 2013)

A recent hearing organized by the European Parliament’s civil liberties committee featured Richard Allan, director for public policy for Facebook in Europe, who discussed the number of demands for data by EU governments, The New York Times reports. Allan said Facebook received 8,500 requests from the EU on 10,000 user accounts during the first six months of 2013. By comparison, U.S. officials made 12,000 requests for data on as many as 21,000 user accounts. Meanwhile, CIO reports on the nuances of Facebook’s updated data use policy and statement of rights and responsibilities. And a new poll indicates four out of five people have changed the privacy settings on their social media accounts, most within the last six months. (Registration may be required to access this story.)

DATA LOSS—IRELAND

Breach May Hit 70,000 Loyalty Card Holders (November 12, 2013)
As many as 70,000 loyalty card holders may have had personal data compromised after Loyaltybuild sustained a “sophisticated” attack, BBC News reports. Supermarket chain Supervalu has told 62,500 customers who used a holiday offer to contact their banks, and AXA Ireland has said as many as 8,000 of its customers may have been affected. Loyaltybuild has contacted Ireland’s data protection commissioner and law enforcement and is investigating the incident. Supervalu is working with Loyaltybuild to resolve the incident but has also hired its own IT security consultants to investigate Loyaltybuild’s systems, the report states.

CYBERSECURITY—U.S.

NIST Looking for Advisors for Privacy Panel (November 12, 2013)

The National Institute of Standards and Technology (NIST) has announced it is looking for new members to its Information Security and Privacy Advisory Board (ISPAB), Government Security News reports. The board’s objective is to identify emerging issues affecting information security and privacy and advise NIST’s leadership, the secretary of commerce and the Office of Management and Budget on such trends. A NIST notice states, “Nominees should have specific experience related to information security or privacy issues, particularly as they pertain to federal information technology.” Last week, Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, wrote about why privacy professionals are needed in the NIST framework process.

INTERNET OF THINGS—U.S.

FTC Set To Examine IoT at Next Week’s Roundtable (November 12, 2013)

Politico reports on next week’s Federal Trade Commission (FTC) roundtable analyzing the Internet of Things (IoT). Earlier this year at the IAPP Global Privacy Summit, FTC Chairwoman Edith Ramirez said this nascent landscape “needs further study,” but industry representatives are warning the agency that regulation of the IoT could harm innovation. David LeDuc, senior public policy director at the Software & Information Industry Alliance, said providing guidance on such a broad topic “isn’t practical.” Future of Privacy Forum Founder Christopher Wolf—who will be a panelist next week—said, “We don’t need a law for the Internet of Things; we just need to think about how existing regulation can be translated onto these new areas.” Hunton & Williams’ Lisa Sotto, CIPP/US, CIPM, said applying existing privacy principles—including notice and choice—may be difficult in an IoT world and that the FTC may need to reconsider what it considers “sensitive” information. (Editor’s Note: Look for IAPP coverage previewing the FTC roundtable and live from the event.)

PRIVACY LAW—U.S.

Judge: Peer-to-Peer Data Isn’t Protected Under Fourth Amendment (November 12, 2013)

A federal judge in Vermont has ruled there can be no expectation of privacy when it comes to data exposed online via a peer-to-peer file-sharing network, Computerworld reports. The case involved three men charged with a crime who claimed the police illegally gathered data from their computers using a peer-to-peer search tool and then obtained a search warrant based on that data. The defendants asked the judge to suppress the evidence based on a violation of their Fourth Amendment rights, but District Court Judge Christina Reiss denied the motion, stating the defendants made the data public when they posted it over a peer-to-peer network. Other courts have ruled similarly where peer-to-peer networks are involved.

BIG DATA—U.S.

MIT Launches Big Data Privacy Working Group (November 12, 2013)

The Massachusetts Institute of Technology (MIT) Big Data Initiative, under its Computer Science and Artificial Intelligence Lab (CSAIL), has announced it is launching a new Big Data and Privacy Working Group to bring together industry, government and academia to address and find solutions for problems arising out of the intersection of Big Data innovation and privacy. CSAIL Principal Research Scientist Daniel Weitzner said, “The goal of the group is to encourage long-term thinking on the role of technology in protecting and managing privacy, in particular when large and diverse data sets are collected and combined,” and added, “We have a wide variety of technical approaches to privacy protection but don’t have a good handle on how they might actually work at scale or whether we need to develop new technical tools.”

PRIVACY LAW—U.S.

Plaintiffs: VPPA Case Should Proceed, Even With Lack of Financial Harm (November 12, 2013)

Hulu users involved in a potential class-action lawsuit are urging a federal judge to allow the case to proceed, MediaPost reports. The Hulu users have asked U.S. District Court Judge Laurel Beeler to reject Hulu’s motion to be awarded summary judgment in the case, saying that the case should proceed even if they do not prove financial harm. The class members claim Hulu violated the Video Privacy Protection Act (VPPA) by allegedly sharing user data with Facebook and comScore, but Hulu claims that consumers were not financially harmed in the case. The consumers argued, “A violation of the VPPA simply does not require a threshold showing of pecuniary damages.”

DATA PROTECTION

Facebook Asks Adobe Users To Change Passwords (November 12, 2013)

Facebook is warning users who also use Adobe that if they are using the same e-mail and password combinations on both sites, they should change that, KrebsOnSecurity reports. That’s after the recent breach at Adobe in which hackers stole nearly three million encrypted credit card records and users’ login credentials. “We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said a Facebook spokesman. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.”

PRIVACY LAW—BRAZIL & U.S.

Brazil Calls for End to “Excessive Electronic Surveillance” (November 12, 2013)

Following the country’s outrage over the U.S. National Security Agency’s (NSA) spying scandal and calls for new legislation, Brazil has put forth a resolution calling for an end to excessive electronic surveillance, BBC News reports. Brazilian President Dilma Rousseff, who canceled a trip to Washington, DC, following reports that the NSA had intercepted data from her office, said the U.S. has broken international law. “Friendly governments and societies that seek to build a true strategic partnership, as in our case, cannot allow recurring illegal actions to take place as if they were normal,” Rousseff said. “They are unacceptable.”

SURVEILLANCE

Gov’t Considers Removing NSA From Military Command (November 12, 2013)

The Obama administration is considering removing the U.S. National Security Agency (NSA) from military command and appointing a civilian to lead it, The Guardian reports. Gen. Keith Alexander is retiring in 2014, and a list of his potential replacements is being compiled. Meanwhile, plans for a European Internet—a direct response to the NSA revelations this summer—are being discussed by German company Deutsche Telekom. The company aims to keep German citizens’ data safe from foreign governments. And Privacy International has announced a new project that seeks to promote data protection within humanitarian efforts.

PRIVACY LAW—U.S.

Internet Association Backs Airbnb in NY Privacy Conflict (November 11, 2013)
The Internet Association—a group of web companies including Google, eBay, Facebook and Amazon—has filed papers in New York arguing that an attempt by the state’s attorney general to compel Airbnb to turn over its customers’ data will set a precedent that could harm online business, MediaPost reports. “The prospect of law enforcement authorities, regulators and other government personnel being able to obtain broad swaths of information about consumers under no articulated suspicion of wrongdoing would unduly discourage participation in these online services,” the filed paper states.

DATA PROTECTION—U.S.

Important Takeaways from PPS NYC (November 11, 2013)

Last week, the IAPP hosted a Practical Privacy Series event covering data breach, financial services and online marketing in New York City. In this installment for Privacy Perspectives, Jedidiah Bracy, CIPP/US, CIPP/E, explores some of the event’s big takeaways, including the importance of internal logging for breach investigations and defense, avoiding blacklisting in the payment card industry and the role privacy plays in developing trust. The post also includes some of the PowerPoint presentations that were provided to the IAPP from presenters. Editor’s Note: Registration for the IAPP Practical Privacy Series in Washington, DC, December 3-4, is still open. Tracks for the event include government, the FTC and consumer privacy.

DATA LOSS

Breaches More Widespread Than Reported (November 11, 2013)

A new security survey has found that 57 percent of malware analysts said they have worked on enterprise-related data breaches that were not disclosed, ZDNet reports. The ThreatTrack Security survey interviewed 200 security professionals. For larger businesses, with more than 500 employees, the number jumps to 66 percent. According to the ZDNet report, the reason behind not disclosing breaches may stem from attempts to save brand reputation or avoid difficult questions from customers and investors.

PRIVACY COMMUNITY

Facebook Settlement Means Digital Trust Foundation Is Off to the Races (November 11, 2013)

After three and a half years of legal wrangling, the U.S. Supreme Court on Monday let stand a $9.5 million settlement between Facebook and class-action plaintiffs, bringing an end to the case triggered by the Beacon advertising program. It is just the beginning, however, for the Digital Trust Foundation, reports Ad Age. Created by the settlement and led by Berkeley Center for Law and Technology head Chris Hoofnagle, the DTF will now begin developing grant-making guidelines for organizations seeking a portion of the $6 million in funds allocated for the study of online privacy.

PRIVACY LAW

Kazakhstan Joins the Crowd and Other Legislative Updates (November 11, 2013)

In the U.S., guidelines and court rulings have offered insight on everything from drone use to workplace audio recordings, while, internationally, questions still loom about the future of Safe Harbor and national leaders have presented an Internet privacy resolution to the UN. Kazakhstan’s privacy law is scheduled to come into effect this month, and Indonesia is looking into consolidating its sectoral coverage into an overarching law. Also in this week’s Privacy Tracker roundup is analysis of India’s privacy bill, California’s spate of privacy laws and insight from the FTC and the New Jersey Attorney General’s Office on how to avoid the wrath of regulators. (IAPP member login required.)

PRIVACY LAW—U.S.

Opinion: A Stronger Cali “Eraser” Law Wouldn’t Work (November 11, 2013)

Privacy expert Woodrow Hartzog writes in New Scientist that California’s recently enacted bill, SB-568, which some call the Internet “eraser” law, is not flawed and that a more robust eraser mandate would be “disastrous” and violate free speech. “While the critics correctly identify the unclear language in the statute,” he writes, “they miss the point when they say it will be ineffective because it won’t remove truly harmful ‘viral’ information that gets widely shared on the Internet,” adding, “What they fail to realize is that the modest protection offered by this eraser law is not a defect, it’s a feature.”

STUDENT PRIVACY

Colleges Increasingly Checking Applicants’ Social Media Accounts (November 11, 2013)

According to Kaplan research, 31 percent of admissions officers visited an applicant’s Facebook page or other social media account last year in determining admissions, a five-percent jump over last year. The research is indicative, reports The New York Times, of the increasing role students’ digital footprints play in whether or not they gain admission to college in the U.S. “To me, it’s a huge problem,” said Bradley S. Shear, a social media-focused lawyer. “Often, false and misleading content online is taken as fact.” However, we might all agree that one Bowdoin College applicant’s decision to snarkily tweet mean-spirited comments about fellow applicants while on a tour of the school was ill advised. (Registration may be required to view this article.)

DRONES—U.S.

Calo: FAA Plan “Sensible”; Not All Agree (November 11, 2013)

In a column for Forbes, privacy expert Ryan Calo writes about the Federal Aviation Administration’s (FAA) unmanned aircraft systems (UAS) roadmap. “As a long time commentator on the domestic use of drones … I was asked about whether the FAA had made any strides in terms of safeguarding privacy and civil liberties,” adding, “My view was that indeed they had, but I couldn’t help but notice other voices … criticizing the FAA’s plan as not going far enough.” For one, Sen. Ed Markey (D-MA) wrote the roadmap showed a “disregard for the need for strong and comprehensive privacy safeguards,” and called for legislation. A Law 360 report said the FAA “completely ducked controversial matters of privacy, putting the onus instead on test site operators to develop their own privacy plans and on lawmakers to fill in any gaps.”

GLOBAL INTEROPERABILITY—EU & U.S.

Trade Talks To Resume This Week Without Privacy (November 11, 2013)

Trade talks between the U.S. and EU are set to resume this week, but according to Euractiv, data protection and secrecy issues will not be on the docket. Instead, the parties are expected to discuss services, investment, energy and raw materials and regulatory issues. EU Justice Commissioner Viviane Reding has been vocal in the past about including data protection issues in the Transatlantic Trade and Investment Partnership. According to the report, the U.S. has been mounting pressure to keep the debate about including data protection in the talks open.

PRIVACY LAW—U.S.

What U.S. Privacy Regulators Want To Hear (November 8, 2013)
“Privacy drives trust.” That was the mantra during Thursday’s Practical Privacy Series Financial Services track in New York City. In this exclusive for The Privacy Advisor, Jedidiah Bracy, CIPP/US, CIPP/E, gathers up advice from HSBC Chief Privacy Officer Al Silipigni, CIPP/US; Elizabeth Anne Khalil, senior compliance policy analyst at the FDIC; William M. Rubenstein, Connecticut commissioner of consumer protection; CFPB Deputy Enforcement Director Deborah Morris; Fulbright & Jaworski Partner Pamela Jones Harbour, and Katherine Armstrong, an attorney with the FTC’s Division of Privacy and Identity Protection on how to establish trust with regulators and keep your business free of sanctions and consent decrees.

PRIVACY LAW—U.S.

Judge Rules Wyndham Must Exchange Evidence with FTC, Case Proceeds (November 8, 2013)

A judge has ruled that Wyndham Worldwide Corp. must exchange pretrial evidence with the U.S. Federal Trade Commission in its complaint against the company that alleges breaches at Wyndham and its three subsidiaries compromised more than 619,000 credit card accounts, Bloomberg reports. The company wanted the case dismissed, claiming the FTC doesn’t have the authority to regulate data security. Meanwhile, a government accountability organization has filed a Motion for Protective Order on behalf of LabMD in an attempt to nullify 35 subpoenas issued by the FTC in a single day.

PRIVACY

DHS Submits Annual Report on Privacy to Congress (November 8, 2013)

In her first public communication, new U.S. Department of Homeland Security CPO Karen Neuman posted on the DHS blog that she has officially submitted the DHS Privacy Office’s 2013 Annual Report to Congress. “As the Privacy Office enters our tenth year,” she writes, “we will continue to ensure that DHS stays committed to protecting the privacy of all individuals, and providing the greatest level of transparency and accountability possible.” The report, which stretches to 86 pages, opens with a message from Deputy CPO Jonathan Cantor, who acted as CPO for much of the time the report covers, and outlines how the department accomplished goals related to its privacy and disclosure policy, advocacy, compliance, oversight and workforce excellence.

PRIVACY LAW—U.S.

Is Cali’s “Eraser” Bill the Wrong Approach? (November 8, 2013)

An Al Jazeera report analyzes recently passed legislation in California that essentially creates an “eraser” option for children and teens. Yet, privacy advocates are asking why only children would have such an option since, often, younger Internet users are more savvy with their privacy in the first place, whereas older users may not be as sophisticated. Center for Democracy and Technology Director of Consumer Protection Justin Brookman said, “It’s directed towards teenagers, which in itself is kind of vague … If you’re going to have privacy rules, you might as well protect everyone.” IAPP Westin fellow Kelsey Finch recently analyzed this bill along with several others in California.

SURVEILLANCE—EU & U.S.

Report Finds NSA, GCHQ Violated EU Law (November 8, 2013)

A new study reveals that dragnet Internet surveillance by the U.S. National Security Agency (NSA) and the UK’s GCHQ violated European privacy law, ComputerWeekly reports. The study’s authors, Sergio Carrera of the Centre for European Policy and Francesco Ragazi of Leiden University, have urged the European Parliament to “break the wall of silence,” the report states. Meanwhile, a report in Foreign Policy contends that, in the debate about the NSA’s surveillance programs, “privacy is a red herring.”

ONLINE PRIVACY—U.S.

Opinion: We Should Demand More for Our Data (November 8, 2013)

An opinion piece in the Brattleboro Reformer questions why Formula One’s Max Mosley fought to have compromising images of him removed from Google’s Internet search results, when in the end the publicity only brought more attention to the images. In Slate, Josh Klein writes that as personal data has become monetized and used in exchange for a positive user experience, “it puts us in a position to name a price for it,” and we should demand more than “almost nothing.”

INTERNATIONAL PRIVACY—GERMANY & BRAZIL

Nations Present Internet Privacy Resolution to UN (November 8, 2013)

Following reports that U.S. intelligence eavesdropped on foreign leaders—including German Chancellor Angela Merkel and Brazilian President Dilma Rousseff—both nations formally presented a resolution to the United Nations urging countries to extend internationally guaranteed rights to privacy online, The Associated Press reports. Such resolutions to the General Assembly are not legally binding. The U.S. was not specifically named in the resolution.

DRONES—U.S.

FAA Releases Roadmap for UAS Integration (November 8, 2013)

Wired reports on the release by the Federal Aviation Administration of an official roadmap for the future integration of unmanned aircraft systems (UAS), also known as drones. U.S. Transportation Secretary Anthony Foxx said, “This roadmap is an important step forward that will help stakeholders understand the operational goals and safety issues we need to consider when planning for the future of our airspace.” The five-year plan unveils three phases, including “accommodation” of existing UAS, “integration of future UAS” and “evolution” to create an adaptable framework for the technology. The roadmap also implies, the report states, that unmanned aircraft will be treated like manned aircraft. The FAA has designated six test sites, which will help “inform the dialogue” with privacy and civil liberties concerns.
Full Story

PRIVACY LAW—U.S.

Federal and State Regulators on How To Get “Off the Hook” (November 7, 2013)
The Federal Trade Commission (FTC) has been a busy agency. It has now brought 47 data security cases against businesses to date, and according to FTC Consumer Protection Bureau Deputy Director Daniel Kaufman, there are more in the pipeline. Together with New Jersey Supervising Deputy Attorney General Kenneth Ray Sharpe, CIPP/US, Kaufman addressed a room full of privacy pros yesterday at the IAPP Practical Privacy Series in New York City on how to avoid the wrath of regulators. Jed Bracy, CIPP/US, CIPP/EU, reports on their advice in this exclusive for The Privacy Advisor.

ONLINE PRIVACY—U.S.

Exclusive Interview with Lavabit Founder on the Day the FBI Came Calling (November 7, 2013)

Ladar Levison remembers June 28 pretty well. Temperatures reached 108 degrees in Dallas, TX, and Sandra Bullock’s The Heat was released nationwide. But Levison was feeling a different kind of heat that day when the FBI showed up unannounced at his Dallas apartment and told him they wanted access to his company’s computer system—a system he’d designed specifically to protect his customers from the threat of surveillance. In this exclusive for The Privacy Advisor, Levison describes his legal ordeal and his new business venture, one he hopes protects data in a way his last service, in the end, did not.
Full Story

CYBERSECURITY

Privacy Professionals Needed in NIST Framework Process (November 7, 2013)

In February of this year, the White House issued an Executive Order (EO) tasking the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework aimed at reducing cybersecurity risk to the nation’s critical infrastructure. Most relevant to privacy pros is that it instructs that the framework incorporate privacy and civil liberties protections. In the latest Privacy Perspectives post, Microsoft CPO Brendon Lynch, CIPP/US, writes “it is critical that members of our profession provide feedback to NIST on its applicability.”
Full Story

PRIVACY LAW—U.S.

Case Over Workplace Audio Recordings Offers Insight (November 7, 2013)

The proliferation of recording devices in our society offers employees the opportunity to easily record conversations in the workplace, which has brought up interesting legal questions in the 37 states where anti-wiretap laws don’t prohibit recording a person without their knowledge. Philip Gordon writes in Littler Mendelson’s Workplace Privacy Counsel about a recent case in which an administrative law judge (ALJ) rejected the National Labor Relations Board’s (NLRB) stance that workers “have a legally protected right to record their coworkers and managers.” In the case, the ALJ found that the company’s ban on workplace audio recording was lawful, and while the decision is not binding on the NLRB, the decision will likely be appealed to the board and offers important guidance for employers.
Full Story

ONLINE PRIVACY—U.S.

Twitter Heads to IPO; Little Scrutiny from DC (November 7, 2013)

Politico reports that as Twitter begins offering up shares on the public market it has seen little attention from Washington, DC, policymakers and privacy advocates. While the report touts Twitter as having “arguably the best privacy reputation of any major tech company,” it also notes the company’s “own regulatory filings say the company is beefing up its ability to offer targeted advertising.” The Telegraph reports that a pre-IPO document acknowledges that concerns for potential investors include the possibility of a data breach, though Politico notes Twitter doesn’t have the treasure trove of data on its users that some other big tech firms have.
Full Story

ONLINE PRIVACY—UK & U.S.

ICO: Cookie Replacements Must Follow Rules (November 7, 2013)

The UK Information Commissioner’s Office (ICO) has acknowledged that it’s aware of initiatives to forego cookies for new tracking technologies and says these new technologies will need to abide by the same rules as cookies, Out-Law.com reports. Encouraging a Privacy by Design approach, an ICO spokesperson said companies must be upfront with customers and offer “users a clear choice as to the options available to them.” Meanwhile, Mozilla’s plans to automatically block certain cookies in its browser are on hold after it announced plans to work with the Cookie Clearinghouse initiative at Stanford University on a “more nuanced approach.” The organization now says it’s unsure whether it will adopt the feature.
Full Story

ONLINE PRIVACY

Closed-Circle Feature Added to Google+ (November 7, 2013)

Google has added a new feature to Google+ to ensure private conversations remain private, Think Digit reports. The feature allows businesses to decide if their restricted community will be open to everyone at the company or more limited, the report states. System administrators can decide whether restricted communities will be the default, but communities open to third parties such as business partners and clients can also be created.
Full Story

SURVEILLANCE

U.S. Urges EU To Preserve Safe Harbor; International Reactions to Spying Programs Continue (November 7, 2013)

Across the globe, fallout from reports of U.S. National Security Agency (NSA) and other governmental surveillance programs continues. Politico reports on U.S. regulators urging their counterparts in the EU not to abandon the Safe Harbor Framework amidst “mounting European anger over NSA spying.” Separately, “The CIA is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls,” according to a report in The New York Times. NSA General Counsel Rajesh De has attempted to explain the agency’s telephone metadata collection program by saying, “It’s effectively the same standard as stop-and-frisk”—using “reasonable and articulable suspicion” to identify phone numbers to target. Meanwhile, Google has begun encrypting its internal network in an effort to halt broad surveillance, and Kaspersky has said it is designing products “to detect all malware”—even that sponsored by the NSA. In response to allegations of U.S. agencies spying on EU officials, Spiegel examines what the White House might have known and how the NSA sets its priorities, and Indonesia has backed a UN statement indicating “anger at U.S.-led data snooping,” while Australian websites faced cyber attacks “in protest at Canberra’s reported involvement in the surveillance network.”
Full Story

ONLINE PRIVACY—FRANCE & U.S.

Court Rules Google Must Remove Images from Search Results (November 7, 2013)

A French court has ruled Google must remove compromising photos of a Formula One car racing chief from its Internet search results, The Economic Times reports. The ruling follows Max Mosley’s lawsuit aiming to force Google to filter images that were originally published in a British newspaper. Mosley claimed French law forbids taking and distributing images of someone in a private space without permission, while Google argued freedom of speech. Google says it will appeal the decision. “At this point in time, the pendulum is swinging toward individuals’ privacy and away from freedom of speech,” said one privacy analyst.
Full Story

PRIVACY RESOURCES

Employee Monitoring: What’s Allowed and What’s Not? (November 6, 2013)
Employers walk the line between protecting company resources and ensuring productivity and becoming big brother to their staff. Technology is available to monitor everything from computer use to hallways, but just because it’s out there, doesn’t mean it’s okay to use it. This IAPP Resource Center Close-Up aims to help you balance organizational security with employee privacy laws across the globe. You’ll find tools, articles and guidance on conducting background checks, accessing employee data and BYOD, plus learn about differing laws from region to region. (IAPP member login required.)

PRIVACY LAW—U.S.

California’s Tidal Wave of Legislation: A Roundup (November 6, 2013)

For more than a decade, California has stood at the forefront of the privacy legislation wave. Two 2003 California statutes have stood out and, in fact, revolutionized the field: the California Online Privacy Protection Act (CalOPPA), which was the first state law to require websites to post a privacy policy, and the law commonly known as “SB 1386,” the first security breach notification statute. In this exclusive for The Privacy Advisor, IAPP Westin Fellow Kelsey Finch examines five new laws as well as legislation that is currently pending in California.
Full Story

ONLINE PRIVACY—U.S.

Apple: “Our Business Does Not Depend On Collecting Personal Data” (November 6, 2013)

Apple published a formal report yesterday on federal government data requests, All Things Digital reports. In it, Apple says its business “does not depend on collecting personal data … We have no interest in amassing personal information about our customers. We protect personal conversations by providing end-to-end encryption over iMessage and FaceTime. We do not store location data, Maps searches or Siri requests in any identifiable form.” It adds that the U.S. government doesn’t allow it to disclose the number of national security orders “or whether content, such as e-mails, was disclosed” and that it opposes such a gag order. Earlier this week, the company lobbied for restrictions on government surveillance.
Full Story

CHILDREN’S PRIVACY—U.S.

Developers Still at a Loss Over COPPA Compliance (November 6, 2013)

Bloomberg reports that four months after changes to COPPA went into effect, “Many developers are still at a loss: Not only are they not complying with the law, they don’t even know how to do so.” Noting that companies are not clamoring to “openly acknowledge a failure of compliance with rules,” the report quotes Matt McDonnell of Famigo, which operates a children’s applications rating service, as saying, “The universal characteristic of these developers that we work with is that they are even further behind than the FTC thinks.” One key reason why, the report suggests, “is the counterintuitive requirement that developers collect more information about the users whose privacy is at stake.” Editor’s Note: The IAPP Resource Center provides answers to FAQs from the FTC related to COPPA enforcement, parental notice and consent and more.
Full Story

HEALTHCARE PRIVACY—U.S.

EHRs Make Audit Trails Much Easier To Follow (November 6, 2013)

Healthcare IT News reports on the way in which electronic health records have made catching unauthorized viewers much easier. And that has illustrated the frequency with which unauthorized access occurs, such as last month’s notification by Minnesota’s Allina Health System that 3,800 patients’ personal health data had been breached by a medical assistant who had been improperly accessing the information for three years. The Department of Health and Human Services reports that since 2009, 27 million individuals have had their personal health data compromised.
Full Story

DATA PROTECTION—U.S.

Inspector General: DHS Lacks Resources To Handle Online Threats (November 6, 2013)

The Department of Homeland Security’s (DHS) inspector general says DHS has struggled to respond to cybersecurity threats because of “lingering technical, funding and staffing woes,” Politico reports. In a report released Monday, the inspector general said DHS lacks the tools and training needed to track hackers who are after U.S. banks and other businesses and needs more resources in order to be able to communicate threats to its cybersecurity workforce in real time. While President Barack Obama has nominated someone for the post, DHS currently lacks a leader.
Full Story

PERSONAL PRIVACY—U.S.

NIST To Update Smart Grid Guidance (November 6, 2013)

The National Institute of Standards and Technology (NIST) is revising its smart grid guidance to address vulnerabilities and privacy issues that have become more of a concern over the past few years, reports BankInfoSecurity. While the U.S. power grid is years away from being a true smart grid, NIST says in the draft of the guidance, "Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the smart grid." Rebecca Herold, CIPP/US, CIPM, CIPP/IT, who leads NIST’s Smart Grid Cybersecurity Committee’s privacy subgroup, told the Daily Dashboard the new draft will “allow all players in the smart grid to proactively address privacy issues as they create the wide variety of services and components involved, instead of waiting until after the fact, and after privacy incidents, to try to tack privacy on as an after-thought, which is never nearly as effective—as history has taught us.”
Full Story

GEO PRIVACY—U.S.

Survey: Shoppers Unsure About Tracking-for-Coupons Model (November 6, 2013)

While consumers are becoming more aware that they may be tracked as they walk around brick-and-mortar stores, “plenty still feel uncomfortable about it,” PC World reports. That’s according to a survey that found that nearly half of respondents said they would find it invasive if a store sent them a text-messaged coupon as they walked past that store. But only 35 percent said they found it invasive for a website to know their geographic location, suggesting “people are less comfortable being tracked on their mobile devices in a store than as they surf around the web,” the report states.
Full Story

SURVEILLANCE—U.S.

U.S. Willing To Consider Reforms (November 6, 2013)

Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB) David Medine said the government is open to changes about how it conducts phone and Internet surveillance programs as long as they don’t undermine the programs’ effectiveness, Reuters reports. PCLOB is now examining how to balance thwarting terrorist plots with protecting Americans’ privacy. It will present a report to President Barack Obama on suggested reforms to surveillance programs. In an opinion piece for The Atlantic, Conor Friedersdorf says defenders of digital surveillance programs should apply the logic to the analogue world, where “everyone recognizes the absurdity of effectively outlawing privacy.”
Full Story

PRIVACY LAW—U.S.

SCOTUS Lets Facebook Settlement Stand (November 5, 2013)
The U.S. Supreme Court has let stand a $9.5 million settlement after a Facebook user challenged the agreement objecting to the fact that none of the money will go to the users whose privacy rights were violated, Bloomberg reports. The settlement will go to a foundation to promote online privacy and security, after paying out lawyers’ fees, and stems from Facebook’s use of the Beacon advertising program, which it shut down in 2009 after complaints. While the court didn’t issue a published dissent, Chief Justice John Roberts said it may need a different case in order to reach the “fundamental concerns surrounding the use of such remedies in class-action litigation.”

PRIVACY LAW—U.S.

What Privacy Pros Need To Know About the NIST Cybersecurity Framework (November 5, 2013)

As the U.S. National Institute of Standards and Technology moves into the home stretch of creating the Cybersecurity Framework called for by President Barack Obama back in February, we’re now getting a clearer picture of how privacy will be affected by the resulting document. Considering it may end up being part of a regulatory structure, it’s incumbent upon privacy professionals, writes Hogan Lovells Partner Harriet Pearson, CIPP/US, to understand how the framework ties together cybersecurity and privacy. As the date of the last framework workshop approaches, Pearson hits upon the most important points of the draft Privacy Methodology contained in the Cybersecurity Framework in this exclusive post for Privacy Tracker.
Full Story

PRIVACY TECH

Hack the Trackers Taps Into the Post-Snowden Zeitgeist (November 5, 2013)

What do you get when you put a group of talented, self-motivated developers, tech-savvy judges and folks who built one of the Internet’s most-successful online privacy tools into the same room? This coming Saturday, you’ll get Hack the Trackers. Created by Ghostery, a privacy-enhancing browser service owned by Evidon, the hackathon aims to develop a new generation of online privacy tools by inviting developers to work together on open-sourced technology and then be judged by selected experts. In this exclusive for The Privacy Advisor, Jedidiah Bracy, CIPP/US, CIPP/E, talks with Evidon about how the event came to be and where they plan to take it.
Full Story

ONLINE PRIVACY—U.S.

Healthcare Site Struggles; Privacy Concerns Linger (November 5, 2013)

CBS News reports on the ongoing troubles of HealthCare.gov as millions of Americans attempt to buy insurance via the new site. While the site was being developed, “crucial tests to ensure the security and privacy of customer information fell behind schedule,” the report states, adding that the Obama administration granted itself a waiver to launch the site “with a level of uncertainty … deemed as a high security risk.” Stan Crosley, CIPP/US, director of IU CLEAR Health Information, told the Daily Dashboard that such a waiver would never happen in private industry and that the stakes here are high. “As privacy professionals, we'd never advise clients to take such a high-risk, company-centric approach … In healthcare we like to remind ourselves just how critical the data is that we handle. We know the data is about someone's father, or mother, or son or daughter; with apologies to our food manufacturing friends, in healthcare, we're not making peanut butter. Use or misuse of this data can change someone's life, forever.” Editor’s Note: Crosley will speak on “Specific Data Analytics and Utility within the Health Industry” at PPS Chicago on November 14.
Full Story

DATA LOSS—U.S.

One Million Affected in Software Company Site’s Hack (November 5, 2013)

Internet security firm Hold Security says it has discovered that a limousine software company has been hacked, resulting in credit card numbers and other details on close to one million customers being exposed, Detroit Free Press reports. Jonathan Mayer, a cybersecurity fellow at Stanford University, said Corporatecaronline’s website was running outdated software that made it vulnerable, but “you don’t have to be a big target to be at risk online anymore. This is the new normal, and it underscores the need for improving the regulatory framework.”
Full Story

SURVEILLANCE—U.S.

PCLOB Recommends Limiting NSA Retention (November 5, 2013)

Bloomberg reports on comments by David Medine of the Privacy and Civil Liberties Oversight Board (PCLOB) on a potential proposal aimed at reducing how long the National Security Agency may retain records. Medine said the PCLOB is considering a proposal to reduce the length of time records can be held from five years down to three years, and the board may also propose “that foreigners have more privacy protections under an NSA program that intercepts e-mails and other Internet communications,” the report states. Medine, who said the PCLOB is “taking a very hard look” at the NSA surveillance programs, was also interviewed by Deutsche Welle about the PCLOB’s work.
Full Story

DATA PROTECTION—EU & U.S.

Reding Says Data Protection Outside of TTIP’s Scope, Calls for an EU NSA (November 5, 2013)

Despite a push from Germany to include data protection rules within the Transatlantic Trade and Investment Partnership in the wake of U.S. spying revelations, European Commission Vice President Viviane Reding says data protection is outside of the EU-U.S. pact’s scope, Financial Times reports. “The commission’s view and the position taken by all leaders at the recent European Council is clear: Let’s not mix up the phone tapping issue with the ongoing trade talks,” Reding said. Reding has also called for the EU to create its own intelligence agency by 2020 in order to “level the playing field” with the U.S. Meanwhile, U.S. Attorney General Eric Holder says the U.S. is taking note of Europe’s concerns. (Registration may be required to access this story.) Editor's Note: See the IAPP's Web Conference on "Applied Privacy in the EU" November 14.
Full Story

PRIVACY LAW—U.S.

Markey Introduces Drone Bill (November 5, 2013)

The Hill reports Sen. Ed Markey (D-MA) has filed a bill that would require the Federal Aviation Administration (FAA) “to insert privacy protections in its examination into the possibility of allowing drones to be flown in commercial airspace.” Speaking Monday, Markey explained his Drone Aircraft Privacy and Transparency Act would require the FAA to ensure warrants are in place before using drones for surveillance. “Before countless commercial drones begin to fly overhead, we must ground their operation in strong rules to protect privacy and promote transparency,” he said.
Full Story

PRIVACY

Ten Steps to a Quality Privacy Program, Part Four: PIAs (November 4, 2013)
In part four of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, explores privacy impact assessments, which she calls key to privacy by design—or default. While there are foundational concepts that must be addressed, each organization may need to approach PIAs differently according to its size and needs, writes Rodriguez in this exclusive for The Privacy Advisor.

PRIVACY LAW

Burden Lowered for Breach Compensation, Changes in China (November 4, 2013)

This week’s Privacy Tracker legislative roundup highlights a U.S. case that may have lightened the burden on plaintiffs in order to win compensation in breach cases, plus the introduction of bills inspired by the NSA’s surveillance techniques. China has amended its consumer protection law, and one Canadian provincial minister is trying to address a gap in privacy protection in the private sector by consolidating and adding laws. Meanwhile, Brazil is still considering a data protection law and the European Commission plans to push toward implementing the Data Protection Regulation by spring of 2014 despite attempts to delay it until 2015. (IAPP member login required.)
Full Story

BIG DATA

Business Lessons on Privacy and Data Mining (November 4, 2013)

Computerworld reports on the privacy issues surrounding data mining and how including ethical standards with mining can help bolster trust with consumers and help a company’s brand. One digital strategist said, “The values that you infuse into your data-handling practices can have some very real-world consequences.” The article provides a number of examples of companies getting into trouble because of their data-mining practices, but also provides another positive example. Data analytics firm Retention Science uses predictive algorithms and aggregated data to help better target consumers but refuses to share data across clients or third parties. The company also says its data scientists are not allowed to use or share collected data for their own research or publications. A representative from the company said it “works only with businesses that are fully committed to getting their consumers’ consent in advance to use their data.”
Full Story

CYBERSECURITY—U.S.

Law Firms Beefing Up Cybersecurity Practices (November 4, 2013)

Several law firms are launching cybersecurity and data protection practices, The Pittsburgh Post-Gazette reports. One such firm, Buchanan Ingersoll & Rooney, recently announced it was launching a data protection practice. The addition is part of a larger movement by firms to enter the lucrative data breach practice area. American Bar Association Public Contract Section’s Cybersecurity Committee Chairman David Bodenheimer said, “When boards of directors started turning to senior management and asking, ‘What is this threat and what are we doing about it?,’ they started to call their law firms.”
Full Story

ONLINE PRIVACY—U.S.

Tech Companies Want Restrictions on Gov’t Surveillance (November 4, 2013)

Following news that the National Security Agency (NSA) was tapping into Yahoo and Google data centers, a coalition of tech companies is calling on Congress for restrictions on government surveillance, MediaPost reports. Google, Yahoo, Microsoft, Facebook, Apple and AOL have asked for “substantial enhancements to privacy protections and appropriate oversight and accountability mechanisms.” Meanwhile, a U.S. senator and privacy advocates are raising concerns that a bill introduced last week to amend the Foreign Intelligence Surveillance Act would give the NSA permission to collect massive amounts of not only Americans’ phone records, but e-mails as well.
Full Story

PERSONAL PRIVACY—U.S.

Man Says Data Broker Is Liable in Harassment Case (November 4, 2013)

A New York man has asked the U.S. Supreme Court to review whether data brokerage companies can be held strictly liable under federal law, Law360 reports. The man claims “a data broker illegally sold information gleaned from DMV records to a stranger who later tracked down and harassed him.” A Second Circuit court ruled in July that data broker Softech International could not be held strictly liable under the Driver’s Privacy Protection Act, the report states. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Microsoft Updates Policy Ahead of Launch (November 4, 2013)

Ahead of the launch of the Xbox One this month, Microsoft has updated its privacy policy to clarify how data is collected and used within gaming functions. While Xbox One uses facial recognition to log in users, the data doesn’t leave the console and can be deleted at any time. However, users “should not expect any level of privacy” when it comes to live communication features like chat and video during live-hosted game sessions. Microsoft reserves the right to monitor those communications “to the extent permitted by law,” Ars Technica reports. Users are permitted to disable targeted ads and tracking through an opt-out page. Editor’s Note: For more on privacy concerns related to Kinect 2.0, see attorney David Tashroudian’s exclusive article, “Will Kinect 2.0 and COPPA Play Well Together?,” in The Privacy Advisor.
Full Story

PRIVACY—SWITZERLAND & EU

Cloud Provider Sets Up Swiss Shop, Germany Pushes for Privacy in TTIP (November 4, 2013)

Swiss cloud provider Swisscom decided to set up a home cloud in an effort to cut costs and make its systems more dynamic, according to head of IT services Andreas Koenig, but it also may become important to store data in countries with strict privacy laws, Reuters reports. While the company would be required to hand over data under a judge’s order, data protection and privacy “is a long tradition in Switzerland, and that’s why it’s pretty difficult to get something,” Koenig said. Meanwhile, officials in Brussels say Germany’s plan to push for tough data protection controls for the Transatlantic Trade and Investment Partnership is a “big surprise.”
Full Story

HEALTHCARE PRIVACY—U.S.

Microbe Research Raises Privacy Concerns (November 4, 2013)

NPR reports on the American Gut Project, a “citizen science,” crowdsourced microbiome initiative designed to help scientists learn more about the friendly and dangerous microbes living in and around the human body. Organizers of the project need reams of personal information—including swabbed samples and detailed logs of a subject’s daily diet—to help illuminate the research, but some bioethicists are expressing privacy concerns. One expert said, “If you have privacy concerns at all, you shouldn’t do it.” Though the information is confidential, there’s no guarantee that it will be protected and it’s possible that a volunteer’s DNA samples might inadvertently become public, the bioethicist noted.
Full Story

BIG DATA—U.S.

What Acxiom Can Teach the NSA About Transparency (November 1, 2013)
For businesses working with massive amounts of data—particularly data brokers such as Acxiom—being transparent about data collection and use is an enormously difficult challenge. Helping consumers understand business practices in order to gain their trust, without giving away trade secrets or potentially compromising security, is another challenge. Likewise, the U.S. National Security Agency is facing a similar challenge of how to be transparent about its programs without compromising national security. How does an organization convey transparency to consumers or citizens who will most likely not take the necessary steps to actually look at an organization’s attempt to be transparent? This Privacy Perspectives post looks at these parallel and daunting challenges.

DATA LOSS

This Week’s Breach Roundup (November 1, 2013)

A former Department of Justice cybercrime prosecutor says organizations should develop a “defensible response” to data breaches and fraud incidents because it’s likely they’ll next face a regulatory investigation or legal action, Bank Info Security reports. It’s advice the companies involved in this week’s breach roundup may want to take into consideration.
Full Story

PRIVACY LAW—U.S.

Tips on Complying With COPPA While Still Making Money (November 1, 2013)

Sara Hanlon, the CEO of a website targeted to kids and their grandparents, offers tips in AdAge on how to meet the challenges of the newly revised Children’s Online Privacy Protection Act (COPPA) while continuing to bring in revenue through your website. “While there are expenses associated with compliance, the complexity of the law and the thought of overhauling an entire business model are bigger issues,” Hanlon writes, noting that for some, “the law has created opportunities to innovate in order to continue to profit.” Tips offered by Hanlon include: read and understand COPPA; don’t “assume your lawyer, developer or anyone else is handling this for you”; create a “parents area” on your site, and join an FTC-endorsed Safe Harbor program, among others.
Full Story

DATA PROTECTION

After NSA Disclosure, Tech Giants Look To Increase Defenses (November 1, 2013)

Days after the latest National Security Agency leak showing the agency had tapped the data centers of Yahoo and Google—allegedly without either company’s knowledge—The New York Times reports that many large tech companies, including Facebook and Twitter, have been spending time and resources bolstering internal networks to protect their consumers’ data. “What began as a public relations predicament for America’s technology companies has evolved into a moral and business crisis that threatens the foundation of their businesses, which rests on consumers and companies trusting them with their digital data,” the report states. ACLU Senior Analyst Christopher Soghoian said some companies are taking steps to ensure “surveillance without their consent is difficult,” but added, “what they can’t do is design services that truly keep the government out because of their ad-supported business model, and they’re not willing to give up that business model.” (Registration may be required to access this story.)
Full Story

DATA COLLECTION

Facebook Testing More Robust Data Tracking (November 1, 2013)

The Wall Street Journal reports on new software being tested by Facebook to increase the site’s ability to collect great amounts of user information, including the tracking of a user’s cursor on screen. In an interview with The Journal, Facebook Analytics Chief Ken Rudin said the collected data could be added to the company’s data analytics warehouse. According to the report, Facebook can use the stored data “for an endless range of purposes—from product development to more precise targeting of advertising.” Currently, the company collects two types of data: behavioral and demographic. The new tests would expand Facebook’s ability to collect behavioral data, according to Rudin. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Advocates, Industry Still Doubting DNT Talks (November 1, 2013)

Privacy advocates and the ad industry agree on one thing: the Do-Not-Track (DNT) talks should end, but, The Hill reports, the co-chairmen of the World Wide Web Consortium DNT working group announced that talks will continue. Network Advertising Initiative President Marc Groman, CIPP/US, said the NAI “remains concerned about the lack of progress and transparency in the working group as well as recent stories of arbitrary decisions,” but added, “we will continue to engage to ensure that there is a voice for third parties and digital advertising, small- and medium-sized businesses, the long tail of the Internet and frankly the consumer.”
Full Story