Great Privacy News Highlights
22–31 March 2010
Contents:
US – New U.S. Biometrics Agency Created to Manage DoD-Wide Responsibilities
US – New Hampshire Lawmakers Reject Biometric ID Restrictions
CA – Alberta Ponders Provincial Biometric ID Cards for Homeless
CA – New BC Gov’t Powers Raise Privacy Concerns
CA – B.C. Database Would Lead To Big Brother Scenario, Privacy Group Warns
US – NAI Study Shows Value of Targeted Ads
US – CIO Council Creates Privacy Guidance
CA – Toronto Firm Launches Physician-to-Patient SMS app
UK – Scottish Gov’t Launches Paperless Health Records
US – As Health Data Goes Digital, Security Risks Grow
UK – Survey: Non-Medical Staff ‘Have Access to Health Records’
WW – It Now Takes More Clicks to Escape E-Mail Lists: Study
EU – Privacy Advisor Calls for ‘Privacy by Design’ Laws
UK – European Commission Launches New Privacy Project
UK – Compensation Should Be Paid for Personal Data Loss, Says Report
UK – ICO Announces Plan to Boost IT Expertise
IE – 46% of Irish Don’t Trust Data Protection Laws – Survey
CA – Study Ranks Riskiest Cities for Online ID Fraud
CH – Google Will Redirect Chinese Users to Uncensored Hong Kong Site
WW – Google Official Calls for Action on Web Restrictions
US – U.S. Concerned by Australian Internet Filter Plan
EU – Germany Resists EU Plans to Block Child Porn Sites
EU – EU to Revive SWIFT Talks, Set Up Tracking Program
US – FDIC Shows Banks Lost $120 Million In 3 Months to Online Banking Fraud
US – FINRA Releases Social Networking Guidance
US – Open Government Audit Finds Mixed Results for Obama Administration
US – Senators Leahy and Cornyn Introduce Bill to Reduce FOIA Delays
CA – National Gallery Officials Could Face Charges Over Deleted E-Mails
CA – Camera Ban Missed Privacy Point
US – DEA Approves Interim Electronic Prescription Rule
WW – Should Doctors Google Their Patients?
US – ECMC Breach Affects 5% of Students (3.3m) with Federal Loans
UK – Personal Data Breach Hits 9,000 Barnet Schoolchildren
US – TJX Hacker Gets 20 Years in Prison
IN – Condom e-Store Exposes Customer Data
CA – Toronto Hydro Failed to Protect Privacy, Watchdog Says
CA – Canadians May Get E-Passports in 2011; Security Experts Voice Concerns
UK – Digital Economy Bill Could Block Websites
NZ – Labour Party Rejects Three Strikes Proposal
EU – Cloud Security Weaknesses Prompt Call for Global Data Protection Law
WW – Coalition Pushes Rewrite of Online Privacy Law
US – Lawmakers to Hold Hearings on ECPA Reform
CA – Google Expanding Street View in Canada
EU – Dutch Prosecutors Stop Tapping Lawyers’ Phones
US – NYC Settles Jail Strip-Search Suit For $33 Million
WW – Revised Facebook Policy Hints at Location Tagging
CA – CIPPIC Files Statement of Concern Re: Facebook’s New Privacy Approach
US – Agencies Test Industry’s New ‘You Are Being Targeted’ Icon
UK – Scotland Yard Wants Net Cafés to Spy on Customers
US – Cavoukian on Facebook Privacy
WW – IDRC Gives UK Org $1m for Asian Privacy Network
BR – Phorm Launches Commercial Operations
WW – Microsoft Makes U-Prove Technology Available to Enable Identity with Privacy
US – FTC to Consider New Restrictions on Collecting Data from Children
US – FTC Busts Dave & Buster’s
US – Court to Hear Web ‘Free Speech’ Case
US – U.S. Said to be Eyeing Cybersecurity Ambassador Role
US – Fighting Identity Theft Not a Priority, Report Says
US – Lawmakers Ask for FTC Investigation of Google Buzz
US – Idaho House Limits Information on Driver’s Licenses
WW – Pill with Antenna Ensures Patients Take Meds
UK – Survey Shows 100% of Organizations Targeted for Data Theft
UK – Airport Worker Given Police Warning for ‘Misusing’ Body Scanner
US – TSA Plans to Double Its Use of Whole-Body Scanners
CN – “Octopus” Card Enters China, Raises Privacy Issues
US – DHS Offers Details on Privacy Controls in Its Secret Einstein 3 IDS/IPS
US – EFF to Press for New Privacy Protections Against Hidden Video Surveillance
US – Senator Inspired to Expand Wiretapping Laws to Web-Cams and Online Photos
US – Airport Device Follows Fliers’ Phones
UK – Tax Man Empowered to Open Mail Without Asking Permission
EU – German Court Strikes Blow Against EU Data-Retention Regime
SL – Slovak Manager to Sue Deutsche Telekom over Spying
UK – Police Refuse to Name Sex Offenders on the Run ‘Because of Right to Privacy’
US – Data Security Concerns Persist in IRS IT Systems
US – Survey: Federal CIOs Push Transparency, Struggle with Cyber-Security
US – Legislators, Industry Leaders Disagree on Impact of Privacy Bill, New FTC Powers
WW – New Big Brother Like Service Monitors Employee Use of Social Sites
US – NJ Court: Employee-Attorney E-Mails are Private
EU – German Commission Finds Employee Blood Tests Illegal
Biometrics
US – New U.S. Biometrics Agency Created to Manage DoD-Wide Responsibilities
The role of biometric information in U.S. national security is increasing, and the U.S. government has created the Biometrics Identity Management Agency (BIMA). BIMA, a component of the U.S. Army, will lead Department of Defense activities “to prioritize, integrate, and synchronize biometrics technologies and capabilities and to manage the Department of Defense’s authoritative biometrics database to support the National Security Strategy”; DoD says: “Biometrics is an important enabler that shall be fully integrated into the conduct of DoD activities to support the full range of military operations.” As of last week, the United States has a new government national security agency: the Biometrics Identity Management Agency (BIMA). It supersedes a Biometrics Task Force that was established in 2000. The Federation of American Scientists (FAS) Secrecy News reports that BIMA, although nominally a component of the U.S. Army, has Defense Department-wide responsibilities. “The Biometrics Identity Management Agency leads Department of Defense activities to prioritize, integrate, and synchronize biometrics technologies and capabilities and to manage the Department of Defense’s authoritative biometrics database to support the National Security Strategy,” according to a 23 March Order issued by Army Secretary John M. McHugh, an order which redesignated the previous Biometrics Task Force as the BIMA. [Homeland Security Newswire]
US – New Hampshire Lawmakers Reject Biometric ID Restrictions
The New Hampshire House of Representatives turned down a bill proposed earlier in the year that would have restricted the use of biometric IDs within the state. The New Hampshire legislature was considering a bill that would put severe restrictions on the use of biometric IDs within the state’s borders, limiting such use to employee identification. Rejection of the proposed measure was recommended by the committee that heard the bill’s testimony, and the New Hampshire House killed the proposed legislation by a vote of 267-39. The move came last week, and the results hardly shocked the bill’s co-sponsor, New Hampshire state representative Neal Kurk. “I was disappointed but not surprised. It took several years to implement our existing statutory ban on biometrics in connection with motor vehicle registrations and licenses.” But the New Hampshire lawmaker seems undaunted by this setback, espousing the “live free or die” motto the state is so famous for. “It will take several years to extend it to other areas of government in New Hampshire”, Kurk said of the effort to restrict the use of biometric IDs, “but it will happen.” Kurk would go on to clarify the intent of the rejected bill, noting that it did not seek a wholesale ban on the use of biometric information for identification purposes. “Rather, it’s to allow biometrics in any area of state and local government where they make sense and do not unreasonably invade personal privacy, as determined by the legislature,” asserted Kurk. “In other words, a decision to allow biometrics in New Hampshire should be made by the legislature, not administrative officials in Concord or Washington, D.C.” [Infosecurity Magazine] See also: [Senators Unveil Yet Another Flawed Biometric National ID Card Plan: EFF] and also: [A Gathering Storm – How the UID Project Will Transform India Into a Police State]
CA – Alberta Ponders Provincial Biometric ID Cards for Homeless
Alberta is working on ways to provide ID cards to homeless people that could include biometric samples of fingerprints or facial scans. Housing Minister Jonathan Denis said his department is in discussions with Service Alberta about creating an Alberta ID card for the homeless. Service Alberta Minister Heather Klimchuk said the card would allow homeless people to more easily obtain government ID by making it possible for a social worker to vouch for their identities in the absence of other documentation. It would also allow people to list a homeless shelter as a proxy address, she said. Klimchuk said the card will likely include a photograph, adding the idea of biometrics is also being explored by the government. Fingerprint scans, a type of biometric identification, have been used at the Calgary Drop-In Centre as an entry requirement for almost a year after the shelter noticed its clients kept losing their ID cards. It also allows the centre to keep out people involved with dealing drugs or other criminal activity. The system led to a controversy at the time when a board member and Alberta’s privacy commissioner raised concerns about the creation of a database that would store the information. [Calgary Herald] See also: [AU: A big night out: drinking, dancing, fingerprinting]
Canada
CA – New BC Gov’t Powers Raise Privacy Concerns
In a move that is raising concerns about privacy implications, the British Columbia government presented an 88-page submission seeking expansion of its powers to collect and share citizens’ private information to a special committee reviewing the Freedom of Information and Protection of Privacy Act this week. The Tyee reports that the provincial government has not only proposed the collection of personal information without consent, but also the storage of such information outside of Canada. “It’s the scope of the thing,” said Vincent Gogolek of the Freedom of Information and Privacy Association. “They really are looking to change the basis of the act to remove people’s control over their own information… This is stuff you don’t want bouncing around all over the place.” [Source] [Hansard transcript (blues)] [Times Colonist: BC gov’t push to rewrite the info and privacy law] [CBC: Critics challenge B.C. privacy law proposals] and also: [Ottawa Bureaucrats: no consequence for abusing privacy laws]
CA – B.C. Database Would Lead To Big Brother Scenario, Privacy Group Warns
A government project to merge the personal information of British Columbians who use social services into a giant digital database would result in Big Brother-like scrutiny of citizens, says a provincial privacy advocate. The B.C. Freedom of Information and Privacy Association has called on the province to give more thought to the rollout of the six-year, $181-million Integrated Case Management system, suggesting it could have serious privacy ramifications. “They would know where, what you’re saying, when, how, what you’re reading, what your health is, what your family life’s been like, your educational background – basically everything,” Darrell Evans, the association’s executive director, told reporters this week. “It will be a network of different databases that amounts to complete government scrutiny of your life.” The association and the United Community Services Co-op released a two-year-long, 72-page study funded by the Law Foundation of British Columbia. It makes 11 recommendations to government, social service organizations and their clients on how to proceed on the proposed project. Among them, the study asks the province to refer the database to the B.C. Supreme Court to determine whether it violates privacy protections under the Constitution. It also suggests the province should immediately begin public consultations and carry out a legally required privacy-impact assessment. An official with the B.C. Ministry of Housing and Social Development said staff are reviewing the groups’ recommendations and hope to meet with its representatives. The ministry is also working with the province’s Privacy Commissioner, who has begun the assessment, a spokesman said, speaking on condition of anonymity. [Canadian Press] [FIPA Report: Culture of Care… or Culture of Surveillance?] [http://privacyresearch.wordpress.com]
Consumer
US – NAI Study Shows Value of Targeted Ads
The Network Advertising Initiative (NAI) has released study results that show targeted ads are more valuable than run-of-network ads. The study surveyed 12 ad networks about their 2009 ad revenues, the report states, finding that marketers paid more than twice as much for ads targeted to Web users’ behaviors than for run-of-network ads. “It’s clear that behavioral targeting has the potential to significantly elevate the value of the inventory—to the advertiser, to the publisher and to the network,” said report author Howard Beales, former head of consumer protection at the Federal Trade Commission (FTC). The NAI plans to submit the study to the FTC, which is exploring the privacy implications of behavioral targeting. [MediaPost News]
E-Government
US – CIO Council Creates Privacy Guidance
The Federal Chief Information Officers Council has created a guidance document calling for privacy protections to be built into new or modified systems within the federal enterprise architecture. According to the report, the guidance would establish “Privacy Control Families” that would be based on Fair Information Practice Principles. The document has been approved by the CIO Council’s privacy committee, but awaits approval by the full council. Roanne Shaddox, a privacy specialist at the Federal Deposit Insurance Corporation, provided an overview of the initiative at a trade show in Washington, DC, yesterday. [Federal Computer Week] [v2 – June 2006] See also [US: Kundra Encouraged by Private-Sector Cloud Efforts for Government]
Electronic Records
CA – Toronto Firm Launches Physician-to-Patient SMS app
The MobiSecure app from Toronto-based Diversinet, which was officially launched earlier this week at the International CTIA Wireless conference in Las Vegas, is currently being tested by The Blue Sky Family Health Team in North Bay, Ont. The MobiSecure SMS app is designed to allow patients to keep up to date on their personal health records via their mobile phone. In addition to improving the patient-physician relationship, the app also seeks to address the secure messaging needs of the health-care industry, Diversinet said. With the app, users can receive appointment reminders, test results, prescription information, immunization records, allergy information, and other related medical data. For users involved in a medical emergency abroad, the app will be able to connect back to a patient’s medical history and information about insurance coverage. In terms of privacy and security, Diversinet said the app features strong mobile encryption and two-factor bilateral authentication. The app will be PIN-protected for the patient, while the physician is able to confirm delivery via read confirmations. [Source]
UK – Scottish Gov’t Launches Paperless Health Records
In spite of privacy concerns and delays with a similar project in England, a £44 million electronic data system intended to make the NHS paper-free has been launched by the Scottish government. The British Medical Association in Scotland has said that while there are advantages to the electronic system, there is serious concern across the UK about confidentiality and access to online records, the report states. According to the privacy advocate group Big Brother Watch, as many as 140,000 non-medical staff can access patient files in England, and those files will become even easier to access through the new NHS database. [The Times]
US – As Health Data Goes Digital, Security Risks Grow
Over the next four years, the amount of personal medical information online will increase exponentially, opening up new avenues for hackers to expose personal data that, unlike financial information, can result in a permanent violation of privacy. It’s not so much the quantity of information that could be a problem; it’s the different sources of data, the diversity of that data and the various network infrastructures on which it resides that could overwhelm the U.S. health system and pose significant risks to privacy, according to Sia Zadeh, director of business development for security software vendor Axway Inc. According to a recent report by IDC’s Health Industry Insights division, health care providers believe it will take a major security scandal to compel organizations to take security seriously. A major health care data breach is inevitable, said Dr. William Braithwaite. He wrote portions of the Health Insurance Portability and Accountability Act of 1995 (HIPAA) and has since contributed to federal health care regulation. “As we build EHRs, that puts more information in place, so the risk that someone will go after that information increases,” said Braithwaite, now chief medical officer with security software vendor Anakam Inc. “If we don’t understand the threat model we’re dealing with, we’re leaving the back door open; in fact, there will be no back door because they’re already in the house.” [Source] See also: [Deborah Peel in NYT: Opinion: Do-Not-Disclose Registry Needed] and [Expert: Access Control Key to Protection of Online Medical Data] and [OIPC BC – Investigation Report F10-02 – Review of the Electronic Health Information System at Vancouver Coastal Health Authority Known As The Primary Access Regional Information System (“PARIS”)]
UK – Survey: Non-Medical Staff ‘Have Access to Health Records’
More than 100,000 non-medical staff in NHS Trusts have access to confidential patient records, according to a recent Big Brother Watch Survey. “The number of non-medical personnel with access to confidential medical records leaves the system wide open for abuse,” said Big Brother Watch’s director. But a government spokesman said the NHS’s use of smartcards means that “when managed properly, it is not possible for an unauthorized member of staff to see clinical information.” The Information Commissioner’s Office (ICO) said it is vital that medical records remain private and secure. [BBC News] See also: [Should Medical Professionals Examine Their Patients’ Online Lives? – Harvard Review of Psychiatry]
WW – It Now Takes More Clicks to Escape E-Mail Lists: Study
A study of 100 large online retailers has shown that five times more are requiring at least three clicks to escape from e-mail marketing lists than in 2008. The Responsys survey also indicates that the number requiring just one click to be removed from an e-mail list has dropped to three percent, down six percent in that same time period. The report states that while retailers may not want to let their subscribers get away too easily, Chad White of Responsys recommends they let customers leave with two clicks or fewer as the time it takes to opt out is “being measured against that one click on their report spam button.” [New York Times]
EU Developments
EU – Privacy Advisor Calls for ‘Privacy by Design’ Laws
Data protection laws should change to force people creating new technologies to design privacy features into them, the EU’s data protection advisor has said. European Data Protection Supervisor (EDPS) Peter Hustinx has told the European Commission that the law should change, and be applied to three areas of technology development as a priority. These are social media, RFID and targeted advertising. The EDPS has adopted an opinion and submitted it to the Commission, which is developing a ‘digital agenda’ to guide its government of emerging and existing technologies. “Although the EU has a strong data protection regulatory framework, in many instances ICTs raise new concerns that are not accounted for within the existing framework. Further action is therefore necessary,” said the office of the EDPS in a statement. “To significantly minimise the risks and to secure users’ willingness to rely on ICTs [information and communication technologies], it is crucial to integrate, at practical level, data protection and privacy from the very inception of new ICTs,” said Hustinx. “This need for a ‘Privacy by Design’ approach should be reflected in the EU data protection legal framework at different levels of laws and policy making.” “Privacy by Design needs to be explicitly included as a general binding principle into the existing data protection legal framework,” said the EDPS statement. “This would compel its implementation by data controllers and ICT designers and manufacturers while offering more legitimacy to enforcement authorities to require its effective application in practice.” “Privacy by Design should also be fully endorsed by the forthcoming European Digital Agenda and become a binding principle in future EU policies,” it said. Hustinx said that the change was vital if users were going to learn to trust emerging information services. [Source]
UK – European Commission Launches New Privacy Project
Emerging technologies offer significant benefits but also risks to our privacy. How to deal with these risks is the subject of a new three-year project funded by the European Commission. Called PRESCIENT, the project will be considering the privacy implications of emerging technologies such as new identification and surveillance technologies, biometrics, on-the-spot DNA sequencing and technologies for human enhancement. “New technologies can often be used in a way that undermines the right to privacy because they facilitate the collection, storage, processing and combination of personal data by security agencies and businesses,” says Michael Friedewald, head of the ICT research unit at the Fraunhofer Institute for Systems and Innovation Research (ISI) and co-ordinator of the project. “We have seen that with the rise of social networking websites such as Facebook, MySpace and Bebo. They have led to a dramatic increase in the amount of personal information available online, which is routinely misappropriated for identity theft or other fraudulent purposes. We know that employers also mine these sites in order to vet prospective employees. RFID and biometrics can also be used in ways invidious to our privacy.” “The use of these new technologies is changing the ways in which we understand privacy and data protection. It is not sufficient to look at privacy as only a legal or human right. We need to reconceptualise privacy in ethical, social, cultural and other dimensions and to see how these different conceptualisations impact each other and how they can be bridged. We think part of the solution is much wider use of privacy and ethical impact assessments before new technologies or projects involving personal data are undertaken.” PRESCIENT is the acronym for Privacy and Emerging Sciences and Technologies. The project aims to establish a new framework for privacy and ethical considerations arising from emerging technologies. 
The project will identify and analyse ethical issues posed by new technologies and discuss them with interested stakeholders and, in due course, provide scientifically based recommendations to policy makers on how to address privacy issues of emerging technologies. [darkreading.com]
UK – Compensation Should Be Paid for Personal Data Loss, Says Report
Compensation should be paid to anyone whose personal details are lost by the Government or a private company, according to a report backed by the information watchdog. Putting a price on privacy will deter organisations from losing or abusing people’s personal details, the influential think tank Demos found. The recommendation comes amid increasing concern that there has been a dramatic expansion of a “surveillance society”, which threatens to erode civil liberties. The report Private Lives, published today, recommended that consumers affected by the misuse or illicit sale of information should be compensated. It has also advocated giving consumers more say over how their data is used. More consent should be required before personal data such as medical data and banking details are released, according to the findings. Regulators should be required to name companies and government departments who mishandle information and produce a ‘Top 100 named and shamed’ list. Furthermore, the Information Commissioner’s Office should have new powers to administer fines for misuse of information. The report, commissioned by the ICO and Consumer Focus, the Government-backed watchdog, also recommended a kite-marking scheme, similar to the Food Standards Agency’s hygiene rating system, to help people make better consumer decisions about how trustworthy particular organisations are. [Source] [DEMOS Report]
UK – ICO Announces Plan to Boost IT Expertise
The Information Commissioner’s Office (ICO) will be staffing its policy and strategy division with more technical experts as part of its reorganisation process. Speaking before the Home Affairs Select Committee, Information Commissioner Christopher Graham said this technical expertise will help the ICO be more forward-looking and “spot the next big thing before it becomes a huge problem.” Graham noted that while government entities have improved data protection processes, he does not expect issues around data-sharing to go away, the report states. The challenge, he said, is for the ICO to ensure “that what is proposed is proportionate, privacy friendly and thought through and complies with the Data Protection Act.” [Kable]
Facts & Stats
IE – 46% of Irish Don’t Trust Data Protection Laws – Survey
Almost half of Irish Computer Society members taking part in a recent survey said they were not confident they would be contacted should their personal information be compromised in a data breach. Unveiled at the Annual Data Protection Conference yesterday, the March 2010 survey also found that 81% of respondents said legislation should be enacted requiring organisations to notify the Data Protection Commission after a breach. Customers should be notified as well, 80% of respondents said. “Companies need to realize the importance of data protection in their companies and give it the time and training it deserves,” said the Irish Computer Society’s CEO. [SiliconRepublic]
CA – Study Ranks Riskiest Cities for Online ID Fraud
When it comes to online identity fraud, Burlington, Ontario, has made the top of the list for Canada’s riskiest cities. A recent study from Symantec has revealed the country’s top 10 cities most vulnerable to ID theft, the report states. While the list does include large cities, the study found that residents in wealthier suburbs had more access to computers and the Internet and were at greater risk for identity fraud. After Burlington, the remaining top 10 are Port Coquitlam, Langley and Vancouver, BC; Calgary, AB; Oakville, Markham and Toronto, ON; Kelowna, BC, and Kitchener, ON. [Edmonton Sun]
Filtering
CH – Google Will Redirect Chinese Users to Uncensored Hong Kong Site
Google will stop censoring Internet search results for its Chinese users. Instead, users will be redirected to Google’s Hong Kong-based search engine. Although Google has been negotiating with the Chinese government about unfiltered search results, the government there “has been crystal clear … that self-censorship is a non-negotiable legal requirement.” Hong Kong is an administrative region of China, but has its own economic and political systems. Therefore, the search engine is under Hong Kong’s jurisdiction. Google plans to keep its Chinese research and development and sales teams. [Washington Post] [Information Week] [NY Times] [Secure Computing] UPDATE: China has responded quickly to Google’s actions and is now blocking access to Google.com.hk. This is an interesting page on Google’s site to see what China is blocking:
WW – Google Official Calls for Action on Web Restrictions
A top Google executive this week called for new rules to put pressure on governments that filter the Internet, saying the practice was hindering international trade. Alan Davidson, director of United States public policy for Google, told a joint Congressional panel that the United States should consider withholding development aid for countries that restrict certain Web sites. [NY Times]
US – U.S. Concerned by Australian Internet Filter Plan
The United States has raised concerns with Australia about the impact of a proposed Internet filter that would place restrictions on Web content, an official said this week. The concerns of Australia’s most important security ally further undermine plans that would make Australia one of the strictest Internet regulators among the world’s democracies. [AP]
EU – Germany Resists EU Plans to Block Child Porn Sites
Germany’s justice minister is fighting EU plans to block access to child pornography sites because she doesn’t think the measures would work. She wants such sites shut down instead. The opposition Greens and SPD party agree with her. [Spiegel Online]
Finance
EU – EU to Revive SWIFT Talks, Set Up Tracking Program
The European Commission (EC) has revived negotiations on sharing banking data with the U.S. Citing data privacy concerns, the EU Parliament last month rejected the so-called SWIFT deal, which would have enabled the continued transfer of transaction data from the Belgium-based Society for Worldwide Interbank Financial Transactions (SWIFT) to the U.S. for use in counter-terrorism efforts. The EC adopted a mandate yesterday to begin new negotiations with the U.S. EU justice commissioner Viviane Reding said the new deal would address parliamentarians’ data privacy concerns and would require reciprocity in the sharing of data. “We would like to set up our own [terrorist financing tracking program,]” Reding said. [New York Times] See also: [Foreign Policy Journal: Washington Murdered Privacy At Home And Abroad]
US – FDIC Shows Banks Lost $120 Million In 3 Months to Online Banking Fraud
FDIC Examiner Dave Nelson reported March 5 that malware on customer computers cost banks more than $40 million each month during the last full quarter for which he had data, July-September 2009. The FDIC receives confidential reports from financial institutions, from which Nelson’s estimates were generated. The hackers trick people into opening weaponized emails or into visiting web sites where their systems are infected. Nelson said business accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses – $25 million in the 3rd quarter of 2009. Hackers target small businesses where the security controls are weak. [ComputerWorld] [Krebs on Security] [BankInfoSecurity: 22 Banking Breaches So Far in 2010 – Hacking, Insider Theft Continue to be Top Trends]
US – FINRA Releases Social Networking Guidance
The Financial Industry Regulatory Authority (FINRA) has issued guidance for financial institutions on how to develop social media policies. Regulatory Notice 10-06 covers the use of blogs and social networks. FINRA’s Social Networking Task Force collaborated on its creation. “While many firms may find that the guidance in this notice is useful when establishing their own procedures, each firm must develop policies and procedures that are best designed to ensure that the firm and its personnel comply with all applicable requirements,” the notice states. [BankInfoSecurity] See also: [Phishers Used Facebook to Penetrate Financial Firm’s Computer System]
FOI
US – Open Government Audit Finds Mixed Results for Obama Administration
Here’s a not-so-tiny tidbit of data that’s getting lost in the White House-driven public frenzy over healthcare legislation this month: The White House Democratic administration of Barack Obama, who denounced his presidential predecessor George W. Bush as the most secretive in history, is now denying more Freedom of Information Act requests than the Republican did. One of the exemptions allowed to deny Freedom of Information requests has been used by the Obama administration 70,779 times in its first year, while the same exemption was used 47,395 times in Bush’s final budget year. An Associated Press examination of 17 major agencies’ handling of FOIA requests found denials 466,872 times, an increase of nearly 50% from the 2008 fiscal year under Bush. On March 16, to mark annual Sunshine Week, which is designed to promote openness in government, Obama applauded himself by issuing a statement: “As Sunshine Week begins, I want to applaud everyone who has worked to increase transparency in government and recommit my administration to be the most open and transparent ever, an effort that will strengthen our democracy and ensure the public’s trust in their government.” However, a new study out March 15 by George Washington University’s National Security Archive finds that less than one-third of the 90 federal agencies that process such FOIA requests have made significant changes in their procedures since Obama’s 2009 memo. [Los Angeles Times] [Under Obama, FOIA Requests Down 11% But Rejections Up 50%] [National Security Archive FOIA Audit] and also: [Ottawa Bureaucrats: no consequence for abusing privacy laws]
US – Senators Leahy and Cornyn Introduce Bill to Reduce FOIA Delays
Senators Patrick Leahy and John Cornyn have introduced the Faster FOIA Act of 2010, S. 3111, which would establish a panel to examine agency backlogs in processing FOIA requests. Government reports reveal substantial agency delays in disclosing FOIA records. The bill came at the beginning of Sunshine Week, a national observance of the importance of open government. EPIC makes frequent use of the FOIA to obtain information about privacy issues. EPIC celebrated Sunshine Week by publishing the EPIC FOIA Gallery: 2010. [Faster FOIA Act, S. 3111] [Faster FOIA Act Press Release]
CA – National Gallery Officials Could Face Charges Over Deleted E-Mails
An investigation by the federal information commissioner has concluded there is evidence National Gallery officials broke the law in 2008 by destroying e-mails sought in an Access to Information request. And in a precedent-setting move, interim commissioner Suzanne Legault has referred the matter to the attorney general to determine if charges should be laid. Penalties include fines of up to $10,000 and two years in jail. [The Ottawa Citizen]
CA – Camera Ban Missed Privacy Point
Last week’s widely reported ruling by Judge Tim Preston that cameras will not be permitted into the Brian Sinclair inquest hinged largely on a desire to protect the privacy rights of witnesses. But what if some individual witnesses don’t have privacy concerns and actually want their testimony broadcast to the world? A group of media outlets, supported by Brian Sinclair’s family, argued that cameras should be allowed in the inquest so that as many people as possible could watch the proceedings. The Manitoba Nurses Union and the Winnipeg Regional Health Authority opposed the use of cameras. Both sides made compelling arguments before Judge Preston. But the arguments put forward by both sides were essentially one-size-fits-all scenarios. The media outlets argued that cameras should be permitted to broadcast all witnesses. The Manitoba Nurses Union and WRHA argued that cameras shouldn’t be permitted to broadcast any witnesses. Judge Preston was essentially asked to pick a side. In doing so, he recognized that “privacy has many facets …” and that “serious and valid privacy and security concerns are at stake when the image or the words of a witness are broadcast to the world.” But through all the court arguments and public debate on this issue, the basic privacy principle of “consent” was overlooked. [Winnipeg Sun]
Health / Medical
US – DEA Approves Interim Electronic Prescription Rule
The Drug Enforcement Agency (DEA) has unveiled an interim final rule that would make it easier for physicians to e-prescribe controlled substances. The rule requires two-factor authentication as a replacement for doctors’ signatures and allows for biometric identifiers – such as fingerprints, iris scans or handprints – to be used as acceptable forms. That change aims to alleviate concerns raised by providers about in-person authorization requirements included in a 2008 notice of proposed rulemaking. [Government Health IT]
WW – Should Doctors Google Their Patients?
By now, it’s well known that almost anyone you meet – from a potential employer to a prospective date – might be searching for information about you online. But would you feel strange knowing that your doctor was Googling you? The practice appears to be widespread, according to an essay in the latest edition of the Harvard Review of Psychiatry, and it raises some thorny ethical questions for doctors, particularly those dealing with mental health. In some cases, what the authors call “patient-targeted Googling” is clearly beneficial – for example, when a patient is blogging about her suicidal thinking, or when an unconscious person comes into an emergency room with scant identification. But in other cases, the authors write, doctors are motivated by “curiosity, voyeurism and habit.” In the paper, the authors – Dr. Brendel and fellow doctors Benjamin Silverman and Brian Clinton – outline a framework that doctors, psychiatrists in particular, can use to help decide whether to conduct an Internet search on a patient. [Wall Street Journal] [Google and Facebook raise new issues for therapists and their clients]
Horror Stories
US – ECMC Breach Affects 5% of Students (3.3m) with Federal Loans
A Minnesota company that processes loans for students nationwide has reported a major theft of “personally identifiable information” involving 3.3 million students after a break-in last weekend at its Oakdale headquarters. U.S. Department of Education officials said it is believed to be one of the biggest cases of student identity theft in the nation, affecting 5% of all students with federal loans in the United States. ECMC, founded 16 years ago as Educational Credit Management Corp., said Friday that the stolen data include names, addresses, dates of birth and Social Security numbers. No bank account or other financial information was included in the data. In an e-mail Friday to several members of Congress that was obtained by the Star Tribune, company chief executive Richard Boyle said the theft occurred from a “secured location at ECMC involving portable media with ECMC student loan borrowers’ personally identifiable information.” [Minneapolis Star Tribune]
UK – Personal Data Breach Hits 9,000 Barnet Schoolchildren
Barnet Borough Council has confirmed a data breach surrounding 9,000 Year 11 students attending its schools between 2006 and 2009. The data breach occurred when a council worker experienced a domestic burglary earlier in March, resulting in the loss of encrypted computer equipment and unencrypted CD-ROMs and USB memory sticks holding the data. The breadth of the personal data lost in the breach is wide, and includes surnames, forenames, gender, date of birth, address, postcode, telephone number, ethnicity, in-care indicator, language, gifted and talented indicator, mode of travel to school, entry date to school, special educational needs indicator, and school. The council worker in question has now been suspended. [PublicTechnology]
US – TJX Hacker Gets 20 Years in Prison
Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison this week for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers. The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided. Gonzalez’s sentencing this week follows two others related to the TJX hacks. Last December, Stephen Watt, a former coder for Morgan Stanley, was sentenced to two years in prison for providing the sniffer that Gonzalez used in the TJX hack. Watt was also ordered to pay restitution to TJX, jointly with other accomplices, in the amount of $171.5 million. Earlier this month, Humza Zaman, a former network security manager at Barclays Bank, was sentenced to 46 months in prison and fined $75,000 for serving as a money courier for Gonzalez. He was charged with laundering between $600,000 and $800,000 for Gonzalez. On Friday, Gonzalez will be sentenced in another case involving breaches at Heartland Payment Systems – a New Jersey card-processing company – Hannaford Brothers supermarket chain, 7-Eleven and two national retailers that are unidentified in court documents. These hacks involved more than 130 million debit and credit card numbers. He faces a likely sentence of between 17 and 25 years in that case. Under the plea agreements, the sentences will be served concurrently. [Source]
IN – Condom e-Store Exposes Customer Data
An Indian Web site that sold Durex condoms has threatened legal action against the person who exposed a data breach on the site. Earlier this month, a user of the site noticed that he could view customers’ names, addresses, contact numbers and order details. Kohinoorpassion.com fixed the problem after the whistleblower notified all involved parties of the breach. Meanwhile, Durex says in a notice to customers on its India e-Store Web site that it has put modifications in place to “ensure that unauthorized access cannot happen again.” Durex’s parent company and a local marketing agency have jointly accused the whistleblower of downloading customer details, which he disputes. [The Register]
CA – Toronto Hydro Failed to Protect Privacy, Watchdog Says
Ontario’s privacy watchdog says Toronto Hydro Corporation must fix the “security shortcomings” that led to a breach of its e-billing system last year. According to the report from the Information and Privacy Commissioner of Ontario, two major breaches led to the privacy scare. First, an unauthorized third party obtained account numbers for all of Toronto Hydro’s 640,000 customers. Secondly, 179,000 of those numbers were used to create online billing accounts for customers without their consent. At the time, Toronto Hydro had no measures in place to make sure the account number was being used by the correct customer, investigator Mark Ratner wrote in his report. A customer simply had to enter his or her account number and create a user ID and password to view a bill. So instead of serving only the customers it was intended for, the e-billing system gave unauthorized parties access to the addresses, charges, electricity use, and names of 179,000 Toronto Hydro customers. [Source]
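As an added illustration (not code from the commissioner’s report or from Toronto Hydro’s system), the enrolment flow the report describes sits beside a hardened version that binds enrolment to a one-time code the customer receives out of band, for example printed on the mailed paper bill; the account numbers, codes and server key are constructed for the example.

```python
import hashlib
import hmac

MAX_ATTEMPTS = 5
# Constructed server-side key for the keyed hash; a real deployment keeps it in a secret store.
SERVER_KEY = b"example-only-server-key"


def code_tag(enrol_code):
    """Keyed hash of an enrolment code so the stored value is useless without SERVER_KEY."""
    return hmac.new(SERVER_KEY, enrol_code.encode(), hashlib.sha256).hexdigest()


def make_accounts():
    """Constructed sample records (not the utility's real data): account number -> state."""
    return {
        "1000-2345": {"enrolled": False, "attempts": 0, "tag": code_tag("K7Q2-9XLM")},
        "1000-6789": {"enrolled": False, "attempts": 0, "tag": code_tag("P3ZR-44TN")},
    }


def weak_enrol(accounts, account_no):
    """The flaw described in the report: knowing the account number alone is enough to claim it."""
    acct = accounts.get(account_no)
    if acct is None or acct["enrolled"]:
        return "rejected"
    acct["enrolled"] = True
    return "enrolled"


def hardened_enrol(accounts, account_no, enrol_code):
    """Require a code delivered out of band, count failures per account, lock after MAX_ATTEMPTS."""
    acct = accounts.get(account_no)
    # An unknown account and a wrong code get the same answer, so the form cannot be used
    # to confirm which account numbers exist.
    if acct is None or acct["enrolled"] or acct["attempts"] >= MAX_ATTEMPTS:
        return "rejected"
    if not hmac.compare_digest(code_tag(enrol_code), acct["tag"]):
        acct["attempts"] += 1
        return "locked" if acct["attempts"] >= MAX_ATTEMPTS else "rejected"
    acct["enrolled"] = True
    return "enrolled"


def exposure(accounts, enrol_fn):
    """Risk check: how many accounts could be claimed by someone holding the full list of
    account numbers but none of the enrolment codes (the situation the report describes)."""
    return sum(enrol_fn(accounts, n) == "enrolled" for n in list(accounts))
```

Run `exposure(make_accounts(), weak_enrol)` against `exposure(make_accounts(), lambda a, n: hardened_enrol(a, n, "0000-0000"))` to see every account claimable under the first design and none under the second.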