Wednesday, August 31, 2005

Irish bank and VISA develop a disposable credit card

Here's a product that should reduce some fears about shopping online: An Irish bank and VISA international have developed and tested a new personal finance product that is remarkably similar to prepaid cellular service or some long-distance cards. You set up an account, load it up with cash, and use it until it's empty. No credit check required, since it isn't credit. You can top it up or chuck it away when it's empty. The card is accepted by all Visa vendors and using it presents very little risk of fraud. All that's at risk is the balance on the card. No word on whether it will be as anonymous as long-distance cards, but it'll offer some protection for the paranoid and will enable people who don't have credit cards to book flights online and buy junk from eBay. More info: Disposable credit card? That'll do nicely | The Register.

Appealing to customers' sense of privacy

While watching CNN's coverage of the hurricane damage, I caught an ad for a company named e-loan. "Protecting Customer Privacy" was front and centre in the ad and I wandered over to the company's website. I can't say whether the company lives up to its commitment, but I am impressed with the stance they have taken and the things they say in the company's online privacy policy.

E-LOAN privacy policy:

"PRIVACY POLICY SUMMARY

E-LOAN is dedicated to protecting the privacy of your information. E-LOAN is a licensee of the TRUSTe Privacy Program. TRUSTe is an independent, non-profit organization whose mission is to enable individuals and organizations to establish trusting relationships based on respect for personal identity and information by promoting the use of fair information practices. This privacy statement covers the site www.eloan.com. Because this website wants to demonstrate its commitment to your privacy, it has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe.

We do not sell or share your information with third party marketers. So, there is no need for you to ask us not to. In fact, there is no need for you to opt-out of any information sharing because, unlike most financial institutions, we provide you with an opt-in. This means we won't share your information unless you explicitly tell us to, even though the law allows financial institutions to share your information unless and until you tell them not to. Additionally, although the law allows financial institutions to share your information with other financial institutions under a 'joint marketing agreement' without your consent, we don't.

Because we feel that current laws are inadequate in protecting your privacy, we've taken the liberty of providing you more privacy protections than the law requires. Now that you know some things we don't do, here's what we do: ..."

One thing to add, though: The TRUSTe program only applies to websites, so the TRUSTe seal does not extend to any licensee's offline activities.

Is HIPAA, the patients' privacy law, getting in the way of police work?

Today's Gainesville Sun asks the question: Is HIPAA, the patients' privacy law, getting in the way of police work? The answer is "probably". (I can hear in my head some people saying "the Constitution gets in the way of police work; that's what it's supposed to do.") One of the big problems is that hospitals interpret the law in very different ways, leaving police scratching their heads. We have the same problem with PIPEDA, particularly when the consent exceptions are oddly worded and lend themselves to broadly divergent interpretations.

While this will not give the police the carte blanche access they want, hospital associations should make an effort to come up with a consistent interpretation of HIPAA so that the ground rules are understood by all. I have seen some hospital counsel who may have a great facility with general health and employment law issues, but don't grasp the nuances of how privacy laws affect their operations. Without this, patients get different protections at different hospitals and, I expect, the police are sometimes left scratching their heads when an inquiry is accepted at one facility but not at another.

The role of banks in fighting ID theft

Bank Systems & Technology is running a very good article on the role of banks in fighting identity theft. The intended audience is bank CTO/CIOs, but it should be read by a wider audience.

It wisely says that security of personal information is not just a technology issue. It is a people issue and a cultural issue. You have to get everyone involved. It also requires going back to the beginning and looking at your information holistically. Ask yourself whether you really need all that information in the first place. Tax laws may require the bank to have the customer's SSN/SIN, but there really is no reason to have it accessible by tellers or included in ordinary databases. Since most breaches involve insiders, limit access to the bare minimum that is required to support your operations. All good practices.

Read the article here: Bank Systems & Technology : Maximum Security.

New charges in ChoicePoint case

A grand jury in Los Angeles has returned a new indictment against Olatunji Oluwatosin, charging the man with twenty-two counts of identity theft and other miscellaneous crimes in connection with the very high profile ChoicePoint breach. This indictment replaces the previous one, which included only four counts of identity theft. In February, Oluwatosin pleaded "no contest" to one charge of identity theft and is presently serving a sixteen month sentence.

More info: New charges in ChoicePoint identity theft case - Consumer Security - MSNBC.com.

EPIC petitions FCC on sale of phone records

Last month, I blogged about the fact that a number of companies online are selling telephone records without the consent or knowledge of the individuals concerned. The records appear to be obtained by "pretexting" or from employees of the telcos (See: The Canadian Privacy Law Blog: Online Data Gets Personal: Cell Phone Records for Sale). Now, the Electronic Privacy Information Center is petitioning the FCC to put a stop to the practice. Read about it at Red Herring: FCC's Privacy Petition.

In the US, not all medical info is private

Another good link from HIPAA Blog: Bankrate.com, a publication for the banking industry, ran an article yesterday on what is not covered by HIPAA in the US and the many loopholes that exist in the law. Check it out: Private medical information isn't so private.

Tuesday, August 30, 2005

"Prefetching" webpages

For some time, Google has had a feature that allows you to search for a term and automatically be redirected to the top scoring page. It's called "I feel lucky." I don't know how often it is used, but I'd guess often enough for Google to keep it there on the default search page.

In an effort to speed up browsing, Google is implementing "prefetching" of top search results. They'll put in a link that is, in effect, a command to your browser that it should go and retrieve the top result in the background so it'll already be loaded if you click on it. Sounds convenient. But it has more than a few SlashDotters worried. To anyone reviewing your cache or looking at your network connection (such as a sysadmin), it looks as though you manually surfed to that page, which may not reflect well upon you. It will really depend upon what you search for, but there are a number of other unpleasant possibilities of this "feature". Anybody can capriciously put tags into their pages and have completely unknown pages loaded onto your computer. I could put this on my page: <link rel="prefetch" href="http://www.someplacenasty.com/"> and whoever reviews the firewall logs at your workplace will think you're up to no good. Or I could prefetch a link to an advertiser from my site so it'll look like every visitor has clicked on an ad, putting pennies in my pocket.

The "prefetch" function is enabled by default in Mozilla browsers such as Firefox. I don't think that IE has this feature, but it may in future versions. Users would be sensible to disable it.

See: Slashdot | Google Prefetching for Mozilla Browsers;

See: Google Information for Webmasters; and

See: Link Prefetching FAQ.
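For whoever reviews the logs in the scenario above: Mozilla's Link Prefetching FAQ documents that the browser marks each prefetch request with an X-moz: prefetch header. The sketch below is an added example, not part of the original post; it separates hosts that were only ever prefetched from hosts a user actually requested, using constructed request captures (the client addresses, the .example host names and the function names are assumptions).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: request heads as a header-logging proxy might record them.
# Client addresses and host names are made up for this example.
SAMPLE_CAPTURE = [
    ("10.0.0.21", "GET http://blog.example/post.html HTTP/1.1\r\n"
                  "Host: blog.example\r\n\r\n"),
    ("10.0.0.21", "GET http://unwanted.example/ HTTP/1.1\r\n"
                  "Host: unwanted.example\r\nX-Moz: prefetch\r\n\r\n"),
    ("10.0.0.22", "GET /top-result.html HTTP/1.1\r\n"
                  "Host: news.example:80\r\nx-moz: prefetch\r\n\r\n"),
    ("10.0.0.22", "GET /top-result.html HTTP/1.1\r\n"
                  "Host: news.example:80\r\n\r\n"),
    ("10.0.0.22", "not an http request"),
]


def parse_request_head(raw):
    """Return (method, host, headers) from the text of one HTTP request head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive, so normalise them.
            headers[name.strip().lower()] = value.strip()
    # A proxy sees absolute-form targets; otherwise fall back to the Host header.
    host = urlsplit(target).hostname or headers.get("host", "").split(":")[0]
    return method, host.lower(), headers


def is_prefetch(headers):
    """True when the browser labelled the request as a background prefetch."""
    return headers.get("x-moz", "").lower() == "prefetch"


def triage(capture):
    """Per client, list hosts really visited and hosts that were only prefetched."""
    seen = defaultdict(lambda: {"visited": set(), "prefetched": set()})
    for client, raw in capture:
        try:
            _method, host, headers = parse_request_head(raw)
        except ValueError:
            continue  # skip records that are not HTTP request heads
        bucket = "prefetched" if is_prefetch(headers) else "visited"
        seen[client][bucket].add(host)
    report = {}
    for client, hosts in seen.items():
        report[client] = {
            "visited": sorted(hosts["visited"]),
            # A host also requested without the marker counts as visited.
            "prefetch_only": sorted(hosts["prefetched"] - hosts["visited"]),
        }
    return report


if __name__ == "__main__":
    for client, result in triage(SAMPLE_CAPTURE).items():
        print(client, result)
```

The marker is set by the browser, so it is a triage hint rather than proof either way, and it only helps if the proxy records request headers.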

Monday, August 29, 2005

US Federal Data Miners Urged To Better Address Citizen Privacy

The US GAO is chastising a number of US government agencies for not following privacy laws when using citizen information for data mining. From InformationWeek (via Privacy.org): InformationWeek > Data Mining, Privacy > Federal Data Miners Urged To Better Address Citizen Privacy > August 29, 2005.

Teenagers and access to their own health information

HIPAA Blog is pointing to a very interesting and lengthy article from the Wall Street Journal (but reprinted in the Pittsburgh Post-Gazette) on the legal minefield associated with the medical records of teenagers. Check it out here: Parents barred from teen health files.

Incident: CSU Warns Financial Aid Recipients Of Possible Security Breach

I thought it had been a little while since I'd heard of a new privacy/security incident at a university. I knew it wouldn't be long: NBC11.com - Education - CSU Warns Financial Aid Recipients Of Possible Security Breach.

Grand Theft Identity

The upcoming September 5, 2005 edition of Newsweek magazine is running an extensive feature on identity theft, including a number of related stories. The focus is on companies that, in its words, fail to protect the privacy of consumers:

Grand Theft Identity - Newsweek: International Editions - MSNBC.com:

"Grand Theft Identity

Be careful, we've been told, or you may become a fraud victim. But now it seems that corporations are failing to protect our secrets. How bad is the problem, and how can we fix it?"

Car Black Boxes, Redux

Rob Hyndman is pointing to an interesting story about a new use for in-car black boxes: to monitor and rehabilitate drivers who habitually run afoul of the law. See his post here: Car Black Boxes, Redux.

Sunday, August 28, 2005

Does Canada Need a No-Fly List?

Mathew Englander, whom many of the readers of this blog may know because of his mostly-successful fight against his phone company and the Privacy Commissioner that wound up in the Federal Court of Appeal, has recently put some of his thoughts on the proposed Canadian No Fly List on his website. Check it out at: Mathew Englander -- Does Canada Need a No-Fly List?.

Privacy Risks of Used Cell Phones

A few months ago, I used a loaner Blackberry for a week or so. When I was bored and fiddling around with it, I discovered the "saved messages" folder on the device had about a dozen e-mails in it from a previous user. Not good. I deleted them all and then did a bit of research to make sure that I didn't leave any data behind when I returned it.

This has just happened on a massive scale, according to Schneier on Security. He's blogging about a recent incident that has more than a few cellular customers hopping mad. When trading up, customers of a certain cellular provider were asked if they wanted to donate their older phones to charities, such as local women's shelters. The phones ended up on eBay and the company didn't even bother purging the phones of data. Not good in more ways than one. See Schneier on Security: Privacy Risks of Used Cell Phones.

San Fran Chronicle wants RFID privacy bill back on the agenda

I blogged yesterday about the shelving of SB 682 in the California legislature (See: The Canadian Privacy Law Blog: California legislature shelves RFID ban). Today, the San Francisco Chronicle has a strong editorial demanding that it be put back on the legislative agenda and urging readers to contact their legislators about it:

FOLLOW-UP / Don't hide this privacy bill:

"... Should the state have the ability to track your movements with tiny radio transmitters? This is the essence of the debate behind Senate Bill 682, which reaches a critical juncture today in the Assembly Appropriations Committee. The bill, authored by Sen. Joe Simitian, D-Palo Alto, would wisely put some restrictions and safeguards on government's use of radio frequency identification (RFID) technology. Simitian's bill was inspired by the controversy that erupted when middle-school students in Sutter County were required to wear badges that allowed the school to track their movements around campus. The school board last year scrapped the experimental program in the face of parental objections, but the implications of expanded government use of this technology are truly chilling."

Researchers say distorting biometric images enhances security, privacy

Biometrics are lauded as among the most secure and accurate methods of verifying identities, but they are not foolproof. Fingerprint recognition systems have been fooled by Gummi Bears and I expect that dozens of people are toiling away in basements trying to figure out how to trick other forms of biometric identification.

Another threat to biometrics is the security of the database against which physical characteristics are compared. If you crack that database, you'll have all the datapoints you need to present to defeat the system. The Detroit News is reporting today on research being carried out by IBM to improve the security of those databases. It involves using an algorithm to distort the image collected, which is then compared to a database of similarly distorted images. This way, the database does not contain "cleartext" data that aligns with the actual data to be collected. If the system is compromised, a new distortion algorithm is introduced and the old data is supposedly useless. I'd think that coupling this with a one-way hash of the data would also be a good idea, but what do I know?

Saturday, August 27, 2005

AOL and E-Trade offer login tokens to users

The title of this recent Washington Post article is another example of the overuse of the term "identity theft": A New Key to Fighting Identity Theft. The article is not about assuming someone's identity and getting credit in their name, but it is interesting nevertheless ...

Both America Online and E-Trade are offering their users an additional level of login security by using RSA's number generating tokens for a two-factor authentication.

"That number acts as an extra, one-time password by matching up with an identical number generated at the same time by a computer at AOL or E-Trade's offices. Both the token and the computer had their clocks synchronized at birth, ensuring that each would generate matching random six-digit numbers at the same intervals.

The idea here is to ensure that password theft has no value. Each six-digit number's utility expires once it's used, but without it a regular user name and password alone won't log a customer in."

This is obviously a good thing, though it won't do a lot for real identity theft and we could end up with a whole mess of these things on our keychains.

The growing problem of ID theft

Articles on ID theft are a dime a dozen these days, but The growing problem of ID theft from BankRate.Com (via Yahoo! News) is worth a read. It considers the problem and legislative initiatives, but also delves into problems that banks are having in trying to retrofit modern security onto legacy databases and systems.

The known unknowns of a national ID card

Bruce Ramsay's column in the Seattle Times on Wednesday was devoted to discussing the US RealID scheme. He particularly focuses on the as of yet unanswered questions: He asks, if a foreign birth certificate is not acceptable documentation to get a new super-license, how will the millions of Americans and legitimate immigrants born overseas get the card? Not a whole lot of doubt about his position ... See The Seattle Times: Opinion: The known unknowns of a national ID card.

California legislature shelves RFID ban

A California senate committee has shelved SB 682, also known as the Identity Information Protection Act of 2005, until the next session. The bill would have outlawed embedding wireless identification technology (read: RFID) in state-issued documents, such as drivers' licenses. The bill had been supported by the ACLU, the EFF and the Privacy Rights Clearinghouse but had been opposed by a number of industry groups. According to ZDNet, the industry groups won out, resulting in the bill being shelved. See California shelves RFID ban | Tech News on ZDNet.

People search site to add commenting features

You can find a lot of information about people just by using the internet. One of the premier "personal data search engines" is Zabasearch. Enter any name and, optionally, their state, and you'll get surprisingly accurate contact information: Name, address, phone number, birth month and year. With a few additional clicks, you can order a background check on anyone in your search results.

Making all this available online has upset privacy advocates (Wired News: Your Identity, Open to All), but they are now taking it a step further. The "public domain" information can now be supplemented by anyone with a grudge or too much time on their hands. Starting September 1, 2005, ZabaSearch will offer a "ZabaBlog" to let anyone comment about anyone. I can't see that anything good will come of this. David Lazarus, of the San Francisco Chronicle, has written a recent column on the development and solicited the views of the Privacy Rights Clearinghouse (Search site to add free blogs). The company itself doesn't see anything wrong with this. Collecting and displaying public information isn't illegal and blogs are constitutionally-protected free speech, they say.

The feature isn't live yet, but it'll be interesting to see how it is used and what sort of fuss ensues.

Friday, August 26, 2005

How to respond to a privacy/security breach

Darwin Magazine has an article by Larry Ponemon of the Ponemon Institute on how a company should respond to a security/privacy incident: Darwin - Online Feature - Keeping the Trust. In fact, you should bookmark it in case you need it later.

Thursday, August 25, 2005

Inside the web of companies processing your credit card transaction

Today's International Herald Tribune has an interesting look into the data centre of Visa international and highlights the many intermediaries that handle your transaction between the point of sale and the centre that is housed in an undisclosed location in the central United States. Check out: Credit card companies now turn to security - Technology - International Herald Tribune.

Go ahead and complain to the privacy commissioner ...

CFCN of Calgary, Alberta is running a story about an individual who was called by a telemarketer on behalf of a life insurer, who got the individual's personal information from one of Canada's large retailers. The individual was upset that they had his birthdate, which was also obtained from the same source. The individual had not opted out from the information sharing.

The story is interesting also because it suggests that readers complain to the Information and Privacy Commissioner of Alberta: See the article here: CFCN.ca - Calgary news from CFCN, CTV

Patent petitions reveal inventors' data

Thanks again to Rob Hyndman for pointing me to an interesting story with a privacy angle ...

A couple days ago, the Washington Times reported on the sorts of weird information that may be available in public patent files. It appears that inventors who fail to renew their patents are required to provide a reason why in order to renew without interruption. The files containing their submission are open to the public and contain an eclectic range of very personal information to support the inventors' failure to renew:

Patent petitions reveal inventors' data:

"More than 1,000 inventors petition to reclaim their patent rights each year. Inventors typically provide the information to prove that hardship prevented them from paying their maintenance fees on time. The fees range from $450 for independent inventors to up to $3,800 for large companies.

The records, which are not required but frequently are submitted as supporting documentation, include divorce decrees, tax returns, records of psychological therapy, professional license suspensions, hospital bills, credit reports, telephone numbers and home addresses.

Richard Pierce, a Brea, Calif., resident who owns a patent on a device to help emergency responders administer cardiopulmonary resuscitation with flashing light signals, has his credit report listed in patent office records...."

Commissioner releases report concerning collection and security of credit information

From the Alberta Information and Privacy Commissioner's Office:

Commissioner releases report concerning collection and security of credit information:

"Commissioner Frank Work authorized an investigation under the Personal Information Protection Act ("PIPA" or "the Act") after receiving a complaint alleging that SAS Institute Canada ("SAS") Inc. collected personal credit information in contravention of the Act.

The complainant had applied for a job with SAS as an Administrative Assistant/Receptionist. During the recruitment process, she signed a consent authorizing the organization to obtain a credit inquiry report; however, she subsequently complained that the organization's collection of her personal credit information was not reasonable. She was also concerned about the security of her personal information held by the organization contracted by SAS to conduct background checks.

SAS advanced the following purposes for collecting the complainant's personal credit information during the recruitment process:

  • To assess the applicant's suitability to manage petty cash.
  • To minimize the risk of employee corporate credit card fraud.
  • To validate employment history by identifying past employment listed in a credit report but not described on the applicant's resume.

The investigator found that the personal credit information collected by SAS was not reasonably required to establish an employment relationship because:

  • The organization had less intrusive and likely more effective means to assess the complainant's ability to manage petty cash, including contacting previous employers;
  • The complainant had not yet applied for a corporate credit card, and so the information was not required at this stage to minimize the possibility of fraud; and,
  • The organization had less intrusive and more effective means to validate the complainant's employment history.

The investigator found that the organization's purposes of collecting personal information to assess suitability to manage petty cash and validate employment history were reasonable; however, the extent of the collection was excessive for meeting those purposes. Further, the organization's collection of personal information to minimize the risk of corporate credit card fraud was not a reasonable purpose considering the complainant had not yet applied for a corporate credit card.

The investigator also found that SAS had implemented reasonable measures to ensure that personal information collected on its behalf is safeguarded as required under the Act.

Prior to this investigation, SAS had taken steps to bring its practices into compliance with privacy legislation; however, the organization agreed to refine its hiring practices and implement the following recommendations:

  • Review the responsibilities of a position when hiring to ensure that credit information is reasonably required to determine a candidate's suitability.
  • Where credit information is reasonably required, clearly state the purpose(s) for collection.
  • Where credit information is reasonably required, clearly state in all job postings/advertisements that a credit check may be required of the successful candidate.

SAS was cooperative throughout this investigation and demonstrated a commitment to ensuring the protection of privacy."

Wednesday, August 24, 2005

Dutch bad-debt name-and-shame website publisher accused of payment default

From the "reap what you sow" department:

Digital Media Europe: News - Dutch bad-debt name-and-shame website publisher accused of payment default:

"BNR Nieuwsradio, a Dutch radio broadcaster, has reported that Hans van Heertum still owes it €6,000 for radio ads. Dutch financial daily Financieele Dagblad said he has not yet paid the paper €2,000 for a 2003 ad. And De Telegraaf, another daily, claims Mr Van Heertum has other outstanding debts.

Nothing really out of the ordinary, one might add, except that Mr Van Heertum runs a website, Incassoregister.nl, that names and shames bad debtors.

Incassoregister.nl also maintains an online database on defaulters, to which debt-collection agencies, bailiffs and other business can subscribe...."

Companies dinged on Web privacy

Thanks to Rob Hyndman for pointing out the following survey, reported on by CNET news:

Companies dinged on Web privacy | CNET News.com:

"... The Customer Respect Group, the Boston research firm that conducted the study, rated the privacy practices of a whopping 72 percent of 464 North American companies it surveyed earlier this year as 'poor' with respect to reusing personal data for marketing purposes...."

New jury duty scam being used by ID thieves

Scam Busters is reporting on a new scam being used by identity thieves to dupe people into exposing their personal information:

Brand New Jury Duty Scam:

"Here's a new twist scammers are using to commit identity theft: the jury duty scam. Here's how it works:

The scammer calls claiming to work for the local court and claims you've failed to report for jury duty. He tells you that a warrant has been issued for your arrest.

The victim will often rightly claim they never received the jury duty notification. The scammer then asks the victim for confidential information for 'verification' purposes.

Specifically, the scammer asks for the victim's Social Security number, birth date, and sometimes even for credit card numbers and other private information -- exactly what the scammer needs to commit identity theft.

So far, this jury duty scam has been reported in Michigan, Ohio, Texas, Arizona, Illinois, Pennsylvania, Minnesota, Oregon and Washington state...."

Tuesday, August 23, 2005

Use of GPS in rental cars surveyed

Anita Ramasastry has written more than a few interesting privacy-related columns for FindLaw. Her most recent one, Tracking Every Move You Make Can Car Rental Companies Use Technology to Monitor Our Driving? discusses the use of GPS as a monitoring technology, particularly in rental cars. There have been a few cases in the US and Ramasastry discusses how GPS can be used, with clear notice and consent.

Thanks to beSpacific for the link: beSpacific: Rental Cars, GPS Tracking and Your Privacy.

Confusion when social security numbers are truncated

The Pittsburgh Channel is reporting on an incident of confusion in credit reports when consumer reporting agencies are required to truncate social security numbers. When all digits are used, the number is unique to an individual. But when only a portion of them are used, there are hundreds of others with similar numbers, some of whom you don't want added to your credit report: Social Security Number Privacy: Check Your Credit Report.

Incident: Hacker Steals Air Force Officers' Personal Information

The Washington Post, and others, are reporting that someone used a legitimate user's credentials to acquire personal information on 33,000 US Air Force officers via an online career management system. The investigation is ongoing: Hacker Steals Air Force Officers' Personal Information.

Monday, August 22, 2005

US Constitutional right to privacy in prescription drug records

Over at HIPAA Blog, Jeff Drummond is linking a recent US Circuit Court of Appeals decision that found a constitutional right to privacy in prescription drug records: Constitutional Right to Privacy.

ID insurance? Who needs this stuff?

Money Magazine has a review of the range of ID theft products and services out there, and suggests more than a few free alternatives:

MONEY Magazine: ID insurance? Who needs this stuff? - Aug. 22, 2005

"NEW YORK (MONEY Magazine) - Scared by all the doom-saying from security experts and the identity theft stories in the news? Well, don't lose sight of your common sense. Below are some of the services you could buy -- and the free alternatives...."

The paparazzi snap back

Today's Globe & Mail, just in time for the film festival in Toronto, is running an article on paparazzi. The writer contacted me a little while ago and paraphrases my comments about halfway down the article:

The Globe and Mail: The paparazzi snap back:

"... David Fraser, a privacy lawyer with the firm McInnes Cooper, believes that's because the Canadian media are just a whole lot kinder. At the same time, federal privacy laws specifically exclude journalists and protect freedom of the press, he says. Celebrities who run into problems with paparazzi must turn to trespassing and stalking laws, which may keep the rare pushy snappers at bay...."

I would add that some provinces have a statutory tort of invasion of privacy and the non-statutory tort is evolving in Canada. Even for journalistic purposes, invasions of privacy that are "undue" and "unreasonable" can be condemned by the courts in the form of money damages or an injunction. There just hasn't been a lot of cause in Canada for celebrities to invoke these laws.

National Post editorial against Lawful Access

Today's editorial in the National Post has come out against aspects of Canada's proposed lawful access rules:

National Post

"...There will be a temptation for some to forgive this excess in light of enhanced concerns for security after 9/11. But this incorrectly assumes that the new laws would be reserved for extreme cases such as threats to national security. Think again: The Privacy Commissioner reveals that the initiative to reform Canada's lawful access laws predates the Sept. 11, 2001, attacks.

In any case, our judiciary is not insensible to the terrorist threat. And so in cases where tapping an e-mail account or cell phone truly is warranted, the police should have no problem convincing a judge that a warrant should be issued. Removing the robed gatekeeper does little to enhance safety, but merely increases the chance of a rogue officer invading someone's privacy for no valid reason.

We share the Privacy Commissioner's skepticism "about the need for these potentially intrusive and far-reaching measures." We agree that the government should be able to get just about any information it needs to protect national security. But that information should be protected from invasive fishing expeditions by the usual safeguard we have come to expect in a free society: a vigilant judge."

Sunday, August 21, 2005

Colleges struggle to combat identity thieves

Universities are constantly being hacked. On this blog alone, I have referred to dozens and dozens of privacy/security incidents involving post-secondary institutions (check this out).

Today's Boston Globe is running a story on how vulnerable universities are and what some are trying to do about it.

Colleges struggle to combat identity thieves - The Boston Globe

"... "[Universities] are certainly getting a collective black eye," said Beth Givens, director of the San Diego nonprofit group Privacy Rights Clearinghouse. "I suspect there's a lot of hand-wringing in universities these days. Those in the IT departments are starting to tell administrators, 'See, I told you so, we have to have better control.' "

Universities provide a target-rich environment for identity thieves -- an abundance of computer equipment filled with sensitive data and a pool of financially naive students.

"A lot of times younger people think, 'I don't have a lot of money, so I don't have to worry about this.' " said Dennis Jacobe, chief economist at Gallup. A recent Experian-Gallup poll indicated that a quarter of surveyed consumers under 30 said their personal information had been stolen.

The academic culture that embraces the open exchange of information lends itself to identity theft. Add to that diffuse tech systems and independent departments and the struggle to stifle breaches becomes even more challenging.

''Because we're so big we're kind of decentralized," said Anthony Wood, director of academic computing at the University of California, San Diego, which has experienced several data breaches in the past year. ''Academic freedom [tends] to have people doing things on their own. And because we have so many [Internet] addresses, we're more visible."..."

Ontario government not doing enough to protect private data

In response to a high-profile privacy incident in December 2004 (see The Canadian Privacy Law Blog: Another privacy breach to round out the week), the Ontario government commissioned a study of privacy practices by Deloitte & Touche. The report is in (I haven't tracked down a copy yet) and it calls for "more robust privacy policies, procedures and other initiatives." See London Free Press: News Section - Government not doing enough to protect private data: report.

Warning: These premises are under video surveillance

This one is pretty amusing ...

In the PIPEDA age, store owners and others who use CCTV on their premises for security and other purposes are required to post notices that the area is under video surveillance. This is because you have to make a reasonable effort to bring this form of collection of personal information to the person's attention so they can decide whether to enter the premises. How much is "reasonable" and does anyone pay attention to the signs?

You can likely assume that a company specialising in video surveillance would have the place covered by CCTV. But just for good measure, the owner of a Manchester CCTV supplier put up signs. You would think that was enough, but some dolt actually went onto the property and stole a laptop worth £700. Reports say he was picked up by eight separate cameras and was also seen casing the place half an hour before. See the story on Sky News : CCTV Shop Raid: Britain's Thickest Thief?.

What are the lessons to be learned?

  1. People don't read signs?
  2. CCTV signs don't deter theft?
  3. Surveillance doesn't deter theft?
  4. Some people are too thick to read signs that might actually affect them?
  5. All of the above?

Saturday, August 20, 2005

Taping of phone calls in the United States

The Reporters Committee for Freedom of the Press has produced an online guide to the laws that govern recording of phone calls in the United States. Worth bookmarking: "Can We Tape?".

Security Breach Notification Chart

Perkins Coie, a US law firm, has produced a handy-dandy chart showing the US laws that require notification of security/privacy breaches:

Perkins Coie: Security Breach Notification Chart:

"This chart provides information regarding security breach notification legislation which has been enacted in U.S. jurisdictions. The pioneering statute on this issue, California's Security Breach Notification Act (Senate Bill No. 1386), is used as the baseline for comparisons herein. "

It looks like it is a client bulletin, so I do not expect it will be updated (at least not at this link).

Assistant Privacy Commissioner concludes that initiating a lawsuit is implied consent to video surveillance

McInnes Cooper recently acted for one of Canada’s largest automobile insurers in achieving a favourable result in two related complaints to the Office of the Privacy Commissioner, both stemming from a decision by the insurer to use video surveillance to verify the claimed injuries.

Following a motor vehicle accident, the plaintiff advanced a claim against the driver of the vehicle, whose insurer responded to defend the claim. During the examinations for discovery, the insurer concluded that there were inconsistencies in the reported injuries and hired a private investigator to conduct video surveillance of the plaintiff. Surveillance captured the plaintiff, sometimes with her husband, carrying out daily activities. The tape was used at trial to impeach the witness.1

The plaintiff and her husband each brought separate complaints to the Privacy Commissioner, both alleging that the use of video surveillance was a collection of personal information without consent, contrary to the Personal Information Protection and Electronic Documents Act (PIPEDA). The Assistant Commissioner concluded that both complaints were not well-founded. For the plaintiff’s husband, the Assistant Commissioner reviewed the tapes and saw that he was not recognizable in the images. Thus, she concluded, the information was not “identifiable” and there was no collection of “personal information”, as that term is defined in PIPEDA.

With respect to the plaintiff, the Commissioner agreed with the insurer’s argument that, by initiating a lawsuit in which injuries are at issue, the plaintiff has impliedly consented to the insurer collecting personal information that is necessary to defend its insured. This implied consent only extends to information that is relevant to the merits of the case and the conduct of the defence. The Assistant Commissioner concluded that "the collection of her personal information was limited to what was necessary for [the insurer] to defend itself against … Court action."

The insurer argued, following the Ontario decision of Ferenczy v. MCI Medical Clinics, 2004 CanLII 12555 (ON S.C.) (see The Canadian Privacy Law Blog: PIPEDA and Video Surveillance: Guidance from the Ontario Courts), that PIPEDA does not apply to third-party personal injury claims as the insurer is an agent for the defendant and the relationship between the parties to litigation is not a commercial one. Unfortunately, the Assistant Commissioner did not refer to this line of argument in her finding.

As of yet, the Assistant Commissioner’s finding is not reported on the Commissioner’s website.


1  Counsel for the plaintiff argued that the video was made in violation of PIPEDA and should be inadmissible. The court decided, from the bench on voir dire, that PIPEDA did not apply and, if it did, any violation of PIPEDA would not render the evidence inadmissible.

Friday, August 19, 2005

Findings from the Australian Privacy Commissioner

The Australian Regulatory Review has links to and some discussion of recent findings from the Australian Privacy Commissioner:

Australian Regulatory Review: Privacy Case Notes:

"The Privacy Commissioner, Karen Curtis, has released case notes 8 to 18 regarding personal information handled by credit providers, insurance providers, employment agencies, a telecommunications service provider, an internet service provider and federal government agencies...."

Much of it sounds familiar.

OT: Another Nova Scotia lawyer joins the blogosphere

David Brannon, a personal injury lawyer at Patterson Palmer in Truro, Nova Scotia, has recently started a blog on personal injury matters. He has a background as an occupational therapist, so has an interesting perspective. Check out his blog at www.injurylawblog.com.

Fuss over fraud by hospital clerk

There's currently a big fuss going on in Aspen over credit card fraud allegedly perpetrated by a claims clerk at the Aspen Valley Hospital. The hospital has since outsourced this function, saying this move "virtually guaranteed" it could not happen again.

Aspen Valley Hospital: All care taken to prevent identity theft

"... When asked if AVH had performed a thorough background check on Lozano, Jellinek became extremely agitated with a reporter. He said the facility wouldn't spend $10,000 for a background check on a $10-per-hour clerk. He accused The Aspen Times of attempting to blow the story out of proportion and making the identity theft appear to be an extensive problem with the hospital's billing and collections procedures.

Jellinek later apologized and stressed that he and other AVH officials have worked hard to fix a financial crisis there and didn't want to see the progress harmed. One part of the solution was outsourcing billing and collections to First Consulting Group, he said...."

Methinks a background check may be in order if the clerk will have privileged access to patient information ... or you don't give privileged access to a $10-an-hour clerk.

As an aside, it looks like it was simple theft of credit card numbers, so "identity theft" may not be the appropriate term.

Lawful access coming: Ottawa to give police more power to snoop on digital communications

Today's Globe & Mail is reporting that "lawful access" legislation will be introduced in the fall to give law enforcement greater access to digital communications of Canadians:

The Globe and Mail: Ottawa to give police more power to snoop:

"... The law would force Internet service providers to retain records on the Internet use of its clients in such a way that it can be easily retrieved by police, doing away with the need in many cases to seize an individual's computer as part of an investigation.

In her submission to the government earlier this year, Privacy Commissioner Jennifer Stoddart concluded that Ottawa and the police have not provided enough justification to warrant such a law.

'We remain skeptical about the need for these potentially intrusive and far-reaching measures,' she wrote. Ms. Stoddart noted the law could give police access to global-positioning-system data from cellphones combined with electronic banking data that could allow the government to track an individual's every move.

'The digits we punch into a modern telephone do not just connect us to another party, they can also reveal our financial transactions, PIN numbers and passwords, or even health information.' Michael Geist, a University of Ottawa law professor who took part in the consultations, said the proposed law goes 'well, well beyond' updating references to analog technology. 'For individual Canadians, this is an issue that should attract enormous interest because it fundamentally reshapes the Internet in Canada, creating significant new surveillance powers,' he said...."

No reasonable expectation of privacy in Internet subscriber information

InternetCases.com has a summary of a recent American decision in which the Court found that AOL subscribers have no reasonable expectation of privacy with respect to their identities. AOL disclosed a subscriber's identity to police without a warrant and the subscriber sued:

InternetCases.com: No reasonable expectation of privacy in Internet subscriber information:

"...First, by signing up for service, a subscriber knowingly discloses information to the ISP, which is accessed and used by the ISP to provide services. Second, AOL's terms of service provided that AOL would release subscriber information 'in special cases such as a physical threat to [its customer] or others.' Such a provision was especially relevant given the underlying facts of this case. Third, the Electronic Communications Privacy Act, 18 U.S.C. ss 2510 et seq. provides that subscriber information can be divulged in situations where the risk of physical injury justifies its release..."

Thursday, August 18, 2005

PIPEDA Case Summary 310: Commissioner initiated complaints against Internet pharmacies

The Office of the Privacy Commissioner has just released the summary of a new finding. This is the first time that I can remember where the complainants have asked to remain anonymous and the Commissioner proceeded to initiate a complaint of her own accord, as is provided for under PIPEDA. In this case, a number of residents of the United States complained that a Canadian-based internet pharmacy had unlawfully disclosed their personal information without consent to two American companies, who used the information without consent. The disclosure, which was by unauthorized employee activity, took place before 2004 and the Assistant Commissioner concluded she was without jurisdiction to issue a finding in that regard. Though the companies that acquired the lists did so without notice that it was purloined, the use was still without consent and the Assistant Commissioner concluded that portion of the complaint was well founded. Read the full finding on the Commissioner's website here: PIPEDA Case Summary #310: Commissioner initiated complaints against Internet pharmacies.

Loophole lets man skirt Pennsylvania's privacy law

A man from Virginia has been acquitted of charges under Pennsylvania's privacy law after he used a cameraphone to take pictures up a woman's skirt. The judge lamented that the law, as it stands now, doesn't cover this kind of mischief.

Loophole lets man skirt state's privacy law:

"CARLISLE - A Virginia man didn't break the state's privacy law when he used a camera phone to take a photo up a woman's skirt at a midstate shopping mall, a Cumberland County judge ruled yesterday.

It is a case where Pennsylvania law simply hasn't caught up with advances in technology, Judge Edgar B. Bayley concluded. Pennsylvania's privacy statute, last revised in 1998, didn't anticipate camera phones and has no provisions barring their use for what most people would consider the indecent act of 'upskirting' in public places, he said...."

The article does note that recent amendments to the law, which are not yet in force, have been made to address "up-skirting", "down-blousing" and other voyeuristic practices.

Wednesday, August 17, 2005

The National ID Challenge

Dennis Bailey at Open Society Paradox is putting his money where his mouth is; he has put up $1000 (US) saying that the new Real ID legislation in the US will lead to a measurable drop in identity theft. Check it out: The Open Society Paradox: The National ID Challenge.

Jail sentence for personal info theft

A former AOL employee has been sentenced to a year and three months in jail for stealing screen names and e-mail addresses from the company and selling them to spammers. More details here: AOL Worker Who Stole E-Mail List Sentenced - Yahoo! News.

Stan State suffers breach of security to file servers

Enough is enough. Yet another university privacy breach: Stan State suffers breach of security to file servers.

Businesses see profits in fear of identity theft - The Boston Globe

The Boston Globe is running an interesting article on the businesses that are offering services to calm consumers' fears about identity theft, including one that has been found by the Federal Trade Commission to have engaged in deceptive marketing:

Businesses see profits in fear of identity theft - The Boston Globe:

"... Yesterday, ConsumerInfo.com, which is owned by the credit-reporting bureau Experian, settled with the Federal Trade Commission on charges that it had deceptively marketed ''free credit reports' and did not adequately disclose that customers who signed up for the report would also be enrolled in a credit-monitoring service and be charged $79.95 if they didn't cancel within 30 days..."

Tuesday, August 16, 2005

Incident: Medical records found dumped in the street in Birmingham, UK

An outraged physician happened to find confidential medical files that had been dumped in the street near his house in Birmingham, UK. The records related to the conditions of two women, named in the files, who had medical issues of a particularly sensitive nature. For coverage, see RedNova News - Health - Dumped Medical Records Outrage.

Australia may provide private sector access to ID verification system

In response to the recent arguments raised by Dun and Bradstreet that privacy laws are actually feeding the increase of identity theft, the Australian Broadcasting Corporation is reporting that the government is considering providing the private sector with access to ID verification databases: Radio Australia - News - Australia seeks to combat increase in identity theft cases.

Monday, August 15, 2005

Calgary student challenges nightclub over scanning ID

I've been waiting for this complaint for some time. When people (usually younger and with more interesting social lives) make the mistake of asking me what I do for a living, the description is usually followed by the question "can bars legally scan your driver's license?" According to the Globe & Mail, an Alberta law student has complained to the Alberta Information and Privacy Commissioner about the increasingly common practice of requiring bar patrons to have their ID scanned before being allowed entry.

Presumably the basis for the complaint is that the bar is requiring patrons to consent to the collection and use of personal information that is not necessary. Section 7(2) of the Personal Information Protection Act (Alberta) reads:

An organization shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information about an individual beyond what is necessary to provide the product or service.

I have heard bar owners in Halifax quoted as saying that the practice is only to verify that the ID has not been altered because the readers check that the info encoded on the magnetic strip is the same as what appears on the face of the license. OK. But readers also record all the data (name, address, date of birth, license restrictions, etc.) and download them into a central system at the end of the day.

This should be an interesting case, since it will have to consider why the bars want this information and whether it is reasonable.

Read the Globe & Mail article here: Globetechnology: Calgary student challenges nightclub

Incident: University of North Texas hacked

Yawn. Yet another university privacy/security incident. This time, it's the University of North Texas:

UNT warns of potential ID theft :

"DENTON - University of North Texas officials are recommending that almost 39,000 students and alumni protect themselves from identity theft after discovering that hackers accessed a UNT computer server last week...."

Address 'gaping hole' in privacy laws, Saskatchewan Commissioner says

Gary Dickson, the Privacy Commissioner of Saskatchewan, has released a report that calls for some significant changes to the province's public sector privacy law. The Sask. statute is similar to Nova Scotia's in that it lacks any requirement to safeguard personal information:

The Globe and Mail: Address 'gaping hole' in privacy laws, officer says:

"Saskatchewan's privacy commissioner says the province must address a 'gaping hole' in privacy laws and require public organizations to protect personal information more stringently.

In the report, Privacy Commissioner Gary Dickson said that the current Freedom of Information and Protection of Privacy Act does not require a government body to ensure personal information in its possession or under its control is protected.

'The effect is that Saskatchewan citizens continue to experience an unreasonably high level of risk that their personal information entrusted to public bodies will be used or disclosed inappropriately.'..."

Geist: Canadian Telecommunications Policy Needs New Roadmap

Michael Geist has a few things to say about telecommunications law reform in Canada, including how privacy of internet customers fits into the mix:

Michael Geist - Canadian Telecommunications Policy Needs New Roadmap:

"...It is essential that Canadian law ensure that subscriber information is only disclosed under court order with the privacy interests of the individual fully considered and protected. Moreover, strong Internet privacy protections will be needed in the face of Ottawa's lawful access plans, which will reportedly require ISPs to implement new network interception and surveillance capabilities...."

Australian credit bureau claims that privacy laws leaving identity fraud unchecked

I blogged earlier about a story out of Australia in which Dun and Bradstreet claims that privacy laws are feeding identity theft in that country (The Canadian Privacy Law Blog: Credit bureau in Australia blames privacy laws for rise of identity fraud). Here is a transcript of the Australian Broadcasting Corporation's report: PM - Claim privacy laws leaving identity fraud unchecked.

So You Think Your Data Is Secure?

If you want your eyes opened to the threat of insiders to your confidential company and customer information, look no further: So You Think Your Data Is Secure? - Computerworld.

Personal details of Australians for sale in India

After British journalists reported that information on UK citizens is for sale from call centres operated in India (see The Canadian Privacy Law Blog: How secure are India's call centres?), Australian reporters have found the same with respect to Australian data:

Personal details up for grabs in India - Breaking - Technology - smh.com.au:

"Frauds are offering to sell the personal details of thousands of Australians, culled from information gathered at call centres in India.

The ABC's Four Corners program has revealed it was offered information on 1000 Australians.

Four Corners says it was offered a deal on the information, through an unidentified broker, which it turned down.

The information included names, addresses, telephone numbers, birth details, Medicare numbers, driver's licence numbers, ATM card numbers and even passport information. The program verified that the information belonged to real people....

Sharing of data 'could block identity theft'

Martin Gill, a UK criminologist, is calling for increased sharing of data among credit agencies as a way of making life more difficult for identity thieves. From the Independent:

Independent Online Edition > Business News : Sharing of data 'could block identity theft'

"Thousands of cases of identity fraud could be prevented if financial services companies and credit reference agencies shared more data, according to a report from a leading criminologist. Professor Martin Gill said criminals behind ID fraud, now the fastest growing type of theft in the UK, were exploiting the fact that people's credit files contain different information, depending on which company holds them....

Sunday, August 14, 2005

Canadian Privacy Commissioner seeks info on 'no-fly' list

Jennifer Stoddart was on CTV's Question Period today to discuss the proposed Canadian "no-fly list". She has been looking for particular information on the plan and hasn't gotten the answers from the federal government that she's looking for. CTV.ca | Privacy commissioner seeks info on 'no-fly' list.

Among her questions:

  • What will be the specific selection criteria for adding names to the "no-fly" list?
  • Will all individuals with a criminal record have their names placed on the list?
  • Will Transport Canada independently verify the names and other information to ensure that the information is accurate, complete, and up-to-date and warrants inclusion on the list?

Credit bureau in Australia blames privacy laws for rise of identity fraud

Dun and Bradstreet, a consumer reporting agency serving clients in Australia, is suggesting that privacy laws are feeding the growth of identity theft. As an example, D&B is saying that more fraudsters are impersonating dead people because the credit agencies are not able to get the information necessary to determine whether a named applicant is actually alive: Privacy laws blamed for identity fraud rise.

UPDATE: I forwarded this article to Dennis Bailey at Open Society Paradox, because I was sure he would have something interesting to say. I was not disappointed: The Open Society Paradox: Privacy to Blame for Identity Theft?.

This particular article really highlights the tensions between privacy and identity. On one hand, I'm sure that most people who are concerned about privacy would not want credit agencies to be directly plugged into the massive government vital statistics databases. At the same time, reasonable people would say that there should be a way for credit grantors to check to make sure that the person asking for credit is who they say they are and that they are in fact not quite dead.

Dennis has always been a proponent of robust identity for a number of reasons, one of which is the issue at hand. If credit agencies take steps to verify the physical person applying is the same person named on the form, using reliable ID, much of the risk of fraud is eliminated. But this will slow down the "instant credit" that consumers are now used to.

In Canada, the only credit facility that really requires ID is getting a mortgage because lawyers are supposed to check ID before registering the mortgage at the registry. Every bit of credit I've ever gotten has relied upon other means of "identification". (To give my bank some credit, I've personally known my banker for years.) If you look at your average credit card application, you'll see the current system relies on the information provided by the applicant to determine identity, which is as unreliable as the data to which it is compared. If the name, address and date of birth on the application match the data at the credit bureau, we have a match! If that database doesn't say person X is dead, then someone with person X's information can pretend to be him and get credit in that name.

It's an important problem that needs to be solved by informed discussion between those in Dennis Bailey's camp and those in the pro-privacy camp. I hope it is solved, sooner rather than later.

High-tech record: Less paperwork, less privacy

Today's Arizona Republic has an article on the move towards electronic health records, which discusses the privacy implications of switching to digital records: High-tech record: Less paperwork, less privacy.

Browsable Hold Shelves? With Names!

Mary Minow at the Library Law Blog is a little perturbed that her local library has started putting customer hold books in a rack in the lobby with slightly truncated names on them "to protect patrons' privacy". Not a lot of protection, Mary thinks, and not a good idea: LibraryLaw Blog: Browsable Hold Shelves? With Names!.

Man Faces More Charges in Fraud Scheme

The only person criminally charged in connection with the ChoicePoint fiasco and the resultant fraud is now facing additional charges of identity theft, according to the Associated Press (via The Washington Post): Man Faces More Charges in Fraud Scheme.

Saturday, August 13, 2005

Man convicted in Acxiom information theft case

The Associated Press (via Yahoo! News) is reporting that a jury has convicted Scott Levine in connection with the Acxiom data theft. Sentencing will take place in the beginning of next year:

Man Convicted in Huge Computer-Theft Case - Yahoo! News:

"...The jury convicted Scott Levine, the owner of defunct e-mail marketing contractor Snipermail.com, on 120 counts of unauthorized access to data, two counts of access device fraud and one count of obstruction of justice.

Jurors cleared Levine of 13 counts of unauthorized access of a protected computer, one conspiracy count and one count of money-laundering.

Statutory maximum sentences for his convictions total 640 years in prison and fines of $30.7 million, though his punishment likely will be much less under federal sentencing guidelines. Sentencing was set for Jan. 9.

Prosecutors said Levine and his company stole 1.6 billion customer records - the equivalent of 550 telephone books filled with names, e-mail and postal addresses. The government did not charge anyone with identity theft...."

"Identity theft" of an entire British Columbia law firm

Reports of identity theft are pretty common (at least here on the Canadian Privacy Law Blog), but what is the likelihood that the identity of an entire law firm would be stolen? Hang onto your hats folks, but it has happened and lawyers need to be on the lookout for similar scams.

According to Legal Mutual, scammers replicated a British Columbia law firm's website to suggest that the lawyers were "transfer agents" for an offshore investment scam. Doing this would mean that soon-to-be bilked investors would be able to confirm that the supposed transfer agents were, in fact, members of the BC bar. This is scary stuff. Check out Theft of Law Firm Website Behind Investment Scam. Thanks to The Insurance Defense Blog for the link.

From the article:

Theft of Law Firm Website Behind Investment Scam

"... Victoria law firm McConnan Bion O’Connor & Peterson discovered firm photos and lawyer names had been copied from their website (www.mcbop.com) and used to create a website for a fictitious Vancouver firm called Bion McConnan & Associates.

A company called First Independent Capital Resources, Inc., purportedly from Tokyo, then began soliciting investments in Australia claiming “Bion McConnan & Associates” was its transfer agent for the investment. First Independent’s website listed a number of impressive deals the company had allegedly been involved in and provided a link to the fictitious “Bion McConnan & Associates” website. First Independent had also been circulating a fictitious letter purportedly signed by one of the Bion McConnan & Associates lawyers, confirming that certain items would be held in escrow by Bion McConnan & Associates as part of the bogus deal.

Because the fictitious website used the names of real British Columbia lawyers, anyone checking their status in telephone books, law directories or with the Law Society of British Columbia would see that they were Law Society of British Columbia members....

Friday, August 12, 2005

New York enacts notification law

As of today, New York has joined the list of states that have mandatory notification of breaches of personal information: New law requires consumers to be notified when identity 'stolen'.

Incident: Cash register tape with credit card details found in an alley in Teesside, UK

Another reminder of why it is important that full credit card numbers not be written on receipts:

icTeesside - Credit card details found in the street:

"Credit card details of 17 shoppers were discovered in an alley among rubbish dumped by a major department store on Teesside.

The till roll, containing full credit card numbers and expiry dates, was found in Middlesbrough town centre when environmental enforcement officers examined the discarded bag...."

Dilbert and Phishing

Sadly, this is probably all too realistic:

Thursday, August 11, 2005

New report plays down privacy fears as Canadian government proposes to blend databases

The Canadian federal government is proposing to break down the barriers between government databases to provide more seamless service to citizens and residents. According to the Globe & Mail, the "Crossing Boundaries National Council", a private think-tank supported by senior bureaucrats, has polled Canadians who say that they are willing to trade privacy for better service:

The Globe and Mail: New report plays down privacy fears:

"...In a series of discussion groups, the Crossing Boundaries National Council, an organization stacked with prominent bureaucrats and politicians, found that Canadians do worry about the Big Brother nightmare of governments holding extensive files on citizens but most are willing to make trade-offs for better services as long as safeguards are in place...."

Loukidelis appointed as "interim" BC Commissioner

BC's legislation has a one-term limit for Information and Privacy Commissioners. The current Commissioner's term was due to run out on August 15, 2005. To work around this, current Commissioner David Loukidelis has been named as "acting Commissioner" until the BC government gets a successor or amends the legislation. In any event, David is very well regarded within the privacy community and any additional time at the helm will be welcomed. See Straight.com Vancouver | Commentary | Premier takes his chances on stock market.

Buyers beware Identity theft is world's most prolific crime

From the overstatement department: According to the Standard-Journal Online, identity theft is "the most widespread crime being committed in the world" (!) Buyers beware Identity theft is world's most prolific crime. The article is unclear on when ID theft supplanted jaywalking and misuse of milk crates as the most commonplace crime, but it must have just happened.

Cellphone Camera Use Policies

I often see articles about prurient uses of cell phone cameras, which I seldom link to because they're as mundane as university security incidents. Rob Hyndman (Celphone Camera Use Policies) is linking to a post at IP Counsel Blog about camera phones and IP protection (IP Counsel Blog: Camera Phones And Corporate Espionage). It's a good post and any company with sensitive IP should carefully consider the issue.

In my practice, I'm seeing policies that try to address this technology from the perspective of protecting the privacy of employees and customers. For example, daycares should at least turn their minds to developing rules about who can photograph kids and whether the organization should get consent in advance from the parents to allow photography on the site. Gyms should (and many do) think about policies for allowing the devices in locker rooms and in exercise areas. Hospitals also need to think about whether visitors should be able to take pictures that may include unrelated patients in the background. Some people are very sensitive and would get upset if a photo from the Christmas party shows up on the staff bulletin board.

Phones with cameras installed are ubiquitous. The more prevalent they are, the harder they are to regulate. Also, as they become commonplace, it is easy to lose sight of the risks that they may pose and it's harder to get people to give them up at the door.

The Man, your garbage, and the law

After a judge in Montana ruled that the police don't need a warrant to rummage through a person's garbage, the fine people at Boing Boing are pointing to some interesting articles online and have a suggestion from a reader of Declan McCullagh's PoliTechBot:

Boing Boing: The Man, your garbage, and the law: followups

"I think someone could come up with a business plan around this: truly private garbage collection. You don't put the trash out at the corner, but contract with the garbage collector to pick up the garbage in your yard, with some sort of contract that the garbage is still yours until properly incinerated, and the collector would dispose of it in a way that guarantees privacy - incineration...."

ChoicePoint SEC investigation may widen

The US Securities and Exchange Commission is looking into stock sales that executives at ChoicePoint made after they became aware of the massive security/privacy incident, but before it was made public. The SEC's probe has been escalated from an "informal inquiry" to a full-blown investigation. See: HoustonChronicle.com - ChoicePoint investigation may widen.

The latest oxymoron? ‘Internet Privacy.’

The Arkansas Times, Arkansas's Newspaper of Politics and Culture, is running an article on all the interesting personal information you (or a stalker) can find out about people without leaving the comfort of your internet connection: The latest oxymoron? ‘Internet Privacy.’

Incident: University Of Utah Computer Server Hacked; Identities Compromised

Oh my. Yet another university security/privacy incident:

ABC 4 - University Of Utah Computer Server Hacked; Identities Compromised.

"(ABC 4 News/U of U) -- The University of Utah announced Tuesday its computer server has been compromised by an unknown outside source, ultimately leading to unauthorized access of the server, according to the University of Utah Office of Information Technology.

The server contained library archival databases including a file with approximately 100,000 names and social security numbers of former University employees. The database included information used as an index for archives for paper employee files from 1970 to 2003...."

Wednesday, August 10, 2005

Hackers Break Into Two Universities, 100,000 Identities At Risk

Techweb is carrying a report on two recent security/privacy incidents at US universities. Most interesting in the article is the following statement:

TechWeb | News | Hackers Break Into Two Universities, 100,000 Identities At Risk

"...The compromised data was limited to name and Social Security numbers, so the hackers could not have obtained credit card or driver's license numbers, bank account data, or any other financial information, the school said...."

I'm not sure that this should be any reassurance in this day and age. Just the names and social security numbers are enough for an identity thief to go to town on the credit of the students.

Privacy Commissioner Raises Concerns That No-fly List Will Infringe on Privacy Rights

The Privacy Commissioner has come out -- not surprisingly -- against the proposed Canadian no-fly list. Here's the release:

Privacy Commissioner Raises Concerns That No-fly List Will Infringe on Privacy Rights:

"Ottawa, August 9, 2005 -- "The no-fly list announced last Friday represents a serious incursion into the rights of travelers in Canada, rights of privacy and rights of freedom of movement," says the Privacy Commissioner of Canada, Jennifer Stoddart, following an announcement made on August 5, 2005, by the Honourable Jean-C. Lapierre, Minister of Transport Canada. The federal government will conduct consultations with key stakeholders over the upcoming months on the creation of a "no-fly list", entitled "Passenger Protect", with a view to enhancing aviation security in the context of ongoing concerns about terrorism. In addition to the no-fly list, the Minister announced a review of how new technology can be used in assessing security risks posed by passengers in Canada.

The Privacy Commissioner called on Transport Canada, nearly a year ago, to explain what they were planning with respect to the potential development of a no-fly list. In July 2005, Ms. Stoddart wrote to Transport Canada officials reiterating her concerns about such a list, and enclosing a list of questions (see list of questions). These are the kinds of questions which would form part of a Privacy Impact Assessment that the Commissioner must receive from Transport Canada according to government policy.

"Despite assurances from Minister Lapierre that Canadians' privacy rights will be protected, I have not yet received an in-depth briefing about the initiative. However, one is scheduled for the end of August," says Commissioner Jennifer Stoddart. "We will be pressing for the strongest privacy protections for individuals. We want those protections to be in place before this program is implemented, including the rights of access and correction."

"I will reiterate, however, that the growing culture of security in this country and abroad causes me great concern as it does the majority of Canadians, according to a recent EKOS Research Associates survey commissioned by my Office," said Ms Stoddart.

Commissioner Stoddart has already spoken with many provincial/territorial privacy commissioners regarding the creation of a working group to assess the privacy risks associated with the no-fly project and other transport security measures such as video surveillance on buses and rail systems.

Several commissioners have already agreed to participate. "We will work together to tackle the privacy implications of these initiatives," said Information and Privacy Commissioner David Loukidelis of British Columbia. "We welcome this opportunity to collaborate on an issue that is troubling on many levels, to those of us who are concerned about privacy and openness in government." Information and Privacy Commissioner Ann Cavoukian of Ontario agreed, saying "as Privacy Commissioner, I have repeatedly said that we are not opposed to stronger security measures, provided that they are effective and balanced. However, expanding the net of surveillance and gathering more personal information does not necessarily result in better security." Jacques Saint-Laurent, Quebec's President of the Commission d'accès à l'information, said "given that we all face these common challenges in our respective jurisdictions, we can all learn from sharing our experiences and knowledge."

Privacy Commissioner Stoddart believes that national security and the protection of the privacy of individuals in Canada need not be seen as trade-offs: "One value does not necessarily need to be sacrificed in the interest of the other. Both can be achieved with well-designed law, prudent policy, and effective checks and balances". The questions outlined in the Commissioner's letter to Transport Canada officials will contribute to the achievement of this goal.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada."

Lessons learned from corporate security breaches

Jay Cline, over at Computerworld, is writing about "lessons learned" from the recent string of privacy/security breaches. He concludes with a bit of a "to do" list:

Lessons learned from corporate security breaches - Computerworld

"So what projects need to be at the top of your organization's agenda for the next 12 months?

  • Adopt a comprehensive information security program based on the ISO 17799 and Payment Card Industry standards.
  • Require any sensitive information stored on laptops to be encrypted.
  • Formalize a process where employees can contact a central phone number or e-mail to report suspicious activity with company information.
  • Validate the security of suppliers that handle your sensitive information, including backup tapes and documents.
  • Train employees on your security policies and procedures and perform periodic spot checks to measure compliance.

Completing these types of projects is no guarantee of avoiding a publicized security breach. But they'll go a long way in properly allocating your limited budgets toward the areas of greatest risk."

All that makes sense, but I'd add a few elements to the mix:

  1. Review all your information holdings to make sure that you only have information that you should, that the information has been collected with the consent of the individuals and that you are not retaining any information longer than is reasonably necessary for the purposes for which it was collected. (If you don't need it, don't keep it around. What you don't have can't be stolen or misused.)
  2. Adopt a privacy/security policy that strictly delineates what information can be collected, how it will be used and for how long it will be retained.
  3. Train all your employees to be sensitive to security and privacy issues.
  4. Encrypt all information on any computer, not just laptops. (Servers and desktop computers are easily stolen.)
  5. To the extent that's possible, keep all sensitive information on a central server that is well secured.
  6. Collect audit trail information for all access to sensitive information, so you know who had access to it and when. Review the audit records for anything suspicious.

This isn't comprehensive, but it's a start ...

Tuesday, August 09, 2005

The Panopticon: Pictures Of Surveillance Cameras Pool

Flickr, the very cool picture sharing site, is home to a user created pool of photos of surveillance cameras: Flickr: The The Panopticon: Pictures Of Surveillance Cameras Pool.

Thanks to Boing Boing for the pointer.

Security, Identity Theft and Credit Professionals

Below is an article that is in the latest edition of the National Credit Journal:

Security, Identity Theft and Credit Professionals

David T.S. Fraser

The credit industry in North America has recently found itself both in the spotlight and the legal crosshairs, primarily due to two factors: privacy laws and identity theft. Both demand increased vigilance on the part of credit grantors to protect both their customers and complete strangers from identity theft.

In March of this year, the spotlight turned to the industries that rely on or traffic in personal information. A number of high profile personal information leaks wound up on the front pages of newspapers in Canada and the United States. In the US, scammers gained access to the personal information of 310,000 individuals via a Lexis-Nexis subsidiary, Seisint.[1] One of the largest American data aggregators, ChoicePoint, was similarly scammed, leading to the disclosure of personal information on 1.2 million Americans.[2] The Bank of America lost a set of backup tapes containing sensitive credit information of thousands of US government employees.[3] In Canada, we have had similar information breaches; the highest profile being the accidental faxing of information from CIBC branches to a junkyard in West Virginia.[4] In addition, police in Alberta this past winter were shocked to discover piles of credit reports on senior provincial bureaucrats at a methamphetamine lab, leading to the finding that drug addicts are being hired by identity thieves to “dumpster dive” for such information.[5] Hand in hand with these incidents, the crime of identity theft[6] continues to increase. This species of fraud is said to be the fastest growing crime on the continent.

The result of this has been significantly increased customer awareness of industries that otherwise operated in the background. Also, lawmakers have turned their legislative agendas toward increased regulation and accountability in this area. A number of remedial bills are currently pending before the U.S. Congress while commentators have suggested that Canada’s private sector privacy laws are not up to the task of dealing with incidents such as this. A private member’s bill introduced in the Ontario legislature would require companies to notify all individuals whose information is inappropriately accessed. [7] Stronger remedies will likely be on the agenda when the Personal Information Protection and Electronic Documents Act comes up for review in Parliament next year.

Class action lawyers and the courts are not waiting for the legislators to catch up to the current situation. In April, the Michigan Court of Appeals upheld a class action lawsuit that found a trade union liable for inappropriate security of personal information after the information was used for identity theft. [8] Class action lawyers have commenced litigation against CIBC as a result of the faxing incidents[9]. The Michigan case related to actual identity theft that had occurred. The CIBC case alleges that the bank should be responsible for the increased vigilance required to protect the individuals against identity theft and for the increased likelihood that they may be subject to identity theft. It will not be long before individuals whose identities are stolen will seek recourse against the credit grantors who offered facilities to the impostors, arguing that they did not do enough to verify the identity of the person seeking credit. These plaintiffs will be seeking damages related to the cost of repairing their credit, which can run pretty steep.

What does this all mean to credit grantors? Anybody in possession of information that would be useful to commit identity theft has an obligation to protect it from being inappropriately used or otherwise compromised. This obligation is already set out in PIPEDA and the common law will likely also impose a duty of care where the risk of identity theft is foreseeable. (In the current climate, it would be difficult to argue that it is not foreseeable.)

Custodians of personal information may have a legal duty to inform individuals if their information is compromised. This obligation may be statutory if the private member's bill in Ontario becomes law, or may be imposed by the courts if a duty of care and a standard of care in negligence is established. Individuals whose information is compromised should be given the opportunity to keep a watch on their credit reports. If they are not informed of the situation, they will have no such warning.

Finally, credit grantors have to be even more vigilant in establishing the identities of those to whom they extend credit. This is not only to protect against credit losses, but to reduce the likelihood that your company will be the subject of privacy complaints and litigation. In this effort, privacy laws pull credit grantors in two different directions. On one hand, grantors should clearly establish the identity of any applicant. On the other hand, they can only require information that is reasonably necessary for the articulated purpose. To satisfy both, credit grantors should establish clear and reasonable policies related to how they will verify identity. Requiring two pieces of government issued identification, with at least one or both containing the applicant’s current address and photo would appear to be reasonable. The adoption of privacy best practices, including greater security and identity verification, can decrease the legal and credit risk faced by credit grantors. The courts and the legislators see that custodians of sensitive information are part of the problem. Being part of the solution makes business sense as well.


David T.S. Fraser is the chairman of the privacy practice group at McInnes Cooper, Atlantic Canada’s largest single law partnership. He is also the principal legal advisor to National Privacy Services, a company that offers end-to-end training and compliance solutions to clients across Canada. He can be reached at david.fraser [at] mcinnescooper.com or (902) 424-1347.

[1] “LexisNexis begins notifying possible victims”, CNN International (19 April 2005). Online at http://edition.cnn.com/2005/TECH/04/19/lexisnexis.breach.ap/.

[2] “Database giant gives access to fake firms”, MSNBC.com (14 February 2005). Online at http://www.msnbc.msn.com/id/6969799/.

[3] “Bank of America loses customer data”, MSNBC.com (1 March 2005). Online at http://www.msnbc.msn.com/id/7032779/.

[4] “CIBC faxes go to scrapyard”, The Globe and Mail (26 November 2004). Online at http://www.theglobeandmail.com/servlet/story/RTGAM.20041126.wxcibc1126/BNStory/Business/.

[5] “Civil Servants See Red”, Edmonton Sun (14 November 2004).

[6] For the purpose of this article, “identity theft” means the fraudulent impersonation of an innocent third-party in order to obtain credit facilities and other benefits in the name of the victim.

[7] An Act to Amend the Consumer Reporting Act, Bill 174.

[8] Health Care Assn. Workers Comp. Fund v. Bureau of Workers Disability, (15 February 2005) Michigan Court of Appeals (Wayne Circuit), No. 246684.

[9] Statement of Claim is available online at http://www.cacounsel.com/CIBC%20Class%20Action%20Claim.pdf.

Privacy protection should not suffer at the expense of security: B.C. Commissioner

The Information and Privacy Commissioner of BC, David Loukidelis, has issued his annual report in which he recommends that privacy not be swept aside in the quest for greater security:

Privacy protection should not suffer at the expense of security: B.C. report - Yahoo! News

"VICTORIA (CP) - Personal privacy should not take a back seat to national security as officials try to anticipate and protect against terror attacks, B.C.'s privacy commissioner said Monday.

"The constitutional and statutory privacy protections we enjoy should not be set adrift in the name of national security to founder on the rocks of law enforcement expedience," Information and Privacy Commissioner David Loukidelis said in his annual report released on Monday.

"While extraordinary powers are often necessary to protect national security, such powers must be clearly linked to the objectives they are created to achieve, must be no more extensive than absolutely necessary."..."

The report is not yet available on the OIPC's website, but I'll link to it when it becomes available.

UPDATE: The Commissioner's press release is here and his 2004-2005 Annual Report is here.

Monday, August 08, 2005

Privacy cartoon

Michael de Adder is the editorial cartoonist for the Halifax Daily News. Today, he's taking a cynical look at the surveillance society in England following the London bombings. Click the image (or the red X!).

PIPEDA Case Summary #309: Daycare denied parent access to his personal information

The Assistant Privacy Commissioner of Canada has recently released a finding that addresses the question of whether PIPEDA applies to "not for profit" organizations. In this case, an individual was seeking access to personal information in the custody of a daycare. The Assistant Commissioner concluded that PIPEDA does apply to this daycare as it was not municipally run:

Commissioner's Findings - PIPEDA Case Summary #309: Daycare denied parent access to his personal information - April 18, 2005:

"...The first matter that needed to be determined in this case was the issue of jurisdiction. Daycare officials said that the centre was a non-profit organization subsidized by city funding. They also claimed that the centre was subject to provincial and municipal legislation. This Office confirmed that the centre is not a municipal-run day care. We also found that there was a commercial activity involved, namely, payment for child care services. As such, this Office determined that the daycare was subject to the Act...."

This finding is interesting and could be instructive but ... the dearth of details about this particular daycare leaves little assistance in trying to surmise whether a particular organization is in or out of PIPEDA. My local YMCA runs a daycare that charges for its services. Commercial activity? The university up the street has a daycare. Commercial activity? Sadly, this summary of the Assistant Commissioner's decision provides almost no help for answering those questions, which pop up with surprising regularity.

Incident: Sonoma State Confirms SSNs Hacked

Yet another university privacy/security incident:

Sonoma State Confirms SSNs Hacked:

"ROHNERT PARK (KRON) -- Officials at Sonoma State University confirm that the names and Social Security numbers of more than 60,000 people in the school's databases were hacked in a security breach.

The hacker broke into seven of the school's computers, exposing files containing the names and Social Security numbers of 61,709 people who applied to, attended or graduated from the university between 1995 and 2002. Files containing information on faculty between 1999 and 2005 were also exposed. The attack happened in July, but officials don't think anyone actually accessed the exposed data...."

Call to protect shareholder information in Australia

The Chartered Secretaries Australia, a corporate governance association, is calling for changes to the law that currently allows anyone to have access to companies' shareholder lists. The current state of the law poses a threat to privacy, the CSA says: Call to protect shareholder information.

FTC settles with Advertising.com: future downloads must clearly disclose presence of adware

The Register is reporting that the US Federal Trade Commission has settled charges with Advertising.com that relate to including adware in a security download, the presence of which was only alluded to in the end user license agreement. The settlement does not include any penalties, but only a promise to make the presence of adware more prominent in the future: Security download must clearly disclose adware | The Register.

Sunday, August 07, 2005

Europe Zips Lips; U.S. Sells ZIPs

Once again, the Sunday New York Times is running a privacy-related story. This week, Eric Dash discusses the differences between the US and Europe, highlighting the legal, business and cultural differences between the jurisdictions:

Europe Zips Lips; U.S. Sells ZIPs - New York Times

"Why [are all these privacy/security incidents] happening here, and not, say, in Britain, Germany or France? One reason may be that every other Western country has a comprehensive set of national privacy laws and an office of data protection, led by a privacy commissioner.

The United States, by contrast, has a patchwork of state and federal laws and agencies responsible for data protection.

"In Europe, the question has been settled: citizens have strong legal rights," said Joel R. Reidenberg, a Fordham University law professor who is an expert on international data privacy rules. "In the United States, we basically have a mess, and we are still trying to sort it out."

More fundamentally, these two systems for dealing with data arise from a cultural divide over privacy itself. In broad terms, the United States looks at privacy largely as a consumer and an economic issue; in the rest of the developed world, it is regarded as a fundamental right...."