Thursday, September 29, 2005

Edmonton Police cleared of alleged leak of personal information to skinhead defendant

You may recall the allegations made in December of last year that the Edmonton Police Service leaked personal information about an Alberta lawyer to a criminal defendant in the US. See The Canadian Privacy Law Blog: Authorities give US prisoner detailed personal information on Albertans.

The Edmonton Sun is reporting that the Alberta Information and Privacy Commissioner has cleared the police service of responsibility for the leak:

edmontonsun.com - Alberta - EPS cleared in info leak to con:

"...Tom Engel theorized that information about his tax deductions, social insurance number, income and RRSP contributions - and similar files on his law partner, their wives and four legal assistants - ended up in the U.S. jail cell of convicted skinhead Daniel Sims back in December because Edmonton cops were somehow targeting him as an enemy of the service.

But a spokesman for privacy commissioner Frank Work said an investigation by the group showed EPS made no such disclosure to Sims...."

Wednesday, September 28, 2005

DHS privacy officer to resign?

Ryan Singel at Secondary Screening is reporting that the privacy officer at the Department of Homeland Security is resigning unexpectedly. The DHS is the only US Federal Agency that is rquired by law to have a privacy officer: Secondary Screening: Privacy Czarina Resigns.

EFF goes after warrantless cell-phone tracking

The Electronic Freedom Foundation has filed a brief in a New York court arguing that law enformcement should be prohibited from tracking cell-phones without probable cause:

Privacy Advocates Attack Cell-phone Surveillance

"...Yesterday’s friend-of-the-court brief by the Electronic Frontier Foundation cited evidence uncovered as part of a court finding last month that the Justice Department was using cell-phone taps without having to first show likelihood that a crime was being or had been committed. The group asked Magistrate Judge James Orenstein to stand by his decision to officially extend privacy protections to the cell-phone-using public...."

Survey says security breaches cost companies customers

The Ponemon Institute, which is a good source of such things, has conducted a survey of consumers in the United States which suggests that consumers are willing to show their displeasure over security breaches by ending relations with companies that have compromised their data:

Data Security Breaches Impact Corporate Bottom Lines:

"...'Companies lose customers when a breach occurs. Of the people we surveyed who received notifications, 19 percent said that they have ended their relationship with the company after they learned that their personal information had been compromised due to security breach. A whopping 40 percent say that they are thinking about terminating their relationship,' said Larry Ponemon, founder and head of the Ponemon Institute.

Even more disconcerting, the survey also reveals that five percent of Americans have hired lawyers upon learning that their personal information may have been compromised.

'Five percent may not seem like much, until you realize that anywhere between 23 million and 50 million Americans have received notification of a data security breach. That means that over one million people out there are likely seeking legal counsel,' said David Bender, co-head of White & Case's privacy practice. 'This should be particularly troubling to companies, especially in light of several putative class-action lawsuits recently filed in California against companies that experienced security breaches.'

Bender added that while it's unclear just how any court might calculate damages for customers whose personal information has been breached, but have not suffered any clear harm, the fact that the plaintiff's bar is taking on such suits means they anticipate that courts may commiserate with customers' frustration over breaches...."

More coverage at Computerworld: Survey: Security breaches could prove costly to data companies.

Monday, September 26, 2005

Effect of privacy/security incidents on stock prices

Kenneth Belva, a New York-based information security officer, has written an interesting review of the effect of privacy and security breaches on the stock prices of the companies involved (How It's Difficult to Ruin A Good Name: An Analysis of Reputational Risk). The purpose of the report is to "begin the conversation", but it does note some interesting trends: the closer privacy and security is to your core business, the greater the impact upon stock prices.

"In the cases were there was a temporary loss or no loss at all [in share price], it appears that the breach was not in an area that effected [sic] the core business. In other words, even though Citigroup and UPS lost 3.9 million customer records, Citigroup was still able to lend money and UPS could continue shipping packages.

I am willing to leave an open hypothesis on the table: The greater the financial impact or potential financial impact from the information security incident, the greater the reputational damage; the less the financial impact or potential financial impact from an information security incident, the less the reputational damage."

I might add something to the conversation (which I am basing only on my gut): consumers are more fickle than companies and companies are more afraid of the bad reputation of associated companies rubbing off on them. A credit card issuer won't get a big hit when one of their service providers loses data, but it is very easy and likely prudent for the credit card company to cut the service provider loose. If a company like CardSystems loses contracts with two of three major credit card issuers, that's the death of the company. The further down the chain you go, the greater the impact of these incidents. It makes sense if you look at the impact of these incidents on potential revenues: the person at a credit car company who recommends service providers has a number of companies to choose from, puts her personal reputation on the line when she recommends a provider and does due diligence on all prospective providers. A provider with a big blemish sticks out and doesn't get chosen. Consumers as a group are less discerning than the handful of people who make business-critical decisions. Simply put, if you are a critical service provider to other businesses, your reputation matters more.

Also, as Belva points out in his report, stock price may not be the only indicator of the hit companies take if they are associated with a privacy/security incident. It is just the most visible measure.

Greg Keizer at Information Week has an article on Belva's report that's worth reading: InformationWeek > Security > Report: Security Slip-Ups Don't Ding Stock Prices For Long > September 23, 2005.

Incident: Back-to-back hacking attacks at California universities

Separate -- and so-far unrelated -- hacking incidents at Cal Poly and Cal State universities in California have apparently disclosed pesonal information of tens of thousands of students. See: The Poly Post - Campus Computer System Infiltrated.

Incident: Sensitive personal information stolen from California non-profit devoted to assisting disabled children

The Mercury News is reporting that personal information related to 5,000 clients and 700 past and present employees was stolen from the Children's Health Council in California. The organization works with emotionally-troubled and developmentally delayed children. The information included names, dates of birth, social security numbers, financial, healthcare and psychiatric information. See: MercuryNews.com | 09/20/2005 | Medical records theft from clinic alarms parents.

Privacy as a pretext

The headline for this should have been "Privacy Law used as a Pretext to Keep Parents from Classrooms":

Privacy Law Keeps Parents Out of Classrooms

"September 26, 2005

INDEPENDENCE, Mo. - Six Independence schools say no more parents in the classroom.

The principals of the schools cite a federal privacy law that limits access to student records.

Principal Jon of Bryant Elementary says he implemented the rule to prevent parents from gossiping about other people's children.

But state lawyers say they interpret the privacy rule to deal only with student records, not parents visiting classrooms.

The superintendent of Independence schools says he agrees with the state, but that the six schools started the ban because of disruptive parents.

The six schools include Bryant, Mill Creek, Randall and Proctor Elementary schools as well as Bridger Middle School and Truman High School."

Incident: Tiscali in UK consumer data security breach

Tiscali, an ISP in the UK, has sent around a notice to its subscribers about a an inadvertent disclosure of some customers' personal information. The company rolled out a new service level and invited users to sign up at a special web page. Loggin in actually provided account information of other users. The company says it was a scripting error. See: Tiscali in UK consumer data security breach | The Register.

Sunday, September 25, 2005

Skype security and privacy concerns

News that Skype has been bought by eBay has caused some concerns among privacy advocates, principally because eBay's policy of providing extensive user information to law enforcement, even without a warrant or subpoena. In his column in Security Focus, Scott Granneman writes:

Skype security and privacy concerns

"...I'm nearly speechless after reading Sullivan's comments. Think about what he's saying: if eBay receives a fax on offical letterhead (not that that would ever be faked, oh no) - just a simple fax, mind you, just a fax, unaccompanied by a court order - it will gladly fork over the following info about you, or any other eBay user:

  • Full name
  • User ID
  • Email address
  • Street address
  • State
  • City
  • ZIP code
  • Phone number
  • Country
  • Company
  • Password
  • Secondary phone number
  • Gender
  • Shipping information (including name, street address, city, state, ZIP)
  • Bidding history on an item
  • Items for sale
  • Feedback left about the user
  • Bidding history
  • Prices paid for items
  • Feedback rating
  • Chat room and bulletin board posts

Understatement of the week: that is one hell of a list! It's long, it's scary, and it's troubling. So what do we have? Software that says it's completely secure, but without a good way to verify that claim, now owned by a company that will basically give up an astonishing amount of personal information about you at the slightest peep from the authorities. This looks and smells bad. It's a questionable act to trust your personal and business phone calls, instant messages, and file transfers to Skype already, but it seems almost the height of foolhardiness to do the same now with a Skype owned by eBay...."

Thanks to Privacy Digest for the link.

Saturday, September 24, 2005

Hoofnagle: Penalties Alone Won't Reduce Identity Theft

Chris Hoofnagle, counsel to the Electronic Privacy Information Center, blogs that police are overwhelmed with complaints about identity theft and are only able to solve a minute fraction of the cases. Increased penalties, which are often espoused by legislators, are not having any effect on the prevalence of this sort of fraud. See: EPIC West: Penalties Alone Won't Reduce Identity Theft.

Friday, September 23, 2005

Cardsystems assets being sold to CyberSource

CyberSource, a California-based electronic transactions company, has announced that it signed a letter of intent to buy the assets of embattled Cardsystems. The sale is supposed to close sometime in the fourth quarter of this year and the likely purchaser is in talks with Visa and Amex to take over the transactions that are slated to be terminated in October due to the high-profile security breach at Cardsystems. See: CyberSource seeks to buy CardSystems.

BC school board incident involved much more info than first reported, but tapes are found

The school board incident that I first reported on earlier this week (The Canadian Privacy Law Blog: Personal information stolen from Vancouver Island school board office) involved much more information than first reported. The backup tapes had payroll info for two other school boards, but the Saanich School Board didn't mention it to the media or police because it apparently wasn't their story to tell.

Stolen data includes banking information from other districts

"...As many as 1,000 employees in Saanich had their bank account information on the stolen tapes and roughly 9,000 students had their grades and contact information backed up as well, leading to concerns about identity theft..."

The affected school board now has an update, saying the safe and tapes have been found:

School District 63 Home Page:

"The safe stolen from the Saanich School Board Office on Monday September 19, 2005 has been recovered, as have the majority of its contents. The safe was found in the ocean in two parts, suggesting that it was opened violently. The contents, including encrypted backup tapes, were strewn along the ocean front, either floating or embedded in kelp, along a 60m stretch of water. The police continue to search for evidence, and appreciate the assistance of the public in providing them with information either through Crimestoppers or by calling 652-4441."

Thanks to Mathew Englander for the updated info.

US Gov't agency to drop screening travelers using commercial databases

According to CNN and the Wall Street Journal, the Transportation Security Agency has dropped its controvertial plan to use commercial databases to screen travelers for the "do not fly list". See: CNN.com - Report: TSA dropping airline data to screen terrorists - Sep 22, 2005.

Credit card companies head to court over disclosure obligation

According to Wired News, both Visa and Mastercard are planning to argue in a Cardsystems-related lawsuit that the card associations do not have an obligation to notify individuals of security and privacy incidents. If there is an obligation, it falls to the member banks who have the immediate relationship with the customers. Interesting question: Wired News: Card Companies Keep Theft Quiet.

ACLU launches online ads against the Partiot Act

I just got an interesting "pop-up" ad from the ACLU that's worth a look-see. I don't recall what site I was reading when it popped up (perhaps the New York Times?), but you can see the flash ad here: ACLU. At the end of the ad, it links to the ACLU's site devoted to the issue: ACLU Freedom Files.

Wednesday, September 21, 2005

Personal information stolen from Vancouver Island school board office

Thanks to Mathew Englander for pointing me to the following press release, from a school board in Saanich, a suburb of Victoria, British Columbia:

Media Release

As a result of a break-in at the Saanich School Board Office on Monday, September 19, 2005, a number of items were stolen including a small safe. Damage was also done to the two buildings affected as the thieves broke into locked and secured areas.

The contents of the safe included back-up computer tapes that contained employee, financial and student information records. All information was saved in a secure manner which would require significant technical expertise and the use of specialized computer equipment and software to access. While the potential for the data to be accessed in a usable format is small, the School District is now taking steps to inform employees and parents of the theft of these backup tapes. Releasing this information sooner had the potential of compromising the police investigation.

Employees will be advised to take precautionary steps to address potential identity theft. Parents will be advised that the backup tapes included student information such as names, addresses, phone numbers, courses and grades.

Superintendent Keven Elder said, “We regret that this incident occurred, and have been assured by the police and our insurance providers that appropriate procedures for safeguarding this information were in place. We are working closely with the Central Saanich Police Department to support the ongoing investigation and retrieve the stolen goods.”

From the carefully worded release, it's apparent that the data was not encrypted. The tapes may require a "specialized" reader and specific backup/restore software, but I don't think this will be of any comfort to a sophisticated person whose information was on the tape.

All together now: "Encrypt your data."

Tuesday, September 20, 2005

New finding from the Privacy Commissioner: Bank employee's actions deemed reprehensible

The Office of the Privacy Commissioner of Canada has recently posted a new summary of a finding related to a number of unauthorized credit checks carried out by an employee of a bank. The credit checks, plus a whole range of sensitive financial information were disclosed by the employee to the complainant's former business partner.

As is always the case, the Commissioner did not name the bank and there is no word on what the bank actually did to address this "reprehensible" conduct by an employee who violated her clear obligations of confidentiality.

Commissioner's Findings - PIPEDA Case Summary #312: Bank employee's actions deemed reprehensible (August 30, 2005):

"... The bank indicated that three credit inquiries that the complainant questioned were conducted as part of the normal procedure for opening accounts with the bank. However, it was determined that eight inquiries made over a two-year time period were performed by, or at the request of, a bank employee. The bank agreed that these inquiries were conducted without the complainant's knowledge or consent, and for non-business purposes. The bank apologized to him, indicated that it had taken appropriate action as a result of the matter, and offered to have the inquiries removed, with his consent, from his credit report...."

MasterCard plans 4 million RFID cards

According to MSNBC, Mastercard is planning to introduce RFID, touchless cards into the market beginning with four million cards in the next year. The coverage I've seen doesn't seem to address any of the security risks presented by this technology nor does it say how far away the readers need to be.

I know that I can get through the RFID locks in my office building by brushing my wallet near the sensor. It can read the proximity card through the leather of the wallet and through the cloth of my jacket. I've seen women hold their purses up to the sensor, which can apparently see through the layers of stuff that accumlate in an average purse. I'd think that a payment card reader would be able to read all the cards in my wallet if the sensor was strategically positioned. Interesting stuff, in any evetn .... See: MasterCard plans 4 million 'pay pass' cards - Tech News & Reviews - MSNBC.com.

Monday, September 19, 2005

New technologies for scanning IDs

For those bar and nightclub owners who are not content with reading the magnetic stripes of patrons' ID cards, a UK company has added to the ID-capturing arsenal with ClubScan. It's a all-in-one scanner, OCR driver and database management system to slice and dice customer information:

idscan

"idscan incorporates the cutting edge of Optical Card Recognition OCR technology. It uses advanced image processing and field identification capabilities to read and process the information on driver licenses, Idcards, passports and other forms of ID.

idscan application has an OCR system that is pre-trained to recognize and interpret a wide variety of font types on ID cards. Including Passports, Provisional UK, European, US, Australian, Middle East and Far East IDS & Driving Licenses.

idscan OCR technology begins reading the text information, the application uses its intelligent processing engine to correctly place the text data into appropriate text fields i.e. ID Number, Name, Address, Issue Date, Expiration Date and Date of Birth.

The combination of accurate OCR with advanced image processing yields a perfect system for scanning and filing driver licenses and ID cards and offers the only OCR system that delivers 99% accuracy. ..."

For those who want to share with other users, Sharescan adds "troublesome" former customers to a worldwide database accessible to other idscan customers. Oddly, there's no mention on the website of how this jibes with the UK Data Protection Act.

Via Engadget: The Clubscan ID scanner for nightclubs.

For a somewhat related blog entry, check out: The Canadian Privacy Law Blog: Calgary student challenges nightclub over scanning ID.

Put this up your skirt or down your blouse to protect against digicams

CNet News is reporting that resarchers at Georgia Institute of Technology have developed a device that will render digital cameras useless by detecting the cameras and directing a beam of light to the lens. The prototype will barely fit under a victorian bustle, but they intend to make it much smaller: Crave privacy? New tech knocks out digital cameras | CNET News.com.

The business of hacking, cracking, etc.

According to Symantec, one of the biggies in anti-virus protection, more and more hackers/crackers are in it for the money. Previous hacking and virus incidents were often driven by a desire for notoriety among the 7337 hacking community. Now, there's big bucks to be had in taking personal information and credit card fraud, so professional weasels are moving in to the scene. What does this mean? Cracking is no longer a hobby done by caffeine-fueled amateurs in the midnight hours, but a livelihood. Make way for the professionals: .

Sunday, September 18, 2005

Researchers say Australian privacy laws hinder research

Like colleagues around the world, Australian medical researchers are attacking privacy laws saying they hinder research. Researchers are looking for more consistency among Australian states and for more circumstances where they can have access to health information without permission. See: The Australian: Privacy laws 'hinder medical research' [September 19, 2005],

Saturday, September 17, 2005

Privacy-enhanced computer display

Photo of glasses decrypting otherwise jumbled computer screenIn my experience, airline flights are often unproductive because I'm very wary of showing confidential client information to everyone who has a chance to oogle my laptop screen. I've seen privacy shields, but the guy who can glance between the seats is probably within its field of view. Now, the clever folks at Mitsubishi Electric Research Labs have come up with a combination of hardware and software that limits what can be read to the wearer of special ferroelectric glasses. I don't pretend to know what that means from a scientific point of view, but it looks promising and the photo from the MERL website makes sense. For more info, check out: MERL � Privacy Enhanced Computer Display.

Push to remove social security numbers from common cards (and elsewhere) and bureaucratic resistance

The Los Angeles Times (via Yahoo! News) has a good article on the ubiquity of the social security number for many federal government programs in the United States. While consumers are told to make sure they don't have their SSNs in their wallets in case they are stolen, federal medicare cards use that number as the identifier and are routinely collected when medical and drug services are used. This, some feel, leave the users of this program more vulnerable to identity theft.

More egregious (and nothing short of criminal), according to Beth Givens, executive director of the Privacy Rights Clearinghouse, is that military personnel use the SSN as their primary identifier and are required to stencil it on their luggage.

While the risk is acknowledged, the costs of retooling systems is coupled with bureaucratic intertia to thwart change.

Read the full article here: U.S. Policy on Medicare Cards Is a Boon for Identity Thieves - Yahoo! News.

Incident: Another mailing label incident

Kaiser Permanente, a large US-based health management organization, is asking its members to destroy the mailing labels used on their latest magazine to its members. An error of some sort meant that the plan member numbers were printed on the labels, perhaps contrary to the US health privacy law, the Health Insurance Portability and Accountability Act (HIPAA). See: Rocky Mountain News: Business.

Since old magazines often end up in laundromats and hospital waiting rooms, an incident such as this probably presents a greater risk than printing such information on envelopes for other kinds of mailings.

Incident: U of Miami students' Social Security Numbers posted online for past three years

A Miami TV station is reporting that personal information, including SSNs, has been posted on the internet for the last three years. It appears that a professor placed a standard grade report on an internet-accessible computer, which was indexed by a search engine and found by a former student who was googling him/herself. See: Students' Social Security Numbers Posted Online - Yahoo! News.

Having one's embarassing English 101 mark put online is probably bad enough, but incidents such as this really highlight why universities should not use social security numbers (or social insurance numbers, in Canada) as student identifiers.

Incident: Japanese tax office loses PCs with info on 470,000 taxpayers

A tax office in Japan has fessed up to losing two PCs that contained sensitive personal information on 470,000 self-employed taxpayers. The office said that the computers need a boot password and that the information is 'coded', "leaving little chance of a data leakage." See: Info on 470,000 at risk after bureau loses PCs : National : DAILY YOMIURI ONLINE (The Daily Yomiuri).

ChoicePoint alleges misuse of its data, alerts affected consumers

ChoicePoint has recently fingered employees of four of its significant customers for likely misusing the company's massive databases. The most significant incident relates to an employee of the Miami Dade police department, who gained access to records of over four thousand individuals. ChoicePoint is holding up its auditing tools for successfully determining the misuse of data by employees of legitimate users and has begun to notify the affected consumers. See: Florida cop misused data, ChoicePoint claims - Consumer Security - MSNBC.com.

Friday, September 16, 2005

Arrest made in Berkeley laptop theft case

Avid readers may recall the theft of a laptop from Berkeley University that contained personal information on 100,000 students, staff, alumni and applicants. (To refresh your memory, check out The Canadian Privacy Law Blog: Incident: Stolen Berkeley Laptop Exposes Data of 100,000). Well, an arrest has been made after the laptop was sold online. Investigators can't tell whether any of the information was nefariously used: Arrest made in Berkeley laptop theft case | The Register.

Teen jailed over Paris Hilton hack

A teenager charged with hacking into Paris Hilton's mobile phone among other things (see The Canadian Privacy Law Blog: Paris Hilton's Sidekick gets hacked), has been sentenced to eleven months in a juvenile facility, along with a prohibition from using the internet for two years following his release. See: Teen jailed over Paris Hilton hack | The Register.

Phishers faxing fake tax forms

The Hawaii Society of CPAs has issued a release to alert Hawaiian residents of an ID theft scam that involves fraudsters posing as the IRS and faxing tax forms to unsuspecting people, requesting that the information be filled out to protect the taxpayer's exemptions. See: Hawaii Society of Certified Public Accountants.

The HSCPA also has a copy of fake letter and form here.

Thursday, September 15, 2005

IBM's new privacy-minded encryption technology

According to Computerworld, IBM has developed a novel technology to allow sharing of data on common individuals without compromising the privacy of those who are not known to the two parties. I may not fully understand the math behind it, but it appears that the technology allows two separate organizations to encrypt databases for sharing with the other. Information that is common to both will be the same when double-encrypted, but information encrypted by one of them will not be readable by the other. So if Person A is known by both Company I and Company II, they can each decrypt and read the info about Person A. But if only one knows Person B, the company that does not know him/her cannot read that data. This is not the holy grail of privacy, but the article outlines some interesting applications: IBM Almaden Research Center's Sovereign Information Integration Privacy-Minded Security - Computerworld.

Dutch database to track residents from cradle to grave

According to Wired News, information related to all Dutch residents maintained by the government will be deposited into a single database, from cradle to grave. To protect privacy, apparently nobody will have access to the whole data record. Hmm. It sounds a bit like a mega-Longitudinal Databank. See: Wired News: Dutch Treat: Personal Database.

Tuesday, September 13, 2005

Smut and personal data left on resold PCs

The Register is reporting that seven out of ten resold PCs and memory cards (in the UK) contain personal information and/or porn, showing that the vast majority of people don't take measures to protect themselves when they get rid of old computers. In carrying out the survey, Disklabs reports finding child porography as well, which they report to authorities: Smut and personal data left on resold PCs | The Register.

Monday, September 12, 2005

Proposed Ontario law about adoption records raises important privacy issues

Today's Globe & Mail is reporting on a debate that has been simmering for some time in Ontario. The province's legislature is debating Bill 183, the Adoption Information Disclosure Act, 2005, which turns the existing system on its head by presuming disclosure of adoption records at the request of either the adoptee or the birth parent. The current regime requires both parties to register with the government if they want to be contacted or to receive informaiton on the other party. The proposed law requires a "do not contact" notice if the individual does not want their information handed over. Ontario's Information and Privacy Commissioner has come out strongly against the proposed change. Years ago mothers gave children up for adoption on an implied promise that they could do so without the risk of the information being provided later. Now, that promise is threatened. See The Globe and Mail: Adoption changes would open door to the past.

Canada's Do-Not-Hesitate-To-Call List

Michael Geist's latest LawBytes column is devoted to Canada's proposed "Do Not Call" legislation. Or, the "Do Not Hesitate To Call" law, as he calls it. The law has been, in his words, gutted by the parliamentary committee to the point that it is no longer recognizable. There are a number of exceptions for charities, pollsters, politicians and those with a pre-existing business relationship. Micheal does not take kindly to the committee, which he says excluded consumer groups from their hearings. Check out the column on Michael's site here: Michael Geist - Canada's Do-Not-Hesitate-To-Call List.

Sunday, September 11, 2005

Fraud Reveals Workings of Internet Theft

ABC News.com is running an interesting and lengthy story about the inner workings of a phishing fraud and how it was traced to Quebec. Check it out: ABC News: Fraud Reveals Workings of Internet Theft.

Saturday, September 10, 2005

US Panel agrees that government needs new rules and guidelines for use of private data resources

The US Department of Homeland Security convened a two-day workshop on privacy, which wrapped up yesterday. Among the outcomes was an apparent consensus among panelists that new rules and guidelines are required for US government use of personal information, particularly the government's use of private sector information providers like ChoicePoint and Acxiom. See: Panel: New rules, tech needed for data privacy | CNET News.com.

More from Government Computer News:

Task force: IT systems' design should incorporate privacy safeguards:

"By Alice Lipowicz

Contributing Staff Writer

New IT tools such as data mining ought to be used for homeland security only if their intrusiveness on privacy and infringement of due process rights can be adequately addressed in advance, according to a new report from a task force sponsored by the New America Foundation, a Washington-based think tank.

The task force of academics examined technologies including data mining, link analysis, data integration and biometrics, and recommended that they be deployed in efforts to counteract terrorism “if and only if” privacy protections are in place. It also suggested principles to follow to ensure the protections...."

European telcos come out against proposed retention law

European telecommunications companies are coming out strongly against the proposed data retention rules that would require telcos to collect and retain information about users of telecommunications services throughout the continent. The proposal, if implmented, would cost millions of pounds/euros, they say and would violate European data protection laws. See: Belfast Telegraph: Storing mobile records 'would cost millions'.

ChoicePoint unit to help in Katrina recovery efforts

ChoicePoint's press coverage has been uniformly negative, but it appears that the company and a subsidiary will be called upon to help in a number of ways in the wake of Hurricane Katrina. A subsidiary, Bode Technologies, will be assisting in the DNA analysis to identify victims, while ChoicePoint's databases will be used by evacuees who don't have identitication documents to prove who they are. See: ChoicePoint unit to help identify dead.

Reporting data loss debatable

David Canton's regular column in the London Free Press is about wheter companies should be required to notify affected individuals about data breaches. See London Free Press: Business Section - Reporting data loss debatable.

Friday, September 09, 2005

The internet changes petitions

A petition to have the definition of marriage in Massachusetts restricted to one man and one woman has garnered further debate in that state. Now, an organization called Know Your Neighbour.Org, Inc. has put the names and addresses of all the signers of the petitioners online to encourage discourse among neighbours.

KnowThyNeighbor.org - Protect marriage for ALL families in MA!:

"KnowThyNeighbor.org is a grassroots, non-profit organization dedicated to removing barriers to public information by making it available online. If it's public information, it should be simple for a member of the public to access it!

Initiative Petition # 05-02, The Constitutional Amendment to Define Marriage, represents a public political effort that could negatively affect the lives of many families, individuals, and children within the Commonwealth. By posting the names and addresses of the 65,825+ signers, KnowThyNeighbor.org is supporting the Democratic Process by providing the public with direct access to information that they are entitled to see and that is relevant to this controversial topic."

Information such as this has always been accessible, but not so readily. Putting it online may make some think twice before they sign political petitions.

Don't show your new Master Card to the guy with the camera

Hurricane Katrina evacuee Latesha Vinnett holds a debit card from the Red Cross with her daughter Mychal Boykins outside the Reliant Center in Houston, Texas.(AFP/Stan Honda)Relief authorities in the southern United States have decided to distribute some individual financial relief in the form of special Master Card debit-type cards. While the program has had its problems, there really isn't much of a privacy angle other than the fact that I was very surprised to trip over the picture on the right. Note to self: when a news photographer asks me for a picture of me and my new credit card, say no thanks. I wouldn't be too surprised to see that account drained before she gets to the store. See: Hurricanes & Tropical Storms on Yahoo! News Photos.

New Jersey bank sued in connection with information breach by bank employees

A New Jersey resident, Charles W. Pornovets, has filed a class-action lawsuit against the Commerce Bank, alleging that five employees of the bank sold customer information to collection agencies and third parties. The suit alleges that the bank did nothing to help the affected individuals and seeks damages for negligence, invasion of privacy, failure to protect customer confidentiality, violation of the New Jersey Consumer Fraud Act, and breach of contract. See: CourierPostOnline - South Jersey's Web Site.

In fairness, I note it does not appear that a defence has been filed or that the bank has had a full opportunity to comment on the suit.

Thursday, September 08, 2005

Free VoIP service harvests your contacts

A new VoIP service called adcalls allows users to make free calls over the internet. It appears to be supported by advertising, but Engadget points out that the end user license agreement suggests that the company will harvest the numbers you call in order to market to them.

From the adcalls "Privacy Policy":

"AdCalls Inc/AdCalls.com Inc. (hereinafter referred to as "AdCalls") acknowledges the importance of protecting the privacy of personal information provided by our users, and is deeply committed to privacy protection. ...

Third Party Information. If you originate a telephone call or send an email message to a third party, you give us the third party's contact information, such as email address. We complete the call and retain that person's information to contact them later to solicit them to join our AdCalls service or for other purposes. AdCalls has a program where we solicit the names and addresses of people who may be interested in our services. We use the information received under that program to send potential users email invitations to join our service....

All I can say is read the fine print (and only use it to call people you don't like).

See: Get free VoIP calling from AdCalls, lose all your friends - Engadget - www.engadget.com

Information Commissioner opposes proposed merger with Privacy Commissioner

John Reid, the current and departing Information Commissioner has come out against the proposed merger of his office with that of the Privacy Commissioner. See: Information watchdog opposes proposed merger with privacy czar - Yahoo! News.

Wednesday, September 07, 2005

More on disclosures of sensitive personal information at the US Patent Office

About a week ago, I blogged about how personal information filed with the US Patent Office is routinely released (See: The Canadian Privacy Law Blog: Patent petitions reveal inventors' data). Today, PHOSITA is pointing to a more extensive article on the subject: PHOSITA : U.S. Patent Office Discloses Confidential Data.

Privacy International demands Yahoo boycott

I just read on Yahoo! News that Privacy International is calling for a boycott of ... Yahoo!

PI and others are upset that Yahoo's Hong Kong subsidiary gave the Chinese government information about a journalist's e-mail activities that resulted in the jailing of the journalist. If you aren't yet boycotting Yahoo!, read the story here: Privacy International demands Yahoo boycott - Yahoo! UK & Ireland News. If you'd rather an alternative source, read here: Privacy International demands Yahoo boycott - ZDNet UK News.

Indian call center worker arrested for stealing customer information

CNet News.com is reporting that an arrest has been made in India of a call centre employee who is alleged to have be caught in the act of copying customer data onto a CD. Another black eye for the Indian outsourcing industry: Indian call center worker arrested | CNET News.com.

Group Files FOIA Request for Gov. Docs on Katrina Responses

Sabrina I. Pacifici's excellent blog beSpacific is reporting that Citizens for Responsibility and Ethics in Washington has filed Freedom of Information Act requests to the Department of Homeland Security, the Federal Emergency Management Agency and the Department of State for records related to hurricane Katrina and emergency preparedness. (beSpacific: Group Files FOIA Request for Gov. Docs on Katrina Responses).

Part of my practice includes advising public bodies on freedom of information requests and I understand the significant consumption of resources that requests -- particularly broad ones -- involve. All I can think is that the resources of these departments would be better served dealing with Katrina at this time, not tracking down and collating documents that are currently being generated. The records aren't going anywhere and there will be ample opportunity to get them when the crisis has subsided.

SOX and privacy laws collide

Thanks to Rob Hyndman for pointing me to an interesting blog posting at Ideoblog about difficulties that some US companies are encountering in reconciling Sarbanes Oxley and privacy laws. SOX requires anonymous and confidential whistleblower mechanisms, while European privacy laws may not be compatible, depending upon the national implementation and interpretation of the European privacy directive. See Ideoblog: Another fine mess Sarbox has gotten us into.

Comments on California's on-again-off-again RFID Bill

The comments sections on this blog are usually pretty quiet, but I've gotten some interesting comments related to California's RFID bill (SB 768), including some made by Paul Nicholas Boylan who was involved with the well publicised "RFID in schools" story. Check them out:

University of Texas system phases out social security numbers as student identifiers

The University of Texas is joining the majority of other post-secondary institutions by phasing out the use of SSNs as student numbers. The process will take place over the next year and the university is also implementing a policy that will require officials to advise students, when an SSN is asked for in the future, whether it is mandatory or voluntary. I'd suggest that if it is not mandatory, they shouldn't collect it. See: The Shorthorn Online | News | ID numbers to be changed.

Just so you know: Pager message are not super secret

New York Newsday is reporting that there is great surprise that the New York Police were able to subpoena pager messages in connection with a money laundering and drugs investigation: New York City - Crime.

Why is this a surprise? I'm not a New York lawyer or particularly knowledgeable about the US Bill of Rights, but it seems clear that (i) if it exists, (ii) is relevant and (iii) is not privileged, it can be compelled. Period. This applies to surveillance tapes, computer logs, computer hard-drives, Blackberry PIN messages, diaries, e-mail, blog entries, paintings and (this is untested) engraved stone tablets.

If there is any surprise, it should be that the paging company hangs onto data long enough that it can hand 150,000 messages to the police when they show up with a warrant.

Blue Cross upsets plan members by printing social security numbers on envelopes

Blue Cross and Blue Shield of Florida has upset a number of plan members by accidentally printing social security numbers on the outside of envelopes sent out in the last couple of weeks.

From the reports, this shouldn't have happened. Sure, mistakes happen but the company had phased out using SSNs for its plan members ... except for this one group of policy holders. Why they didn't include this group is not clear in the article.

I have to applaud the company, however, for they way it has responded to the incident. The spokesperson acknowledges that it has upset people and that it should not have happened. He also invites affected members to contact the company so they can see what can be done to "make it right":

RedNova News - Health - Blue Cross Faux Pas Ticks Off Clients

"Two years ago, Blue Cross voluntarily began to do away with Social Security-based policynumbers. The old IDs, however, were not updated for one group of customers. In addition, the policynumber field that should have been omitted from the label was still present, said Randy Kammer, the company's vice president of regulatory affairs and public policy.

"We made an error and we apologize," Kammer said Wednesday. "If people feel like they're damaged, they should come to us and tell us what they feel the nature of the damage was and see what we can do to make it right."

"But I don't think there is any damage."

But just in case, the insurer said it will pay affected policyholders any expenses involved in monitoring of their credit reports.

Kammer refers to the error as case of "no harm, no foul," because all the affected letters were believed to have reached their recipients, since none were returned.

"There shouldn't be any identity theft unless you've got rogue postal carriers out there copying down numbers," she said."

Tuesday, September 06, 2005

Manitoba ombudsman chastises school for hidden cameras

Manitoba's ombudsman has concluded that a high-school administration violated the province's Freedom of Information and Protection of Privacy Act by installing covert video surveillance cameras, including one hidden as a smoke detector. Two of the cameras were hidden in teachers' offices. From The Brandon Sun: Online Edition via Privacy.org.

Incident: Iowa Student Loan CD With Personal Information Disappears

A CD containing names, social security numbers and other personal information of 165,000 Iowa student loan recipients has gone misssing while being couriered: TheIowaChannel.com - News - Student Loan CD With Personal Information Disappears.

Monday, September 05, 2005

UK Labour admits ID card 'oversell'

Privacy advocates in the United Kingdom have had their knickers in a twist over a government proposal for a biometric national ID card. It has been sold as a solution to identity theft, terrorism and other ailments of modern society. Now, a British parliamentarian has suggested that the Labour Party has, perhaps, "oversold" the benefits of the National ID but they are still detrmined to go ahead with the plan. See BBC NEWS | Politics | Labour admits ID card 'oversell'. The BBC also has an interesting "fact page" on the ID proposal: BBC - Action Network - - A2319176 - ID cards: an Action Network briefing.

Tasmanian public sector privacy law goes into effect today

Tasmanian readers take note: The Personal Information Protection Act of 2004 comes into effect today, regulating how the public sector handles personal information: Personal Information Protection - Judy Jackson, MHA - Tasmanian Government Media Releases.

Privacy compliant merchandise return policies

David Canton's weekly column in the London Free Press is devoted to implementing privacy-respectful merchandise return policies, following a recent decision from the Alberta Information and Privacy Commissioner that faulted two retailers. See: Return policies changed.

Spyware creator indicted on US privacy charges

The creator of a program designed to allow "jealous lovers" to eavesdrop on computers has been indicted under US federal privacy laws, according to the Associated Press (via Yahoo! News): Jealous Lover Program Creator Is Indicted.

Embattled Cardsystems submits audit report to credit card companies

On Thursday, the embattled CardSystems submitted an audit of its practices to Visa, Mastercard and American Express in hopes of ensuring the survival of the company. According to the Arizona Daily Star, Visa has been pursuaded by an Arizona congressman to reconsider its decision to cut ties with Cardsystems: CardSystems hopes audit will help.

For previous postings about CardSystems, click here.

Technological measures to remove sensitive information from public records

The Wisconsin State Journal is reporting that Florida has contracted with Exact Systems of Wisconsin to implement an automated system to redact sensitive information from public records. The system reviews documents for social security numbers, bank account numbers and the like and blacks it out. See Company offers shield from identity theft.

I just hope they use a different technique than the one discussed in this previous post: The Canadian Privacy Law Blog: Security problems with hidden data in Acrobat PDF files.

Reliance on new technology may increase identity theft

Dr. Emily Finch, a British criminologist, recently suggested that an over-reliance on technical measures such as id cards and smart credit cards may not alleviate problems with fraud. Criminals are tenacious and will find ways around the technology, while consumers may become lax in thinking that their information is better protected. From South Africa's Independent Online: New technology may increase identity theft.

Sunday, September 04, 2005

Research study at Indiana University suspended following privacy breach

A research study about smoking at Indiana University has been suspended by the university's Institutional Review Board (the US equivalent of a Research Ethics Board) after information related to study participants was released to someone trying to track down former students in connection with organizing a class reunion. The research project, funded by the National Institutes of Health was one of the largest longitudinal studies into smoking and attitudes towards smoking in the US. See TheIndyChannel.com - News - Smoking Study Suspended Because Of Privacy Concerns. Also, Washington Post: University Suspends 25-Year Smoking Study.

Finding on implied consent to video surveillance in litigation

The Office of the Privacy Commissioner has published a summary on its website of the finding I referred to in my previous post about video surveillance and personal injury litigation (see The Canadian Privacy Law Blog: Assistant Privacy Commissioner concludes that initiating a lawsuit is implied consent to video surveillance). You can view the summary here: Commissioner's Findings - PIPEDA Case Summary #311: A woman's activities recorded and videotaped by a private investigator hired by an insurance company (August 9, 2005).

We advised the insurance company in this case.

The summary also addresses the complaint brought by the plaintiff against the private investigator, but the Assistant Commissioner unfortunately does not deal with the status of the insurer or the private investigator as an agent for the defendant in the underlying personal injury lawsuit. Though we raised the argument in the submissions to the Commissioner, we'll unfortunately have to wait until another case arises to have greater certainty on that issue.

As an aside, the insurance company in this case has decided not to seek judicial review of the decision of the Assistant Commissioner to assume jurisdiction. It was argued that PIPEDA did not apply in the circumstances because there is no commercial relationship between the plaintiff and the defendant in the personal injury lawsuit, and the insurer and PI were merely agents of the defendant.

From the published summary:

Commissioner's Findings - PIPEDA Case Summary #311: A woman's activities recorded and videotaped by a private investigator hired by an insurance company (August 9, 2005):

"Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.

The Assistant Privacy Commissioner reviewed the circumstances surrounding the insurance company's decision to conduct surveillance, including video surveillance on the woman. She agreed that when an individual initiates a lawsuit there is an implied consent that the other party to the suit may collect information required to defend itself against the damages being sought by the individual who filed the suit. When the woman initiated her lawsuit against the insurance company's client and when her testimony and medical reports revealed discrepancies and were inconsistent with the injuries claimed, the Assistant Privacy Commissioner concluded that she gave her implied consent to the collection of her personal information.

That being said, the Assistant Privacy Commissioner emphasized that implied consent is not without limitations. Implied consent does not authorize unlimited or uncontrolled access to an individual's personal information, but only to the extent it is relevant to the merits of the case and the conduct of the defense. In this case, the Assistant Privacy Commissioner noted that the collection of the woman's personal information was limited to what was necessary for the insurance company to defend itself against her Court action."

Two US airlines install surveillance cameras for pilots to view aircraft cabins

According to the Washington Times (via Privacy.org), JetBlue and Sun Country airlines in the United States have used post-9/11 FAA grants to install surveillance cameras in the cabins of all of its aircraft. The purpose, according to the airlines, is to give pilots a view of the aircraft cabin so a decision about emergency landing can be made in the event of a hijack. The author of the Washington Times article was not able to get a comment from the airlines directly, so is it unclear what policies and procedures are in place to deal with the privacy issues raised by the cameras. See: JetBlue, Sun Country install cameras for pilots - Nation/Politics - The Washington Times, America's Newspaper.

Arkansas criminal records clerk fired for checking boyfriend's file

The Associated Press (via Yahoo! News) is reporting that a clerk in the Arkansas Crime Information Centre has been fired, put on probation and fined for looking up her boyfriend in state and federal criminal records databases. The incident was discovered by the FBI. See Clerk Fired for Checking Beau's Background - Yahoo! News.

Thursday, September 01, 2005

ChoicePoint says it's securing public's data better

In an interview with Cox News Service, ChoicePoint's Chief Privacy Officer, Carol DiBattiste, says that the company has made great strides in securing the information that it holds but can't guarantee that everything's perfect: Macon Telegraph | 09/01/2005 | ChoicePoint says it's securing public's data better.