Wednesday, November 30, 2005

NJ to Enjoy Strong Identity Theft Protections

Chris Hoofnagle at EPIC West reports on new anti-ID theft legislation in New Jersey that is said to be among the strongest in the US: EPIC West: Electronic Privacy Information Center West Coast Office: NJ to Enjoy Strong Identity Theft Protections.

His post also links to a convenient table of US credit freeze and security notification legislation maintained by US PIRG: State Breach and Freeze Laws.

Tuesday, November 29, 2005

Hawai'i puts anti-ID theft law on the books

According to Identity Theft Spy, Hawai'i has joined the growing list of states with laws designed to prevent identity theft and to require notification of consumers for certain security breaches: Identity Theft Spy: Hawaii implements anti-identity theft laws.

Michael Geist: Canada's Privacy Wake-Up Call

Michael Geist, in his regular Toronto Star column, is calling for immediate reforms to Canada's privacy laws to deal with the problem of cross-border issues and to give the Commissioner more substantial powers: Michael Geist - Canada's Privacy Wake-Up Call.

Monday, November 28, 2005

Canadian polling on ID theft

The Canadian Press is reporting on a handful of statistics related to identity theft in Canada, compiled by PhoneBusters:

IDiots? Bank warns against identity theft miscues:

TORONTO (CP) - More than 9,000 people in Canada have had their identities stolen this year, and a new poll indicates 77 per cent of Canadians worry about identity theft but only 10 per cent feel they know what to do about it.

Identity theft occurs when criminals steal and use personal information, such as a social insurance number and date of birth, to assume a person's identity and make purchases or open credit card accounts and other debt lines in the assumed name.

According to PhoneBusters, the central agency that collects information on identity theft in Canada, there were 9,034 victims of identity theft reported in the first 10 months of this year, with losses totalling $7.2 million.

The early-November poll for the Canadian subsidiary of U.S.-based Capital One Financial Corp. found 45 per cent of the 2,002 adults surveyed do not monitor their credit reports on a regular basis for errors or suspicious items.

The Ipsos Reid survey, which claims a margin of error of 2.2 percentage points, 'reveals that consumers should be more cognizant of some simple practices that could help protect against identity theft,' says Capital One Bank....

Shred-a-thon in North Carolina

From News 14 Charlotte:

News 14 Carolina | 24 Hour Local News | TOP STORIES | New law to require document shredding:

"RALEIGH, N.C. - North Carolina celebrated a new law going into effect this week that will require companies to shred people's personal documents in an effort to curb the increasingly costly problem of identity theft...."

Teed Up for '06: Data Breaches, Spyware

eWeek is chronicling the twists and turns of various privacy laws through the Senate and Congress in the US: Teed Up for '06: Data Breaches, Spyware.

US access to data a concern

David Canton's regular column in the London Free Press is on cross-border privacy issues. Check it out: eLegal Canton: November 2005 Archives.

NYTimes editorial on Google and privacy

Google has been the target of a number of privacy critics, most likely because of the huge amount of information it is privy to and the lack of transparency about how much of it is kept in a personally identifiable state and for how long. An editorial in today's New York Times calls for a "privacy upgrade" at Google.

Here's a snippet:

What Google Should Roll Out Next: A Privacy Upgrade - New York Times:

The biggest area where Google's principles are likely to conflict is privacy. Google has been aggressive about collecting information about its users' activities online. It stores their search data, possibly forever, and puts "cookies" on their computers that make it possible to track those searches in a personally identifiable way - cookies that do not expire until 2038. Its e-mail system, Gmail, scans the content of e-mail messages so relevant ads can be posted. Google's written privacy policy reserves the right to pool what it learns about users from their searches with what it learns from their e-mail messages, though Google says it won't do so. It also warns that users' personal information may be processed on computers located in other countries.

The government can gain access to Google's data storehouse simply by presenting a valid warrant or subpoena. Under the Patriot Act, Google may not be able to tell users when it hands over their searches or e-mail messages. If the federal government announced plans to directly collect the sort of data Google does, there would be an uproar - in fact there was in 2003, when the Pentagon announced its Total Information Awareness program, which was quickly shut down.

In the early days of the Internet, privacy advocates argued that data should be collected on individuals only if they affirmatively agreed. But businesses like Google have largely succeeded in reversing the presumption. There is a privacy policy on the site, but many people don't read privacy policies. It is hard to believe most Google users know they have a cookie that expires in 2038, or have thought much about the government's ability to read their search history and stored e-mail messages without them knowing it.

Google says it needs the data it keeps to improve its technology, but it is doubtful it needs so much personally identifiable information. Of course, this sort of data is enormously valuable for marketing. The whole idea of "Don't be evil," though, is resisting lucrative business opportunities when they are wrong. Google should develop an overarching privacy theory that is as bold as its mission to make the world's information accessible - one that can become a model for the online world. Google is not necessarily worse than other Internet companies when it comes to privacy. But it should be doing better.

Sunday, November 27, 2005

Germany considers unlocking toll road data for police purposes

Andreas Busch at Politics of Privacy Blog reports that pressure is building up to allow police access to databases that are the foundation of Germany's automated highway tolling system. See: Politics of Privacy Blog: Mission creep par excellence? Germany considers using road toll data for police purposes.

To prove how much we respect your privacy, we'll spam you using your personal information leaked from a competitor

Techdirt often discusses interesting privacy stories. This one is pure gold:

Techdirt: We're Spamming You To Tell You How Much We Respect Your Privacy:
Contributed by Mike on Wednesday, October 26th, 2005 @ 11:22AM from the who-comes-out-looking-worse? dept.

Yesterday there was the story of a startup that sent a marketing message that revealed all the email addresses of people on their list. While the company blamed it on a 'technical error' rather than the very human error that it was, they also insisted that the addresses were 'secure' despite not being able to really promise that. As if to drive that fact home, a competitor has now spammed the entire list, childishly claiming that they would do a better job 'respecting your privacy.' Of course, as The Register points out, if that were true, they wouldn't have gone out and spammed that whole list, would they? In this case, both firms come out looking bad. The first one for not admitting how badly they screwed up, and the second one for exploiting the situation.

The original post at Techdirt has links to the original news stories.

Another great privacy cartoon

Chris Slane has some absolutely brilliant cartoons related to privacy. I just happened upon this one that is worth checking out.

US Military seeking new domestic surveillance powers

According to the Washington Post, the maze of intelligence agencies operating within the United States may be expanding. A proposal advanced by the White House would give the little-known Counterintelligence Field Activity (CIFA) additional powers to investigate treason, sabotage and economic espionage. The Pentagon is simultaneously pushing an intelligence exception to the US Privacy Act. Both initiatives would see an increased ability for the military to gather intelligence about US citizens domestically. See: Pentagon Expanding Its Domestic Surveillance Activity.

Canadian Do-Not-Call Legislation Receives Royal Assent

Michael Geist reports that the new Do-Not-Call legislation (Bill C-37) quickly passed through the Senate last week and was given Royal Assent on Friday at 4:57 PM. It will come into force on the date set by the Governor in Council. See: Michael Geist - Canadian Do-Not-Call Legislation Receives Royal Assent.

Saturday, November 26, 2005

Incident: Hacker hits Troy Group's eCheck Secure service, affects customers of Scottrade online brokerage

Thanks to Brian Krebs on Computer and Internet Security for pointing me to this story ...

One of the largest online brokerage houses in the United States has started informing a large group of its customers that a hacker has obtained access to information on customers of Troy Group's eCheck Secure service, which is used by a number of Scottrade's customers to settle their accounts. Scottrade is the fifth or sixth largest such service provider in the US. Customers received the following letter:


November 11, 2005

Re: Alert for users of the eCheck Secure™ Service

Dear Customer:

We are contacting you to inform you that Scottrade has experienced a data security issue with the eCheck Secure™ service. Our records indicate that you have used eCheck Secure™ for the purpose of electronically moving funds from your bank to Scottrade. We will detail what we know about the situation and also what steps you should consider taking to safeguard your information.

On October 25, 2005, Troy Group Inc., the provider of the eCheck Secure™ service and other services to the financial services industry, reported to us that a computer hacker had compromised its eCheck Secure™ servers. As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised. If you used your Social Security number as your driver's license or state ID number, your Social Security number may have been compromised as well. We do not know whether the hacker has actually accessed and/or used any of your personal information. However, Troy has notified us that it has blocked further unauthorized access to the information. The eCheck Secure™ service cannot be used to withdraw funds from your Scottrade account. Troy has filed a report with the FBI and is investigating in conjunction with a forensic analysis firm that it has retained. Scottrade has also contacted the FBI on this matter, and has a dedicated team to work on this issue and assist our customers who may have been affected.

We suggest taking the following steps for all your accounts that have eCheck Secure™ activated.

  1. Contact your local Scottrade branch office for additional information or to change your Scottrade account number. If it is not possible or convenient for you to contact your local Scottrade branch office, then you can reach our Service Center at 866-476-6500. Our Service Center is open Monday - Friday, 7 a.m. to 11 p.m. EST. Although this is not a situation where Scottrade's network was breached, you may, nevertheless, want to consider changing your Scottrade account number for additional protection.
  2. Remember to review your Scottrade account activity regularly and statement promptly. Report any suspicious activity to us.
  3. Although this was not an Internet security issue, you may want to change your Scottrade account access password periodically (a secure password that is easy for you to remember, but difficult for others to guess) by using our online change password process.
  4. Since your bank information could have been accessed, contact your bank immediately so it is aware of the situation and can monitor for unusual activity in your bank account.
  5. Review your bank activity and statements promptly to detect and prevent fraud. Look for transactions with strange payees or amounts you do not recognize. The more frequently you review your activity and statements, the easier it will be to detect suspicious transactions.
  6. If you use your Social Security number for your driver's license or state ID card, we strongly urge you to change your account number and place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. For more information on placing a fraud alert on your credit file, please see, a website that we have dedicated to this issue.

We are extremely sorry about this matter and will strive to rectify the situation to the best of our abilities. If you have any questions or concerns, please contact us, so we may be of assistance.


Ellis Hough
Risk Management

I haven't heard of any other eCheck customers being notified.

Privacy laws block help path to teens

Today's London Free Press has an article on the obstacle faced by parents of alienated teens who are trying to get information about their kids but are thwarted by privacy laws. See: London Free Press - City & Region - Privacy laws block help path to teens.

Dutch Court Orders Lycos To Reveal Client's Identity

A Dutch high court has held that Lycos wrongly withheld the identity of one of its users who allegedly anonymously posted a defamatory message about an internet-based stamp dealer. According to the article on Yahoo! News, this is the first time that such an order has been made by a Dutch court in connection with a civil matter, which probably has repercussions for future suits related to alleged copyright violations. See: Dutch Court Orders Lycos To Reveal Client's Identity - Yahoo! News.

Study of information practices of US companies

eCommerce Times is reporting on a study carried out by a Boston-based research firm on the personal information management practices of US companies. The results are not chock full of high scores, but they do suggest that companies are slowly changing how they handle customer information: E-Commerce News: Best of ECT News: What Is Happening to Your Personal Data?.

Army's proposed database of sexual assault victims comes under fire from privacy advocates

The United States Army, in an attempt to deal with the problem of sexual assaults within its ranks, is proposing to develop a database to track all sexual assaults and victims. Privacy advocates are concerned about the risks associated with this database and the chilling effect it may have on victims coming forward. See:

Some Oppose Army's Sexual Assault Database - Yahoo! News:

...The planned Army system would include the victim's name, Social Security number, date of birth, other demographic information, military service data, assault investigation and police reports, medical and other support records, and any actions taken against offenders...

Just imagine what would happen if this database on a laptop or a USB thumb drive gets "lost" ...

Denver woman charged for not showing ID to security guard on bus

Via Boing Boing, a woman in Denver has been charged and will be arraigned early next month for refusing to show ID to a security guard on a public bus. I can't imagine what security purpose something like this is supposed to serve. For more, check out Deborah Davis.

Friday, November 25, 2005

BC Legislature Committee recommends re-appointment of David Loukidelis as Information and Privacy Commissioner

A special committee of the BC Legislature has unanimously recommended that David Loukidelis be re-appointed as Information and Privacy Commissioner of BC. The committee's report is here:

Special thanks to Cappone D'Angelo of McCarthy Tétrault LLP for the heads-up.

Thursday, November 24, 2005

Privacy Battle Could Halt European Flights to U.S.

Further to my posting of Tuesday, The Canadian Privacy Law Blog: EU Advocate General says European-US passenger data sharing agreement violates European law, there is speculation that a ban on cross-Atlantic data sharing may result in European airlines being prevented from flying to the US: RedOrbit - Technology - Privacy Battle Could Halt European Flights to U.S.. I doubt it'll come to that, but ...

Entertainment industry accused of 'trying to hijack data retention directive'

Many people are willing to sacrifice some privacy to gain increased security. In this "age of terrorism", initiatives such as the European Data Retention Directive and the Canadian Lawful Access proposals seem more palatable when we are told they are essential to protecting against serious crimes such as terrorism. The European Data Protection Directive has consistently been "sold" as being limited to protecting the continent against terrorism. Now, representatives of the entertainment industry are requesting that the retained information be available for investigations of copyright and other IP violations. Critics are saying that the entertainment industry is trying to hijack the directive. See: Entertainment industry 'trying to hijack data retention directive' - ZDNet UK News.

Also, check out the discussion on Slashdot: Slashdot | Music Industry 'trying to hijack EU data laws'.

Update (20051127) from Schneier on Security: European Terrorism Law and Music Downloaders:

"Our society definitely needs a serious conversation about the fundamental freedoms we are sacrificing in a misguided attempt to keep us safe from terrorism. It feels both surreal and sickening to have to defend our fundamental freedoms against those who want to stop people from sharing music. How is it possible that we can contemplate so much damage to our society simply to protect the business model of a handful of companies."

Alberta bar to continue scanning IDs despite Commissioner's advice not to

The saga related to the scanning of IDs in Alberta bars continues. The Gauntlet, a University of Calgary student publication, reports that the bar in question is planning to ignore the Information and Privacy Commissioner's recommendation by continuing to use the Secureclub system. The investigation by the IPC will likely continue and may culminate with an order under the Personal Information Protection Act of Alberta in the new year. In the meantime, the university pub is going ahead with using the technology. See Gauntlet News - Private info or no beer.

For some background on this complaint and the issue generally:

No blame in case of info leaked to US prisoner

I blogged some time ago about a case in which the personal information of an Edmonton lawyer was found in the cell of a prisoner in the US (The Canadian Privacy Law Blog: Authorities give US prisoner detailed personal information on Albertans and The Canadian Privacy Law Blog: The Commissioner is on the case of leaked lawyer's personal information). The case is apparently now closed and the federal Privacy Commissioner has cleared both the RCMP and the Canada Revenue Agency of wrongdoing. See: - World - Dead end in leaked info case.

Wednesday, November 23, 2005

Leger Marketing poll on ID theft and perceptions in Canada

The Ottawa Business Journal is reporting on a survey by Leger Marketing on perceptions of identity theft and threats to personal information:

Ottawa Business Journal:

... An overwhelming majority of Canadians are concerned about the privacy of information stored in online databases, and more than half of companies admit their data is at risk

A Leger Marketing poll found 83 per cent of Canadians are concerned about the privacy of their personal data, and 55 per cent of companies say their confidential and private data is at risk of an attack. According to the poll, 58 per cent of consumers say they would immediately terminate their relationship with a company that compromised their personal information....

Interesting privacy protest: Irate client gives Visa pennies for his thoughts on cross-border data processing

Dan Rogers is a retiree in Kingston, Ontario. He isn't too thrilled that the bank that issues his Visa card sends his data to the United States for processing. He has complained to them, but to no avail. So what does he do? He pays his bill online, one penny at a time. I don't really see the connection between the two, but he is rather pleased with it and Visa is not impressed. Apparently his latest statement was almost an inch thick and Visa had to process many of the payments by hand.

The Globe and Mail: Irate client gives Visa pennies for his thoughts

"It's difficult for the average citizen to get large corporations to listen," explained Mr. Rogers, who nevertheless managed to get a one-on-one conversation with the bank's chief executive officer this year, and has had a dialogue with its privacy officer.

"Us retired guys are the most dangerous, because we have time on our hands. You have to look for the weaknesses in their system, and I think I found it."

I *still* know who you called last month

With the renewed interest in companies that sell others' cell phone and other records, the Red Tape Chronicles at MSNBC takes another look at the issue. Bob Sullivan discusses the issue and talks about steps that Verizon in particular is taking to protect customer information: I *still* know who you called last month - The Red Tape Chronicles -

Tuesday, November 22, 2005

New findings from the Privacy Commissioner of Canada

The Privacy Commissioner of Canada has today issued two new findings under PIPEDA, has clarified one that caused confusion, and noted a "settled" case. More on each of them shortly.

EU Advocate General says European-US passenger data sharing agreement violates European law

The top legal advisor to the European Court of Justice has determined that the agreement between the European Union and the United States to allow for sharing of air passenger information is illegal under European law and must be annulled. See: RTE News - Overturn data sharing law, says EU law officer.

Thanks to Boing Boing for the link.

Incident: Missing laptop affects 500 Safeway employees

From the Santa Cruz Sentinel:

Safeway discloses possible security compromise - By Gwen Mickelson - Sentinel staff writer - November 22, 2005:

About 500 Safeway employees in Santa Cruz County could be affected by a company laptop theft.

In October, Pleasanton-based Safeway Inc. notified employees in California and Hawaii that certain personal information may have been compromised when a company laptop was stolen in August from a division director's home, along with other unrelated items.

In a letter to Safeway employees dated Oct. 17, Human Resources Director Bob Carlson said the computer contained several reports that include names, Social Security numbers, hire dates and work locations for a number of Safeway employees. The computer was protected by a power-on password, the company said, but nonetheless recommended that employees place a fraud alert on their credit files and request copies of their credit reports every three months for the next year.

No information breaches have been reported, spokeswoman Jennifer Webber said.


But union leaders criticized the company, asking why it took so long to notify employees and why the information was stored on a laptop.


Members of the union, which represents about 1,200 employees in Monterey, Santa Cruz and San Benito counties, "don't want to hear 'no one's been compromised yet,'" he said. "They want to hear 'we're sorry, we apologize for the 60-day delay, we assure you you're not going to pay out-of-pocket for one thing, we've put measures in place so that this won't happen again.'"


Briley said the password protection doesn't soothe his members, and said he wants assurance from Safeway that if anyone does fall victim to identity theft down the road, the company would take responsibility and help out.

He criticized the grocer for keeping members' information on a laptop, saying he'd "bet a hundred-dollar bill" that Safeway Club Card data the company keeps on consumers is "kept on a safer computer than my members' information."

Webber called Safeway security processes "incredibly tight," and said procedures "have been and will be to keep information as secure as possible."


Monday, November 21, 2005

Incident: Medical records found in dumpster behind Detroit-area mall medical centre

According to, a number of medical records have been found in a dumpster behind a Detroit shopping centre. The information was of the usual variety and the operator of the medical centre says they were supposed to be securely stored and destroyed. Guess that didn't happen. See: - News - Patients' Private Records Found In Dumpster.

Office of the Privacy Commissioner responds to complaint against US data-broker: No jurisdiction to investigate outside of Canada

In response to a complaint against US-based data-broker (see The Canadian Privacy Law Blog: CIPPIC complaint raises a number of novel and interesting issues), the Assistant Privacy Commissioner has posted a letter on the Commission's website lamenting that office's lack of ability to investigate beyond Canada's borders:

Letter released about, an on-line data broker in the U.S. - Privacy Commissioner of Canada:

... In order to investigate based in Cheyenne, Wyoming, our Office must have the requisite legislative authority to exercise our powers outside Canada. However, basic principles of sovereignty and comity under international law state that a country cannot legislate outside its borders. The general convention is that Canada only legislates for Canada and only regulates activities within its borders. While Parliament may legislate with extraterritorial effect, this is rarely done. In the infrequent case that it is, it is for national security purposes or for a limited class of other purposes. In assessing whether a statute is to be applied outside Canada, a court will consider the intention of the legislature when it enacted the statute. There is a strong presumption that, absent an explicit or implicit contrary intention, Canadian legislation will only apply to the persons, property, juridical acts and events that occur within the territorial boundaries of the enacting body’s jurisdiction.

There is nothing explicit in PIPEDA to suggest that it was meant to apply outside of Canada or that the powers of the Commissioner would extend beyond Canada’s borders. According to leading case law, where the language of a statute can be construed so as not to have extraterritorial effect, then that construction must be adopted. It seems clear that this Act should not be construed to have extraterritorial effect. In the absence of any express or implied legislative intent, I must conclude that PIPEDA has no direct application outside of Canada.

While it is clear that the Commissioner may request information from anyone who she believes may have information relevant to an investigation, the formal investigative powers apply only within Canada. has not responded to our request for the names of its Canadian-based sources. As such, we have no means of identifying - let alone investigating - those who would represent a Canadian presence for this organization and further, have no ability to compel an American organization to respond.

Although you referred only to, we noted that an existed and enquired with respect to its registration information, on the understanding that a “.ca” registration could not be granted without a Canadian presence. We learned that the registrant of the “.ca” may be a Canadian citizen, but is still residing and working in the United States. In other words, despite the existence of a “.ca” registration, there are still insufficient connecting factors to indicate a real and important link between Canada and’s operations in the U.S. As such, we cannot bring within Canadian jurisdiction and deem them subject to PIPEDA. As for the legitimacy of the website registration application, we have referred this matter to the Canadian Internet Registration Authority (CIRA) to pursue further.

Global e-commerce poses challenges to all national governments that attempt to safeguard privacy and protect consumers. As you are aware from ongoing meetings with our Office, we share your concerns about the indiscriminate, non-consensual collection, use, and disclosure of personal information by profiling and data broker organizations. We agree that this raises serious privacy considerations. To this end, we have asked the Government of Canada to advise us what formal protocols, if any, exist that would allow us to investigate potential privacy breaches which may violate Canadian data protection laws. As important as it is, however, the specific instance you raise cannot be resolved through the complaint mechanism under PIPEDA....

For more on this issue, see The Canadian Privacy Law Blog: Jurisdictional limits on Canadian privacy law.

CIPPIC, which launched the complaint about Abika in the first place, is not pleased by the OPC's response:


"In a letter dated Nov. 18, 2005, the Assistant Privacy Commissioner of Canada responded to CIPPIC's 2004 complaint about, a US-based online investigative service that offers to dig up detailed personal information about individuals, including telephone records. The Assistant Commissioner determined that "we cannot proceed with your complaint as we lack jurisdiction to compel U.S. organizations to produce the evidence necessary for us to conduct the investigation". Interestingly, however, the Privacy Commissioner's office recently launched an investigation in respect of another US-based online investigative service,, using the information provided by a journalist who purchased the Privacy Commissioner's cell phone records and published a cover story on the issue."

I'm not sure if you can make a direct comparison between the Abika complaint and the investigation of, since it is pretty clear where in Canada that information actually came from (see: The Canadian Privacy Law Blog: MacLean's cover story on privacy and information brokers).

CRTC demands investigation after three phone companies' records leaked to reporter

As blogged about here last week, a reporter for MacLean's Magazine recently purchased the phone records of the Canadian Privacy Commissioner to prove the point that huge amounts of personal information are available for sale online (The Canadian Privacy Law Blog: MacLean's cover story on privacy and information brokers). It was a pretty effective illustration.

Now, the CRTC wants to know how it happened:

Halifax Live - CRTC Directs Three Phone Companies Investigate Privacy Breach Exposed by A National Magazine:

The Canadian Radio-television and Telecommunications Commission (CRTC) is calling the country's phone companies onto the carpet over revelations in Maclean's magazine that U.S. databrokers are selling the home and cellphone records of Canadian consumers.

In a terse letter dated Nov. 18, the telecommunications regulator demands that three phone companies immediately launch internal investigations into how the magazine was able to obtain the phone records of Canada's privacy commissioner, and another customer, via a Tennessee-based online service.

The companies have been given a strict 10-day deadline to report back to the commission with a host of information, including descriptions of the safeguards that were in place when the breaches occurred, explanations of how the companies verify customer identity and new measures being taken to improve security.

The phone carriers have had little to say publicly about what steps are being taken to tighten internal security. But, in response to the Maclean's cover story, Bell Canada did issue a press release in which the company provided assurances that its customers' privacy was considered a priority and in the case of the Maclean's magazine ability to breach security, the information was obtained through "subterfuge and misrepresentation" according to Bell's press release.

The Bell press release continues, "This problem has affected others in our industry, both in Canada and the U.S. The Company is continuing to investigate whether there are any legal actions, either criminal or civil, that Bell or others in the industry, or government agencies can take to stop these fraudulent practices and protect consumers."

A modest proposal for security breach notification

Currently, there's a significant debate raging in the United States as the Congress considers a whole range of proposals related to an organization's obligation to notify individuals if the security related to personal information is compromised. The "gold standard" is that set out in California's legislation (Civil Code Sections 1798.29 and 1798.82), which requires notification of consumers if certain kinds of unencrypted personal information are disclosed. Other states have followed California's lead with varying degrees of similarity.

Many pro-privacy commentators are concerned that Congress will ultimately enact legislation, such as HR 4127, which will pre-empt state laws and will only require notification if there is "a reasonable basis to conclude that there is a significant risk of identity theft". This threshold is too high, it is argued, and consumers will never know when their information has been released. (See: DATA bill will not effectively help deal with the very real threat of ID theft.) Other commentators are concerned that if the threshold is too low, too many notices will be sent out to consumers and the notices will eventually be ignored and be meaningless.

For the purposes of the debate, allow me to suggest a compromise:

  1. The following information shall be defined to be "Sensitive Personal Information":
    • Social security number.
    • Driver's license number.
    • State-issued identification card number.
    • Passport number.
    • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
    • Information related to an individual's physical or mental health.
    • Telephone number, if it is unlisted.
    • Income information.
    • Information related to an individual's pardoned criminal convictions.
    • Information related to an individual's religious, political or other personal beliefs, unless such beliefs have been publicly communicated by the individual in a context where there is no reasonable expectation of privacy.
  2. Every organization shall be required to report all breaches or suspected breaches of Sensitive Personal Information (communication of such information to an unauthorized third party) to the Federal Trade Commission, along with details of the breach or suspected breach.
  3. The FTC shall develop guidelines to determine what information, if compromised, may reasonably place the individual at greater risk of fraud or other harms.
  4. The FTC shall promptly determine, with reference to the guidelines, whether the individuals should be notified. If the FTC is of the view that notification is warranted, it shall issue a binding order to the organization.
  5. A summary of all notifications made by organizations to the FTC shall be made available by the FTC on its website.

I don't think this is the magic bullet, but I expect it would satisfy the stated objectives of both sides of the debate.

Any thoughts? Comments are welcomed, either using the blog's comment feature or via e-mail.

UPDATE 20051121: Added reference to letter by privacy and consumer groups.

Sunday, November 20, 2005

Your life secrets, left in a taxi

I didn't hear about this incident: Apparently last month, a USB "thumb drive" containing sensitive personal information of ONE HUNDRED TWENTY THOUSAND current and former patients of Wilcox Memorial Hospital in Hawai'i went missing. No word on where it went. (See: TheHawaiiChannel - KITV 4 News - Kauai Hospital Missing Drive With Patients' Social Security Numbers.)

Bob Sullivan, at MSNBC, uses it as an example of the latest challenges facing custodians of personal information: information is mobile and huge quantities of personal information can leave your control on thumb-drives, laptops, iPods, Blackberries and the like. See Your life secrets, left in a taxi - Security -

As I mentioned in a previous post about the Boeing missing laptop incident, the solution is to not let this information go on a walkabout. If you have an employee who needs access to sensitive data offsite, provide access using a secure VPN. And two-factor authentication. And a dumb terminal. That doesn't address all the data that goes on an unauthorized sojourn, but it does deal with those companies that let relatively unsecured data wander about in easily stolen devices.

South Africa considering privacy law

From the Independent Online:

IOL: New legislation to protect privacy:

Giving out or selling people's personal information could land you behind bars for 10 years. With the introduction of laws protecting personal information, the police will also be barred from seizing documents containing communication between a professional legal adviser and his client.

And, if the Protection of Personal Information Bill is passed by parliament, it will be against the law to insist on being given certain information such as a person's sexual orientation, age, or religion.

The bill will introduce new laws protecting the right to privacy and regulating the way in which information is gathered.

Earlier this year, after a request from the minister of justice and constitutional development to beef up laws relating to personal information, the South African Law Reform Commission released a discussion document and draft legislation.

Who is reading your privacy statement and why?

I've written loads of privacy statements and have probably reviewed five times as many since I started practicing privacy law. One of the first things that the writer of a privacy statement has to ask is, "who is the intended audience?" "Our customers" is invariably the reply. That's a start and gets you part-way there. I've found that not many people read privacy statements. Most are aware they exist, but don't care.

The main audience for privacy statements is almost always a subset of your customers: those who are privacy aware, those who have a specific question and those who are really upset about something. There's a secondary audience, too: regulators (such as the privacy commissioner), privacy activists and journalists who are looking for a "gotcha!". Writers of privacy statements need to keep this in mind.

Your privacy statement may make your lawyer happy and may be legally correct, but writing it in legalese and burying important provisions in the text are actually counter-productive. Nobody in your intended audience appreciates this and doing so actually undermines whatever good stuff may be in your policy.

From time to time, journalists and columnists read the privacy policies from the companies with whom they deal and are often surprised with what they find. That certainly was the case with Nicole Brodeur of the Seattle Times, who took a gander at the Starbucks privacy policy and wrote a column for today's paper:

The Seattle Times: Local News: Your life is theirs to share:

Thought you were just getting a happy holiday Peppermint Mocha from Starbucks?

If you paid for it with a Starbucks card, you weren't so much warming yourself up as opening yourself up to a world where your personal information is traded like animal skins. After years of surfing, searching and shopping online, I took the time to read the coffee company's just-revised privacy policy, which opens by stressing the company's "foundation of trust."

A later paragraph made me wonder: "Unless permitted by law, no personal information is collected, without first obtaining your consent for the collection, use and sharing of that information."

Fine, but read on: "The provision of personal information to Starbucks means that you agree and consent that we may collect, use, and share your personal information in accordance with this privacy policy."

In other words, the simple act of giving personal information is implied consent for Starbucks to share that information with its "consultants, strategic partners, agents, distributors, suppliers, contractors and other companies," as well as third-party, credit-card processors, mailing houses, Web hosts and e-mail vendors.

That's a lot of people to share a couple of pounds of Christmas Blend with, isn't it?

Indeed, Starbucks is as connected as Santa. The company sees where you are surfing. It knows when you're online. It knows just what you bought for whom, so be patient as you try to "opt out." ...

The "problematic" paragraph in the policy reads:

Our website may also share information with companies that provide support services to us (such as credit card processors, mailing houses or web hosts) or that help us market our products and services (such as email vendors). These companies may need information about you in order to perform their functions. These companies are not authorized to use the information we share with them for any other purpose.

Frankly, all of this "sharing" of information is entirely reasonable (if you pay with Visa, that transaction won't process itself and Starbucks ain't your bank), but you can easily see how an upset customer or someone looking to make a story can read this paragraph to suggest they throw your personal information to the four winds.

If you have the task in your organization of writing or updating your privacy statement, be very aware of who will be reading it and how it can be interpreted.

I'll just run your card through our computer ...

No wonder some people are paranoid about the returns procedures at some stores:

Dilbert cartoon from 20 November 2005

But seriously, folks ... it has caused some complaints to the privacy commissioners in Canada:

Saturday, November 19, 2005

The Rootkit of All Evil

Dan Mitchell at the New York Times sums up some lessons learned from the Sony rootkit fiasco: The Rootkit of All Evil - New York Times. The same lessons apply for privacy problems (see Choicepoint, especially): "One, bloggers will catch you. And two, it's not the screw-up, it's the cover-up."

Cartoon: False sense of security

Thanks to Bruce Schneier for pointing to this great cartoon: False sense of security.

Incident: PC containing personal information on +160K Boeing employees and retirees stolen

A personal computer containing sensitive personal information on current and former Boeing employees has been stolen. The information included names, addresses, social insurance number and, in some cases, banking information. Boeing says that the information was password protected. The PC was being used by an employee off-site, but the company wouldn't elaborate on the details of the theft. See: The Seattle Times: Business & Technology: PC stolen from Boeing packed with employees' personal data.

Saying it is "password protected" isn't a lot of assurance, given that Windows login passwords are not very secure. (See The Canadian Privacy Law Blog: Don't worry, your data is password protected. Yeah? How?)

Rob Hyndman comments:

"All interesting, etc. etc., but really just another day in the wacky world of data security. For my part, it's difficult to understand why one would ever need the personal and banking information of 161,000 people on a laptop - so one can read it on the sofa? Or take it to that HR Symposium in Duluth, 'just in case'?"

In this day and age, with the widespread adoption of relatively secure remote access by VPN, it is difficult to see why this sort of sensitive information really needs to be on an easily stolen laptop.

Friday, November 18, 2005

Canadian Passport Office caught in document mix-up

The Halifax Chronicle Herald is reporting on a mix-up from the Canadian Passport Office that has at least one person upset.

The Passport office passing the buck in document mix-up, woman says

When Alana Hines opened an envelope from Passport Canada recently, it contained more than her newest passport — she also found the complete credit card information, phone number, address and original marriage certificate for a stranger in Ontario.

Ms. Hines was not surprised, because the woman had called her at work earlier to say she received Ms. Hines’s marriage certificate and driver’s licence with her own new passport.

"I had her Visa number and her expiry date. I’m an honest person so I didn’t do anything with it but if it had gotten into the wrong hands, that could have been very serious," said Ms. Hines, of Dutch Settlement, Halifax County.

She called Passport Canada immediately but said the agency wasn’t any help.

"They tried to make excuses, they just said that they’d have to look into it and have somebody call me back. But they told me that I should try and contact (the Ontario woman) and see if she’d send my information back to me, and I didn’t believe that was acceptable, as they’re the ones that messed up."

Ms. Hines, who got married in August, had applied for a new passport Oct. 4 to reflect her married name. The passport arrived correctly but without the accompanying personal documents she had sent along with her application. And the ones she did receive had little in common to possibly explain the mix-up, she said.


Darce Fardy of the Nova Scotia Freedom of Information and Protection of Privacy Review Office said the mix-up is unacceptable.

"That is really awful, particularly for a government body."

Mr. Fardy said privacy concerns are becoming a big issue and easy access to personal information can quickly lead to fraud and identity theft.

"Those two people, they obviously knew that there was something wrong with this and that it was a privacy concern."

A Passport Canada spokesman said he was unaware Ms. Hines had not heard from the agency.

"We’re certainly going to recognize that incidents like this do happen but they are very rare," Dan Kingsbury said. "Obviously we take this kind of stuff very seriously."


Ms. Hines said she just wants to know how the mix-up happened and is disappointed with Passport Canada’s handling of the situation. "It was like they didn’t care."

Thursday, November 17, 2005

Careful when you send mass e-mails

Any time you send an e-mail to 1780 people, make very sure what you are sending and to whom:

VTNZ currently investigating privacy botch up after customers' details circulated by e-mail:

18 November 2005

A computer glitch is being blamed after the private details of more than a thousand Vehicle Testing New Zealand customers were accidentally circulated by e-mail.

Yesterday, the company sent out reminder e-mails alerting motorists their registration was due.

However, attached was a list of 1780 names and addresses of other customers who were also sent reminder notices.

VTNZ is currently investigating the privacy botch up, but say at this stage it appears only a small number of customers received the attachment.

Incident: Indiana University says hacker had access to records of 5,300 students

Another university-related security/privacy incident:

IU says hacker had access to records of 5,300 students

The Associated Press

BLOOMINGTON, Ind. - Personal information about nearly 5,300 Indiana University students might have been accessed by a computer hacker, school officials said.

Technicians discovered during a routine scan that three malicious software programs had been installed on a Kelley School of Business instructor's computer in mid-August, said James Anderson, the school's director of information technology.

'You're not going to find folks who are not malicious hackers who have access to these programs,' Anderson said. 'They are not something your average computer user would use. They are very cryptic and non user-friendly.'

The programs were accessed in early October, but it could not be determined whether any personal information was removed, the school said.

A letter was sent Friday to 5,278 students notifying them of the security breach. All of the students had been enrolled in an introduction to business course between 2001 and 2005.

Anderson said no misuse of personal information had been reported, but encouraged students who received the letter to take precautions, including a check of their credit report.

'We are completing an audit of all computers in the school to ensure that they are configured properly to automatically update antivirus software and system patches,' Kelley Dean Daniel Smith said.

Tuesday, November 15, 2005

Lawful access hits the house

The federal government's "lawful access" legislation, also known as the Modernization of Investigative Techniques Act (MITA), was introduced in the House today. The government's press release is here: Legislation to modernize investigative techniques introduced today. I guess the bill's many critics are hoping for a quick election call.

Update: Michael Geist, who has been critical of the proposal since the beginning, has some things to say about Bill C-74: Michael Geist - The Lawful Access Spin.

MacLean's cover story on privacy and information brokers

I pointed yesterday to a preview of MacLean's magazine's most recent cover story (see The Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net). I saw the magazine on the newsstand today and, luckily, the article is available on the MacLeans' website. A snippet: | Top Stories | Canada | You are exposed:

...Yet Maclean's was able to purchase the privacy commissioner's phone logs online from a U.S. data broker, no questions asked. For about US$200 per order, delivered months of long-distance records from her Bell Canada home and cottage accounts. They were also able to access her Telus Mobility cellphone call logs for October -- a monthly bill she probably hadn't even received at the time. And all the Internet requests were turned around in a matter of hours. (In a test run, the company was also able to obtain the cell records of a senior Maclean's editor from Fido, a division of Rogers, the company that owns this magazine.) Reverse phone number lookup engines on federal government and phone company websites provided the identities of many of the people Stoddart called, or who called her. On Sept. 15, for example, there was a call from her Montreal home to a relative in Frelighsburgh, Que. On Oct. 15, she called the house of one of her communications advisers from her cellphone. And on Oct. 27, she twice called the desk of another. While many of the numbers on the bills were cellphones or unlisted, anyone looking to fill in the blanks would only have to call until they hit voicemail recordings.

Confidential phone records are just the latest breach in the levee of government laws and corporate policies intended to protect private and personal data. Abuses -- whether it is medical records being scattered about a Toronto street as "garbage" for a film shoot, or Edmonton police running the names of pesky reporters and lawyers -- are reported almost every week. And in the wired world, almost anything is available for a price. A British teen recently tracked down his sperm-donor father using his own DNA and two different for-hire databases.

Many of the same websites that offer call records advertise even more invasive services like "personality profiles," complete with sexual preferences, names of exes, and gossip from neighbours. Or email and instant messenger traces that will provide the name of the person who owns the account, and their location, sometimes down to the street they live on. While some of the sites demand a signed release from the person being sought for items like credit reports and driver's records, the "verification" process wouldn't be much of an impediment for anyone willing to commit some garden-variety forgery.

Stoddart, whose office website offers tips to foil those trying to access or steal personal information -- including the prompt removal of incoming mail from your mailbox and shredding those pre-approved credit card applications -- was not a particularly easy catch. Despite her years in the public eye, and the numerous interviews she has given to journalists, there was little on the record beyond her professional qualifications. No one Maclean's contacted had her cellphone number, knew her home address, or even basic family information like the name of her spouse. "I've always been fairly mistrustful of people," she says. "If people want my personal data, I want to know why." Nonetheless, a thorough Internet search with Google yielded enough bits and pieces of information to start the process rolling.

Monday, November 14, 2005

Bell Canada begins damage control after MacLean's cover story

The most recent MacLeans magazine has a cover story on privacy, including one in which a reporter acquired the cell phone records of the federal Privacy Commissioner, Jennifer Stoddart (see: The Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net).

Bell Canada has just issued this press release to deal with the fallout from the story:

Bell Canada statement on the protection of customer information: Financial News - Yahoo! Finance:

Monday November 14, 6:00 pm ET

MONTREAL, Nov. 14 /CNW Telbec/ - Bell Canada today issued the following statement in response to an article in Maclean's Magazine about some customer call information obtained from Bell and other telecommunications companies.

Bell has learned that a journalist working for Maclean's hired a U.S.- based information brokerage company to seek privileged call information records of a few customers of Canada's leading telecommunications providers including the Federal Privacy Commissioner.

Bell wishes to assure its customers that protecting the privacy of customer information is a serious matter for the Company. To this end, Bell has systems and procedures in place that are continually updated to better protect customer information.

In this case, the information was obtained through subterfuge and misrepresentation. Bell, other telecommunications companies and the customers involved were victims of fraudulent and unethical activity. We sincerely regret any embarrassment or inconvenience that has occurred.

As soon as the Company was made aware of this incident, it took additional steps to further tighten the safeguards in place to protect customer information. Unfortunately this may cause some inconvenience to customers legitimately requesting their personal information. We ask for their understanding as these procedures are for the protection of their private account information.

This problem has affected others in our industry, both in Canada and the U.S. The Company is continuing to investigate whether there are any legal actions, either criminal or civil, that Bell or others in the industry, or government agencies can take to stop these fraudulent practices and protect consumers.

Perhaps they can complain to the Privacy Commissioner?

Bill Requiring Notice of Breaches Goes Forward

HR 4127, also known as the Data Accountability and Trust Act (DATA), has apparently crossed a preliminary hurdle in the House by passing the House Energy and Commerce committee's Subcommittee on Commerce, Trade and Consumer Protection.

This bill, among others, is rather unpopular as it sets a very high threshold for requiring notification of consumers of security breaches. "Security breach" is defined in a way that requires "a reasonable basis to conclude that there is a significant risk of identity theft":

(1) BREACH OF SECURITY- The term `breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.

And by the way, it pre-empts all similar state laws.

Read about the latest and some commentary on the bill: Bill Requiring Notice of Breaches Goes Forward - Computerworld

Ramasastry: Printers and Privacy Why Government-Sponsored Printer Identification Raises Serious Privacy Concerns

Anita Ramasastry's most recent column on FindLaw is about the controversial printer tracking technology that was recently decoded by EFF: FindLaw's Writ - Ramasastry: Printers and Privacy Why Government-Sponsored Printer Identification Raises Serious Privacy Concerns.

Australian Privacy Commissioner deals with backlog; complaints take a year to be investigated

Canadian privacy complainants have faced delays because of the backlog in the Office of the Privacy Commissioner. Notwithstanding that PIPEDA says the Commissioner's findings should be issued within twelve months, it has taken longer in many cases. The Australian Privacy Commissioner is facing similar problems, according to the annual report released recently. In some cases, it is taking twelve months to even begin an investigation and reports take an average of seventeen months. See: Delays raise privacy fears - National -

Taking a closer look at "identity theft" statistics

The Associated Press is distributing an article by Brian Bergstein that takes a closer look at the oft-cited statistics related to "identity theft." He, and the folks he has interviewed, suggest that the statistics of identity theft, particularly those based on public surveys, are probably overstating the problem. Probably a big part of the difficulty of coming up with meaningful statistics is lack of agreement on what is identity theft.

We need to refine our vocabulary so that we are sure of what we are discussing. At least to me, "identity theft" is not simple cheque forgery or using a stolen credit card. That's basic fraud. Identity theft is not the illicit obtaining of personal information, by hacking, dumpster diving or otherwise. That might be theft of identifying information, but nobody's identity is stolen. To me, identity theft is the impersonation of an individual, without their knowledge, to obtain credit facilities or other such services. Perhaps a better term would be "identity hijacking", since the criminal is taking over that person's identity for his or her own purposes. Fraudulent charges and cheque forgery may be part of it, but it also includes obtaining new identity documents, new loans, mortgages and the like.

"Identity-related fraud" is the term I'd use for the larger basket of crimes that the media often call identity theft.

In any event, take a look at the informative AP article at the Chicago Tribune site: Chicago Tribune | Identity theft fears may be overblown.

That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net

CBC Arts is running an article on the newly revamped MacLean's Magazine. What does this have to do with privacy? Well, it offers a preview of the cover story in the next edition:

CBC Arts: Revamped Maclean's revives current affairs format

The cover story of the redesigned magazine is a "special investigation" of the way data brokers, most of them in the U.S., are accumulating private and personal information about Canadian citizens.

To prove the vulnerability of Canadians' private information, national correspondent Jonathon Gatehouse bought the phone records of Canada's privacy commissioner Jennifer Stoddart.

The redesigned cover has dropped its borders in favour of a full-page photo of Stoddart, looking startled, and five throw boxes pointing to stories inside. In the future, cover photos will be "candid," Whyte says. Also, a maple leaf has replaced the apostrophe in Maclean's.

Sunday, November 13, 2005

Georgia set to switch to state-wide student ID and database

The State of Georgia is in the final phases of a fourteen million dollar effort to centralize massive amounts of information related to elementary, middle and senior school students in the state. Each student will be assigned a random number that will follow the student throughout their academic careers and will link to a central database of their academic records.

The system is meant to replace ad hoc, disparate data depositories that have used social security numbers to link students to their data. As with any project such as this, there are privacy concerns:

Macon Telegraph | 11/13/2005 | Statewide student ID system almost ready:

There's also a concern among teachers and parents about protecting students' private records.

"I have a problem with it. It could fall into the hands of the wrong people," said Ella Carter, principal of Northeast High School in Macon. Carter said the state already can access all of the information, so why store it in a giant database?

Carter said she received a letter in the mail two weeks ago that alerted her to monitor her credit report because she is on the state health benefit plan, and the Georgia Technology Authority, which has access to state records, had a recent data breach.

"As a parent, I really don't like the fact that my child's personal information is out there for someone to break into," said Kathy Brown, a Houston County High School parent. "We seem to be doing fine" without a statewide student ID system.

Any large state office keeping personal data brings concerns, said Woodard, the state information officer.

"We have built enormous security systems. Only a designated person from a district can get in," he said.

And that designated person can view only their local student records, he said.

At the state level, the data is open to the Office of School Readiness, the Department of Education, the Department of Technical and Adult Education and the Board of Regents.

And a designated state official can access the information for lawmakers.

"As long as it's used for honorable purposes, I'm all for it," said Rep. Larry O'Neal, R-Warner Robins. "Having direct student data means more than political whim or emotions we get from lobbyists. We are always glad to have valid data to explore in the lawmaking process."

Woodard said the state is talking to state education officials in Tennessee and South Carolina about sharing information to track students who move across state lines.

There doesn't seem to be any suggestion that the state has undertaken a privacy impact assessment, which would at least provide assurances that privacy issues have been thoroughly thought through.

Saturday, November 12, 2005

ChoicePoint sells access to FBI and Pentagon to track terrorists and others

According to, a Freedom of Information Act request has revealed that embattled ChoicePoint has been providing extensive services to the FBI and the Defense Department, essentially providing access to its enormous databases that the US government would not be able to compile on its own. - FBI, Pentagon pay for access to trove of public records (11/11/05):

"To help the government track suspected terrorists and spies who may be visiting or residing in this country, the FBI and the Defense Department for the past three years have been paying a Georgia-based company for access to its vast databases that contain billions of personal records about nearly every person -- citizens and noncitizens alike -- in the United States.

According to federal documents obtained by National Journal and Government Executive, among the services that ChoicePoint provides to the government is access to a previously undisclosed, and vaguely described, 'exclusive' data-searching system. This system in effect gives law enforcement and intelligence agents the ability to use the private data broker to do something that they legally can't -- keep tabs on nearly every American citizen and foreigner in the United States."

Thanks to beSpacific for the link: beSpacific: Gov't Pays Aggregator for Access to Extensive Database of Personal Info.

Friday, November 11, 2005

Sony to Stop Controversial CD Software

According to the Associated Press, Sony music has just announced that it will no longer use the controversial XCP/Rootkit rights management software that many have criticized as oppressive and a potential security/privacy threat. From Yahoo!: Sony to Stop Controversial CD Software - Yahoo! News.

Thursday, November 10, 2005

Hawaiian criminal records now online

Hawai'i is now making criminal and motor vehicle conviction records available online:

Criminal pasts now displayed on Web - The Honolulu Advertiser - Hawaii's Newspaper:

...'It provides a service where you don't force the public to come into the police station or downtown Honolulu to our offices and stand in line,' said Liane Moriyama, the data center director. 'We're trying to get electronic and provide more services out in the community.'...

The power of blogs to spread privacy stories

I am amazed with the power of blogs and amateur journalists to start the ball rolling on what become news stories. Not long ago, nobody knew about Sony's rootkit. Then, a lone blogger posted Sony, Rootkits and Digital Rights Management Gone Too Far. Now, there are more than five hundred separate stories in the more conventional media that show up when you search Google News for "rootkit". Amazing.

Privacy advocates cheer lack of federal privacy law ... for now

The US Congress is not likely to pass any of the personal information protection laws that are currently in consideration before the Christmas break, and consumer groups are actually happy. That's because many of the bills are weaker than state laws and will pre-empt those laws. See: Wired News: No Fed Security Laws, Hurrah!!.

Wednesday, November 09, 2005

California HealthCare Foundation Survey Finds Americans Have Acute Concerns about the Privacy of Their Personal Health Information

The majority of Americans are concerned about the privacy of their health information and are unaware of their rights, according to a survey by the California HealthCare Foundation. Not a surprising finding, but needs to be said. From the Foundation's media release:

California HealthCare Foundation Survey Finds Americans Have Acute Concerns about the Privacy of Their Personal Health Information:

Wednesday November 9, 12:24 pm ET

However, Consumers Are Willing to Share Information If It Benefits Their Health

Study Underscores and Informs Efforts to Build National Health Care Network

WASHINGTON--(BUSINESS WIRE)--Nov. 9, 2005--Despite new federal protections, 67% of Americans remain concerned about the privacy of their personal health information and are largely unaware of their rights. Moreover, many consumers may be putting their health at risk with such behaviors as avoiding their regular doctor or forgoing needed tests, according to the National Consumer Health Privacy Survey 2005. The survey, released today by the California HealthCare Foundation (CHCF), also found that a majority of consumers are concerned that employers will use their medical information to limit job opportunities.

Despite these concerns, the survey revealed that consumers have a favorable view of health information technology and are willing to share their personal health data when it offers a benefit, such as improving the coordination or safety of their care. For example, 65% of consumers recognize that computerization could potentially reduce medical errors.

"These findings will help inform and guide efforts to build a nationwide health information network. Americans' privacy concerns pose potential barriers to realizing the significant benefits of health IT to improve health care quality, reduce medical errors, and lower health care costs," said Sam Karp, Chief Program Officer of CHCF, a nonprofit health care philanthropy based in Oakland, CA. "Without better education about their rights, strong privacy safeguards and vigorous enforcement, the public's support for health IT may be in jeopardy."

The new survey, conducted by Forrester Research, follows a groundbreaking 1999 study on medical privacy by CHCF. Since that time, national privacy protections have been implemented under the Health Insurance Portability and Accountability Act (HIPAA) and President Bush has pushed to adopt electronic medical records. The 2005 survey found that 67% of Americans continue to show high levels of concern about the privacy of their personal health information. Ethnic and racial minorities (73%) and chronically ill populations (67%) show the greatest concern. The survey also found that one in four consumers is aware of recent privacy breaches reported in the media. Of those who are aware of these incidents, 42% said the reports increased their concern about their own medical privacy.

Consumers are Unaware of Their Rights

A majority of survey respondents (67%) have some level of awareness of federal laws that protect the privacy and confidentiality of their personal health information. However, consumer awareness of privacy rights varies with education and race. Ethnic and racial minorities (60%) are the least likely to acknowledge or recall receiving a notification of their privacy rights.

Increase in Concern about Employer Access to Medical Information

Additionally, the survey found that concerns about employer use of medical claims information increased dramatically since 1999 (52% in 2005; 36% in 1999). Ethnic and racial minorities (61%), the chronically ill (55%), older workers (51%) and people with less education (53%) were significantly more concerned that an employer would use medical information to limit their job opportunities.

"Although employers work to ensure that their health plans or third party administrators always keep all medical claims data private and confidential, in line with federal and state laws as well professional ethics, this survey suggests that we need to work harder and communicate more effectively to reassure employees and their dependents," noted Helen Darling, President of the National Business Group on Health. "We need to demonstrate through frequent communications that trustworthy systems with many safeguards are in place to ensure that their records are safe and can never be used in ways they haven't authorized."

Consumers are Practicing Privacy Protective Behaviors

The survey found that one in eight consumers engage in behavior intended to protect his or her privacy. These "privacy protective behaviors" - asking their doctor to not record a health problem, going to another doctor to avoid telling their regular doctor about a health condition, and avoiding medical tests - suggest some consumers are putting their own health at risk. The chronically ill are more likely to risk their health over privacy concerns. Privacy protective behaviors have also increased for people with certain diseases, such as cancer, diabetes and depression.

"People should not have to sacrifice their health in order to shield themselves from job discrimination and loss of health benefits," said Janlori Goldman, Director of the Health Privacy Project, and a research scholar at Columbia University's College of Physicians and Surgeons. "The large rise in people fearful that their medical information will be used against them on the job makes it imperative to expand the scope of health privacy law to cover employers."

Consumers are Willing to Share their Health Information for a Benefit

Despite increased concerns about health care privacy, the survey found that most Americans (59%) are willing to share their personal health information when it is beneficial to their care, or could result in better coordination of medical treatment. The largest motivating factors for consumers to share their medical data are better treatment coordination (60%), enhanced coverage benefits (59%), and access to experimental treatments (58%). Consumers are most willing to share their medical information with their regular doctor (98%) or other doctors involved in their care (92%), but are less willing to share their data with drug companies (27%), and government agencies (20%).

Although consumers are more willing to share the medical information for a benefit, the survey found that 66% of consumers believe that health information stored in paper files is more secure, compared to 58% who believe electronic records are more secure.

An Executive Summary and detailed survey findings can be downloaded from the CHCF Web site at

The California HealthCare Foundation (CHCF), based in Oakland, is an independent philanthropy committed to improving California's health care delivery and financing systems. Visit for more information.

"Live phishing" shows risk of personal info

Don't talk to strangers. Oh, and don't give them personal information.

United Press International - Hi-Tech - Live phishing shows risk of personal info

WASHINGTON, Nov. 9 (UPI) -- Despite all the warnings about giving out personal information, many people still freely give away seemingly innocuous details that can be used to crack their passwords, according to the results of a "live phishing" survey.

The 18-question survey, conducted by RSA Security in New York City, asked respondents for information such as birth date, mother's maiden name and pet's name. The survey was touted as being about tourism in New York.

It found that 70 percent of the 108 respondents gave their mother's maiden name, and 90 percent gave their date and place of birth, according to a news release from RSA.

Additionally, almost 85 percent of respondents provided their full name, street address and e-mail address.

"A lot of personal information actually functions like a password and, as such, needs to be robustly protected," said Chris Young, RSA's vice president of consumer authentication services.

Incident: TransUnion notifies 3,600 consumers of data loss

From ComputerWorld:

TransUnion notifies consumers of data loss - Computerworld:

NOVEMBER 09, 2005 (COMPUTERWORLD) - TransUnion LLC, one of the three major credit reporting companies in the U.S., today confirmed that a desktop computer containing the Social Security numbers and other sensitive information belonging to more than 3,600 consumers was stolen from one of its facilities in October....

Incident: Michigan reporter finds health information in medical centres' dumpsters

Fraudsters, blackmailers and identity thieves are usually pretty quiet about what they find while dumpster diving. Reporters, on the other hand, are more than happy to tell you what they've found. This is the case with Amy Fox of WZZM in Michigan. Ms. Fox went on an expedition to check out the dumpsters in the vicinity of medical centres. She found that half of all unsecured dumpsters had personal health information, including some very sensitive information. Today is a day that I'm glad that I'm not Dr. Dorsey Ligon:

WZZM 13 Grand Rapids - Medical Privacy: Trashed

In the same dumpster, outside the same medical office complex, we found multiple documents from OB/GYN, Dr. Dorsey Ligon's office. We found forms with patient's names, addresses, social security numbers, and other identifiers like where they work. We also found a patient's hospital discharge report with detailed information about her hysterectomy and her history of treatment for depression. It's a document that disturbed Denise Chrysler of the Department of Community Health. She asked, “You said, in a dumpster?" That's right; we found the documents in an unprotected dumpster just outside of a doctor's office. Dr. Ligon's office gave us a statement about the strict measures in place to protect patient's privacy, including paper shredders throughout the office. The statement also says, "When a flaw in the system has been recognized we take immediate action to resolve the issue. Our patients can be assured that their expectation for privacy will be met."

Part II is here: WZZM 13 Grand Rapids - MEDICAL PRIVACY TRASHED PART 2

Verizon moves to thwart illicit info acquisition by investigative company

Verizon, one of the largest wireless service providers in the United States, has obtained a court injunction to prevent Global Information Group Inc. from seeking customer information under false pretenses. Though the ComputerWorld article does not go into details, I have a hunch that this is part of the hubbub about companies that claim to sell cellular records (See: The Canadian Privacy Law Blog: Online Data Gets Personal: Cell Phone Records for Sale). Check out the ComputerWorld article: Verizon moves to thwart ID theft by Fla. investigative firm - Computerworld.

Purdue ceases use of Social Security Number as student IDs

Purdue University is joining the hundreds of other universities that have given up on using social security numbers as a form of student ID number. See: The Exponent - Purdue's Independent Student Newspaper.

Tuesday, November 08, 2005

Southcoast Blood Bank stops using SS numbers for ID

If you don't need particular information, don't collect it. In particular, do not collect it if that information can put others at risk. A blood bank in Bedford, Mass. learned the hard way and has stopped requiring social security numbers from donors. An employee allegedly tried to steal the identity of a donor, forcing the rethink. See: Southcoast Blood Bank stops using SS numbers for ID.

ChoicePoint filing suggests further 17,000 affected consumers

ChoicePoint's most recent 10-Q filing with the SEC suggests that an additional 17,000 consumers were affected by the high-profile data breach. See: ChoicePoint filing: 17,000 more may be fraud victims - 2005-11-08.

It's interesting to look at the filing itself, just to get a flavour of the cost of this issue to ChoicePoint and its impact upon their bottom line:

CHOICEPOINT INC (Form: 10-Q, Received: 11/08/2005 15:01:50):

Fraudulent Data Access

ChoicePoint’s review of the Los Angeles fraudulent data access described in the Company’s Form 10-K for the year ended December 31, 2004 and other similar incidents is ongoing. The Company currently expects that the number of consumers to which it will send notice of potential fraudulent data access will increase from the approximately 162,000 consumers it has notified to date, but the Company does not anticipate that the increase will be significant.

As previously disclosed in the Company’s Form 10-K for the year ended December 31, 2004, ChoicePoint is continuing to strengthen its customer credentialing procedures and is recredentialing components of its customer base, particularly customers that have access to products that contain personally identifiable information. Further, the Company continues to review and investigate other matters related to credentialing and customer use. The Company’s investigations as well as those of law enforcement continue. The Company believes that there are other instances that will likely result in notification to consumers. As previously stated, the Company intends for consumers to be notified, irrespective of current state law requirements, if it is determined that their sensitive personally identifiable information has been acquired by unauthorized parties. The Company does not believe that the impact from notifying affected consumers will be material to the financial position, results of operations or cash flows of the Company.

On March 4, 2005, ChoicePoint announced that the Company will discontinue the sale of certain information services that contain sensitive consumer data, including social security numbers, except (1) where there is either a specific consumer driven transaction or benefit, or (2) where such services serve as authentication or fraud prevention tools provided to large accredited customers with existing consumer relationships, or (3) where the services support federal, state or local government and law enforcement purposes. The Company cannot currently accurately estimate the future impact that the customer fraud, related events and the decision to discontinue certain services will have on our operating results and financial condition. The Company will review various technology investments in this small business segment as well as other related costs incurred in serving this segment.

ChoicePoint incurred $5.4 million ($3.3 million net of taxes) in the first quarter of 2005, $6.0 million ($3.7 million net of taxes) in the second quarter of 2005, and $4.0 million ($2.5 million net of taxes) in the third quarter of 2005 for specific expenses related to the fraudulent data access previously disclosed. Approximately $2.0 million of the $15.5 million total charges through September 30, 2005 were for communications to, and credit reports and credit monitoring for, individuals receiving notice of the fraudulent data access and approximately $13.5 million for legal expenses and other professional fees. The Company currently estimates that it will incur additional incremental expenses as a result of the fraudulent data access of approximately $3 to $5 million in the fourth quarter of 2005. In addition, the publicity associated with these events or changes in regulation may materially harm the business and ChoicePoint’s relationship with customers or data suppliers.

The Company is involved in several legal proceedings or investigations that relate to these matters, as described in “Legal Proceedings” of this Form 10-Q. ChoicePoint is unable at this time to predict the outcome of these actions. The ultimate resolution of these matters could have a material adverse impact on the financial results, financial condition, and liquidity and on the trading price of the Company’s common stock. Regardless of the merits and ultimate outcome of these lawsuits and other proceedings, litigation and proceedings of this type are expensive and will require that substantial Company resources and executive time be devoted to defend these proceedings.

Security Breaches and Misuse of Information Services

Security breaches in the Company’s facilities, computer networks, and databases may cause harm to ChoicePoint’s business and reputation and result in a loss of customers. Many security measures have been instituted to protect the systems and to assure the marketplace that these systems are secure. However, despite such security measures, the Company’s systems may be vulnerable to physical intrusion, computer viruses, attacks by hackers or similar disruptive problems. Users may also obtain improper access to the Company’s information services if they use stolen identities or other fraudulent means to become ChoicePoint customers or by improperly accessing ChoicePoint’s information services through legitimate customer accounts. If users gain improper access to ChoicePoint’s databases, they may be able to steal, publish, delete or modify confidential third-party information that is stored or transmitted on the networks. A security or privacy breach may affect ChoicePoint in a variety of ways, including but not limited to, the following ways:

  • deterring customers from using ChoicePoint’s products and services or resulting in a loss of existing customers;
  • deterring data suppliers from supplying data to the Company;
  • harming the Company’s reputation;
  • exposing ChoicePoint to litigation and other liabilities;
  • increasing operating expenses to correct problems caused by the breach;
  • affecting the Company’s ability to meet customers’ expectations;
  • causing inquiry from governmental authorities; or
  • legislation that could materially affect the Company’s operations.

The Company expects that, despite its ongoing efforts to prevent fraudulent or improper activity, in the future it may detect additional incidents in which consumer data has been fraudulently or improperly acquired. The number of potentially affected consumers identified by any future incidents is obviously unknown.

Lawful Access on CBC's The Current

The second hour of CBC Radio's "The Current" was devoted to a very interesting discussion of the latest on lawful access in Canada. You can listen in Real Audio by clicking here. A synopsis is here:

CBC Radio | The Current | Whole Show Blow-by-Blow:

The Current: Part 2

Lawful Access – Part One

We started this segment with the music of Robin Rimbaud, also known around the world as Scanner. He's a British musician and artist who began his career as a self-titled "techno data-pirate." Using a portable radio scanner, he would pluck cell-phone conversations from the ether--anything from arguments to phone-sex sessions to gossip---and then layer these voice snippets over music and sound. His work is haunting but controversial because he's often accused of invading other peoples' privacy.

Well, they're not planning to make music, but Canadian law enforcement groups are facing some similar privacy accusations when it comes to their latest plans to sample things from peoples' personal cyberspace.

This month, parliament debates a bill that will give the RCMP and CSIS access to everything WE access on the Internet---from the sites we surf, to the things we buy, to the people we instant message and e-mail. It's called the Lawful Access Initiative, and it's been in the works since October of 2000.

Those in favour say the new law will replace a terribly outmoded one, drawn up in the days before cell phones, voice mail and high speed internet. The original 1974 law HAS been updated but police say the latest technological leaps have left some of their investigations in the dust.

And so the debate over when email should just be between friends, has begun in earnest. Michael Geist is the Canada Research Chair in Internet & E-commerce Law at the University of Ottawa, and we reached him at his home.

Lawful Access – Part Two

Proponents of the new lawful access bill say that far from threatening our security and privacy, these changes go a long way towards increasing our government's ability to protect us.

Wesley Wark is one of them. He's a national security expert and professor at the University of Toronto's Munk Center for International Studies. He joined us from Guelph this morning.

Listen to The Current: Part 2

Montreal pair charged with N.B. debit card scam

CTV News is reporting the arrest of two people in New Brunswick for allegedly skimming debit cards at a bank machine near Moncton: | Montreal pair charged with N.B. debit card scam.

Monday, November 07, 2005

Wal-Mart Installs New Equipment to Protect Financial Privacy of Wal-Mart Shoppers With Visual Impairments

Here's a good news story: Wal-Mart is rolling out a new device that makes it easier for the visually impaired to enter their own PINs and other confidential information at the point of sale. Without devices such as these, blind customers apparently have had to rely upon having someone do the data entry for them, raising the risk that the information will be overheard or even abused by the person who assists them. See the media release via Yahoo! Finance: Wal-Mart Installs New Equipment to Protect Financial Privacy of Wal-Mart Shoppers With Visual Impairments: Financial News - Yahoo! Finance.

Website for lovers scorned

I wrote about a month ago about a relatively new website,, that allows women to share their stories of cheating boyfriends and husbands. These are apparently to serve as a warning to others. It's a veritable rogues' gallery on the site. (See: The Canadian Privacy Law Blog: On website, women identify cheaters.)

CanWest News Service has run a feature about the site in many of its papers today. I spoke with the reporter on Friday and the article is an interesting read. Unfortunately, it is available only to subscribers to the network and the individual newspapers, but the bit about the legal aspect of the site is below:

The men profiled on the site would probably agree. At present, a number of them are attempting to launch a class-action lawsuit against the site.

But Ms. Joseph, who created the online database with legal counsel, believes she is protected by U.S. law.

According to a privacy lawyer from Halifax, that may not be the case in Canada.

“If the person’s reputation is in Canada, and they are in Canada, and likely the person who posted the information is in Canada, there’s more than enough connection for Canadian defamation law to apply,” says David T.S. Fraser, chairman of the Privacy Practice Group at McInnes Cooper. But he hastens to add the statements aren’t considered defamatory if they’re true.

“If you’re a slug,” says Mr. Fraser, “it’s only appropriate people know you’re a slug.”