Sunday, December 30, 2007

2007 "worst year ever" for data breaches

Looking back, 2007 has been the worst year ever for privacy breaches. This may only be the case because of mandatory breach reporting in many US jurisdictions, but the numbers are pretty staggering. See: Personal data theft reaches all-time high Chron.com - Houston Chronicle, which includes:

Major 2007 breaches

Some major data breaches disclosed in 2007:

  • Discount retailer TJX Cos. reports hackers broke into its computer systems and accessed at least 46 million customer records, primarily credit card data. Banks later sue TJX and estimate the breach involved at least 94 million records.
  • Britain's tax and customs department loses two computer disks containing personal information such as addresses and bank account numbers for about 25 million people. The disks were sent via internal government mail to the government's audit agency, but never arrived.
  • Dai Nippon Printing Co., a Japanese commercial printing company, says a former contract worker stole nearly 9 million pieces of private data on customers from 43 clients.
  • A check-authorizing subsidiary of Fidelity National Information Services says information on 8.5 million consumers was stolen, allegedly by a former employee.
  • Online brokerage TD Ameritrade Holding Corp. said one of its databases was hacked and contact information for its more than 6.3 million customers was stolen.
  • The online job site Monster Worldwide Inc. discovered that con artists had grabbed contact information from resumes of 1.3 million people.

Source: Associated Press research

The Year in Law and Technology from A to Z

Continuing the "year in review" trend, Michael Geist's annual A to Z of techlaw in Canada is heavy on privacy content. See: Michael Geist - The Letters of the Law: The Year in Law and Technology from A to Z.

Offsite surveillance in Halifax bar may set precedent

I was interviewed the other day by Chris Lambie of the Halifax Chronicle Herald in response to the recent decision to restore the liquor license of a well-known Halifax bar on the condition that it double its surveillance cameras and allow the feeds to be reviewed off-site by the police (See: Canadian Privacy Law Blog: Halifax bar gets liquor license back on condition that cops have off-site access to surveillance system). I didn't realize that my comments would form their own article ...

Dome agreeing to let cops monitor patrons via in-house cameras could set precedent, privacy expert fears - Nova Scotia News - TheChronicleHerald.ca

By CHRIS LAMBIE Staff Reporter

Sun. Dec 30 - 5:27 AM

The decision to give law enforcement officials access to surveillance cameras at the Dome bar complex in downtown Halifax could mean other bars will be forced to do the same if they want to keep selling booze, says a privacy expert.

Authorities closed the Dome after a brawl early on Dec. 24 resulted in 38 arrests. The bar is back in business now, but only after it agreed to implement a long list of security measures, which include giving police and liquor inspectors full access to surveillance cameras at the premises or via the Internet.

"The biggest risk is this can become more common, and once you start doing that it’s very easy to extend it further and extend it further," said David Fraser, a privacy lawyer in Halifax.

"They see it work in one place and they extend it all over the place. And then it’s impossible to go out and have a drink without actually being watched by the police. A lot of people would get freaked out by that."

Once police and liquor inspectors get access to surveillance cameras in bars with a history of violence, authorities could make it mandatory in establishments with potential for problems, Mr. Fraser said.

"As these things become more normal or more standard, the less jarring it is for those who actually care about privacy.

"If you put a frog in a pot of cold water and you turn up the heat, it’s not going to jump out because it doesn’t notice the incremental changes."

There would be few limits on what authorities could do with the information they gather from surveillance cameras, Mr. Fraser said.

"It’s really no different than, theoretically, having a cop sitting at the bar or walking around the establishment. It’s just a whole lot more convenient and probably more pervasive."

Mr. Fraser said he’d be less likely to have a drink in a bar if he knew authorities could be watching.

"The idea of being watched at all has a psychological kind of a factor. For some people, it adds enough of a creep-out factor that, if you’re given the choice of two places that are otherwise identical, one has video surveillance which you know is being watched by cops and the other one doesn’t, regardless of whether or not you intend to do anything unlawful, you’d probably go to the place that was slightly less creepy. At least that would be my own inclination."

The more people watching surveillance cameras in bars, the more room there is for abuse, Mr. Fraser said.

"Sometimes on cable (TV) you’ll see these shows of weird things caught on surveillance," he said.

"Many of them come from the United Kingdom, where there’s pervasive surveillance by law enforcement. And people are making copies of these tapes when they see funny things. And you can tell, when you see how the cameras zoom, that they follow attractive women’s bottoms and things like that. Stuff like that really has the potential to be abused."

Police aren’t sure yet how they’ll use 64 surveillance cameras at the Dome.

"This is something new to us. We’ve never had access to their cameras, other than, as in any establishment, you would have after (a crime) for the purpose of investigation," Halifax Regional Police Supt. Don Spicer said after Friday’s Utility and Review Board hearing that reinstated the Dome’s liquor licence.

"So we really have to look at what we really will be doing with the access that we will be gaining."

There are signs outside the Dome indicating the bar is under video surveillance.

"When you go to a public place, which a bar is, and the signs are posted, I don’t think there will be any problems," said Environment and Labour Minister Mark Parent, who is responsible for the alcohol and gaming division.

The new camera system means liquor inspectors will be able to monitor the bar without being there, Mr. Parent said.

"That was something that the bar owner offered voluntarily and it makes our job that much easier," he said.

It does set a precedent "for bars like the Dome," Mr. Parent said.

"It clearly sends a signal to any other establishment that’s having problems that they need to take some dramatic steps."

At first, Mr. Parent said it’s not akin to the all-seeing Big Brother in George Orwell’s novel Nineteen Eighty-four.

"I guess Big Brother if you want to put it in that sense, if you’re out to do something wrong," he said. "If you’re not out to do something wrong, then I think you’d see it as a safeguard."

The cameras are "an effective low-cost tool because we don’t have the staffing to be everywhere at once," Mr. Parent said. "So I think the important thing is that notices are up so people know, so that it’s not a surprise to them."

Surveillance video could be used to both indict and clear people of any wrongdoing, he said.

"Certainly there are privacy concerns that need to be addressed," Mr. Parent said. "The tapes would need to be used only by official people. You’d have to be very careful how you used them and they would have to make sure that there was no abuse of that in any way. . . . It’s always a balance between public safety and public privacy."

Update: I was just interviewed by CBC Radio News here in Halifax on the story. Here's the piece:

Here, also, is the order of reinstatement from the Utility and Review Board of Nova Scotia.

Update: Here's a CBC online report: Police plans for Halifax bar surveillance cameras cause concerns.

The Worst Privacy Quotes of the Year for 2007

More "year in review" content, this time the worst privacy quotes of the year from CSO Magazine:

Privacy: The Worst Quotes of the Year - Web Exclusives - Online Column - CSO Magazine

...And the Privvy for Doubleplusgood Newspeak of the Year goes to... Deputy Director of National Intelligence Donald Kerr

"Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture.... But in our interconnected and wireless world, anonymity—or the appearance of anonymity—is quickly becoming a thing of the past.... We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment. Protecting anonymity isn’t a fight that can be won. Anyone that’s typed in their name on Google understands that."

Privacy advocates seized on Kerr’s Orwellian attempt to singlehandedly change the definition of privacy because, hey, it’s really hard. (Source: Office of the Director of Naval Intelligence.)

Thanks to Pogo for the link.

TJX creates executive jobs to deal with privacy issues

In the better late than never department: TJX creates executive jobs to deal with privacy issues - The Boston Globe. (Thanks to Pogo for the link.)

Saturday, December 29, 2007

UK considers proposal that execs be directly accountable for personal information

In the wake of the UK's recent huge privacy incident, parliamentarians are considering a proposal that executives be directly accountable for information security and perhaps even have to certify -- a la Sarbox -- its information practices. See: Call for CEOs to carry can for data leaks - Times Online.

Canada on top in international privacy survey

Privacy International's latest report puts Canada at the top of the heap (along with Greece and Romania), but sinking into the mire.

The Canadian Press: Canada, Greece and Romania have best privacy records, global report says

Canada, Greece and Romania have best privacy records, global report says

LONDON - Individual privacy is best protected in Canada but is under threat in the United States and the European Union as governments introduce sweeping surveillance and information-gathering measures in the name of security and border control, an international rights group said in a report released Saturday.

Canada, Greece and Romania had the best privacy records of 47 countries surveyed by London-based watchdog Privacy International. Malaysia, Russia and China were ranked worst.

Both Britain and the United States fell into the lowest-performing group of "endemic surveillance societies."

"The general trend is that privacy is being extinguished in country after country," said Simon Davies, director of Privacy International. "Even those countries where we expected ongoing strong privacy protection, like Germany and Canada, are sinking into the mire.

"I'm afraid that Canada has kind of lost the plot a little bit this year and hence its move downwards," Davies told the Canadian Press in comments about Canada.

He cites the C-I-A's accessing the banking records of Canadians through the SWIFT banking information system, the Canadian no-fly list, and the Toronto Transit Commission's installation of security cameras as examples of the erosion of privacy rights.

He also decried the increasing number of programs involving the United States, which he said unfortunately has no federal privacy law.

"What's happening, is that Canadian information, sensitive information, is flowing across the border in increasing volumes," Davies said.

"Frankly, that's the sort of situation where government should put pressure on the U.S. government to protect that information legally," he said, "But it's not doing so."

The report came two days after Privacy Commissioner Jennifer Stoddart warned in a release that 2008 will be "another challenging one for privacy in Canada."

"Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent - and growing - threats to privacy rights," Stoddart said.

In the United States, President George W. Bush's administration has come under fire from civil liberties groups for its domestic wiretapping program, which allows monitoring - without a warrant - of international phone calls and e-mails involving people suspected of having terrorist links.

"The last five years has seen a litany of surveillance initiatives," Davies said.

He said little had changed since the Democrats took control of Congress a year ago.

"We would expect the cancellation of some programs, the review of others, but this hasn't occurred," Davies said.

Britain was criticized for its plans for national identity cards, a lack of government accountability and the world's largest network of surveillance cameras.

Davies said the loss earlier this year of computer disks containing personal information and bank details on 25 million people in Britain highlighted the risks of centralizing information on huge government databases.

The report said privacy protection was worsening across western Europe, although it was improving in the former Communist states of eastern Europe.

It said concern about terrorism, immigration and border security was driving the spread of identity and fingerprinting systems, often without regard to individual privacy.

The report said the trends "have been fuelled by the emergence of a profitable surveillance industry dominated by global IT companies and the creation of numerous international treaties that frequently operate outside judicial or democratic processes."

The survey considers a range of factors including legal protection of privacy, enforcement, data sharing, the use of biometrics and prevalence of CCTV cameras.

The 2007 Security Hall of Shame

Another "year in review" ... this time the Computerworld nominees to the security hall of shame:

The 2007 Security Hall of Shame

A brace of breaches: 2007's five worst

In a league of its own: The TJX Companies Inc.

The U.K.'s VA: HMRC misplaces records on 25 million kids In November

The system was broken brokered: Fidelity National Information Services

Some honor among thieves: TD Ameritrade Holding Corp. Brokerage firm Ameritrade

Creatures from the hack lagoon: Monster.com

Ummm ... oops?

Notable meltdowns

Do you copy?: DHS's self-created DDoS attack

Bag that: Supervalu gets phished

Undiplomatic relations: Symantec in China

Hear me, see me: House outs whistle-blowers

Arrrrr! WGA sees pirate people

... and your 2007 poster boys

Consultant turns bot herder: John Schiefer

Exit strategy: Gary Min

Don't drop the soap: Ivory Dickerson

Unbirthday boy: Yung-Hsun Lin

Pick a hat already: Maxwell Butler

Halifax bar gets liquor license back on condition that cops have off-site access to surveillance system

Early on Christmas Eve a huge brawl at one of Halifax's largest bars resulted in the suspension of the property's liquor license. After a hearing yesterday, the license was restored on a number of conditions. Among them, the bar has to double the number of surveillance cameras on the premises and has to provide liquor regulators and the police with real-time access via the internet.

This is a first in Nova Scotia, but likely not the last time we'll hear of this. Why not have them mandatory in all licensed establishments? In all hotels? Hmm. Drinking takes place in university residences, so maybe we should require police surveillance of those places? The thin edge of the wedge.

See: Buck-a-drink binge nights bite the dust: Dome gets liquor licence back with vow to hike prices, beef up security

Friday, December 28, 2007

Security breach affects hundreds of thousands of porn consumers

Personal information on hundreds of thousands of users of adult websites may have been compromised in a breach that is said to have the potential to undermine the confidence that most consumers have in porn websites. Hmm.

See: Porn Industry Frets Over Security Breach Internet: Customers' Personal Data Accessed. - Technology - RedOrbit.

Privacy resolutions from the PCC

Privacy resolutions from the Privacy Commissioner of Canada:

News Release: Do you resolve to protect your privacy in 2008? (December 27, 2007) - Privacy Commissioner of Canada

Do you resolve to protect your privacy in 2008?

OTTAWA, December 27, 2007 – Threats to the privacy rights of Canadians will intensify in 2008 unless organizations resolve to do more to protect personal information, warns Privacy Commissioner of Canada Jennifer Stoddart.

“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” says Commissioner Stoddart.

“The coming year will be another challenging one for privacy in Canada.”

With that prediction in mind, Commissioner Stoddart today released her 2008 list of top 10 suggested New Year’s resolutions for businesses, individuals and government.

Resolutions for businesses in Canada:

1. Protect personal information with strong security.

More than 162 million records were compromised by theft or loss in 2007, triple the number of data losses for the previous year, according to a USA Today analysis of breaches in the US, Canada and other countries. This alarming trend can be reversed if businesses begin to recognize the value of personal information. The disastrous breach involving Winner’s and HomeSense stores is an example of what can go wrong if businesses don’t invest in the latest security.

2. Use encryption to protect personal information on mobile devices such as laptops.

We are seeing too many headlines about personal information at risk because a laptop has been lost or stolen. Organizations must ensure personal information on a mobile device is encrypted – protecting information stored on a laptop with a password is simply not enough.

3. Ensure credit card processing equipment masks complete card numbers on receipts.

Complete credit card numbers should not be printed on receipts for electronically processed transactions. Businesses were supposed to switch to electronic processing equipment that masks card numbers – for example, by printing Xes – by the end of 2007. Printing complete card numbers exposes customers to the risk of identity theft. (Some very small businesses may still be manually taking imprints of cards because it is not economically feasible for them to purchase electronic equipment. They should still take all steps necessary to protect the information they collect.)

Resolutions for Canadians:

4. Think twice before posting personal information on social networking sites.

Many Facebook and Myspace users think of these sites as private, when, in reality, the information they post can often be seen by just about anyone. Before posting something, ask questions such as: How would I feel defending this comment or photo during a job interview five years from now? Am I harming someone else or invading someone’s privacy by posting this comment, photo or video? We like this simple rule of thumb: If Grandma shouldn't know, it shouldn't be posted.

5. Ask questions when someone asks for personal information.

It’s a good idea to understand why information such as your phone number or postal code, or driver’s licence is being requested and how it will be used. If you are concerned about receiving junk mail or telemarketing calls, decline to provide the information. Canada’s privacy laws offer you a choice about providing personal information that is not necessary for a transaction.

6. Take steps to protect your personal information.

Invest in a good shredder or burn all documents that include your name, address, SIN, financial information or other sensitive personal information. Papers containing personal information don’t belong in the recycling bin.

Resolutions for the federal government:

7. Overhaul the no-fly list to ensure strong privacy protections for Canadians.

The no-fly list involves the secretive use of personal information in a way that has very serious impact on privacy and other human rights. Innocent Canadians face the very real risk they will be stopped from flying because they’ve been incorrectly listed or share the name of someone on the list.

8. Move forward with proposed reforms to Canada’s privacy laws.

The federal government is currently holding consultations on important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These proposed changes include mandatory breach notification, a step that would encourage businesses to take security more seriously and protect Canadians against identity theft.

We also urge the federal government to open a review of the Privacy Act, which will be celebrating its 25th anniversary in 2008. Canadians should be offered the same level of legal protection under the Privacy Act as they have, as consumers, under PIPEDA.

9. Ensure that identity theft legislation is swiftly passed.

The government has introduced Criminal Code amendments to help police stop identity thieves or fraudsters before Canadians suffer actual financial harm. The changes include explicit penalties for collecting, possessing and trafficking in personal information.

10. Develop anti-spam legislation.

Canada remains the only G-8 country without anti-spam legislation, raising the danger that we will become a harbour for spammers. Halting the proliferation of spam is another important measure necessary to address identity theft.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Thursday, December 27, 2007

The top science-and-tech privacy threats of 2007

'Tis the season for the year in review. Slate kicks it off with The top science-and-tech privacy threats of 2007. The list includes:

  1. Surveillance cameras.
  2. The war on smoking.
  3. The war on junk food.
  4. The war on salt.
  5. Pedestrian cell-phone use.
  6. Naked body scanners.
  7. Phone-surveillance ads.
  8. Human chip implants.
  9. Mind-reading.
  10. Manipulating sexual orientation.

Identity Theft Cartoon

Thanks to Schneier on Security for the link.

Sunday, December 23, 2007

More UK data breaches come to light

I think we'll be seeing even more of these out of the UK as government authorities and the media turn their attention to the issue.

It's being reported that a number of National Health System trusts have "lost" the personal information of hundreds of thousands of British residents in the past little while. See: BBC NEWS UK Nine NHS trusts lose patient data

Saturday, December 22, 2007

FTC green lights Google and DoubleClick merger

This past week, the US Federal Trade Commission gave the green light to the merger of Google and DoubleClick. As is highlighted in the official Google blog entry on the topic, privacy didn't play any part in the FTC's decision:

Official Google Blog: Analysis: The FTC clears our acquisition of DoubleClick

Privacy not a part of the merger review. Though we strongly believe in protecting our users' privacy, the FTC clearance decision reaffirmed the law by noting that privacy concerns played no role in its merger review. This is an important principle, as privacy issues need to be addressed on an industry-wide basis, and not on a company-by-company basis. The FTC wrote, "although such issues may present important policy questions for the Nation, the sole purpose of federal antitrust review of mergers and acquisitions is to identify and remedy transactions that harm competition. Not only does the Commission lack legal authority to require conditions to this merger that do not relate to antitrust, regulating the privacy requirements of just one company could itself pose a serious detriment to competition in this vast and rapidly evolving industry." The FTC also noted, however, "that the evidence does not support a conclusion" that this particular transaction will harm consumer privacy.

Data combination wouldn't pose problems. The FTC rejected the suggestion from competitors that Google would combine user information with DoubleClick's customers' data to obtain an advantage in the market, writing that the data is owned by DoubleClick’s customers and that "at bottom, the concerns raised by Google’s competitors regarding the integration of these two data sets -- should privacy concerns not prevent such integration -- really amount to a fear that the transaction will lead to Google offering a superior product to its customers." Moreover, "a number of Google’s competitors have at their disposal valuable stores of data not available to Google. For instance, Google’s most significant competitors in the ad intermediation market, Microsoft, Yahoo!, and Time Warner have access to their own unique data stores."

FBI aims for world's largest biometrics database

This sort of stuff no longer surprises me, but this bit of the story on Yahoo! News is interesting:
FBI aims for world's largest biometrics database - Yahoo! News

... At an employer's request, the FBI will also retain the fingerprints of employees who have undergone criminal background checks, the paper said....

Thursday, December 20, 2007

Surgeon snaps pictures of patient's privates

I don't think there's much debate that the relationship between a physician and a patient is one where confidentiality and trust are absolutely critical. This is why there's such outrage when a physician takes advantage of this position of trust.

Yahoo! News is running an article about a Chief Resident of General Surgery from an Arizona hospital who took a picture of a patient's tattooed genitals when the patient was sedated. The surgeon apparently was showing the picture around to other doctors, thinking the tattoo "HOT ROD" was funny. It may be funny, but the actions of this physician are appalling and bring the whole profession into disrepute. See: Tattooed privates prove not so private - Yahoo! News.

UPDATE: No HIPAA charges expected: Doctor in penis case likely will avoid federal charges.

Wednesday, December 19, 2007

Alberta faults Ticketmaster for requiring consent to secondary purposes

The Alberta Information and Privacy Commissioner has found that Ticketmaster violated that province's privacy law by requiring that purchasers consent to use of their information by concert promoters. From the Commissioner:

OIPC

Office of the Information and Privacy Commissioner of Alberta

December 19, 2007

Ticketmaster investigated under Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that Ticketmaster Canada Ltd (Ticketmaster) contravened the Personal Information Protection Act (PIPA) by requiring on-line customers to consent to the use of personal information for the event provider’s marketing purposes, as a condition of a ticket sales transaction. The investigation also determined Ticketmaster’s on-line opt-out process did not allow customers to make an informed decision about consent nor did it offer customers a reasonable opportunity to decline or object to the use of their personal information for event providers’ marketing purposes. Ticketmaster’s on-line privacy policy was also found to be complex and ambiguous.

The Complainant went on Ticketmaster’s website, www.ticketmaster.ca to purchase tickets for an event. During the on-line transaction, the Complainant was unable to proceed with his on-line ticket purchase unless he consented to Ticketmaster’s “Use of Personal Information” privacy statement. The Complainant was particularly concerned with the contents of this privacy statement, which authorized Ticketmaster to share his email address with event providers for the event providers’ marketing purposes.

Ticketmaster agreed to implement the Investigator’s recommendations, which included launching, across Canada, a new on-line and telephone opt-in mechanism for event providers’ marketing communications. This mechanism offers on-line and telephone customers the opportunity to opt-in to receiving marketing materials from event providers by checking a box during the on-line ticket purchase process. In conjunction with the new on-line opt-in mechanism, Ticketmaster posted its revised on-line privacy policy with an easily navigable table of contents linking to appropriate section of the policy. To obtain a copy of Investigation Report P2007-IR-007, please visit our website at: www.oipc.ab.ca

CBC has some coverage of the story here: CBC.ca Arts - Ticketmaster's online sales violated Alberta privacy law.

Tuesday, December 18, 2007

Google Maps with "my location"

I just got a new Blackberry Curve 8310, with built-in GPS. But just before giving up my old Blackberry 8700 I installed the new Google Maps with the "my location" feature. The "my location" feature is somewhat handy but the privacy geek in me has a few questions.

The feature uses signals from the cell phone network to approximate your location within a few hundred metres (depending on the density of cell towers in your area). When I installed it, I didn't have to give it any special permission to get access to carrier information or other stuff. Handy if I want it, but it makes me wonder whether any software installed on my Blackberry can get access to this data and perhaps transmit it in the background. That certainly raises privacy issues.

If anyone knows, please let me know.

In the meantime, here's a Google promotional video on the new Google Maps:

Monday, December 17, 2007

New device may end drunk driving?

Friend and compatriot PGuy pointed me to this story about a new device that would be built into new cars that would prevent the car from starting if the driver shows evidence of having too much alcohol in their blood. The technology would sense it from the driver's skin through the steering wheel: New device may end drunk driving The News is NowPublic.com. He asked if I thought it raises privacy issues.

I don't really see privacy issues per se, unless the thing records the readings. But I'm not sure it's a good idea. Those most likely to otherwise drink and drive will bypass the system or will hit the reefer if they intend to take the car home.

I just wonder where these things will end. A sensor that you're too tired, too jittery, too easily distracted, listening to an iPod, eating a cheese burger, have squabbling kids in the back?

Thursday, December 13, 2007

People don't really like surprises

Seth Godin has an interesting take on privacy, particularly online:

Seth's Blog: People don't truly care about privacy

People don't truly care about privacy

There's been a lot of noise about privacy over the last decade, but what most pundits miss is that most people don't care about privacy, not at all.

If they did, they wouldn't have credit cards. Your credit card company knows an insane amount about you.

What people care about is being surprised.

If your credit card company called you up and said, "we've been looking over your records and we see that you've been having an extramarital affair. We'd like to offer you a free coupon for VD testing..." you'd freak out, and for good reason.

If the local authorities start using what's on the corner surveillance cameras to sell you a new kind of commuter token, you'd be a little annoyed at that as well.

So far, government and big companies have gotten away with taking virtually all our privacy away by not surprising most of us, at least not in a vivid way. Libertarians are worried (probably with cause) that once the surprises start happening, it'll be too late.

This leads us to Ask.com's new Eraser service, which promises to not remember stuff about your searching. The problem they face: most people want Google and Yahoo and Amazon to remember their searches, because it leads to better results and (so far) rarely leads to surprises.

The irony is that the people who most want privacy are almost certainly the worst possible customers for a search engine. These are the folks who are unlikely to click on ads and most likely to visit the dark corners of the Net. If I were running a web property, I'd work hard to attract the people who least want privacy and want to share their ideas with everyone else.

Make promises, keep them, avoid surprises. That's what most people (and the profitable people) want.

Monday, December 10, 2007

Boy awaits bone-marrow transplant

This has nothing to do with privacy, but I'm trying to get the word out as widely as I can.

Many in Atlantic Canada may recall hearing about Zachery Hall in the newspapers and on the regional television news some time ago. Zachery was a little boy who suffered from the disease Adrenoleukodystrophy (ALD) [http://en.wikipedia.org/wiki/Adrenoleukodystrophy]. It is a very rare disease in which the body's myelin is progressively destroyed by a mechanism that is not well understood. (Myelin is the insulation for our body's nerve cells.) The disease causes progressive deterioration of the nervous system, leading to failure to develop, seizures, loss of coordination, then blindness, deafness, dementia and ultimately death.

Members of the community were very generous to support Zachery's family while he was undergoing treatment. Our support also helped him to go to Disneyland with his family while he was still able to enjoy it. Zachery Hall died in 2006 at age 10.

Zachery's little brother, Bretton, has been diagnosed with the same horrendous disease. They have been able to identify it at a much earlier stage than Zachery's and are hopeful that earlier treatment may be able to provide him with a longer life with greater quality of life.

Bretton's family is not well off to begin with. He will be receiving very long and expensive treatments in Ontario. We hope to be able to assist the family with their expenses in this.

Bretton's aunt and I have set up a trust account at ScotiaBank to assist the family. We hope to be able to help with his treatments, assist with his quality of life and to help the family in what is a devastatingly difficult time. The community has been very generous in the past and I'm hopeful that we may be able to help this family in our community. If you are able to make a donation, please let us know. You can send a cheque to either of us, payable to “Jo Anne Conrod and David Fraser in Trust”, or you can make a deposit at any Scotiabank Branch (Name: Jo-Anne Conrod & David T. Fraser (In Trust for Bretton Kinslow) / Act#: 700030255629 / Transit#: 70003).

David Fraser

c/o McInnes Cooper

1300-1969 Upper Water Street

PO Box 730

Halifax, NS B3J 2V1

Jo-Ann Conrod

c/o St. Matthew’s United Church

1479 Barrington Street

Halifax, NS B3J 1Z2

Donations are gratefully received through the account shown above, or via PayPal.


From today's Halifax Daily News:

Halifax, The Daily News: News Boy awaits bone-marrow transplant

Not unlike other boys his age, six-year-old Bretton Kinslow spent a good chunk of time before bed last night jumping off the couch, trying out new wrestling moves and practising tricks on his skateboard.

Unlike other boys his age, Bretton and his family are standing by at their Hatchet Lake home for a call from Sick Kids Hospital in Toronto with the news that there's a stem-cell match for the grade primary student.

On Nov. 8, Bretton was diagnosed with the same genetic disease that killed his brother Zachery Hall just last year at the age of 10.

Adrenoleukodystrophy or ALD - a rare disease that was depicted in the 1992 film Lorenzo's Oil - causes damage to the myelin sheath that insulates the nerve cells in the brain.

Severely affected

The most common type of ALD is linked to the x-chromosome and, with only one x-chromosome, men are more severely affected.

Young boys are the most common victims of the disease, which causes progressive deterioration of the nervous system leading to loss of co-ordination, blindness, deafness, dementia and, ultimately, death.

By the time doctors realized what was wrong with Zach, his mother Lisa Kinslow said, it was too late.

But after he became sick, the IWK kept a close eye on Bretton.

"They monitored Bretton every six months," Kinslow said.

At the last six-month checkup, it was confirmed Bretton had developed ALD.

He's now on the list for a bone-marrow transplant, which is conducted using the stem cells from an umbilical cord.

With the transplant, every cell in Bretton's body will be renewed, hopefully staving off the deterioration of his nervous system.

"He won't even have the same blood type anymore," Kinslow said.

While Bretton bounced himself off the couch, showing off for the photographer, Kinslow and her husband Mark explained there are no guarantees the transplant will save Bretton, but he has a better chance than his older brother, who was diagnosed too late.

"With Zach, it was different; we knew the outcome," she said.

"With this one, we're fighting for it."

Some understanding

Kinslow said Bretton has some understanding of what's going on.

He knows he's going to Toronto for the doctors to make him better; he knows he'll have to take a lot of medication; and because of chemotherapy before the transplant, he knows he'll probably lose his hair.

"I don't want to be bald," he said at one point last night, grinning and rubbing his head.

Kinslow admitted it's been a rough go for the family.

She's trying to keep it together for Bretton and trying not to let his illness become the focus.

"We spend every day with him, we play with him, we talk with him," she said.

"There's nothing that he wants to do that we don't try."

Bretton's aunt, Jo-Anne Conrod, and family lawyer David Fraser with McInnes Cooper have set up a trust fund for Bretton and his family to help get them through their time in Toronto and future challenges.

Donations can be deposited at any Scotiabank branch under the name Jo-Anne Conrod and David T. Fraser (In Trust for Bretton Kinslow/Acct. # 700030255629/ Transit #70003)

Wednesday, December 05, 2007

Credit-card company facing liquidation

I am surprised this hasn't received more coverage. CardSystems is facing bankruptcy as a result of the very high profile data breach in 2005. See: Credit-card company facing liquidation | www.azstarnet.com.

Alberta drug testing case one to watch

Daniel J. Michaluk has a great comment on an Alberta case that's pending dealing with employee drug testing, which is a very common practice in that province's oil sands projects. Check it out: One to watch - Drug testing case at Alberta CA « All About Information.

US judge denies feds' request for Amazon customer list

A US federal judge has denied a request by the Federal Government for a subpoena of a list of Amazon.com customers, citing the chilling effect that such a subpoena may have:

The Associated Press: Feds Cancel Amazon Customer ID Request

....

"The (subpoena's) chilling effect on expressive e-commerce would frost keyboards across America," U.S. Magistrate Judge Stephen Crocker wrote in a June ruling.

"Well-founded or not, rumors of an Orwellian federal criminal investigation into the reading habits of Amazon's customers could frighten countless potential customers into canceling planned online book purchases," the judge wrote in a ruling he unsealed last week.

Seattle-based Amazon said in court documents it hopes Crocker's decision will make it more difficult for prosecutors to obtain records involving book purchases. Assistant U.S. Attorney John Vaudreuil said Tuesday he doubted the ruling would hamper legitimate investigations.

Crocker — who unsealed documents detailing the showdown against prosecutors' wishes — said he believed prosecutors were seeking the information for a legitimate purpose. But he said First Amendment concerns were justified and outweighed the subpoena's law enforcement purpose.

"The subpoena is troubling because it permits the government to peek into the reading habits of specific individuals without their knowledge or permission," Crocker wrote. "It is an unsettling and un-American scenario to envision federal agents nosing through the reading lists of law-abiding citizens while hunting for evidence against somebody else."

Tuesday, December 04, 2007

Incident: Passport applicant finds massive privacy breach

This is interesting:

globeandmail.com: Passport applicant finds massive privacy breach

A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports....

Thanks to Michael Geist for the link.

Nevada Passes Data Encryption Law

The Business and Technology blog from Scott & Scott reports that Nevada has just passed a law requiring the encryption of personal information when in transit. See:

Nevada Passes Data Encryption Law (Business and Technology Law)

Nevada recently passed a law requiring businesses to encrypt customers’ personal information during transmission of an electronic transaction. While other data protection laws require the shredding of records or the implementation of reasonable security measures to protect sensitive information, Nevada’s mandates use of encryption technology....

Monday, December 03, 2007

Identity theft bill will help in battle

David Canton's most recent Canoe column provides a good overview of the anti-ID theft legislation: Identity theft bill will help in battle.

Sunday, December 02, 2007

TJX Agrees to Pay $40.9 Million to Visa Card Issuers

According to the New York Times, TJX has agreed to settle claims brought against it by Visa card issuing banks if they accept the offer by December 19. Claims will be paid by year end. See: TJX Agrees to Pay $40.9 Million to Visa Card Issuers - New York Times.

Saturday, December 01, 2007

There's No Such Thing As An Anonymized Dataset

Techdirt has an interesting report, culled from Slashdot, about an experiment that went in an unanticipated direction. Netflix released a chunk of deidentified data hoping that researchers could use the data to tweak and improve the company's recommendation algorithm. Other researchers used the data to match Netflix reviewers to IMDB reviewers, which identified many of the supposedly anonymous Netflix users. See: Techdirt: There's No Such Thing As An Anonymized Dataset (and thanks to Rob Hyndman for sending me the link.)

What's the big deal? Two things: first, those Netflix viewers thought their information would remain private, and some of it would reveal personal attitudes toward sex, violence and other matters. Second, it is a lesson for anyone else who thinks that releasing an "anonymized" dataset would be OK.
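For anyone weighing such a release, here is a pre-release audit sketch, added as an illustration and not taken from Techdirt, Netflix or the researchers. It measures how many records in a pseudonymized ratings table are singled out by just `k` of their own entries; the sample table, the function names and the three-day date tolerance are all assumptions made for the example.

```python
from itertools import combinations

# Constructed sample, not real data: pseudonym -> {title: (rating, day number)}.
RELEASED = {
    "u1": {"Heat": (5, 10), "Alien": (4, 12), "Big": (3, 40)},
    "u2": {"Heat": (5, 11), "Alien": (4, 13), "Jaws": (2, 41)},
    "u3": {"Heat": (4, 90), "Fargo": (5, 92), "Big": (3, 95)},
    "u4": {"Alien": (4, 12), "Jaws": (2, 30), "Fargo": (1, 33)},
}
NO_DATES = 10**6  # slack so large that dates carry no information


def consistent(record, aux, day_slack):
    """True if every (title, rating, day) an outsider knows fits this record."""
    for title, (rating, day) in aux.items():
        if title not in record:
            return False
        rel_rating, rel_day = record[title]
        if rel_rating != rating or abs(rel_day - day) > day_slack:
            return False
    return True


def candidates(released, aux, day_slack=3):
    """Pseudonyms that remain possible given the outsider's knowledge."""
    return sorted(p for p, rec in released.items()
                  if consistent(rec, aux, day_slack))


def singled_out(released, pseudonym, k, day_slack=3):
    """True if some k entries of this record match no other record."""
    record = released[pseudonym]
    for titles in combinations(sorted(record), k):
        aux = {t: record[t] for t in titles}
        if candidates(released, aux, day_slack) == [pseudonym]:
            return True
    return False


def unique_fraction(released, k, day_slack=3):
    """Share of released records that k known entries can single out."""
    hits = sum(singled_out(released, p, k, day_slack) for p in released)
    return hits / len(released)


if __name__ == "__main__":
    for k in (1, 2):
        print(k, unique_fraction(RELEASED, k),
              unique_fraction(RELEASED, k, NO_DATES))
```

On this sample, stripping the dates halves the exposure when one entry is known, but two known entries still single out every record.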