Teens, Social Media, and Privacy by Mary Madden, Amanda Lenhart, Sandra Cortesi, Urs Gasser, Maeve Duggan, Aaron Smith. May 21, 2013
ABCNews: "The Department of Justice complied with the letter of the law and responded to a Freedom of Information Act request from the ACLU seeking insight into the Obama Administration’s policy on intercepting text messages from cell phones. But -- it didn’t release any actual information. Or even any words or letters. As one Reddit comment put it, “[the document is] so transparent it’s completely invisible.” Instead, the Justice Department released 15 pages that were entirely redacted, shaded over in heavy black from top to bottom. All that was visible is the subject of the memo: “Guidance for the Minimization of Text Messages over Dual-Function Cellular Telephones.” It is all part of a larger legal battle between civil rights activists and the federal law enforcement about electronic communications. The ACLU has argued that current government surveillance practices on electronic communications violate citizens’ Fourth Amendment rights, which are meant to protect Americans from unlawful searches and seizures. With the FOIA request they were trying to determine if the FBI had properly complied with a 2010 appeals court decision that concerned when email providers must turn over messages to law enforcement and whether the guidelines apply to text messages."
"The Federal Trade Commission testified before a U.S. Senate Commerce subcommittee on a recent FTC study examining the accuracy of consumer credit reports, as well as the agency’s efforts to improve credit report accuracy through enforcement and education. On behalf of the agency, Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, told the Subcommittee on Consumer Protection, Product Safety, and Insurance that errors in credit reports can cause consumers to be denied credit or other benefits or pay a higher price for them. It may also lead credit issuers to make inaccurate decisions that cause them to deny credit to a potentially valuable customer or issue credit to a riskier customer than intended."
EPIC: "Today the Senate voted to confirm David Medine as the Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), an agency established to review executive branch actions and to protect privacy and civil liberties after 9/11. EPIC urged the creation of an independent privacy agency after 9/11. At the first meeting of the agency in 2012, EPIC set out several priorities for PCLOB, including (1) suspension of the fusion center program, (2) limitations on CCTV surveillance, (3) removal of airport body scanners, (4) establishing privacy regulation for drones, (5) updating data disclosure standards, and (6) ensuring Privacy Act adherence. For more information, see EPIC: The 9/11 Commission Report and EPIC: The Sui Generis Privacy Agency."
"The Federal Trade Commission has issued an updated set of frequently asked questions designed to help website operators, mobile application developers, plug-ins and advertising networks operating on child-directed websites and online services prepare for upcoming changes to the Children’s Online Privacy Protection Rule. The document, titled Complying With COPPA: Frequently Asked Questions contains information directed to websites and online services whose work online may involve the collection of personal information from children under age 13. The document provides guidance from the FTC staff that supplements the rule and other COPPA–related material previously published by the FTC."
Citizen Lab [University of Toronto] "released a new report, For Their Eyes Only: The Commercialization of Digital Spying. The report features new findings, as well as consolidating a year of our research on the commercial market for offensive computer network intrusion capabilities developed by Western companies. Our new findings include:
"Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual. In this report, we disclose:
News release: "As you search the Internet, visit websites, and update your social media accounts, you entrust a wealth of data to service providers: your thoughts, your photos, your location, and much more. What happens when the government wants access to all of this information, held by companies like Google and Facebook and AT&T? Will these providers help you fight back against unfair demands for data about your private life? Today the Electronic Frontier Foundation (EFF) releases its third annual report, Who Has Your Back?, which looks at major technology service providers' commitment to users' rights in the face of government data demands. EFF's report examines 18 companies' terms of service, privacy policies, advocacy, and courtroom track records, awarding up to six gold stars for best practices in categories like "require a warrant for content," "tell users about government data demands," and "publish transparency reports."
A Secure Submission System for Online Whistleblowing Platforms. Volker Roth, Benjamin Güldenring, Eleanor Rieffel, Sven Dietrich, Lars Ries (Submitted on 26 Jan 2013) An abridged version has been accepted for publication in the proceedings of Financial Cryptography and Data Security 2013.
"The Internal Revenue Service is collecting a lot more than taxes this year -- it's also acquiring a huge volume of personal information on taxpayers' digital activities, from eBay auctions to Facebook posts and, for the first time ever, credit card and e-payment transaction records, as it expands its search for tax cheats to places it's never gone before. The IRS, under heavy pressure to help Washington out of its budget quagmire by chasing down an estimated $300 billion in revenue lost to evasions and errors each year, will start using "robo-audits" of tax forms and third-party data the IRS hopes will help close this so-called "tax gap." But the agency reveals little about how it will employ its vast, new network scanning powers. Tax lawyers and watchdogs are concerned about the sweeping changes being implemented with little public discussion or clear guidelines, and Congressional staff sources say the IRS use of "big data" will be a key issue when the next IRS chief comes to the Senate for approval. Acting commissioner Steven T. Miller replaced Douglas Shulman last November."
EPIC: "EPIC has submitted Freedom of Information Act requests for the release of the privacy assessments of Facebook and MySpace submitted to the Federal Trade Commission. As a result of privacy violations, both companies are required to implement comprehensive privacy programs and submit to independent, biennial evaluations for 20 years. Previously, EPIC obtained a copy of Google's initial privacy assessment that redacted information about the standards by which the assessment was completed, the test procedures used to assess the effectiveness of Google's privacy controls, the procedures Google uses to identify privacy risks, and the types of personal data Google collects from users. The FTC settlements with Facebook and Google arose from complaints brought by EPIC and other consumer organizations. In comments to the agency on the proposed settlements, EPIC recommended that the privacy assessments be publicly available. For more information, see EPIC: Federal Trade Commission and EPIC: Open Government."
Privacy Impact Assessment for the Office of Operations Coordination and Planning - Publicly Available Social Media Monitoring and Situational Awareness Initiative, DHS, Update April 1, 2013
EPIC: "The Department of Homeland Security has released a Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see EPIC v. NSA - Cybersecurity Authority."
"Verizon’s 2013 Data Breach Investigations Report (DBIR) provides truly global insights into the nature of data breaches that can help organizations of all sizes to better understand the threat and take the necessary steps to protect themselves. The breadth and depth of data represented in this year’s DBIR is unprecedented. It combines the efforts of 19 global organizations: law enforcement agencies, national incident-reporting entities, research institutions, and a number of private security firms — all working to study and combat data breaches. Over the years the number of contributors has grown. Since we started publishing the DBIR in 2008, our partners have contributed data information on more than 2,500 confirmed data breaches — totaling more than a billion compromised records."
EFF: "Recently, we published a blog post that described how to opt out of seeing ads on Facebook targeted to you based on your offline activities. This post explained where these companies get their data, what information they share with Facebook, or what this means for your privacy. So get ready for the nitty-gritty details: who has your information, how they get it, and what they do with it. It’s a lot of information, so we’ve organized it into an FAQ for convenience."
CRS - Submission of Mental Health Records to NICS and the HIPAA Privacy Rule, April 15, 2013
Machine-to-Machine Communications: Connecting Billions of Devices. Publication date: 30 Jan 2012. No. 192, 45 pages. DOI 10.1787/5k9gsh2gp043-en
"EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition."
Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses. Richard M. Thompson II, Legislative Attorney. April 3, 2013
News release: "The Internal Revenue Service...issued its annual “Dirty Dozen” list of tax scams, reminding taxpayers to use caution during tax season to protect themselves against a wide range of schemes ranging from identity theft to return preparer fraud. The Dirty Dozen listing, compiled by the IRS each year, lists a variety of common scams taxpayers can encounter at any point during the year. But many of these schemes peak during filing season as people prepare their tax returns. "This tax season, the IRS has stepped up its efforts to protect taxpayers from a wide range of schemes, including moving aggressively to combat identity theft and refund fraud," said IRS Acting Commissioner Steven T. Miller. "The Dirty Dozen list shows that scams come in many forms during filing season. Don't let a scam artist steal from you or talk you into doing something you will regret later." Illegal scams can lead to significant penalties and interest and possible criminal prosecution. IRS Criminal Investigation works closely with the Department of Justice (DOJ) to shut down scams and prosecute the criminals behind them."
Via Firefox Aurora Notes - Firefox getting smarter about third-party cookies: "On Friday, Mozilla released a Firefox patch into its “Nightly” channel that changes how cookies from third party companies function. Users of this build of Firefox must directly interact with a site or company for a cookie to be installed on their machine. The patch also provides an additional control setting under the “Privacy” tab in Firefox’s Preferences menu. Many years of observing Safari’s approach to third party cookies, a rapidly expanding number of third party companies using cookies to track users, and strong user support for more control is driving our decision to move forward with this patch. We have a responsibility to advance features and controls that bring users’ expectations in line with how the web functions for them."
"EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process of the Cyber Intelligence Sharing and Protection Act (CISPA) to the public. CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." Some in Congress believe that the proposal should be adopted in a secret committee meeting. EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority."
EPIC: "Data protection agencies in six European countries have announced enforcement actions against Google. The agencies acted after Google ignored recommendations to comply with European data protection law. "It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation," the French data protection authority said. The enforcement action follows from Google's March 2012 decision to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's revised privacy policies also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order."
"A federal judge in Washington, DC today issued an Opinion denying the FBI's motion to delay the release of records sought under the Freedom of Information Act. The decision follows from a lawsuit filed by EPIC against the FBI for records about the agency's use of cell-site simulator technology, commonly referred to as "StingRay." These devices track cell phones and collect a vast amount of data from telephone customers. The Court found that the FBI was not facing the "exceptional circumstances" necessary to justify its proposed two-year delay. The Court ordered the agency to produce all records, except those subject to classification review, by August 1, 2013. For more information, see EPIC v. FBI - StingRay."
The Dangers of Surveillance, Neil M. Richards. Washington University in Saint Louis - School of Law, March 25, 2013. Harvard Law Review, 2013. Via SSRN
Peter Fleischer, Global Privacy Counsel for Google: "On the global stage, Europe is convincing many countries around the world to implement privacy laws that follow the European model. The facts speak for themselves: in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws. Not a single country, anywhere, has followed the US-model. Indeed, what is the US model? People in the privacy profession know that the US has a dense "patchwork" model of privacy laws: every individual US State has numerous privacy laws, the Federal government has numerous sectoral laws, and numerous other "non-privacy" laws, like consumer protection laws, are regularly invoked in privacy matters. Regulators in many corners of government, ranging from State attorneys general, to the Federal Trade Commission, and armies of class action lawyers inspect every privacy issue for possible actions..."
Report of the Select Committee on Intelligence to United States Senate covering the period January 5, 2011 - January 3, 2013, 113th Congress, 1st Session, Senate Report 113-7.
Proposed new EU General Data Protection Regulation: Article-by-article analysis paper, V1.0. 12 February 2013. UK Information Commissioner's Office (ICO).
Unique in the Crowd: The privacy bounds of human mobility, Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen & Vincent D. Blondel. Scientific Reports 3; Article number:1376; doi:10.1038/srep01376; Published 25 March 2013
CRS - Cloud Computing: Constitutional and Statutory Privacy Protections, Richard M. Thompson II, Legislative Attorney. March 22, 2013
Bruce Schneier is a security technologist and author of "Liars and Outliers: Enabling the Trust Society Needs to Survive."
"New research, published today in the journal PNAS, shows that surprisingly accurate estimates of Facebook users’ race, age, IQ, sexuality, personality, substance use and political views can be inferred from automated analysis of only their Facebook Likes - information currently publicly available by default. In the study, researchers describe Facebook Likes as a “generic class” of digital record - similar to web search queries and browsing histories - and suggest that such techniques could be used to extract sensitive information for almost anyone regularly online. Researchers at Cambridge’s Psychometrics Centre, in collaboration with Microsoft Research Cambridge, analysed a dataset of over 58,000 US Facebook users, who volunteered their Likes, demographic profiles and psychometric testing results through the myPersonality application...The researchers also tested for personality traits including intelligence, emotional stability, openness and extraversion. While such latent traits are far more difficult to gauge, the accuracy of the analysis was striking. Study of the openness trait – the spectrum of those who dislike change to those who welcome it – revealed that observation of Likes alone is roughly as informative as using an individual’s actual personality test score."
"Attorneys general for 38 states and the District of Columbia today reached a "$7 Million Settlement" with Google over consumer protection and privacy claims. The company engaged in the unauthorized collection of data from wireless networks, including private WiFi networks of residential Internet users. A detailed Assurance of Voluntary Compliance, setting out the terms of the settlement, is now available. In 2010, EPIC urged the Federal Communication Commission to investigate the Google Street View program after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. EPIC subsequently pursued FOIA requests regarding the FCC and the Department of Justice investigations. Federal wiretap claims concerning Street View are still pending in federal court. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google."
Lois Beckett - ProPublica: "Data companies are scooping up enormous amounts of information about almost every American. They sell information about whether you're pregnant or divorced or trying to lose weight, about how rich you are and what kinds of cars you have. Regulators and some in Congress have been taking a closer look at these so-called data brokers — and are beginning to push the companies to give consumers more information and control over what happens to their data. But many people still don't even know that data brokers exist.
EFF: "Facebook has announced that it’s teaming up with four of the world’s largest corporate data brokers to “enhance” the ad experience for users. Datalogix, Epsilon, Acxiom, and BlueKai obtain information gathered about users through online means (such as through cookies when users surf the web) as well as through offline means (such as through loyalty cards at supermarkets and product warranty cards). Through the new relationship with Facebook, companies will be able to display advertisements to Facebook users based on data that these data brokers have on individuals...We recommend you use a tool such as Ghostery (now available on Firefox, Safari, Chrome, Opera and Internet Explorer) or Abine's DoNotTrackMe (available in Firefox, Safari, Chrome and Internet Explorer) or AdBlockPlus with EasyPrivacy Lists. See more comprehensive instructions in our 4 Simple Changes to Stop Online Tracking."
VA Office of Inspector General, Office of Audits and Evaluations - Review of Alleged Transmission of Sensitive VA Data Over Internet Connections, March 6, 2013
EFF: "Last year, Maryland became the first state to explicitly prohibit employers from forcing applicants or workers to disclose their personal names or passwords as a condition of employment. California followed soon after with its own measure, which further bars private employers from even requesting access to their workers social-media accounts. According to the National Conference of State Legislatures, some 28 states are weighing legislation addressing the issue in one regard or another in 2013. Broadly speaking, an individual should not have to open up their online private lives to get or keep a job. Not only is it an invasion of the job-seeker’s privacy, but such practices expose personal information belonging to friends and family members who thought they were communicating privately within a closed network."
EFF: "In an unprecedented win for transparency, yesterday Google began publishing generalized information about the number of National Security Letters that the company received in the past year as well as the total number of user accounts affected by those requests. Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the National Security Letter (NSL) power provided by five statutory provisions is one of the most frightening and invasive. These letters--the type served on communications service providers such as phone companies and ISPs and are authorized by 18 U.S.C. 2709--allow the FBI to secretly demand data about ordinary American citizens' private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters' existence to anyone."
Silent Listeners: The Evolution of Privacy and Disclosure on Facebook by Fred Stutzman, Ralph Gross, Alessandro Acquisti. Journal of Privacy and Confidentiality, Volume 4, Issue 2 (2012) [via Study: Facebook Users More Protective Even as They Reveal More About Themselves]
"Secure deletion involves the use of special software to ensure that when you delete a file, there really is no way to get it back again. When you "delete" a file — for instance, by putting the file in your computer's trash folder and emptying the trash — you may think you've deleted that file. But you really haven't. Instead, the computer has just made the file invisible to the user, and marked the part of the disk drive that it is stored on as "empty," meaning that it can be overwritten with new data. But it may be weeks, months, or even years before that data is overwritten, and the computer forensics experts can often even retrieve data that has been overwritten by newer files. Indeed, computers normally don't "delete" data; they just allow it to be overwritten over time, and overwritten again. The best way to keep those "deleted" files hidden, then, is to make sure they get overwritten immediately. Your operating system probably already includes software that can do this for you, and overwrite all of the "empty" space on your disk with gibberish (optionally multiple times), and thereby protect the confidentiality of deleted data. Examples include GNU Shred (Linux), Secure Delete (Mac OS X), and cipher.exe (Windows XP Pro and later)."
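The quoted passage describes two things: an ordinary delete only marks a file's blocks as free, so the bytes remain on the medium until something overwrites them, and a secure delete overwrites them first. The block below is an added example, not part of the quoted EFF text and not the code of GNU shred or any of the tools named above. It models the first point with a constructed toy disk (a byte buffer plus a free-sector bitmap, with a "carve" scan standing in for a forensic examiner reading raw sectors) and implements the second point for a real file with an overwrite-fsync-unlink routine. The names `ToyDisk`, `shred_file`, `demo` and `shred_demo`, and the sample "secret" string, are all constructed for this illustration.

```python
"""Added example (not from the quoted text): why a plain delete leaves data
recoverable, and an overwrite-before-unlink secure delete for a real file."""
import os
import secrets
import tempfile

SECTOR = 16  # constructed toy sector size; real disks use 512 or 4096 bytes


class ToyDisk:
    """Constructed model of a disk: raw bytes plus a free-sector bitmap.
    An ordinary delete only flips bitmap bits; the bytes stay in place."""

    def __init__(self, sectors: int) -> None:
        self.data = bytearray(sectors * SECTOR)
        self.free = [True] * sectors
        self.files = {}  # name -> list of sector numbers

    def write(self, name: str, payload: bytes) -> None:
        needed = -(-len(payload) // SECTOR)  # ceiling division
        chosen = [i for i, is_free in enumerate(self.free) if is_free][:needed]
        if len(chosen) < needed:
            raise OSError("toy disk full")
        for k, sec in enumerate(chosen):
            chunk = payload[k * SECTOR:(k + 1) * SECTOR].ljust(SECTOR, b"\0")
            self.data[sec * SECTOR:(sec + 1) * SECTOR] = chunk
            self.free[sec] = False
        self.files[name] = chosen

    def delete(self, name: str) -> None:
        """Ordinary delete: release the sectors, leave their contents untouched."""
        for sec in self.files.pop(name):
            self.free[sec] = True

    def secure_delete(self, name: str, passes: int = 3) -> None:
        """Overwrite the file's sectors with random bytes, then release them."""
        for _ in range(passes):
            for sec in self.files[name]:
                self.data[sec * SECTOR:(sec + 1) * SECTOR] = secrets.token_bytes(SECTOR)
        self.delete(name)

    def carve(self, needle: bytes) -> bool:
        """What a forensic scan does: search the raw bytes, ignoring the bitmap."""
        return needle in self.data


def demo() -> tuple:
    """Return (recoverable after plain delete, recoverable after secure delete)."""
    disk = ToyDisk(sectors=8)
    secret = b"SSN 000-00-0000 (constructed sample)"
    disk.write("tax.txt", secret)
    disk.delete("tax.txt")
    after_plain = disk.carve(secret)      # bytes are still there
    disk.write("tax2.txt", secret)        # reuses the same freed sectors
    disk.secure_delete("tax2.txt")
    after_secure = disk.carve(secret)     # overwritten before release
    return after_plain, after_secure


def shred_file(path: str, passes: int = 3, chunk: int = 65536) -> None:
    """Overwrite a real file in place with random bytes, fsync each pass, unlink.
    Caveat: on SSDs and on copy-on-write or journaling filesystems the new
    bytes may land on different physical blocks, so this is best effort; full
    disk encryption or a free-space wipe is the stronger control there."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, chunk)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite to the device
    os.remove(path)


def shred_demo() -> bool:
    """Create a throwaway file, shred it, and report whether it still exists."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "constructed.bin")
    with open(path, "wb") as fh:
        fh.write(b"constructed sample payload\n" * 100)
    shred_file(path, passes=2)
    still_there = os.path.exists(path)
    os.rmdir(workdir)
    return still_there


if __name__ == "__main__":
    print("recoverable after plain delete, after secure delete:", demo())
    print("file still present after shred_file:", shred_demo())
```

`demo()` returns `(True, False)`: the carve finds the sample string after a plain delete and not after the overwrite. The multi-pass loop mirrors the "optionally multiple times" option the passage mentions; on modern magnetic media a single random pass is generally considered sufficient, and the comment on `shred_file` records the SSD and journaling caveat that applies to any in-place overwrite tool, shred and cipher.exe included.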
"The use of surveillance drones is growing rapidly in the United States, but we know little about how the federal government employs this new technology. Now, new information obtained by the ACLU shows for the first time that the U.S. Marshals Service has experimented with using drones for domestic surveillance. We learned this through documents we released today, received in response to a Freedom of Information Act request. The documents are available here. (We also released a short log of drone accidents from the Federal Aviation Administration as well as accident reports and other documents from the U.S. Air Force.) This revelation comes a week after a bipartisan bill to protect Americans’ privacy from domestic drones was introduced in the House."
"EPIC Appellate Advocacy Counsel Alan Butler testified before the Maryland House Judiciary Committee on H.B. 887, a location privacy bill that will establish a search warrant requirement for the collection of private location information. Mr. Butler discussed the current state of location tracking and privacy under the state and federal constitutions. The Maryland bill will require a warrant for location tracking and an annual report on electronic surveillance reports, similar to the federal wiretap reports. EPIC recently submitted amicus briefs in State v. Earls and In re US regarding location privacy. For more information, see EPIC: Locational Privacy and EPIC: State v. Earls."
"Cell phone searches are a common law enforcement tool, but up until now, the public has largely been in the dark regarding how much sensitive information the government can get with this invasive surveillance technique. A document submitted to court in connection with a drug investigation, which we recently discovered, provides a rare inventory of the types of data that federal agents are able to obtain from a seized iPhone using advanced forensic analysis tools. The list, available here, starkly demonstrates just how invasive cell phone searches are—and why law enforcement should be required to obtain a warrant before conducting them."
"The Department of Homeland Security has released a previously internal memo regarding the establishment of a working group to "Safeguard Privacy, Civil Rights, and Civil Liberties in the Department's Use and Support of Unmanned Aerial Systems" (drones). The memo states, "[t]he overarching goal of the working group is to determine what policies and procedures are needed to ensure that protections for privacy, civil rights, and civil liberties are designed into DHS and DHS-funded [drone] programs." DHS has developed a program to explore the expansive use of small drones for law enforcement. Customs and Border Protection currently operates 10 Predator B drones in the United States. In testimony before Congress in July 2012, EPIC said that federal agencies operating drones should adopt privacy regulations. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones."
"Mobile apps offer consumers fun and functionality via the one device that stays with them throughout the day. The explosion of the apps ecosystem is driven by new business models where many apps are free or heavily discounted which of course consumers love, but where developers monetize the information they collect on their users. The report, supported by AVG Technologies, was carried out in partnership with mobile specialists On Device Research to understand global consumer understanding and perceptions of apps that gather and use personal data such as address book information and location. The ten country study of 9,500 respondents reveals consumer attitudes towards the use of their personal information by mobile app providers, scrutinizing four key factors of privacy: Transparency, Comfort, Security and Control."
Secrecy News, February 14, 2012: "Legal restrictions on the use of unmanned aircraft systems in domestic operations are numerous," the manual states. The question arises particularly in the context of Defense Support of Civil Authorities (DSCA), referring to military assistance to government agencies in disaster response and other domestic emergencies. "Use of DOD intelligence capabilities for DSCA missions--such as incident awareness and assessment, damage assessment, and search and rescue--requires prior Secretary of Defense approval, together with approval of both the mission and use of the exact DOD intelligence community capabilities. Certain missions require not only approval of the Secretary of Defense, but also coordination, certification, and possibly, prior approval by the Attorney General of the United States...[...from 2003 to 2010, small, unmanned aircraft systems flew approximately 250,000 hours]"
EPIC - "In the fifth interim release of documents in EPIC v. FBI, a Freedom of Information Act lawsuit, the agency has turned over nearly 300 pages about the surveillance technique directed toward users of mobile phones. The documents obtained by EPIC reveal that agents have been using "cell site simulator" technologies, also known as "StingRay," "Triggerfish," or "Digital Analyzers" to monitor cell phones since 1995. Internal FBI e-mails, also obtained by EPIC, reveal that agents went through extensive training on these devices in 2007. In addition, a presentation from the agency's Wireless Intercept and Tracking Team argues that cell site simulators qualify for a low legal standard as a "pen register device," an interpretation that was recently rejected by a federal court in Texas. For more information, see EPIC v. FBI (StingRay)."
"The National Highway Traffic Safety Administration has proposed regulations for event data recorders (EDR) that will become mandatory in all cars and small trucks by 2014. Building on state privacy laws, EPIC has urged the federal agency to adopt comprehensive privacy safeguards for vehicle owners and operators, including driver ownership of data, limitations on disclosure, and better security for the data collected. EPIC has also launched a national campaign to encourage public comments to the federal agency."
Google Official Blog: "...January 28, is Data Privacy Day, when the world recognizes the importance of preserving your online privacy and security. If it’s like most other days, Google—like many companies that provide online services to users—will receive dozens of letters, faxes and emails from government agencies and courts around the world requesting access to our users’ private account information. Typically this happens in connection with government investigations. It’s important for law enforcement agencies to pursue illegal activity and keep the public safe. We’re a law-abiding company, and we don’t want our services to be used in harmful ways. But it’s just as important that laws protect you against overly broad requests for your personal information...Today, for example, we’ve added a new section to our Transparency Report that answers many questions you might have. And last week we released data showing that government requests continue to rise, along with additional details on the U.S. legal processes—such as subpoenas, court orders and warrants—that governments use to compel us to provide this information."
CDT: "The privacy protections guarding the care and handling of your medical records just got stronger… a lot stronger. The new rules bolster prohibitions against use of a patient's medical records without consent for marketing communications; extend federal privacy and security protections to contractors (and subcontractors) of doctors, hospitals and insurers; improve your right to be notified when your medical records are lost, stolen or otherwise compromised; and clarify your right to receive a copy of your medical records when you ask for it. The new protections stem from the long-awaited final regulations to implement most of the improvements to federal health privacy protections enacted by Congress in the HITECH provisions of the 2009 economic stimulus legislation."
News release: "When writing or speaking, good grammar helps people make themselves be understood. But when used to concoct a long computer password, grammar — good or bad — provides crucial hints that can help someone crack that password, researchers at Carnegie Mellon University have demonstrated. A team led by Ashwini Rao, a software engineering Ph.D. student in the Institute for Software Research, developed a password-cracking algorithm that took into account grammar and tested it against 1,434 passwords containing 16 or more characters. The grammar-aware cracker surpassed other state-of-the-art password crackers when passwords had grammatical structures, with 10 percent of the dataset cracked exclusively by the team's algorithm. "We should not blindly rely on the number of words or characters in a password as a measure of its security," Rao concluded. She will present the findings on Feb. 20 at the Association for Computing Machinery's Conference on Data and Application Security and Privacy (CODASPY 2013) in San Antonio, Texas. Basing a password on a phrase or short sentence makes it easier for a user to remember, but the grammatical structure dramatically narrows the possible combinations and sequences of words, she noted."
News release: "This morning, Google released their semi-annual transparency report, and once again, it revealed a troubling trend: Internet surveillance around the world continues to rise, with the United States leading the way in demands for user data. Google received over 21,000 requests for data on over 33,000 users in the last six months from governments around the world, a 70% increase since Google started releasing numbers in 2010. The United States accounted for almost 40% of the total requests (8,438) and the number of users (14,791). The total numbers in the US for 2012 amounted to a 33% increase from 2011. And while Google only complied with two-thirds of the total requests globally, they complied with 88% of the requests in the United States."
Via Public Intelligence: "The following request for participants (RFP) was issued by the San Francisco Public Utilities Commission on June 8, 2012. The RFP concerns the construction of a wireless control and communications system for managing the city’s future network of dimmable LED streetlights. The RFP states that future uses for the secure wireless network may include street surveillance, gunshot monitoring, public information broadcasts, electric meter reading and pollution monitoring. For more information on the project, see Rebecca Bowe’s recent article in the San Francisco Bay Guardian."
EFF news release: "Earlier this week, Facebook launched a new feature—Graph Search—that raised some privacy concerns with us. Graph Search allows users to make structured searches to filter through friends, friends of friends, and strangers. This feature relies on your profile information being made widely or publicly available, yet there are some Likes, photos, or other pieces of information that you might not want out there. Since Facebook removed the ability to remove yourself from search results altogether, we've put together a quick how-to guide to help you take control over what is featured on your Facebook profile and on Graph Search results. (Facebook also has a new video explaining how to control what shows up in Graph Search.)"
Follow up to previous postings on airport use of full body scanners, news from EPIC: "the US Transportation Security Administration will end the contract for backscatter x-ray devices. As a consequence, all devices that produce a detailed naked image of air travelers will be removed from US airports. Beginning in 2005, EPIC and then a coalition of privacy advocates, scientists, legal experts and lawmakers urged the TSA not to deploy the devices. The groups petitioned DHS Secretary Napolitano to suspend the program pending a thorough review. The agency went forward and EPIC sued. In EPIC v. DHS, the DC Circuit held that the devices could be used as long as passengers were able to opt-out. The federal appeals court also ordered the agency to "promptly" begin a public rulemaking. That process will likely begin in March 2013. For more information, see EPIC: EPIC v. DHS and EPIC: Body Scanners."
Privacy on the Go - Recommendations for the Mobile Ecosystem, Kamala D. Harris, Attorney General, California Department of Justice. January 2013
"Facebook Messages has a feature that tells you when a chat recipient has seen a message. This "read receipt" is, in true Facebook fashion, both nifty and unsettling. And it brings with it tons of potential for abuse. Unfortunately, there's no built-in method to opt out. Facebook's privacy interface has undergone change upon change, yet some needed controls simply don't exist—and these days consumer privacy depends heavily on control. Luckily, the developers over at Crossrider have an extension, Chat Undetected, that disables the read receipt feature. The extension is available for Chrome, Firefox, Internet Explorer, and Safari. By nature of its popularity, Facebook is inviting developers to customize users' experiences and create useful tools. We're hoping Facebook adopts a policy that allows its users to innovate, create, and—in the spirit of Facebook—hack. Currently, an overly vague Terms of Service has led Facebook to shut down helpful add-ons like Fluff-Busting Purity, which let users configure what news items were shown to them. As FB Purity's developer notes, many of his users stuck around Facebook only because their experience was tailored to their liking."
"This document contains proposed regulations that create a new taxpayer identifying number known as an IRS truncated taxpayer identification number, a TTIN. As an alternative to using a social security number (SSN), IRS individual taxpayer identification number (ITIN), or IRS adoption taxpayer identification number (ATIN), the filer of certain information returns may use a TTIN on the corresponding payee statements to identify the individual being furnished a statement. The TTIN displays only the last four digits of an individual’s identifying number and is shown in the format XXX-XX-1234 or ***-**-1234. These proposed regulations affect filers of certain information returns who will be permitted to identify an individual payee by use of a TTIN on the payee statement furnished to the individual, and those individuals who receive payee statements containing a TTIN."
December 17, 2012: "the European Data Protection Supervisor (EDPS) published his Report on the Status of Data Protection Officers (DPOs) as part of his ongoing task to monitor the compliance of EU institutions and bodies with Article 24 of the European Data Protection Regulation, which obliges the appointment of DPOs...Article 24 of the Data Protection Regulation (EC) No 45/2001 provides that each EU institution/body has to appoint at least one Data Protection Officer (DPO) to ensure in an independent manner its internal application. Article 24 sets out the conditions of appointment of the DPOs, their status and the general conditions governing the performance of their duties. Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data."
News release: "The Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule that strengthen kids' privacy protections and give parents greater control over the personal information that websites and online services may collect from children under 13. The FTC initiated a review in 2010 to ensure that the COPPA Rule keeps up with evolving technology and changes in the way children use and access the Internet, including the increased use of mobile devices and social networking. The updates to the COPPA Rule reflect careful consideration of the entire record of the rulemaking, which included a public roundtable and several rounds of public comments sought by the agency."
Intelligence Identities Protection Act, Jennifer K. Elsea, Legislative Attorney, December 13, 2012
FindLaw - "Data stored on personal cell phones is not protected by the Stored Communications Act (SCA), the U.S. Court of Appeals for the Fifth Circuit has ruled. As mobile technology changes rapidly, legal questions remain about the extent of digital privacy protection. The Fifth Circuit determined that the act does not protect information stored on personal devices such as cell phones, laptops and personal computers. The lawsuit was brought by a former police dispatcher who was dismissed after photos and text messages on her cell phone revealed that she was violating police department rules. The plaintiff's cell phone was removed from her locker and searched without her permission. The SCA only protects "facilit[ies] through which an electronic communication service is provided" and not the device that is used to access those communication services, the court explained."
Curt Hopkins for The Daily Dot: "When a user “deletes” an email in the normal fashion, it becomes invisible to that user and is immediately a candidate to be overwritten. But until it is in fact overwritten, it exists. And it may persist longer on company servers. So, even if it is taken off your computer, it may still be available on the host’s server. Given that email-hosting companies are legally obliged to turn over user information to law enforcement and intelligence authorities with warrants—and these days even without them—the impossibility of being certain of a deletion means you must presume that any email you compose will remain accessible forever."
News release and Federal Register Notice: "In August 2006, NHTSA established a regulation that sets forth requirements for data elements, data capture and format, data retrieval, and data crash survivability for event data recorders (EDRs) installed in light vehicles. The requirements apply to light vehicles that are manufactured on or after September 1, 2012, and are equipped with EDRs. However, the regulation does not mandate the installation of EDRs in those vehicles. This notice of proposed rulemaking would establish a new safety standard mandating the installation of EDRs in most light vehicles manufactured on or after September 1, 2014. The EDRs in those vehicles would be required by the new standard to meet the data elements, data capture and format, data retrieval, and data crash survivability requirements of the existing regulation. This proposal would not modify any of the requirements or specifications in the regulation for EDRs voluntarily installed between September 1, 2012 and September 1, 2014."
"Privacy has truly become an issue of global resonance. A quick glance at policy agendas in countries around the world shows that privacy and surveillance issues are increasingly important. The challenge, however, is improving the ability of governments and policy stakeholders to engage in a policy debate that is informed about the dangers of surveillance and the importance of protecting privacy. This is the primary objective of our Privacy in the Developing World programme. In this report, A New Dawn: Privacy in Asia, we summarise our partner’s research into privacy in developing countries across Asia. The experiences of privacy in these countries are illustrative of the many opportunities for and challenges to the advancement of privacy, not only in the developing world but across the world. Click here for individual country reports for India, Pakistan, Bangladesh, Indonesia, Nepal, Malaysia, Thailand, Hong Kong, China and the Philippines."
News release: "The Federal Trade Commission issued a new staff report, Mobile Apps for Kids: Disclosures Still Not Making the Grade, examining the privacy disclosures and practices of apps offered for children in the Google Play and Apple App stores. The report details the results of the FTC’s second survey of kids’ mobile apps...Staff examined hundreds of apps for children and looked at disclosures and links on each app’s promotion page in the app store, on the app developer’s website, and within the app. According to the report, “most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data. Even more troubling, the results showed that many of the apps shared certain information with third parties – such as device ID, geolocation, or phone number – without disclosing that fact to parents. Further, a number of apps contained interactive features – such as advertising, the ability to make in-app purchases, and links to social media – without disclosing these features to parents prior to download.”"
WSJ.com: "The widening ability to associate people's real-life identities with their browsing habits marks a privacy milestone, further blurring the already unclear border between our public and private lives. In pursuit of ever more precise and valuable information about potential customers, tracking companies are redefining what it means to be anonymous...the sheer ease with which personal details can be shared online makes it difficult for people to know whether their information is safe. A Wall Street Journal survey of 50 popular websites, plus the Journal's own site, found that 12 sent potentially identifying information such as email addresses or full real names to third parties...The Journal tested an additional 20 sites that deal with sensitive information, including sites dealing with personal relationships, medical information and children. Nine of these sent potentially identifying information elsewhere."
"The U.S. government isn’t allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI, to snoop on the digital trails you create every day. Authorities can often obtain your emails and texts by going to Google or AT&T with a simple subpoena. Usually you won’t even be notified. The Senate last week took a step toward updating privacy protection for emails, but it's likely the issue will be kicked to the next Congress. Meantime, here’s how police can track you without a warrant now..."
News release: "Today EFF posted several thousand pages of new drone license records and a new map that tracks the location of drone flights across the United States. These records, received as a result of EFF’s Freedom of Information Act (FOIA) lawsuit against the Federal Aviation Administration (FAA), come from state and local law enforcement agencies, universities and—for the first time—three branches of the U.S. military: the Air Force, Marine Corps, and DARPA (Defense Advanced Research Projects Agency)."
Via EPIC: "NASA has announced that the theft of an unencrypted laptop has compromised the personal information of a "large number" of NASA employees and contractors. A similar theft earlier this year exposed the data of thousands of Kennedy Space Center employees. The federal agency said that by the end of the year all NASA laptops must have full-disk encryption. The recent developments follow a 2010 United States Supreme Court case, NASA v. Nelson, in which a federal contractor challenged NASA's overly broad collection of personal information. EPIC filed an amicus curiae brief in support of the contractor Robert Nelson, arguing that there were insufficient legal protections and that NASA's systems are vulnerable to data breaches. Robert Nelson is among the employees and contractors who this week received a notice from NASA about the data breach. For more information, see EPIC: NASA v. Nelson and EPIC: Privacy Act."
AVG Official Blog: "All the latest versions of the major browsers today include do-not-track user preference controls, but these merely express your wishes. Many third-party sites will honor your request, but many don’t. And they only let you decide whether you want to block online tracking or not. AVG offers a do-not-track feature in its AVG Anti-Virus Free Edition. AVG takes it a step further by allowing you to customize your blocking preferences at a granular level. Permanent Identifiers - One company to be aware of is BlueCava. Unlike cookies, which can be blocked or removed, BlueCava provides tracking technology that allows sites to permanently identify whatever device you’re using to connect to the web. The good news is, you can opt-out by going to http://www.bluecava.com/preferences, but you have to connect using each device you want to remove from their system."
Parents, Teens, and Online Privacy, by Mary Madden, Sandra Cortesi, Urs Gasser, Amanda Lenhart, Maeve Duggan, Nov 20, 2012. "Most parents of teenagers are concerned about what their teenage children do online and how their behavior could be monitored by others. Some parents are taking steps to observe, discuss, and check up on their children’s digital footprints, according to a new survey by the Pew Research Center’s Internet & American Life Project."
News release: "Federal Trade Commission Bureau of Consumer Protection Director David Vladeck issued the following statement regarding a federal judge’s approval of the FTC proposed order and $22.5 million civil penalty settling charges that Google misrepresented privacy assurances to users of Apple’s Safari Internet browser in violation of a previous FTC settlement Order: “The court’s approval of the Commission’s record setting $22.5 million fine against Google is a clear victory for consumers and privacy. As this case and many others demonstrate, the Commission will continue to ensure that its orders are obeyed, and that consumers’ privacy is protected.”"
EFF: "Each year, Google receives thousands of demands from governments around the world seeking information about its users. People who use any of the search engine giant’s free online services – such as Gmail, YouTube, Google+ or Blogger – leave digital footprints behind, and information relating to their accounts is increasingly sought out by law enforcement agencies. To raise awareness about this, Google publishes a Transparency Report every six months documenting how many requests it received for user data, and from which countries. The practice was recently emulated by Twitter."
Privacy: An Overview of the Electronic Communications Privacy Act, Charles Doyle - Senior Specialist in American Public Law - October 9, 2012
"According to a recent report from Google, the company received 20,938 requests for user data in the first half of 2012, up from 18,257 requests in the second half of 2011. The United States accounted for 7,969 requests in the 2012 report. And of these requests, Google provided user data to the US government in 90% of the cases. Over the last several years, Google has pursued an aggressive effort to promote computing services that store personal data on Google's servers even as the number of government requests has grown. And earlier this year, Google reduced safeguards for Gmail users, over the objections of many lawmakers and users when it consolidated privacy policies across its various Internet services. In 2009, EPIC urged the Federal Trade Commission to look more closely at the privacy risks of cloud-based services. For more, see EPIC - "Cloud Computing"."
EPIC: "In U.S. v. Bormes, the U.S. Supreme Court held that the government could not be sued for violating the Fair Credit Reporting Act under an 1887 law that waived governmental immunity for certain claims "premised on other sources of law." The case arose after an attorney paid a federal-court filing fee with his credit card and noticed that the receipt included personal information in violation of the Fair Credit Reporting Act. He then sued the government under the Little Tucker Act, which waives sovereign immunity "for claims premised on other sources of law." Justice Scalia, writing for a unanimous Court, held that the attorney could not sue the government under the Little Tucker Act because the Fair Credit Reporting Act has its own detailed damages provision, and "[w]here...a statute contains its own self-executing remedial scheme, we look only to that statute to determine whether Congress intended to subject the United States to damages liability." The Court sent the case back to the Seventh Circuit Court of Appeals to determine whether the government may be sued under the Fair Credit Reporting Act itself. For more information, see EPIC: Fair Credit Reporting Act."
"How do the “digital footprints” of Internet and cellphone users affect privacy, and what impact does this have on freedom of expression? These questions lie at the heart of a new study released by UNESCO this week...This publication seeks to identify the relationship between freedom of expression and Internet privacy, assessing where they support or compete with each other in different circumstances. The book maps out the issues in the current regulatory landscape of Internet privacy from the viewpoint of freedom of expression. It provides an overview of legal protection, self-regulatory guidelines, normative challenges, and case studies relating to the topic."
News release: "A bipartisan group of lawmakers, including Reps. Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), co-Chairmen of the Congressional Bi-Partisan Privacy Caucus, today released responses to letters sent to nine major data brokerage companies querying each about how it collects, assembles and sells consumer information to third parties. The companies – Acxiom, Epsilon (Alliance Data Systems), Equifax, Experian, Harte-Hanks, Intelius, Fair Isaac, Merkle, and Meredith Corp. – responded to lawmaker questions about policies and practices related to privacy, transparency and consumer notification. Data brokers represent a multi-billion dollar industry, aggregating information about hundreds of millions of Americans from both online and offline sources, which they then may sell to third parties for targeted advertising and other purposes. Consumers often have little knowledge of the existence of these companies."
Telecommunications data retention - an overview, October 24, 2012:
Monitoring Hacker Forums ADC Monthly Web Attacks Analysis, October 2012: "Imperva analyzed one of the largest-known hacker forums with roughly 250,000 members, as well as other smaller forums. Using search capabilities, we analyzed conversations by topic using specific keywords. We found:
"Mobile devices and applications are no longer an accessory – they’re central to our daily lives. Gartner predicts the number of mobile apps downloaded will double to 45 billion this year – and they’re only getting smarter. Today’s apps are increasingly essential to accessing critical business applications, connecting with friends on the go and even adopting digital wallets. While these apps make our lives easier, they also give a wider group of application developers and advertising networks the ability to collect information about our activities and leverage the functionality of our devices. At the same time, the companies, consumers and government employees who install these apps often do not understand with whom and how they are sharing personal information. Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust. More concerning is that many apps collect information or require permissions unnecessary for the described functionality of the apps. This is not the first time this issue has surfaced – reports of popular apps collecting irrelevant information or transmitting data when devices are turned off have led to significant backlash. However, less is known about the state of privacy across the entire application ecosystem. To get a sense of the state of application privacy today, Juniper Networks’ Mobile Threat Center (MTC) analyzed over 1.7 million apps on the Google Play market from March 2011 to September 2012."
News release: "From cell phone location tracking to the use of surveillance drones, from secret interpretations of electronic surveillance law to the expanding use of biometrics, EFF has long been at the forefront of the push for greater transparency on the government’s increasingly secretive use of new technologies. With the launch of our new Transparency Project, we’ve made the information we’ve received easier to access and added new tools to help you learn about the government and file your own requests for information. The new name—Transparency Project—reflects the fact that EFF’s work has expanded far beyond filing and litigating federal Freedom of Information Act requests. While that work still makes up a solid core of what our Transparency Team does, we also seek information from state and local governments, regularly report on transparency issues more broadly, and provide tools to help you find out more about our government and what it’s up to."
News release: "The Federal Trade Commission released a staff report Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies for the increasing number of companies using facial recognition technologies, to help them protect consumers’ privacy as they use the technologies to create innovative new commercial products and services...Facial recognition also has raised a variety of privacy concerns because – for example – it holds the prospect of identifying anonymous individuals in public, and because the data collected may be susceptible to security breaches and hacking."
TSA Removes X-Ray Body Scanners From Major Airports: "The replacement machines, known as millimeter-wave scanners, rely on low-energy radio waves similar to those used in cell phones. The machines detect potential threats automatically and quickly using a computer program. They display a generic cartoon image of a person's body, mitigating privacy concerns...Here's a side-by-side comparison of the two types of body scanners the TSA uses."
News release: "The Federal Trade Commission today issued the National Do Not Call Registry Data Book for Fiscal Year 2012. The FTC’s National Do Not Call Registry lets consumers choose not to receive telemarketing calls. In its fourth year of publication, the Data Book contains a wealth of information about the Registry for FY 2012 (from October 1, 2011 to September 30, 2012)...According to the Data Book, at the end of FY 2012, the Do Not Call Registry contained 217,568,135 actively registered phone numbers, up from 209,722,924 at the end of FY 2011. In addition, the number of consumer complaints about unwanted telemarketing calls received increased from 2,273,516 during FY 2011 to 3,840,572 during FY 2012."
EPIC: "The Federal Bureau of Investigation has exempted the FBI Data Warehouse System from important Privacy Act safeguards. The database ingests troves of personally identifiable information including race, birthdate, biometric information, social security numbers, and financial information from various government agencies. The database contains information on a surprisingly broad category of individuals, including "subjects, suspects, victims, witnesses, complainants, informants, sources, bystanders, law enforcement personnel, intelligence personnel, other responders, administrative personnel, consultants, relatives, and associates who may be relevant to the investigation or intelligence operation; individuals who are identified in open source information or commercial databases, or who are associated, related, or have a nexus to the FBI’s missions; individuals whose information is collected and maintained for information system user auditing and security purposes." The Federal Bureau of Investigation has exempted these records from the notification, access, and amendment provisions of the Privacy Act. Earlier this year, EPIC opposed the Automated Targeting System, another massive government database that the Department of Homeland Security exempted from Privacy Act provisions. For more information, see EPIC: The Privacy Act of 1974 and EPIC: Automated Targeting System."
Mobile Device Location Data - Additional Federal Actions Could Help Protect Consumer Privacy, GAO-12-903, Sep 11, 2012
Hoofnagle, Chris Jay, Urban, Jennifer M. and Li, Su, Privacy and Modern Advertising: Most US Internet Users Want 'Do Not Track' to Stop Collection of Data about their Online Activities (October 8, 2012). Amsterdam Privacy Conference, 2012. Available at SSRN.
"Through a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained Google's initial privacy assessment. The assessment was required by a settlement between Google and the FTC that followed from a 2010 complaint filed by EPIC over Google Buzz. The FTC has withheld from public disclosure information about the audit process, procedures to assess privacy controls, techniques to identify privacy risks, and the types of personal data Google collects from users. EPIC intends to challenge the agency withholdings. For more information, see EPIC: Google Buzz."
Naomi Gilens: "Justice Department documents released today by the ACLU reveal that federal law enforcement agencies are increasingly monitoring Americans’ electronic communications, and doing so without warrants, sufficient oversight, or meaningful accountability. The documents, handed over by the government only after months of litigation, are the attorney general’s 2010 and 2011 reports on the use of “pen register” and “trap and trace” surveillance powers. The reports show a dramatic increase in the use of these surveillance tools, which are used to gather information about telephone, email, and other Internet communications. The revelations underscore the importance of regulating and overseeing the government’s surveillance power. (Our original Freedom of Information Act request and our legal complaint are online.)"
EFF: "We’ve been seeing a range of reports about Facebook partnering up with marketing company Datalogix to assess whether users go to stores in the physical world and buy the products they saw in Facebook advertisements. A lot of the reports aren’t getting into the nitty gritty of what data is actually shared between Facebook and Datalogix, so the goal of this blog post is to dive into the details. We’re glad to see that Facebook is taking a number of steps to avoid sharing sensitive data with Datalogix, but users who are uncomfortable with the program should opt out (directions). Hopefully, reporting on this issue will make more people aware of how our shopping data is being used for a lot more than offering us discounts on tomato soup. Datalogix is an advertising metrics company that describes its data set as including “almost every U.S. household and more than $1 trillion in consumer transactions.” It specifically relies on loyalty card data – cards anyone can get by filling out a form at a participating grocery store."
News release: "Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers. The software design firm collected the data that enabled rent-to-own stores to track the location of rented computers without consumers’ knowledge, according to the FTC complaint. The settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers."
Airport Body Scanners: The Role of Advanced Imaging Technology in Airline Passenger Screening. Bart Elias, Specialist in Aviation Policy, September 20, 2012
Via LLRX.com, Privacy Resources and Sites on the Internet - Marcus P. Zillman's guide is a comprehensive listing of both free and low cost privacy resources currently available on the Internet. It includes associations, indexes and search engines, as well as websites and programs that provide the latest technology and information on Web privacy. This guide will help facilitate a safer interactive environment for your email, your internet browsing, your health records, your data storage and file sharing exchanges, and internet telephony.
News release: "Following a public comment period, the Federal Trade Commission has approved a final order settling FTC charges that Myspace misrepresented its protection of users’ personal information. The settlement bars Myspace from future misrepresentations about its privacy practices, requires the company to implement a comprehensive privacy program, and calls for regular, independent privacy assessments for the next 20 years."
CRS - Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses. Richard M. Thompson II, Legislative Attorney, September 6, 2012
Sliter, John R., 'Techno-Risk - the Perils of Learning and Sharing Everything' from a Criminal Information Sharing Perspective (September 9, 2012). 30th Symposium on Economic Crime in Cambridge, England on September 5th, 2012. Available at SSRN.
"[On September 4, 2012, CDT] joined the ACLU, EFF and EPIC in calling on the 6th U.S. Circuit Court of Appeals to rehear U.S. v. Skinner, the GPS cell phone location tracking case. A panel of the 6th Circuit ruled that tracking a cell phone's location by repeatedly "pinging" the phone over a three-day period did not require a warrant. The amicus brief we filed yesterday asked the full Sixth Circuit to consider this issue in light of the concurring opinions filed by five justices in the U.S. v. Jones U.S. Supreme Court case which came down earlier this year. We also pointed out that the panel's legal conclusion was based on a material misunderstanding: that cell phones normally "give off" GPS location information. Instead, mobile providers have to take a special step - sending a signal to the phone to direct it to produce the GPS data. Unless they take that step, there is no location data at the provider for the government to seize. As a result, the court should not have analyzed the case under the third party records doctrine, which says a person has no Fourth Amendment interest in information shared with a third party."
Privacy and Data Management on Mobile Devices, by Jan Lauren Boyles, Aaron Smith, Mary Madden. Sep 5, 2012.
"More than half of mobile application users have uninstalled or avoided certain apps due to concerns about the way personal information is shared or collected by the app, according to a nationally representative telephone survey conducted by the Pew Research Center’s Internet & American Life Project. In all, 88% of U.S. adults now own cell phones, and 43% say they download cell phone applications or “apps” to their phones. Among app users, the survey found:
News release: "The Federal Trade Commission has published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC’s new publication, Marketing Your Mobile App: Get It Right from the Start, notes that there are general guidelines that all app developers should consider. They include:
A Behavioural Understanding of Privacy and its Implications for Privacy Law, Kirsty Hughes, University of Cambridge, September 2012. The Modern Law Review, Vol. 75, Issue 5, pp. 806-836, 2012
News release: "DISH Network, one of the nation's largest providers of satellite television service, faces a Federal Trade Commission lawsuit alleging that it illegally called millions of consumers who had previously asked telemarketers from the company or its affiliates not to call them again. The calls allegedly violated provisions of the FTC's Telemarketing Sales Rule that state that even if a consumer is not on the National Do Not Call Registry, a telemarketer may not call him or her again if the consumer specifically asks to be placed on the company's own entity-specific do-not-call list...According to the FTC's complaint, DISH Network violated the agency's Telemarketing Sales Rule while calling consumers nationwide in an attempt to sell its satellite television programming. DISH Network makes these telemarketing calls both directly to consumers and via a network of authorized dealers who make calls on its behalf. Specifically, the FTC alleges that DISH has made millions of outbound telephone calls since about September 1, 2007 to consumers who had already told them that they did not want to receive any more telemarketing calls from the company."
Recommended Guidelines for the use of Unmanned Aircraft, The International Association of Chiefs of Police
News release: "A new school year usually means filling out paperwork like registration forms, health forms, and emergency contact forms, to name a few. The Federal Trade Commission wants parents to know that many school forms require personal and sensitive information that, in the wrong hands, could be used to commit fraud in their child’s name. A criminal can use a child’s Social Security number to get government benefits, open bank and credit card accounts, or rent a place to live. Most parents and guardians don’t expect their child to have a credit file, and rarely order or monitor a child’s credit report. Child identity theft may go undetected for years – until the child applies for a job or loan and discovers problems in a credit report. To help limit the risks of child identity theft, the Federal Trade Commission offers Protecting Your Child’s Personal Information at School. It explains how the federal Family Educational Rights and Privacy Act protects the privacy of student records and gives parents of school-age children the right to opt out of sharing contact information with third parties. It also suggests that parents ask their child’s school about its directory information policy, learn about privacy policies of sports or music activities that are not school-sponsored, and find out what to do if their child’s school experiences a data breach. The second publication, Safeguarding Your Child’s Future, offers tips on how to keep your child’s data safe at home and online, and explains the warning signs of child identity theft. It also explains how parents and guardians can check whether their child has a credit report, and what to do if the report has errors."
Gray, David C. and Citron, Danielle Keats, A Technology-Centered Approach to Quantitative Privacy (August 14, 2012). Available at SSRN
News release: "Following a public comment period, the FTC has accepted as final a settlement with Facebook resolving charges that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including by giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings, by maintaining a comprehensive privacy program to protect consumers' information, and by obtaining biennial privacy audits from an independent third party."
News release: "Google Inc. has agreed to pay a record $22.5 million civil penalty to settle Federal Trade Commission charges that it misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC. The settlement is part of the FTC’s ongoing efforts to make sure companies live up to the privacy promises they make to consumers, and is the largest penalty the agency has ever obtained for a violation of a Commission order. In addition to the civil penalty, the order also requires Google to disable all the tracking cookies it had said it would not place on consumers’ computers."
Statement: 27 July 2012 - "The Information Commissioner’s Office (ICO) has issued the following statement today in response to information received from Google about the retention of payload data collected by its Street View vehicles. An ICO spokesperson said: “Earlier today Google contacted the ICO to confirm that it still had in its possession some of the payload data collected by its Street View vehicles prior to May 2010. This data was supposed to have been deleted in December 2010. The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010. “In their letter to the ICO today, Google indicated that they wanted to delete the remaining data and asked for the ICO’s instructions on how to proceed. Our response, which has already been issued, makes clear that Google must supply the data to the ICO immediately, so that we can subject it to forensic analysis before deciding on the necessary course of action. “We are also in touch with other data protection authorities in the EU and elsewhere through the Article 29 Working Party and the GPEN network to coordinate the response to this development. “The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern.”"
Via NIH: "The Stop Trading on Congressional Knowledge (STOCK) Act, enacted on April 4, 2012, contains several requirements for employees who file a Public Financial Disclosure Report (OGE Form 278). The following resources are provided for filers and ethics officials. Filers should consult with their IC's ethics officials if they have questions.
Via Placecast: How Consumers Really Feel About Data Privacy - "2,307 people were surveyed and it was found that uses of data where the value exchange is explicit are most acceptable (grocery coupons, Amazon), while Facebook’s data usage is least acceptable. Also, use of location data from either merchants or cell phone carriers is acceptable to a significant group with permission and an explicit value exchange."
News release: "The Federal Trade Commission is publishing a Federal Register Notice seeking public comments on additional proposed modifications to the Children's Online Privacy Protection Rule. In updating the Rule to keep current with technology advances, in September 2011, the FTC issued a Notice of Proposed Rulemaking seeking comment on proposed changes to the Commission's COPPA Rule. The Commission received 350 comments. In response to those comments and informed by its experience in enforcing and administrating the Rule, the FTC now proposes to modify certain definitions to clarify the scope of the Rule and strengthen its protections for the online collection, use, or disclosure of children's personal information."
Via CDT: "The chart below compares on civil liberties grounds three bills that seek to promote cybersecurity and it updates a similar chart we issued on April 4, 2012 based on prior versions of all three bills. The Senate is set to consider the Cybersecurity Act, S. 3414 (“Lieberman-Collins” bill), introduced on July 19. The chart shows that the Lieberman bill better protects privacy than do either of the competing bills, and that it should be further improved by dropping monitoring and countermeasures language. The leading alternative Senate bill, SECURE IT, S. 3342, was re-introduced by Senator McCain and other co-sponsors on June 27 (“SECURE IT”). Despite a White House veto threat, the House passed the Cyber Intelligence Sharing and Protection Act, H.R. 3523 (“CISPA”) on April 26 on a vote of 248-168. It will be reconciled with cybersecurity legislation that the Senate passes. (Lieberman-Collins and SECURE IT include cybersecurity measures unrelated to information sharing that are not reflected in this chart.)"
"The Federal Trade Commission welcomed the approval of the United States' participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system, which was announced by the U.S. Department of Commerce today. The APEC privacy system is a self-regulatory initiative to enhance the protection of consumer data that moves between the United States and other APEC members through a voluntary but enforceable code of conduct implemented by participating businesses. President Obama and representatives from the other APEC economies endorsed the system in November 2011. On July 25, 2012 the United States was approved as the first formal participant in the system and the FTC as the system's first privacy enforcement authority...Additional information about the Cross Border Privacy Rules is available via the APEC Electronic Commerce Steering Group website."
"YouTube is proud to be a place where citizens and activists come to tell their stories -- stories that may otherwise go unnoticed. A study released this week by the Pew Research Center’s Project for Excellence in Journalism found that YouTube is a top destination for news and that “citizens play a substantial role in supplying and producing footage.” But this level of exposure can be risky to the citizens shooting the footage and the people who appear in their videos. Today, we announced a new face blurring tool that represents a first step toward providing visual anonymity in video. Of course, anonymity is never a guarantee, and people who capture sensitive video footage should consider taking other precautions to keep themselves and their subjects safe. Here are three suggestions..."
News release: "The Federal Trade Commission today told a Senate Judiciary subcommittee that the FTC is examining the benefits to consumers, as well as privacy and security concerns regarding current and possible future commercial uses of facial recognition technologies and will make recommendations later this year on best practices for companies that use these new technologies. The recommendations will build on comments from a recent FTC workshop on facial recognition technology, and on the three core principles from the agency's March 2012 Privacy Report – privacy by design, simplified consumer choice, and transparency."
Via EFF: Josh Smith: "Proposals to increase cybersecurity by allowing businesses and government to share information may enjoy bipartisan support in Washington, but Americans aren’t sold on the idea, the latest United Technologies/National Journal Congressional Connection Poll finds. Almost two-thirds of respondents—63 percent—said government and businesses should not be allowed to share information because it would hurt privacy and civil liberties. But 29 percent of those surveyed said information-sharing should be allowed to better protect computer networks. The United Technologies/National Journal Congressional Connection Poll, conducted by Princeton Survey Research Associates International, surveyed 1,004 adults from July 5-8. The poll has a margin of error of plus or minus 3.7 percentage points."
"In response to recent letters from Congressman Ed Markey (D-MA), nine mobile wireless carriers have provided detailed reports of law enforcement requests for user cell phone records. These requests come from agencies - across all levels of government - seeking text messages, caller locations, and other information in the course of investigations. The reports show that companies turn over thousands of records a day in response to subpoenas, court orders, police emergencies, and other requests. The volume of requests has increased as much as 16 percent for some companies over the last five years, and some carriers have rejected as many as 15 percent of all requests that they found legally questionable or unjustified. EPIC recently filed amicus briefs in the Fifth Circuit and New Jersey Supreme Court arguing that disclosure of historical and real-time cell phone location information violates a reasonable expectation of privacy and thus requires a warrant under the Fourth Amendment. For more information, see EPIC: In re Historic Cell-Site Location Information, EPIC: State v. Earls."
Privacy, Security and Trust in Cloud Computing, by Siani Pearson, HP Laboratories, HPL-2012-80R1, June 28, 2012
Follow up to previous postings on drones, via EPIC: "The Association for Unmanned Vehicle Systems International, the organization representing drone manufacturers and operators, has released an Industry ‘Code of Conduct’. Compliance with the guidelines is both voluntary and not enforceable. The association acknowledges that invasive drone surveillance technology poses a risk to the public, and specifically tasked users to ‘respect the privacy of individuals.’ In February, EPIC, joined by over 100 organizations, experts, and members of the public, submitted a petition to the FAA requesting a public rulemaking on the privacy impact of drone use in U.S. airspace. The Agency has not yet responded or addressed these concerns. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones."
"Wednesday marks Independence Day here in the United States. Beyond the fireworks and barbecue, July 4th serves as an important reminder of the need to hold governments accountable, especially on behalf of those who may not have a chance to do so themselves. With that in mind, today we’re unveiling our first Twitter Transparency Report. Inspired by the great work done by our peers @Google, the primary goal of this report is to shed more light on: government requests received for user information, government requests received to withhold content, and DMCA takedown notices received from copyright holders. The report also provides insight into whether or not we take action on these requests. One of our goals is to grow Twitter in a way that makes us proud. This ideal informs many of our policies and guides us in making difficult decisions. One example is our long-standing policy to proactively notify users of requests for their account information unless we’re prohibited by law; another example is transmitting DMCA takedown notices and requests to withhold content to Chilling Effects. These policies help inform people, increase awareness and hold all involved parties––including ourselves––more accountable; the release of our first Transparency Report aims to further these ambitions."
"According to the 2011 Wiretap Report, released by the Administrative Office of the US Courts, federal and state applications for wiretap orders dropped 14 percent in 2011, compared to the number reported in 2010. The reduction in wiretaps resulted primarily from a drop in applications for intercepts in narcotics offenses. In 2011, a total of 2,732 intercept applications were authorized by federal and state courts, with 792 applications by federal authorities and 1,940 by the states. In 2011, 98 percent, or 2,674, of all authorized wiretaps were designated as portable devices. The Wiretap Report does not include interceptions pursuant to the Foreign Intelligence Surveillance Act of 1978. For more information see: EPIC: Wiretapping and Administrative Office of the US Courts: Wiretap Reports."
"The Article 29 Working Party, representing the privacy agencies of European Union countries, has released a new Opinion in which it states that cloud service providers will be subject to the EU Data Protection Directive. The expert group also advises users of cloud-based services to conduct a comprehensive and thorough risk analysis of cloud services. In 2009, EPIC urged the US Federal Trade Commission to develop privacy standards for Cloud Computing services. See EPIC - Cloud Computing."
Ars Technica: "As the result of a Freedom of Information Act request filed by the American Civil Liberties Union, the Department of Justice has revealed, for the first time, the types of secret letters that the government can send out to ISPs and other tech companies being asked to reveal personal data about their users and customers who are being investigated for national security reasons. In 2009, over 6,000 Americans received such National Security Letters (NSLs). According to the Wall Street Journal, the “letters show that the FBI is now informing people who receive the letters how they can challenge the documents in court. But some key elements of the letters remain blocked from view—including lists of material the FBI says companies can send in response to the letter.”"
WSJ: "In the past, publishers and authors had no way of knowing what happens when a reader sits down with a book. Does the reader quit after three pages, or finish it in a single sitting? Do most readers skip over the introduction, or read it closely, underlining passages and scrawling notes in the margins? Now, e-books are providing a glimpse into the story behind the sales figures, revealing not only how many people buy particular books, but how intensely they read them."
"What are cookies? - A cookie is a small file of letters and numbers that is downloaded on to your computer when you visit a website. Cookies are used by many websites and can do a number of things, e.g. remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website. The rules on cookies are covered by the Privacy and Electronic Communications Regulations. The Regulations also cover similar technologies for storing information, e.g. Flash cookies. The Regulations were revised in 2011, and the ICO is responsible for enforcing these new rules...Where to find information about controlling cookies:
EPIC: "The Senate Judiciary Committee held a hearing on “Prohibiting the Use of Deceptive Practices and Voter Intimidation Tactics in Federal Elections.” The Senate is considering new legislation to address the problem of deceptive practices and voter intimidation. Committee Chairman Patrick Leahy cited “burdensome identification laws” as one of the obstacles to public participation in federal elections. A new report highlights similar problems in the recent Canadian national election. EPIC has published reports on deceptive campaign practices and filed briefs in opposition to unnecessary voter ID requirements. For more information see EPIC Voting Privacy and EPIC - Crawford v. Marion County."
"EPIC has asked the Federal Trade Commission to review Facebook's decision to change the default email address of Facebook users. The company recently removed email addresses, selected by users, with a @facebook.com address assigned by Facebook. EPIC asked the FTC to review this practice as it finalizes the terms of a settlement with Facebook. "Facebook's willingness to disregard user choice...raise[s] important questions about the company's ability to comply with the terms of the proposed Consent Order," EPIC wrote. EPIC also said that the change is a deceptive business practice because Facebook did not tell users that their preferred email address could be removed by the company. And EPIC noted that the change would result in user email being sent to Facebook's servers that would otherwise have gone to the user's email service. The FTC's settlement with Facebook follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement would bar Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement."
Berkeley Center for Law and Technology: "The Web Privacy Census is intended to formalize the benchmarking process and measure internet tracking consistently over time...This effort was developed and executed in partnership with Abine, Inc. Abine has been our technical collaborator and resource partner, helping us develop a reliable method for web crawling and analysis of tracking vectors. We seek to explore:
"The Federal Trade Commission, the nation's consumer protection agency, offers updated information explaining how to protect your child's information and your own, and the immediate steps to take to limit the damage identity theft can cause. Taking Charge: What To Do If Your Identity Is Stolen is a step-by-step guide that includes sample letters, forms and essential contact information. A brochure, Identity Theft: What To Know, What To Do, explains the basic steps of protecting information and responding to identity theft. Safeguarding Your Child's Future tells parents how to protect their children's information, find out if a credit report has been created for them, and respond to problems."
The Public Domain: Surveillance in Everyday Life, Alice Marwick. Surveillance & Society, Vol 9, No 4 (2012)
News release: "Check Point® Software Technologies Ltd...announced the results of a new ZoneAlarm report revealing differences in the use of computer security between Gen Y and Baby Boomers. The report, The Generation Gap in Computer Security, found that Gen Y is more confident in its security knowledge than Baby Boomers. However, 50 percent of Gen Y respondents have had security issues in the past two years compared to less than half of Baby Boomers. The broad adoption of digital media and social networking, combined with the increasing amount of sensitive data that is stored online, is making personal computer security more important than ever before. Yet the ZoneAlarm study reveals that 78 percent of Gen Y respondents do not follow security best practices while cybercriminals are launching new and more sophisticated attacks on consumers every day. In comparison, Baby Boomers are more concerned about security and privacy and twice as likely to protect their computers with additional security software."
U.S. Department of Justice, Office of Legislative Affairs, Applications Made to the Foreign Intelligence Surveillance Court During Calendar Year 2011, submitted pursuant to sections 107 and 502 of the Foreign Intelligence Surveillance Act of 1978, as amended, 50 U.S.C. Sec. 1801 et seq., and section 118 of USA PATRIOT Improvement Act and Reauthorization Act of 2005, Pub. L. No. 109-177 (2006)
Follow up to DHS IG - Customs and Border Protection Use of Unmanned Aircraft Systems in Nation’s Border Security - via EFF: "DHS’s Office of Inspector General (OIG) recently released a report (pdf) detailing multiple problems with the drones used to patrol US borders. This report, combined with the Federal Aviation Administration’s lack of openness about its drone authorization program and failure to disclose the true number of entities flying drones, shows that the federal government is moving far too quickly in its plans to dramatically expand the number of domestic drones flying in the United States over the next few years. The DHS OIG report, which reviewed the drone program run by Customs & Border Protection (CBP), noted several serious problems with the program, including lack of appropriate equipment and staff to fly the drones safely and lack of processes or procedures to prioritize requests for drone flights. This is especially troubling, given the agency has been flying drones since 2004. CBP currently has nine unarmed Predator drones in its arsenal, each purchased at a cost of $18 million dollars. The drones cost $3,000 per hour to fly, and, according to the OIG report, the agency spent over $55 million (pdf) to operate and maintain the drones between 2006 and 2011. Despite these costs, CBP never made a specific budget request to Congress for the funds, and has thus far failed to seek compensation from the other federal and state agencies it loans its drones to. Instead, the agency diverted $25 million from other programs to cover these costs."
Mail Online: "Spy planes able to photograph sunbathers in their back gardens are being deployed by Google and Apple. The U.S. technology giants are racing to produce aerial maps so detailed they can show up objects just four inches wide. But campaigners say the technology is a sinister development that brings the surveillance society a step closer. Google admits it has already sent planes over cities while Apple has acquired a firm using spy-in-the-sky technology that has been tested on at least 20 locations, including London. Apple’s military-grade cameras are understood to be so powerful they could potentially see into homes through skylights and windows. The technology is similar to that used by intelligence agencies in identifying terrorist targets in Afghanistan."
"In recent years, online tracking companies have begun to monitor our clicks, searches and reading habits as we move around the Internet. If you are concerned about pervasive online web tracking by behavioral advertisers, then you may want to enable Do Not Track on your web browser. Do Not Track is unique in that it combines both technology (a signal transmitted from a user) as well as a policy framework for how companies that receive the signal should respond. As more and more websites respect the Do Not Track signal from your browser, it becomes a more effective tool for protecting your privacy. EFF is working with privacy advocates and industry representatives through the W3C Tracking Protection Working Group to define standards for how websites that receive the Do Not Track signal ought to respond in order to best respect consumers' choices. The following tutorial walks you through enabling Do Not Track in the four most popular browsers: Safari, Internet Explorer 9, Firefox, and Chrome."
June 13, 2012: The ICO writes to Google about Street View - "Following the publication of the Federal Communications Commission report, the ICO has written to Google and will consider what further action, if any, needs to be taken."
Follow up to June 6, 2012 posting, LinkedIn Member Passwords Compromised, this update via the LinkedIn Blog: An Update On Taking Steps To Protect Our Members, June 9, 2012: "...In this post, we want to address questions we’ve been receiving and share what we’ve learned so far about the incident, how we’ve responded, and what we’re doing to protect our members going forward. First, it’s important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves."
Vicente Silveira, June 6, 2012: "We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
News release: "This morning, the House Judiciary Committee held an important hearing on the FISA Amendments Act (FAA) and the scope of the NSA’s warrantless wiretapping program. The FAA, which gutted privacy protections governing the interception of international phone calls and e-mail to and from the United States, is set to expire at the end of the year, and Attorney General Eric Holder says it is his “top priority” to see it renewed."
U.S.-EU Cooperation Against Terrorism, Kristin Archick, Specialist in European Affairs, May 21, 2012
Via EPIC FOIA release, Analyst’s Desktop Binder 2011 Redacted, Department of Homeland Security National Operations Center Media Monitoring Capability, Desktop Reference Binder.
A Global Reality: Governmental Access to Data in the Cloud - A comparative analysis of ten international jurisdictions. "Governmental access to data stored in the Cloud – including cross-border access – exists in every jurisdiction." By Winston Maxwell (Paris, France) and Christopher Wolf (Washington, DC); May 23, 2012. A Hogan Lovells White Paper.
News release: "The Federal Trade Commission testified before Congress about the agency’s efforts to protect consumer privacy, including the FTC’s support for implementation of a “Do Not Track” mechanism that would allow consumers to control the tracking of their online activities across websites, and other approaches recommended in its recent privacy report. In delivering Commission testimony before the Senate Committee on Commerce, Science and Transportation, FTC Chairman Jon Leibowitz said the current time is a “critical juncture” for consumer privacy, and described the FTC’s recent privacy report, including its call for final implementation of a Do Not Track mechanism. The testimony notes that the Commission recommends Congress consider enacting general privacy legislation, and that it enact data security and breach notification legislation and targeted legislation to address data brokers."
"Today the Immigration Policy Center (IPC) and the Electronic Frontier Foundation (EFF) release From Fingerprints to DNA: Biometric Data Collection in U.S. Immigrant Communities and Beyond. The paper outlines the current state of U.S. government collection of biometric information and the problems that could arise from these growing databases of records. It also points out how immigrant communities are immediately affected by the way this data is collected, stored, and shared."
Ohm, Paul, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization (August 13, 2009). UCLA Law Review, Vol. 57, p. 1701, 2010; U of Colorado Law Legal Studies Research Paper No. 9-12. Available at SSRN
House Committee on the Judiciary Subcommittee on Crime, Terrorism, and Homeland Security - Hearing on the Geolocation Privacy and Surveillance (GPS) Act - Statement for the Record of Professor Matt Blaze, May 17, 2012
"The Senate Committee on the Judiciary has approved President Obama's five nominees for the Privacy and Civil Liberties Oversight Board. The Board is an independent entity charged with ensuring that fundamental rights are protected in the implementation of government programs, including cybersecurity. Originally convened in 2004, the five seats on the Board have remained vacant for the past five years. Senator Leahy, the Chairman of the Judiciary Committee, said, "When we worked to create this board, we did so to ensure that our fundamental rights and liberties would be preserved…The Senate should move quickly to confirm the nominees to the board so that they can get to their important work." For more information, see EPIC: 9/11 Commission Report and "The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11."
EPIC: "The Federal Aviation Administration has announced new procedures for government agencies that operate drones in the United States. The procedures will streamline the process through which government agencies, including local law enforcement, receive drone licenses. However, the FAA has so far failed to establish privacy safeguards for drone use. On February 24, 2012, EPIC, joined by over 100 organizations, experts, and members of the public, submitted a petition to the FAA requesting a public rulemaking on the privacy impact of drone use in US airspace. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones."
Via the ACLU, Letter from Senator Al Franken, Chairman, Subcommittee on Privacy, Technology and the Law, to Attorney General Holder on May 10, 2012, which reads in part: "I was very concerned to read recent reports suggesting that state and local law enforcement agencies may be working around the protections of United States v. Jones by requesting the location records of individuals directly from their wireless carriers instead of tracking the individuals through stand-alone GPS devices installed on their vehicles. I was further concerned to learn that in many cases, these agencies appear to be obtaining precise records of individuals' past and current movements from carriers without first obtaining a warrant for this information. I think that these actions may violate the spirit if not the letter of the Jones decision. I am writing to ask you about the Department of Justice's own practices in requesting location information from wireless carriers. I am eager to learn about how frequently the Department requests location information and what legal standard the Department believes it must meet to obtain it. I would also like to know how the Department may have changed these practices since the Jones decision."
U.S. Customs and Border Protection Privacy Stewardship, OIG-12-78, April 2012
Mobile, Social Networking: Three-quarters of smartphone owners use location-based services, by Kathryn Zickuhr, May 11, 2012
"In comments to the Federal Aviation Administration (FAA), EPIC emphasized the need for transparency and accountability in drone operations, and recommended the development of privacy protections before drones are more widely deployed in the US. The FAA Notice of Proposed Rulemaking set out proposed criteria for drone testing. Congress has tasked the FAA with facilitating the use of drones in the domestic airspace. In February, EPIC, joined by a coalition of more than 100 organizations, experts, and members of the public, petitioned the FAA to conduct a rulemaking on the privacy implications of domestic drone use. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones."
News release: "Social networking service Myspace has agreed to settle Federal Trade Commission charges that it misrepresented its protection of users' personal information. The settlement, part of the FTC's ongoing efforts to make sure companies live up to the privacy promises they make to consumers, bars Myspace from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy assessments for the next 20 years. The Myspace social network has millions of users who create and customize online profiles containing substantial personalized content. Myspace assigns a persistent unique identifier, called a "Friend ID," to each profile created on Myspace. A user's profile publicly discloses his or her age, gender, profile picture (if the user chooses to include one), display name, and, by default, the user's full name. User profiles also may contain additional information such as pictures, hobbies, interests, and lists of users' friends."
NSA Fact Sheet, April 2012: "Mobile phone platforms are susceptible to malicious attacks, both from the network and upon physical compromise. Understanding the vectors of such attacks, level of expertise required to carry them out, available mitigations, and impact of compromise provides a background for certain risk decisions. In general, comparing risks introduced by the new generation of mobile devices to those of traditional, widely-deployed desktop systems provides insight into how the risks to DoD networks are changing. Due to the larger cultural and technological shift to mobile devices, this may be more relevant than comparison of different smartphone brands."
Who sees the data you share on the biggest social network? Consumer Reports magazine: June 2012
United States v. Jones: GPS Monitoring, Property, and Privacy, Richard M. Thompson II, Legislative Attorney, April 30, 2012
House of Commons Culture, Media and Sport Committee. News International and Phone-hacking. Eleventh Report of Session 2010-12, Volume I: Report, together with formal minutes - Volume II: Oral and written evidence
Cybersecurity: Authoritative Reports and Resources, Rita Tehan, Information Research Specialist, April 26, 2012
LA Times: "Google has released the full report of the Federal Communications Commission’s investigation into the data it collected and stored from millions of unknowing households across the nation while operating specially equipped cars for its Street View service. The search giant released the report, which had had heavily redacted passages, after wrangling with the FCC over which details could be publicly revealed. The report now blacks out only the names of individuals. It reveals new details and raises new questions about how Google captured personal information over a two-year period. Google has said that it was mapping wireless networks but that collecting personal data was 'inadvertent.'"
Computer World: "Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems. The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys, to analyze the strength of HTTPS implementations on websites listed in the top 1 million published by Web analytics firm Alexa."
News release: "The Information Commissioner’s Office (ICO) is urging consumers to take better care of their data, following an investigation into the trade in used hard drives. The ICO has published new guidance to help individuals securely delete personal information from their old devices. An investigation by the ICO found that one in ten second-hand hard drives sold online may contain residual personal information. An ICO survey also found that 65% of British adults now hand on their old phones, computers and laptops to another user, with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else. In December 2010, the ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones. The devices were mainly bought online from internet auction sites and some were sourced at computer trade fairs. The devices were then searched, initially without any additional software, and then interrogated using forensic tools freely available on the internet. The research found that, while 52% of the hard drives investigated were unreadable or had been wiped of data, 48% contained information and 11% was personal data. The amount of personal data found on the mobile phones and memory sticks was negligible. In total 34,000 files containing personal or corporate information were recovered from the devices. At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity. The residual documents included scanned bank statements, passports, information on previous driving offences, and some medical details. A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details."
"The Consumer Federation of America (CFA) released Best Practices for Identity Theft Services: How Are Services Measuring Up?, which analyzes how well identity theft services are providing key information to prospective customers. The study is based on CFA’s Best Practices for Identity Theft Services, voluntary guidelines that CFA developed with the help of identity theft service providers and consumer advocates. Released last year, the best practices resulted from CFA’s first study of identity theft services in 2009, which raised concerns about misleading claims about the ability to protect consumers from identity theft, lack of clear information, and other troublesome practices."
Follow up to posting on SOPA’s Evil Twin Sister – CISPA, via Electronic Frontier Foundation, Cybersecurity Bill FAQ: The Disturbing Privacy Dangers in CISPA and How To Stop It, by Trevor Timm
EPIC: "The Federal Communications Commission announced that it will fine Google $25,000 for obstructing an investigation concerning Google Street View and federal wiretap law. The Commission found that Google impeded [the investigation] by "delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions." In May 2010, EPIC wrote to the FCC and urged the agency to undertake an investigation after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. Shortly afterward, the head of the FCC Bureau of Consumer and Governmental Affairs wrote that Google's behavior "clearly infringes on consumer privacy." Many countries around the world have found Google guilty of violating national privacy laws. Surprisingly, the FCC said that Google had not violated the federal wiretap act, even though a federal court recently held otherwise. For more information, see EPIC: Investigations of Google Street View and EPIC: Ben Joffe v. Google."
Via LLRX.com - SOPA’s Evil Twin Sister – CISPA: Well-known graphic artists Jake O'Neil and Spencer Belkofer created this infographic out of a sense of urgency, to visualize the salient information and share it with as many communities as possible. This bill, the Cyber Intelligence Sharing and Protection Act of 2011, has not garnered the media coverage of the Stop Online Piracy Act (SOPA), but its high-impact implications target key legal issues involving privacy and intellectual property.
News release: "EFF recently received records from the Miami-Dade Police Department in response to a Public Records request for information on its drone program. These records provide additional insight into domestic drone use in the United States, and they reinforce the importance of public access to information on who is authorized to fly drones inside US borders. The records the Miami-Dade PD released include the Federal Aviation Administration-issued Certificate of Authorization (COA) to fly the MDPD drones. This appears to be the first time a law enforcement agency has made its COA available to the public without redactions. The COA and the other records EFF received show that Miami-Dade’s drone program is quite limited in scope. The two small drones the MDPD is flying—Honeywell T-Hawks—are able to fly up to 10,000 feet high, can record video or still images in daylight or infrared, and can “Hover and stare; [and] follow and zoom,” (pdf) according to the manufacturer. However, the COA limits their use to flights below 300 feet. The drones also must remain within visual line of sight of both a pilot and an observer and can only be flown during the day."
EPIC: "The New York Times reported that Facebook would provide users with a downloadable archive containing many types of data that the company stores about users. Although the new archive contains more user information than Facebook first offered in 2010, Max Schrems, the German law student and founder of Europe v. Facebook, said that Facebook is still only providing 39 of 84 data categories. EPIC called on Facebook to give users full access to all of the data that the company keeps about them through EPIC’s Know What They Know campaign. In comments on a settlement between Facebook and the Federal Trade Commission, EPIC recommended that the FTC require Facebook to give users full access to their data. For more information, see EPIC: Facebook Privacy and EPIC: Know What They Know."
Baltimore Sun: "Moving to the forefront of social media privacy law nationwide, the Maryland General Assembly has passed legislation prohibiting employers in the state from asking current and prospective employees for their user names and passwords to websites such as Facebook and Twitter. If Gov. Martin O'Malley signs the bill — his office said it was one of hundreds of bills it has yet to review — the bill would make Maryland the first state in the nation to set such a restriction into law. Other states are considering similar legislation, including Illinois and California. The bill, drafted in response to a state agency's scouring the personal Facebook posts of prison guard applicants, also could be a bellwether for federal action. Two U.S. senators — Chuck Schumer of New York and Richard Blumenthal of Connecticut, both Democrats — have asked the Department of Justice and the U.S. Equal Employment Opportunity Commission to investigate the issue."
Selling You on Facebook: "Some of the most widely used apps on Facebook—the games, quizzes and sharing services that define the social-networking site and give it such appeal—are gathering volumes of personal information. A Wall Street Journal examination of 100 of the most popular Facebook apps found that some seek the email addresses, current location and sexual preference, among other details, not only of app users but also of their Facebook friends. One Yahoo service powered by Facebook requests access to a person's religious and political leanings as a condition for using it. The popular Skype service for making online phone calls seeks the Facebook photos and birthdays of its users and their friends...This appetite for personal data reflects a fundamental truth about Facebook and, by extension, the Internet economy as a whole: Facebook provides a free service that users pay for, in effect, by providing details about their lives, friendships, interests and activities. Facebook, in turn, uses that trove of information to attract advertisers, app makers and other business opportunities."
The Global Information Technology Report 2012 - Living in a Hyperconnected World - World Economic Forum, 2012
"Regardless of how weak or sophisticated their political financing regulations are, countries around the world are equally failing to effectively regulate the flow of money into politics, a new report finds. The Global Integrity Report: 2011, a major investigative study of 31 countries, was released today by Global Integrity, an award-winning international nonprofit organization that tracks governance and corruption trends globally. Twenty-nine countries out of a 31-country sample scored less than 60 on a 100-point scale on questions assessing the effectiveness of laws regulating individual and corporate donations to political parties, as well as the auditing of those donations and campaign expenditures. Government monitoring agencies tasked with enforcing such laws typically lack investigative power and often have little to no authority to impose sanctions. The United States scored just 29 out of 100 on the effectiveness of its party financing regulations and 25 out of 100 in its ability to effectively regulate contributions made to individual political candidates. Those scores represent a significant decrease from 2009, the last year Global Integrity covered the US, and reflect the negative impact of the “Citizens United” Supreme Court decision in early-2010 that loosened the controls over private money flowing into US elections. Despite that backsliding, the US remains at the head of the pack when it comes to the disclosure of political finance information to the public (94 out of 100)."
EFF: "On Sunday, the United Kingdom’s Prime Minister David Cameron and the Interior Ministry were forced to defend a sweeping wiretapping proposal, which would aim to monitor every single email, text message, and phone call flowing through the whole country. The proposal would likely force all UK Internet Service Providers (ISPs) to install “black boxes” on their systems that use Deep Packet Inspection (DPI) technology, which would give authorities access to all communications data without a warrant or any judicial oversight. Law enforcement would have access to IP addresses, email addresses, when you send an email, to whom you send it, and how frequently—as well as corresponding data for phone calls and text messages. The government has claimed this proposal is needed to fight “terrorism and serious crimes,” but of course, it would be available to law enforcement for all purposes."
News release: "In response to charges by the Federal Trade Commission, a federal judge has ordered the defendants behind a deceptive robocall scheme to pay a total of $30 million in civil penalties and give up more than $1.1 million in ill-gotten gains for violations of the FTC Act and the Telemarketing Sales Rule. The court order includes a $20 million judgment against Paul Navestad, which is the largest civil penalty against a defendant in an FTC case, and a $10 million judgment against Christine Maspakorn. The $30 million in total fines is, by far, the largest penalty ever imposed for unlawful calls to consumers on the Do-Not-Call Registry."
"Federal Trade Commission Chairman Jon Leibowitz released the agency’s 2012 Annual Highlights today at the spring meeting of the American Bar Association’s Section of Antitrust Law in Washington, DC, recognizing the agency’s continued efforts to protect consumers and promote competition. The Highlights, published in an online format for the first time this year, focus on the Commission’s work in multiple areas since March 2011, including online privacy, consumer fraud during the economic downturn, health care competition, and safeguarding children."
HHS, March 22, 2012 - "The National Quality Strategy sets three aims for improving health care in our country: better care, affordable care, and healthy people and communities. Information that is accurate, up to date, and available when and where a patient seeks care is the lifeblood of health care improvement and crucial to reaching these goals. The stage is set for the nation to make rapid progress on health information exchange (HIE) this year supporting achievement of the three-part aim.
This Program Information Notice (PIN) guidance provides a common set of privacy and security rules of the road to assure provider and public trust and enable rapid progress in health information exchange to support patient care. It addresses concerns from State leaders and other stakeholders that health information exchange efforts have been hampered and slowed by the lack of consistent approaches to core privacy and security issues and responds to requests for clear national guidance."
House of Lords - House of Commons - Joint Committee on Privacy and Injunctions: Privacy and injunctions, Session 2010–12 - Report, together with formal minutes, minutes of evidence and appendices. Ordered by the House of Lords and the House of Commons to be printed 12 March 2012
Department of Homeland Security Privacy Office, First Quarter Fiscal Year 2012 Report to Congress
Decentralizing the Analysis of Health Data, March 22, 2012
EPIC: Under revised guidelines [unclassified] for the National Counterterrorism Center, intelligence agency officials will be able to profile and track American citizens, suspected of no crime, for up to five years. The change represents a dramatic expansion of government surveillance and appears to violate the Privacy Act of 1974, which limits data exchanges across federal agencies and establishes legal rights for US citizens. In 2003, Congress put an end to a similar program. For more information, see EPIC - Total Information Awareness.
"Between December 1, 2011 and February 29, 2012 the Chief Privacy Officer of the DHS approved and published eleven Privacy Impact Assessments (PIAs) on the DHS Privacy Office Web site, under the link for Privacy Impact Assessments. These PIAs cover eleven separate DHS programs. Below is a short summary of those programs, indicating the DHS component responsible for the system, and the date on which the PIA was approved. Additional information can be found on the web site or by contacting the Privacy Office."
Follow-up to New 'HTTPS Everywhere' Version Warns Users About Web Security Holes: see the following from privacy researcher Christopher Soghoian, Firefox switching to HTTPS Google search by default (and the end of referrer leakage).
Active Authentication: "The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console. The Active Authentication program seeks to address this problem by developing novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software-based biometrics. Biometrics are defined as the characteristics used to uniquely recognize humans based on one or more intrinsic physical or behavioral traits. This program focuses on the behavioral traits that can be observed through how we interact with the world. Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a “cognitive fingerprint.”"
News release: "The Federal Trade Commission issued a staff report, Using FACTA Remedies: An FTC Staff Report on a Survey of Experience of Identity Theft Victims, summarizing the results of a survey of identity theft victims who were asked to describe their experiences dealing with consumer reporting agencies and, more generally, exercising their rights under the Fair Credit Reporting Act (FCRA) as amended by the Fair and Accurate Credit Transactions Act (FACTA), to recover from identity theft. The survey showed that most of the respondents were generally satisfied with their experiences, but the report also noted areas for improvement. Congress has established several rights under the FACTA to help actual or potential identity theft victims protect themselves from, and recover from, identity theft. These rights enable victims to place fraud alerts on their credit report with the consumer reporting agencies, request a free credit report from the three national consumer reporting agencies when placing a fraud alert, block fraudulent information from appearing in their credit report, and receive a notice of these and other rights from the consumer reporting agencies."
Search Engine Use 2012, by Kristen Purcell, Joanna Brenner, Lee Rainie, Mar 9, 2012
News release: "In testimony before the U.S. House Appropriations Subcommittee on Financial Services and General Government, the Federal Trade Commission summarized the agency's FY 2013 budget request and described its ongoing work to promote competition and protect American consumers. The testimony, delivered by FTC Chairman Jon Leibowitz and Commissioner J. Thomas Rosch, outlined steps the agency has taken to carry out its mission efficiently, without putting unnecessary burdens on businesses. It describes FTC initiatives such as the agency's efforts to stop scammers from taking advantage of financially distressed consumers, protect privacy, and ensure that American consumers benefit from competition in the health care, technology and energy sectors. The testimony states that the FTC has continued to bring law enforcement actions to stop con artists aiming to take advantage of financially strapped consumers using deceptive practices such as falsely promising that they can help modify consumers' mortgages or solve their debt problems; and by using threats and deception to collect consumer debts. Overall, the testimony states, the FTC has brought more than 90 cases since 2009 to put a stop to these types of scams. Since 2010, the agency has filed seven actions to combat illegal debt collection practices, and obtained more than $8.1 million in civil penalties."
Mobile User Privacy Bill of Rights, March 2, 2012 | By Parker Higgins
News release: "The Electronic Frontier Foundation (EFF) launched the 2.0 version of HTTPS Everywhere for the Firefox browser today, including an important new update that warns users about web security holes. The "Decentralized SSL Observatory" is an optional feature that detects encryption weaknesses and notifies users when they are visiting a website with a security vulnerability – flagging potential risk for sites that are vulnerable to eavesdropping or "man in the middle" attacks."
News release: "Today at the RSA Conference 2012, Scott Charney, corporate vice president of Microsoft Trustworthy Computing, shared his vision for the road ahead as society and computing intersect in an increasingly interconnected world. In a new paper, Trustworthy Computing (TwC) Next, Charney encouraged industry and governments to develop more effective privacy principles focused on use and accountability, improve end-to-end reliability of cloud services through increased fault modeling and standards efforts, and adopt more holistic security strategies including improved hygiene and greater attention to detection and containment."
Privacy management on social media sites, by Mary Madden, Feb 24, 2012
"Petition Requests FAA to Conduct a Rulemaking on Drones and Privacy
EPIC, joined by more than 100 organizations, experts, and members of the public, has sent a petition to the Federal Aviation Administration, urging the agency to address the privacy threats associated with the increased use of drones in the United States. Congress recently passed legislation requiring the Agency to assess the safety of drones used by commercial and government operators. The petition asserts that "The privacy threat posed by the deployment of drone aircraft in the United States is great. The public should be given the opportunity to comment on this development." For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones."
News release: "As part of the Federal Trade Commission's ongoing efforts to crack down on illegal, prerecorded "robocalls," the FTC is taking legal action to stop two operations that allegedly enabled telemarketers to place hundreds of millions of illegal prerecorded calls to consumers around the country, including many who had registered their phone numbers on the National Do Not Call Registry. The FTC's complaints, here and here, in both cases allege that the defendants offered "self-service" voice broadcasting – a service that makes it easy for marketers who have no telecommunications expertise to deliver tens of millions of robocalls for pennies a call. The defendants arranged for marketers to deliver prerecorded sales pitches by uploading a recorded message and list of telephone numbers through web sites owned by the defendants that would then dial each uploaded phone number and play the designated prerecorded message."
Follow up to Third-Party Cookie Blocking in Safari Bypassed For Millions of Users, this posting via the Windows Internet Explorer Engineering Team Blog: "When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies. Below we spell out in more detail what we’ve discovered, as well as recommendations to IE users on how to protect their privacy from Google with the use of IE9's Tracking Protection feature. We’ve also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers. We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different. Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google’s bypass of P3P Privacy Protection use Internet Explorer 9 and click here to add a Tracking Protection List. Customers can find additional lists and information on this page."
News release: "TRUSTe, the leading privacy management solutions provider, issued the first Consumer Confidence Edition (Q1 2012) of its ongoing TRUSTe Privacy Index Series. The Consumer Confidence Edition measures privacy concerns and sentiments of online U.S. adults and the impact on businesses. The study, conducted online on behalf of TRUSTe by Harris Interactive, reveals: 90 percent of online adults worry about their privacy online in general; 41 percent of online adults don't trust most businesses with their personal information online; and 88 percent of online adults avoid doing business with companies who they believe do not protect their privacy."
Safari Trackers, by Jonathan Mayer: "Apple’s Safari web browser is configured to block third-party cookies by default. We identified four advertising companies that unexpectedly place trackable cookies in Safari. Google and Vibrant Media intentionally circumvent Safari’s privacy feature. Media Innovation Group and PointRoll serve scripts that appear to be derived from circumvention example code. In the interest of clearly establishing facts on the ground, this post provides technical analysis of Safari’s cookie blocking feature and the four companies’ practices. It does not address policy or legal issues."
News release: "The Federal Trade Commission today issued a staff report showing the results of a survey of mobile apps for children. The survey shows that neither the app stores nor the app developers provide the information parents need to determine what data is being collected from their children, how it is being shared, or who will have access to it. According to the FTC report, Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing, in 2008, smartphone users could choose from about 600 available apps. Today there are more than 500,000 apps in the Apple App Store and 380,000 in the Android Market. "Consumers have downloaded these apps more than 28 billion times, and young children and teens are increasingly embracing smartphone technology for entertainment and educational purposes. The report says the survey focused on the largest stores, the Apple App Store and the Android Market, and evaluated the types of apps offered to children, the disclosures provided to users, interactive features such as connectivity with social media, and the ratings and parental controls offered for such apps."
"A privacyscore is a way to assess the privacy risk of using a website. Privacy risk is the chance that data about you will be used or shared in ways that you probably don't expect. Privacyscores cover two kinds of data:
News release: "Millions of people use Internet dating sites to search for love and connection every day, but it could come at a big cost for their privacy and security. The Electronic Frontier Foundation (EFF) has found that many services are taking shortcuts in safeguarding users' profiles and other sensitive data. In Six Heartbreaking Truths About Online Dating Privacy, EFF identifies serious security holes and counter-intuitive privacy settings that could expose daters' private information. For example, your dating profile – including your photo – can hang around long after you think you've taken yourself off the market. Some sites are also sucking up the vast quantity of data their users share and selling it to online marketers. If you aren't careful, your profile can also be indexed by Google, perhaps popping up in search results if you have an unusual nickname or other unique ways of describing yourself." See also:
EPIC: "The Google privacy compliance report, made public today, raises new questions about the company's failure to comply with an FTC Consent Order. The Order required Google to answer detailed questions about how it protects the personal information of Google users. But Google chose not to answer many of the questions. Most significantly, the company did not explain to the Commission the impact on user privacy of the proposed changes that will take place on March 1. EPIC has filed a lawsuit to force the Federal Trade Commission to require Google to comply with the Consent Order to protect the privacy interests of Google users. For more information, see EPIC v. FTC (Google Consent Order)."
News release: "Congress is demanding drones in the air over the United States – without considering the civil liberties issues. Within the span of three days last week, the House and then the Senate passed a law – H.R. 658 – requiring the Federal Aviation Administration (FAA) to speed up, within 90 days, its current licensing process for government use of drones domestically and to open the national airspace to drone aircraft for commercial and private use by October 2015. While the law requires the FAA to develop guidance on drone safety, the law says absolutely nothing about the privacy or transparency implications of filling the sky with flying robots. As CDT and others have pointed out, drones are powerful surveillance devices capable of being outfitted with facial recognition cameras, license plate scanners, thermal imaging cameras, open WiFi sniffers, and other sensors. Drones’ unique ability to hover hundreds or thousands of feet in the air – undetected, for many hours – enables constant, pervasive monitoring over a wide area. Without clear privacy rules, public and private use of drones can usher in an era of unparalleled physical surveillance. Without transparency requirements, citizens will not even have the basic right to know who owns the drone watching them from above. Congress, the FAA, industry bodies, and the American people all should play a role in ensuring that drones are used responsibly."
"EPIC today filed a Complaint and a Motion for Temporary Restraining Order and Preliminary Injunction in Federal District Court in Washington, DC. EPIC is seeking to compel the Federal Trade Commission to act prior to March 1, when Google plans to make changes in its terms of service that will make it possible for the company to combine user data without user consent. EPIC alleges that this change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The consent order arises from a complaint that EPIC brought to the Commission in February, 2010 concerning Google Buzz and a similar attempt by Google to combine user data without user consent. For more information, see EPIC - In re Google Buzz, FTC - FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network."
News release: "The Federal Trade Commission warned marketers of six mobile applications that provide background screening apps that they may be violating the Fair Credit Reporting Act. The FTC warned the apps marketers that, if they have reason to believe the background reports they provide are being used for employment screening, housing, credit, or other similar purposes, they must comply with the Act. According to the FTC, some of the apps include criminal record histories, which bear on an individual's character and general reputation and are precisely the type of information that is typically used in employment and tenant screening."
"EPIC has filed a Freedom of Information Act request with the Federal Trade Commission for the Privacy Report that Google was recently required to submit to the agency. The Commission had previously investigated Google after EPIC filed a complaint regarding Google's Buzz product, which transformed private user contacts into publicly available social network data. Last fall the Commission reached a settlement with Google and, as a result, the company is subject to a consent order that requires it to file regular reports with the Commission. EPIC has requested that Google's first report, filed on January 26, 2012, be released to the public. Because of Google's plan to change its business practice on March 1, 2012, EPIC has asked the FTC to expedite the disclosure of the report. For more information see EPIC: In re Google Buzz."
"DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate."
EFF: "This January 28 marks International Privacy Day. Different countries around the world are celebrating this day with their own events. This year, we are honoring the day by calling attention to recent international privacy threats and interviewing data protection authorities, government officials, and activists to gain insight into various aspects of privacy rights and related legislation in their own respective countries. As part of International Privacy Day, the EFF asked data protection authorities, politicians, and activists about privacy related issues and concerns for 2012. In addition to the individuals highlighted in our previous posts, EFF heard back from the Council of Europe, the European Data Protection Supervisor (EDPS), and activists from Canada, France and Spain. In various ways, all of the responses focused on government surveillance or data protection laws. For the Council of Europe and European Data Protection Supervisor, the focus was on data protection agreements, while the activists were mindful of the ever-increasing power of government authorities to surveil their citizens."
"In honor of Data Privacy Day, the full ebook of lol...OMG! (regularly $9.99) is being made available for FREE!"
"One policy, one Google experience - We’re getting rid of over 60 different privacy policies across Google and replacing them with one that’s a lot shorter and easier to read. Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google."
News release: "The European Commission has today [January 24, 2012] proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe."
Report from the Internet Privacy Workshop - Internet Architecture Board (IAB) - via CDT: "The workshop report provides a useful overview of fundamental privacy design challenges that appear again and again: the increasing ease of user/device/application fingerprinting, unforeseen information leakage, difficulties in distinguishing first parties from third parties, complications arising from system dependencies, and the lack of transparency and user awareness of privacy risks and tradeoffs. The report also identifies a number of barriers to successful deployment and analysis of privacy-minded protocols and systems, including the difficulty of using generic protocols and tools to defend against context-specific threats; the tension between privacy protection and usability; and the difficulty of navigating between business, legal, and individual incentives."
"Today the Supreme Court unanimously held in U.S. v. Jones that the warrantless use of a GPS tracking device by the police violated the Fourth Amendment. The Court said that a warrant is required "[w]here, as here, the government obtains information by physically intruding on a constitutionally protected area," like a car. Concurring opinions by Justices Sotomayor and Alito urged the court to focus on the reasonableness of the suspect's expectation of privacy because physical intrusion is unnecessary to surveillance in the digital age. EPIC, joined by 30 legal and technical experts, filed a "friend of the court" brief. EPIC warned that, "it is critical that police access to GPS tracking be subject to a warrant requirement." For more information, see EPIC: US v. Jones, and EPIC: Location Privacy."
"Google’s Good to Know campaign aims to help people stay safe on the Internet and manage the information they share online. The website and ads provide easy to use tips and advice on online security, help on understanding the data users share and tools they can use to manage their data. Written in clear language and featuring practical examples to illustrate complex security and privacy issues, the website and advertising campaign aim to empower users to tackle their online security concerns and make more informed decisions about their internet use. The U.S. campaign includes adverts in newspapers, on public transport and online. Download all print ads – (PDF)."
"As the result of EPIC v. DHS, a Freedom of Information Act lawsuit, EPIC has obtained nearly three hundred pages of documents detailing a Department of Homeland Security's surveillance program. The documents include contracts and statements of work with General Dynamics for 24/7 media and social network monitoring and periodic reports to DHS. The documents reveal that the agency is tracking media stories that "reflect adversely" on DHS or the U.S. government. One tracking report -- "Residents Voice Opposition Over Possible Plan to Bring Guantanamo Detainees to Local Prison-Standish MI" -- summarizes dissent on blogs and social networking sites, quoting commenters. EPIC sent a request for these documents in April 2004 and filed suit against the agency in December. For more information, see EPIC: EPIC v. Department of Homeland Security: Media Monitoring."
EPIC: "Bloomberg News has reported that the Federal Trade Commission has expanded its antitrust investigation of Google to include Google's social networking service, Google+. The report comes after Google announced that it would include personal data gathered from Google+ in the results of users' searches, a move that led EPIC to urge the FTC to investigate the company. EPIC said that "Google's business practices raise concerns related to both competition and the implementation of the Commission’s consent order," referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. Google first confirmed the FTC’s antitrust investigation in June 2011. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission."
EPIC: In a letter to the Federal Trade Commission, EPIC has called for an investigation of recent changes by Google to Google Search, the dominant search algorithm on the Internet. EPIC cited Google's decision to include personal data, such as photos, posts, and contact details, gathered from Google+ in Google Search results. “Google’s business practices raise concerns related to both competition and the implementation of the Commission’s consent order,” EPIC said, referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of Google products and services and subjects the company to regular privacy audits. Recently, the Senate held a hearing on Google’s use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google’s acquisition of Youtube, which allowed Google to give preferential treatment to Google's own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade."
"EPIC filed the opening brief in EPIC v. NSA, No. 11-5233, challenging the National Security Agency's response to EPIC's Freedom of Information Act request. EPIC is seeking information about the widely publicized cybersecurity agreement between the NSA and Google that followed the January 2010 China hack. The NSA claimed it "could neither confirm nor deny" the existence of any information about its relations with Google. After the attack, Google implemented encryption technology for Gmail by default, a privacy safeguard EPIC and technical experts had urged in 2009. For more information, see EPIC v. NSA: Google / NSA Relationship."
News release: "The Federal Trade Commission has approved a biennial report to Congress focusing on the use of the Do Not Call Registry by both consumers and businesses over the past two years, as well as the impact that new technologies have had on the Registry. As detailed in the report, the Do Not Call Registry now has more than 209 million active registrations, and more than eight million new phone numbers were registered in Fiscal Year 2011. During that time, approximately 35,000 sellers, telemarketers, and exempt organizations such as charities subscribed to access the Registry, paying fees totaling more than $13.7 million. The report concludes that since its inception, the Registry has successfully accepted consumer registrations and complaints, allowed businesses to obtain access to Registry data, and provided law enforcement with the tools needed to investigate complaints and bring appropriate actions."
"EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency's social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies. The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy."
Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices, by Seth Schoen, Marcia Hofmann and Rowan Reynolds, December 2011
News release: "The Office of the Data Protection Commissioner, Ireland, on 21 December 2011 published the outcome of its audit of Facebook Ireland (FB-I), which was conducted over the last three months including on-site in Facebook Ireland's Headquarters in Dublin. The report is available in 2 parts: Report of the Audit, including recommendations, and the Facebook Technical Analysis Report...It is a comprehensive assessment of Facebook Ireland's compliance with Irish Data Protection law and by extension EU law in this area...Deputy Commissioner, Gary Davis, who led the conduct of the Audit, stated that "this Audit was the most comprehensive and detailed ever undertaken by our Office. We set ourselves a very ambitious target for completion and publication as both this Office and Facebook felt it was important that the outcome be published and opened to public comment and scrutiny...Facebook is constantly evolving and adapting in response to user needs and technical developments. Like any successful technology platform, the service needs to innovate by introducing new products and features in order to adapt to changing circumstances. Indeed the almost Darwinian nature of the site means that there will constantly be an absolute need to have in place robust mechanisms to keep pace with the innovation that is the source of the site's success."
"Have you ever wondered why some online ads you see are targeted to your tastes and interests, or how websites remember your preferences from visit to visit? The answer may be in the “cookies." A cookie is information saved by your web browser, the software program you use to visit the web. Cookies can be used by companies that collect, store and share bits of information about your online activities to track your behavior across sites. Cookies also can be used to customize your browsing experience, or to deliver ads targeted to you. OnGuardOnline.gov wants you to know how cookies are used and how you can control information about your browsing activities. Here are answers to some commonly asked questions about cookies – what they are, what they do, and how you can control them."
CRS — Governmental Tracking of Cell Phones and Vehicles: The Confluence of Privacy, Technology, and Law. Richard M. Thompson, Law Clerk. December 1, 2011
Reading Digits in Natural Images with Unsupervised Feature Learning, Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, Andrew Y. Ng
News release: "The Information Commissioner’s Office (ICO) has today published new guidance making it clear that information concerning official business held in private email accounts is subject to the Freedom of Information Act. Information Commissioner, Christopher Graham said:
Identity Theft Reported by Households, 2005-2010: "Presents data on the nature of and trends in identity theft victimization among U.S. households from the National Crime Victimization Survey (NCVS). The NCVS defines identity theft as the misuse or attempted misuse of an existing credit card or another existing account or the misuse of personal information to open a new account or for other fraudulent purposes. Findings are based on experiences of all household members age 12 or older as reported by the head of household. The data brief examines changes in the percentage of households experiencing identity theft from 2005 to 2010. It describes differences in the types of identity theft experienced by households in 2010 compared to 2005, as well as changes in the demographic characteristics of victimized households. The brief also presents estimates on the monetary losses attributed to household victims of identity theft. Highlights include the following:
News release: "The Federal Trade Commission today issued the National Do Not Call Registry Data Book for Fiscal Year 2011. The FTC's National Do Not Call Registry provides consumers with an easy way to stop unwanted telemarketing calls...According to the Data Book, at the end of FY 2011 (September 30, 2011), the Do Not Call Registry contained 209,722,924 actively registered phone numbers, up from 201,542,535 at the end of FY 2010. In addition, the number of consumer complaints about unwanted telemarketing calls increased from 1,633,819 at the end of FY 2010 to 2,272,662 at the end of FY 2011. In its third year of publication, the Data Book contains a wealth of information about the Registry for FY 2011, including:
News release: "The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established. The FTC's eight-count complaint against Facebook is part of the agency's ongoing effort to make sure companies live up to the privacy promises they make to American consumers. It charges that the claims that Facebook made were unfair and deceptive, and violated federal law."
"Consumer Reports' Guide to online security outlines some of the most common Net threats—such as phishing, online scams, and computer viruses. (See: Best ways to stay safe online.) But our latest security report also notes that mobile phones and social media sites can also present a rising amount of ID theft risks since more consumers are using their smart phones to shop and sharing news of online bargains on Facebook. (See: Mobile phones: The new risk and Concerns about Facebook.) The Consumer Federation of America, a non-profit association of almost 300 consumer organizations, has compiled a list of 10 tips for having an ID theft-free holiday season (PDF) on its website, IDTheftInfo.org."
News release: "The loss of computer tapes by Science Applications International Corporation (SAIC) may have placed TRICARE patient data at risk. There is no evidence that any of the data has actually been accessed by a third party, and analysis shows the chance any data was actually compromised is low, but proactive measures are being taken to ensure that potentially affected patients are kept informed and protected. SAIC is a contractor for the TRICARE Management Activity. On September 14, TMA learned that an SAIC employee reported that on September 12 computer tapes containing personally identifiable and protected health information (PII/PHI) of 4.9 million military clinic and hospital patients in Texas, or those patients who had laboratory exams sent to the military hospitals in Texas, were stolen. The data contained on the tapes may include names, Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes."
The growing impact of full disk encryption on digital forensics - Eoghan Casey, Geoff Fellows, Matthew Geiger, Gerasimos Stellatos
"Documents obtained by The Wall Street Journal open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001. The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and "massive intercept" gear that can gather all Internet communications in a country. The documents—the highlights of which are cataloged and searchable here—were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month."
"The European Union has adopted strict new guidelines limiting the use of body scanners at EU airports. Under the new guidelines, European Union member states may only deploy airport body scanners if they comply with new regulations that protect health, privacy, and fundamental rights. The European Commission has also prohibited any devices that store, record, or transfer images of travelers as well as devices that display an image of the naked human body. As a result, backscatter x-ray devices are now effectively prohibited in airports in the European Union. The European Commission has also made clear that passengers may not be required to go through body scanners, following the conclusion reached by the federal appellate court in the United States in the EPIC v. DHS case, which held that passengers have a legal right to opt-out of body scanners. The body scanners have not done well during trials in Europe. Most recently a test in Germany found that the devices were ineffective. For more information, see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS (Suspension of the Body Scanner Program)."
Atlantic Wire - Adam Clark Estes: "When a federal judge ruled that Twitter must reveal the private data of three WikiLeaks associates on Thursday, privacy advocates died a little inside. The two organizations that had defended the three users, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), immediately filed mournful blog posts that respectively raised doubts about the United States government's secretive handling of the case and highlighted the grave message the ruling sends about the future of privacy on the internet. But Wall Street Journal reporter Jennifer Valentine-DeVries sums up the implications of the case best with a leading question: "Should the government be able to collect information related to your Internet use without a warrant?" We now know that the federal court's answer is, "Yes.""
The Socialbot Network: When Bots Socialize for Fame and Money - Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu - University of British Columbia, Vancouver, Canada
"The Berkman Center for Internet & Society is pleased to share a new paper published in First Monday, Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act,’ authored by Berkman community members danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey.
Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared, B.U. J. SCI. & TECH. L., Vol. 17, Winter 2011.
DOE IG Evaluation Report - The Department's Unclassified Cyber Security Program – 2011, DOE/IG-0856 October 2011
News release: "The Electronic Frontier Foundation (EFF) sued the Department of Justice (DOJ) today for answers about "secret interpretations" of the USA PATRIOT Act, signed into law ten years ago today. Several senators have warned that the DOJ is using Section 215 of the PATRIOT Act to support what government attorneys call a "sensitive collection program" that may be targeting large numbers of Americans. Section 215 allows for secret court orders to obtain "tangible things" when the FBI certifies they are relevant to a government investigation. The list of possible "tangible things" the government can obtain is seemingly limitless, and could include everything from driver's license records to Internet browsing patterns. Section 215 also limits the court's discretion to deny the order and prevents the recipient of an order from disclosing its existence."
News release: "Following a public comment period, the Federal Trade Commission has accepted as final a settlement with Google, and authorized the staff to provide responses to the commenters of record. The settlement resolves charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleged that the practices violate the FTC Act. The settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. The Commission vote approving the final settlement was 4-0."
Official Google Blog: "As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we’re enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra “s”) when you’re signed in to your Google Account. This change encrypts your search queries and Google’s results page. This is especially important when you’re using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe. You can also navigate to https://www.google.com directly if you’re signed out or if you don’t have a Google Account."
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents, October 13, 2011
News release: "Concerned that the pairing of the new Kindle Fire tablet with its must-use Silk browser means Amazon could track each Web click of Kindle Fire users, Congressman Edward J. Markey (D-Mass.) [October 14, 2011] sent a letter to Amazon’s CEO asking for responses to questions about tablet users’ privacy and security...In May 2011, Reps. Markey and Joe Barton (R-Texas) introduced the Do Not Track Kids Act of 2011, bipartisan legislation that amends the Children’s Online Privacy Protection Act of 1998 to extend, enhance and update the provisions relating to the collection, use and disclosure of children’s personal information. The legislation also establishes new protections for the personal information of children and teens."
Tracking the Trackers: Where Everybody Knows Your Username by Jonathan Mayer, posted on October 11, 2011
The Economist: "The beauty of Twitter, the popular microblogging service, is that users have to keep it short: messages can only be 140 characters long. But companies that mine the stream of tweets for marketing and other purposes (see article in this week's issue of The Economist) get much more information. [Here is a map] of a tweet including all its metadata. The map was published by Raffi Krikorian, a developer at Twitter. It is 18 months old, but it is safe to say that the amount of metadata attached to a tweet has not decreased since."
Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users, Erica Newland, Caroline Nolan, Cynthia Wong, and Jillian York. The Berkman Center for Internet & Society and The Center for Democracy & Technology, September 2011
News release: "In a massive coordinated information-seeking campaign, 35 ACLU affiliates are filing over 381 requests in 32 states across the country with local law enforcement agencies large and small that seek to uncover when, why and how they are using cell phone location data to track Americans. The requests seek information from local law enforcement agencies, including:
News release: "An operator who allegedly sent millions of illegal spam text messages to consumers is banned from sending any unsolicited text messages, under a settlement agreement with the Federal Trade Commission entered by a federal court. According to the FTC complaint filed in February 2011, the marketer sent a “mind-boggling” number of unsolicited commercial text messages pitching mortgage modification services to consumers, and misrepresented that he was affiliated with a government agency. The FTC alleged that many consumers had to pay fees to their mobile carriers to receive the unsolicited text messages. The FTC also alleged that the marketer advertised his text message blasting services by sending consumers illegal spam. The agency charged him with violating the FTC Act and the CAN-SPAM Act."
News release: "What do you think about when choosing a cell phone provider? Their prices? Their coverage area? Whether they have spiffy, high-tech phones? Whether their phones work overseas or in the subway? What about how long they retain information about you and under what circumstances they turn it over to law enforcement? All of the nation's major mobile carriers are retaining their customers' location data for at least a year, according to a chart the Department of Justice (DOJ) developed in 2010 — and that the ACLU of North Carolina received in response to our public records request about local law enforcement's use of cell phone location information. And location info's not all they hang onto. We gave a copy of this document to Wired.com, which has written about it here."
News release: "Representatives Joe Barton (R-Texas) and Edward J. Markey (D-Mass.), Co-Chairmen of the House Bi-Partisan Privacy Caucus, sent a letter to the Federal Trade Commission (FTC) asking the agency to investigate so-called “supercookies”, files that can be installed on computers without a user's knowledge. Supercookies allow websites to collect detailed personal data about users, including websites previously visited. Even when consumers choose to delete regular cookies from their computers, supercookies persist. According to a report last month in The Wall Street Journal (“Latest in Web Tracking: Stealthy ‘Supercookies’, August 18, 2011), it was discovered that companies have been installing supercookies on users’ computers without their knowledge. Even technical experts at the websites in the report stated they had no knowledge that the secret files were being installed."
News release: "Buried in President Obama’s deficit reduction plan (see page 28) is a proposal to allow debt collectors “to contact delinquent debtors via their cellular phones” when collecting debts owed to or guaranteed by the federal government. The proposal will not help reduce the deficit and is harmful for consumers, the National Consumer Law Center warned...Currently, debt collection calls to cell phones are limited because collectors must check their phone number lists against a list of known cell phones and cannot call those numbers unless the consumer has provided that number as a way of reaching them. Though the proposal is limited to debts owed or guaranteed by the federal government, millions of consumers will be affected, including graduates who can’t pay their loans due to the terrible job market, homeowners who are behind in mortgages, and people who are in tax disputes with the Internal Revenue Service. Families who have lost their homes to foreclosure could be exposed to cell phone calls for years if the delinquency on their mortgage is sold to debt buyers."
EPIC: "Today Netflix announced that it has launched a DC lobbying campaign against a federal privacy law that protects customer video rental information. The company, which is already under fire for dramatic hikes in the subscription price of its once popular DVD rental program, now claims that the privacy law prevents Facebook users from posting information about Netflix on Facebook. According to OpenSecrets, operated by the Center for Responsive Politics, Netflix has ramped up its Washington influence, spending almost $200,000 in 2011, up from $20,000 in 2009. EPIC has described the Video Privacy Protection Act as "one of the strongest protections of consumer privacy against a specific form of data collection." The law always had an exception for user consent, which means that Facebook users are free to disclose information about the videos they rent. But Netflix wants "blanket consent" so that all Netflix use will be posted routinely to Facebook. For more information, see EPIC: Video Privacy Protection Act."
Identity Theft - Trends, Patterns, and Typologies Based on Suspicious Activity Reports. Filed by the Securities and Futures Industries January 1, 2005 – December 31, 2010. Report released September 2011.
News release: "Want to know more about Internet safety and security? Visit the new and improved OnGuardOnline.gov for practical tips and resources on how to be safe, secure and responsible online. Created through a partnership of 16 federal agencies led by the Federal Trade Commission, it’s a great source of free information for your home, school, community group, or workplace. OnGuardOnline’s new features include a cybersecurity blog and information updates via e-mail. Also, the FTC has partnered with the Department of Homeland Security and other agencies in the Stop.Think.Connect Campaign™ to raise awareness of the need for stronger cybersecurity with new approaches to help increase online safety and security. The new OnGuardOnline blog offers cybersecurity news from around the government, how-to articles and videos, and insights from federal officials. Check back regularly for updates, or sign up to get an e-mail when a new post is up. You can copy information from the site, adapt it, post it, or link to it, and you can share your thoughts on the blog. Updating your website or blog? Link to OnGuardOnline. Editing a newsletter? Use our articles. Need hand-outs for a talk you’re giving? Print publications from the website, or order free materials from the FTC."
News release: "The Federal Trade Commission is seeking public comment on proposed amendments to the Children’s Online Privacy Protection Rule, which gives parents control over what personal information websites may collect from children under 13. The FTC proposes these amendments to ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve. The Commission proposes modifications to the Rule in five areas: definitions, including the definitions of “personal information” and “collection,” parental notice, parental consent mechanisms, confidentiality and security of children’s personal information, and the role of self-regulatory “safe harbor” programs."
"The Tracking Protection Working Group is chartered to improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements. The group seeks to standardize the technology and meaning of Do Not Track, and of Tracking Selection Lists." See in Input Documents as follows
News release: "Ever have a medical test done and then had to wait around – sometimes anxiously, depending on the test – to get the lab test results from your doctor? That’s about to change. Yesterday, the Department of Health and Human Services (HHS) proposed regulations that would give patients the ability to access their clinical lab test results directly from the lab, instead of having to wait to receive the results from their health care provider. This change further empowers patients to manage their own health care and organize electronic copies of their own data – a major benefit of the health care system’s transition to digital records...Yesterday’s proposed regulations will change how test results get to patients. The proposed regulations would modify CLIA to permit labs to send results directly to patients, and the proposed regulations would also modify the HIPAA Privacy Rule to give patients the right to access or receive their lab results. Contrary state laws would be preempted. As with patients’ existing right of access, patients would have the ability to request their lab results in a particular form or format; for example, patients could request a paper copy of their test results, or to have the results sent electronically to the patients’ personal health record. (For more information on patients’ right to access their medical data, see CDT’s page on Getting Your Medical Records.)"
The Library of Congress - THOMAS: "This site was begun in September 2001 as a way of keeping the public readily apprised of legislation related to the terrorist attack on the United States that month. The selection, made by hand, is necessarily subjective, as the September 11th attack had a ripple effect on legislation in the second session of the 107th Congress, making boundaries difficult to draw. The site will not be updated after the conclusion of the 107th. Not included here are appropriations and authorization bills, which may include provisions relevant to our response to terrorism, but included are some bills related to bio-terrorism and not September 11th."
"The Circuit Court for the District of Columbia has ruled that the Department of Justice must release information regarding government surveillance of cell phone location data. The American Civil Liberties Union had filed a Freedom of Information Act request for information regarding current and past cases where the Department of Justice had accessed cell phone location data without a warrant. The agency sought to keep this information secret, claiming that releasing cell phone tracking data could implicate privacy of investigation subjects. The court, however, disagreed, stating, "The disclosure sought by the plaintiffs would inform this ongoing public policy discussion by shedding light on the scope and effectiveness of cell phone tracking as a law enforcement tool." For more information, see EPIC: Wiretapping and EPIC: Electronic Surveillance 1968-2010."
The PII Problem: Privacy and a New Concept of Personally Identifiable Information (July 8, 2011). New York University Law Review, Vol. 86, 2011. Paul M. Schwartz and Daniel J. Solove.
"A Federal judge has ruled that law enforcement officers must have a warrant to access cell phone locational data. Courts are divided regarding whether or not this type of data should be protected by a warrant requirement. Judge Garaufis of the Eastern District of New York, found that "The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by 'choosing' to carry a cell phone must be rejected…In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell-phone user's reasonable expectation of privacy in cumulative cell-site-location records." EPIC has filed amicus briefs in several related cases. For more information see: EPIC: Commonwealth v. Connolly, EPIC: US v. Jones, and EPIC: Locational Privacy."
"August 25, 2011 - Facebook is rolling out a series of changes to its privacy controls. We reviewed the changes in detail on Tuesday; now here’s how you can take advantage of these changes."
"Symantec Corp. announced the results of the August 2011 Symantec Intelligence Report, now combining the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. This month’s analysis reveals that once more spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit. In a pump-and-dump stock scam, spammers promote certain stocks in order to inflate the price as much as possible so that they may then be sold before their valuation crashes back to reality. The spam for these scams tries to convince the prospective mark that the penny stock is actually worth more than its valuation, or that it will soon skyrocket. Most of these claims are either misleading or false. A successful pump-and-dump spam campaign will artificially drive up the price of the stock to a point where the scammers decide to sell their shares. This usually coincides with them ending the spam campaign, which in turn reduces the interest in the stock, helping to drive its valuation back to the original low price."
Trends in Circumventing Web-Malware Detection. Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt. Google Technical Report rajab-2011a, July 2011
A Guide to Facebook Security For Young Adults, Parents, and Educators, Linda McCarthy, Keith Watson, and Denise Weldon-Siviy, August 2011. "This online guide explains how you can:
Revealed: Operation Shady RAT by Dmitri Alperovitch, Vice President, Threat Research, McAfee: "An investigation of targeted intrusions into more than 70 global companies, governments, and non-profit organizations during the last five years."
Data-Enabled Government: How Well Is Our Personal Information Used and Protected? - HP Business White Paper
"Data (in)security is rapidly gaining consumer attention in major media. In 2011 major breaches at Sony, Epsilon and others have highlighted the risk consumers face from their data being compromised. Major corporations are now recognizing the urgency to implement strong and innovative security measures to ensure the security of their customers’ data. At the same time, both Apple and Google have seen stunning growth in the past few years and now dominate the smartphone market. Companies and app developers have leveraged these platforms to provide new mobile services, often bringing them to market very quickly. But what steps have the smartphone OS providers and app developers taken to secure the data on their customers’ smartphones? At viaForensics we believe in proactive forensics – applying the power of forensic methods proactively to improve digital security. With appWatchdog we utilize forensic techniques to investigate consumer mobile apps and understand what user data is stored and could be at risk. This white paper summarizes our findings for the first 100 tests, from November 2010 through June 2011."
Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (July 29, 2011), Ayenson, Mika, Wambach, Dietrich James, Soltani, Ashkan, Good, Nathan and Hoofnagle, Chris Jay, Available at SSRN
News release: "The Electronic Frontier Foundation (EFF), in collaboration with the Tor Project, has launched an official 1.0 version of HTTPS Everywhere, a tool for the Firefox web browser that helps secure web browsing by encrypting connections to more than 1,000 websites. HTTPS Everywhere was first released as a beta test version in June of 2010. Today's 1.0 version includes support for hundreds of additional websites, using carefully crafted rules to switch from HTTP to HTTPS. HTTPS protects against numerous Internet security and privacy problems, including the search hijacking on U.S. networks that was revealed by an article published today in New Scientist magazine. The article, entitled US internet providers hijacking users' search queries, documents how a company called Paxfire has been intercepting and altering search traffic on a number of ISPs' networks. HTTPS can prevent such attacks."
News release: "Acting on recent data that reveals many consumers still aren’t protected by even basic antivirus software when banking online, McAfee today released an educational guide for banking safely on computers, tablets or mobile devices. According to Javelin Strategy & Research, in 2010 47 percent of household financial managers did not have antivirus software installed. Combining McAfee intelligence with the latest U.S. banking data from many top sources revealed that most consumers fall into one of three categories of online banking behavior, and that age tends to play a strong role in safety and security habits online. Most people’s level of confidence with banking online is associated with their overall comfort level online, including participating in such activities as shopping, searching, and social networking."
EPIC: "The House of Representatives Judiciary Committee voted to approve a bill that will require Internet Service Providers (ISPs) to retain data on every customer to allow the government to identify and track their online activity for one year. EPIC Director Marc Rotenberg testified against the bill at the subcommittee hearing, and his arguments were cited by committee members including Representative Jerrold Nadler (D-NY). After two days of deliberation, the bill was passed with an amendment to require ISPs to retain even more information: not only internet protocol addresses, but also customer names, addresses, phone records, type and length of service, and credit card numbers. “This retention is a radical contradiction of the core American value that we are innocent until proven guilty,” said Representative Jason Chaffetz (R-UT)."
Faces of Facebook: Privacy in the Age of Augmented Reality - FAQ only - See also slides here. Alessandro Acquisti (Heinz College, Carnegie Mellon University), Ralph Gross (Heinz College, Carnegie Mellon University), Fred Stutzman (Heinz College, Carnegie Mellon University), August 2011
"Marketers are spying on Internet users -- observing and remembering people's clicks, and building and selling detailed dossiers of their activities and interests. The Wall Street Journal's What They Know series documents the new, cutting-edge uses of this Internet-tracking technology. The Journal analyzed the tracking files installed on people's computers by the 50 most popular U.S. websites, plus WSJ.com. The Journal also built an "exposure index" -- to determine the degree to which each site exposes visitors to monitoring -- by studying the tracking technologies they install and the privacy policies that guide their use."
CNET: "Google's Street View cars collected the locations of millions of laptops, cell phones, and other Wi-Fi devices around the world, a practice that raises novel privacy concerns, CNET has confirmed. The cars were supposed to collect the locations of Wi-Fi access points. But Google also recorded the street addresses and unique identifiers of computers and other devices using those wireless networks and then made the data publicly available through Google.com until a few weeks ago."
Commentary: "Britain is now enmeshed in a gigantic scandal around privacy invasions by the press and police. It began with revelations about reporters for Rupert Murdoch's British tabloid newspaper News of the World hacking into the voicemail of a murdered young girl, and has expanded as other privacy invasions have come to light."
"The Federal Trade Commission today told Congress that protecting consumers’ privacy – through law enforcement, education and policy initiatives – is a top priority at the agency. In delivering Commission testimony before the House Committee on Energy and Commerce Subcommittees on Commerce, Manufacturing, and Trade, and Communications and Technology, Commissioner Edith Ramirez said, “Privacy has been an important part of the Commission’s consumer protection mission for 40 years. During this time, the Commission’s goal in the privacy arena has remained constant: to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits offered by the dynamic and ever-changing marketplace.”"
Follow-up to previous postings on whole body scanning at airports, via EPIC: "The European Parliament has adopted a resolution that sets out strict safeguards for airport body scanners. The resolution requires that Member States only "deploy technology which is the least harmful for human health" and establish substantial privacy protection. The resolution prohibits the use of body scanners that use ionizing radiation. New guidelines also state that airport body scanners "must not have the capabilities to store or save data." EPIC currently is pursuing a lawsuit to suspend the use of body scanners in the United States, citing several federal laws and the US Constitution. EPIC has called the US airport body scanner program "invasive, ineffective, and unlawful." For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology."
News release: "Outside, the Global Positioning System allows mobile phone users to pinpoint their location with surprising accuracy. But indoors, those who are lost are out of luck: GPS satellite signals can’t penetrate roofs. Researchers at the McCormick School of Engineering and Applied Science have determined one way of figuring out your location inside: by letting your phone listen. Their new mobile phone app, called Batphone, allows users to record ambient noise in a room and tag it with an acoustic fingerprint, which allows future users to use that database of fingerprints to determine their location. “We have found that the app has been very successful in determining locations,” says app developer Stephen Tarzia, a computer engineering graduate student in the Empathic Systems Project headed by electrical engineering and computer science professors Peter Dinda and Gokhan Memik and adjunct professor Robert Dick."
"Federal and state applications for orders authorizing or approving the interception of wire, oral or electronic communications increased 34 percent in 2010, compared to the number reported in 2009. The interceptions are reported in the 2010 Wiretap Report, released today by the Administrative Office of the United States Courts (AOUSC). The current report covers intercepts concluded between January 1, 2010 and December 31, 2010. A total of 3,194 intercept applications by federal and state courts were authorized in 2010, with 1,207 applications by federal authorities authorized and 1,987 applications by 25 states authorized. One application was denied. Installed intercepts totaled 2,311."
News release: "The Federal Trade Commission told Congress that consumers must be confident that their privacy will be protected if they are to be willing to take advantage of all the benefits offered by the Internet marketplace. Commission testimony to the Senate Committee on Commerce, Science and Transportation, delivered by Commissioner Julie Brill, states that, “Privacy has been an important component of the Commission’s consumer protection mission for 40 years. During this time, the Commission’s goal in the privacy arena has remained constant: to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits offered by the dynamic and ever-changing marketplace.”"
EPIC: "In a FOIA lawsuit against the Department of Homeland Security, EPIC has just obtained documents concerning the radiation risks of TSA's airport body scanner program. The documents include agency emails, radiation studies, memoranda of agreement concerning radiation testing programs, and results of some radiation tests. One document set reveals that even after TSA employees identified cancer clusters possibly linked to radiation exposure, the agency failed to issue employees dosimeters - safety devices that could assess the level of radiation exposure. Another document indicates that the DHS mischaracterized the findings of the National Institute of Standards and Technology, stating that NIST "affirmed the safety" of full body scanners. The documents obtained by EPIC reveal that NIST disputed that characterization and stated that the Institute did not, in fact, test the devices. Also, a Johns Hopkins University study revealed that radiation zones around body scanners could exceed the "General Public Dose Limit." For more information, see EPIC: EPIC v. Department of Homeland Security - Full Body Scanner Radiation Risks and EPIC: EPIC v. DHS (Suspension of Body Scanner Program)."
Know Your Rights! by Hanni Fakhoury, EFF Staff Attorney, June 2011
EPIC: "The Trans-Atlantic Consumer Dialogue (TACD), a coalition of consumer groups in Europe and North America, adopted a report on privacy and electrical services at the 12th Annual TACD meeting held recently in Brussels. The Smart Meter White Paper warns the "dramatic increase in the granularity of data available and frequency of collection of household energy consumption means that the smallest detail of household life can be revealed." The TACD report sets out recommendations to protect the privacy of users of new energy services. For more information, see EPIC - Smart Grid and Privacy."
FCC: "You may be one of many consumers who have received emails saying you’re about to be assaulted by unwanted telemarketing calls to your wireless phone. Rest assured that placing telemarketing calls to wireless phones is -- and always has been -- illegal in most cases. Why the Confusion? The confusion seems to stem from recent discussions in the wireless phone industry about establishing a wireless 411 phone directory, much like your traditional (wired) 411 phone directory. A number of email campaigns seem to suggest that if your wireless telephone number is listed in a wireless 411 directory, it will be available to telemarketers, and you will start to receive sales calls. In addition, some of these email campaigns suggest that there is a separate do-not-call “cell phone registry,” which you must call to have your wireless phone number covered by the do-not-call rules. This information is wrong."
News release: "As explained in the amicus brief, the proposed settlement raises concerns in three areas in which the FTC has significant expertise: FDCPA and debt collection, privacy and data collection, and class action fairness. First, the FTC is the chief federal enforcer of the FDCPA and has conducted comprehensive assessments of debt collection activities, including its 2009 report, Collecting Consumer Debts: The Challenges of Change and its 2010 report, Repairing a Broken System: Protecting Consumers in Debt Collection Litigation and Arbitration. Second, the FTC safeguards consumers’ privacy and the security of their personal information under Section 5 of the FTC Act and the Gramm-Leach-Bliley Act. Finally, in connection with its Class Action Fairness Project, the FTC has studied how best to protect consumer interests and promote fairness in the class action context and has filed amicus briefs commenting on potentially unfair class settlements."
"In a 6-3 decision, the Supreme Court struck down Vermont's prescription privacy law. IMS Health, Inc. v. Sorrell held that the Vermont statute, which bars disclosure of prescription data for marketing purposes, violates data mining firms' free speech rights. Vermont "burdened a form of protected expression that it found too persuasive. At the same time, the State has left unburdened those speakers whose messages are in accord with its own views. This the State cannot do," the Court wrote. The Court suggested that a more privacy-protective statute might have withstood Constitutional scrutiny, writing "the State might have advanced its asserted privacy interest by allowing the information’s sale or disclosure in only a few narrow and well-justified circumstances. A statute of that type would present quite a different case than the one presented here." EPIC filed an amicus brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the "de-identification" techniques adopted by data-mining firms do not protect patient privacy. For more information, see EPIC: IMS Health v. Sorrell."
News release: "The Federal Trade Commission told Congress today during a hearing that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach...The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities."
NYT: "The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide, according to an official who has worked on the draft document and several others who have been briefed on its contents. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity. The F.B.I. recently briefed several privacy advocates about the coming changes. Among them, Michael German, a former F.B.I. agent who is now a lawyer for the American Civil Liberties Union, argued that it was unwise to further ease restrictions on agents’ power to use potentially intrusive techniques, especially if they lacked a firm reason to suspect someone of wrongdoing."
Announcement by Eva Galperin: "Back in December of 2010, Facebook debuted its tag suggestion feature, which works by using facial recognition technology to examine photos in which you’ve already been tagged, and then creating what Facebook calls your “photo summary” or “photo comparison information,” or what we’ll call your “facial fingerprint.” Using this information, FB suggests your name to your friends when they upload a photo of you, and invites them to tag you in that photo. Over the last few months, Facebook has been slowly rolling this feature out to all of its users, which caught the attention of security firm Sophos, The New York Times, and the European Union, which has launched a probe to investigate the new feature."
"EPIC and a coalition of privacy, consumer rights, and civil rights organizations filed a statement to the Department of Homeland Security in opposition to the proposed expansion of the employment verification system, "E-Verify." The agency announced plans to incorporate state driver license records that could significantly expand the use of the Homeland Security database. The groups said that the DHS proposal is unlawful and looks very similar to the REAL ID scheme that was previously defeated. EPIC has testified before Congress and published a Spotlight on Surveillance report about E-Verify. For more information, see EPIC: Employment Eligibility Verification System and EPIC: National ID."
PricewaterhouseCoopers’ Health Research Institute, Health Reform Prospering in a post-reform world, June 2001
Follow-up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The House has approved the 2012 budget for the Transportation Security Administration, cutting $270 million from the amount originally requested by the Agency. The cuts include $76 million that had been designated for the purchase of 275 airport body scanners. Leading lawmakers and activists have called attention to the health risks associated with the scanners, as well as their invasiveness. Representative Jason Chaffetz (R-UT) criticized the machines as “slow” and “ineffective.”"
News release: "AVG Technologies, Inc. announced it will make its leading Family Safety software available for free in exchange for a 99 cent donation to the American Red Cross family relief efforts in Joplin, Mo. The move comes in response to research the company conducted and has released over the course of the year on early childhood technology usage trends, “Digital Diaries,” and is complemented with the release of a first-of-its-kind e-book and mobile application for teaching very young children the basics of online safety, Little Bird’s Internet Security Adventure. AVG CEO JR Smith is making appearances across the country today urging parents to consider introducing their child to Little Bird to help them learn about online safety....Roughly half of today’s children (ages 6-9) are regularly talking to their friends online and using social networks, yet 58 percent of their parents admit they are not well-informed about their children’s online social networks. The “Digital Playground,” the third stage of AVG’s year-long “Digital Diaries” research program, further reveals the increasingly digitally-literate group of 6- to 9-year-olds and their parents in North America, Europe, Australia and New Zealand to find that:
Privacy leakage vs. Protection measures: the growing disconnect, Balachander Krishnamurthy - AT&T Labs Research; Konstantin Naryshkin - Worcester Polytechnic Institute; Craig E. Wills - Worcester Polytechnic Institute, May 2011.
Press Release and Highlights: "The annual study of the impact of the Internet on Americans conducted by the Center for the Digital Future found that almost half of Internet users age 16 and older -- 48 percent -- are worried about companies checking their actions on the Internet. By comparison, the new question for the Digital Future Study found that only 38 percent of Internet users age 16 and older are concerned about the government checking what they do online."
Official Google Blog: "...Through the strength of our cloud-based security and abuse detection systems, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.) Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities."
G8 Summit of Deauville - May 26-27, 2011: "We discussed new issues such as the Internet which are essential to our societies, economies and growth. For citizens, the Internet is a unique information and education tool, and thus helps to promote freedom, democracy and human rights. The Internet facilitates new forms of business and promotes efficiency, competitiveness, and economic growth. Governments, the private sector, users, and other stakeholders all have a role to play in creating an environment in which the Internet can flourish in a balanced manner. In Deauville in 2011, for the first time at Leaders' level, we agreed, in the presence of some leaders of the Internet economy, on a number of key principles, including freedom, respect for privacy and intellectual property, multi-stakeholder governance, cyber-security, and protection from crime, that underpin a strong and flourishing Internet. The "e-G8" event held in Paris on 24 and 25 May was a useful contribution to these debates."
RollCall: "After two days of wrangling and last-minute deal-making in the Senate, Congress cleared a reauthorization of the USA PATRIOT Act on Thursday, and the Obama administration announced that the president signed the bill into law before provisions of the anti-terrorism act expired at midnight. A standoff over amendments in the Senate ate into the time needed to fly the enrolled bill to President Barack Obama, who is traveling in Europe. Instead of physically signing the bill, Obama planned to direct the use of an autopen to sign it, White House spokesman Nick Shapiro said in an email shortly after the House cleared the bill. “Failure to sign this legislation poses a significant risk to U.S. national security,” Shapiro said in the email. Autopens generate a facsimile of an individual’s signature and are frequently used by Members of Congress for signing constituent correspondence and other letters. The Justice Department’s Office of Legal Counsel advised in 2005 that the president may sign a bill by autopen."
EPIC: "A draft agreement between the United States and the European Union will allow the U.S. Department of Homeland Security to store passenger data for up to 15 years. The passenger data includes names, addresses, phone numbers, and credit card information, and even ethnic origin, political opinions, and details of health or sex life. The 15 year time period in the proposed agreement is three times that allowed under Europe's existing Passenger Name Record regime. See also EPIC: EU-US Airline Passenger Data Disclosure."
Privacy Protections for Personal Information Online, Gina Stevens, Legislative Attorney, April 6, 2011
PBS Newshour: 'As the Obama administration pushes ahead with plans to increase the use of electronic medical records, two internal reports released Tuesday by the Department of Health and Human Services revealed "significant concerns" about security gaps in the system. The Office of the Inspector General found "a lack of general [information technology] security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals." The investigation audited computer security at seven large hospitals in different states, and found 151 major vulnerabilities, including unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. The auditors classified 124 of the breaches as "high impact" - resulting in costly losses, injury or death. According to the report, "outsiders or employees at some hospitals could have accessed, and at one of the seven hospitals did access, systems and beneficiaries' personal data."'
Catching AuthTokens in the Wild - The Insecurity of Google's ClientLogin Protocol by Bastian Könings, Jens Nickels, and Florian Schaub, May 13, 2011
"...the Administration has transmitted a cybersecurity legislative proposal to Capitol Hill in response to Congress’ call for assistance on how best to address the cybersecurity needs of our Nation. This is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government; fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity. Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy."
The False Tradeoff between Privacy and Security. (May 1, 2011). Daniel J. Solove, Nothing to Hide: The False Tradeoff between Privacy and Security, Chapter 1, Yale University Press, 2011.
"The FSA's Consultation paper CP11/08 is entitled 'Data Collection: Retail Mediation Activities Return and complaints data'. It was published in May 2011. Comments should reach us by July 8, 2011."
News release: "The Federal Trade Commission today told Congress that “the Commission is committed to protecting consumers’ privacy in the mobile sphere” by bringing enforcement actions where appropriate and “by working with industry and consumer groups to develop workable solutions that protect consumers while allowing innovation in this growing marketplace.” In Commission testimony before the Senate Judiciary Committee Subcommittee for Privacy, Technology and the Law, Jessica Rich, Deputy Director in the FTC’s Bureau of Consumer Protection said the FTC has been examining mobile and wireless issues since 2000, when the agency hosted a workshop on emerging wireless Internet and data technologies and the privacy, security, and consumer protection issues they raise. The FTC also hosted a technology forum in 2006 that featured mobile issues, two Town Halls to explore the use of radio frequency identification technology and its integration into mobile devices, and a forum in 2008 examining consumer protection issues in the mobile sphere. In addition, the FTC has taken law enforcement actions against companies that fail to protect the privacy and security of consumer information. The testimony highlighted four recent cases that illustrate how the FTC’s authority applies to the mobile arena. The FTC’s case against Google alleges that the company deceived consumers by using information collected from Gmail users to generate and populate a new social network, Google Buzz, without users’ consent. As part of the proposed settlement order, Google must protect the privacy of all of its customers – including mobile users."
News release: "Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue. Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day. Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties. Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc."
Better Choices: Better Deals - Consumers Powering Growth. UK Department for Business, Innovation and Skills, April 2011
Larsson, Stefan, The Path Dependence of European Copyright (April 15, 2011). SCRIPT-ed, Vol. 8, No. 1, April 2011. Available at SSRN: http://ssrn.com/abstract=1824228
FISA Annual Reports to Congress 2010 [via FAS]
"Rep. Markey (D-MA) and Rep. Barton (R-TX) released a discussion draft of the "Do Not Track Kids Act of 2011." This Act establishes enhanced protections for the use and disclosure of the personal information of children and teens online. In February, Rep. Speier (D-CA) introduced the broader Do Not Track Me Online Act. And in California, the Senate Judiciary Committee voted to move their Do Not Track bill, SB 761, to the next stage in the Appropriations Committee. EPIC submitted a statement to Congress saying that an effective Do Not Track initiative must ensure that a consumer's decision to opt-out is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Advertising."
Via CDT - The Threat of Data Theft to American Consumers: "While two high profile data breaches (Sony's PlayStation and Epsilon) have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005. According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – has risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions."
"Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices." Complaint: EPIC: In re Google Buzz ...
Cyrus Nemati, CDT: "If you've been following our Take Back Your Privacy campaign, you've seen our weekly privacy tips. Each week, we offer readers a new way to protect their privacy online through plug-ins, browser tricks, programs, and general privacy best practices. While each tip has merit in its own right, there are a few tips that give you a great amount of control over your online privacy. Without further ado, here are Take Back Your Privacy's Top Five Privacy Tips."
The big four phone carriers spill on their location and customer data collection policies: "The recent uproar over location tracking in smartphones has gotten ugly and fingers are bound to be pointed. But in the spirit of transparency, the four major carriers have outlined and detailed their location tracking applications as well as what exactly that data is being used for. The honesty does come as a response to the revelation that iPhones, Android devices, and Windows Phone 7 units are tracking user location."
Welcome to the age of data: Watch your back! by Molly Wood
News release: "The Electronic Frontier Foundation (EFF) and Access have launched an international campaign for HTTPS Now, rallying consumers around the world to help us make web surfing safer. HTTPS (Hypertext Transfer Protocol Secure) protects web surfing by encrypting requests from a user's browser and the resulting pages that are displayed, but many websites default to using the unencrypted and vulnerable HTTP protocol. The HTTPS Now campaign takes a three-pronged approach to protecting web surfing, including distributing updated tools for people to use to protect their web browsing, taking an Internet-wide survey of the state of HTTPS deployment, and helping website operators implement HTTPS. As a first step, individuals using the web are encouraged to install HTTPS Everywhere, a security tool for the Firefox browser developed by EFF and the Tor Project. HTTPS Everywhere automatically encrypts a user's browsing, changing it from HTTP to HTTPS whenever possible."
News release: "[April 19, 2011], the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) has issued several administrative orders against Google for incremental penalty payments. Investigations by the CBP show that Google has, for a period of two years, systematically, and without the data subjects’ knowledge, collected MAC addresses of more than 3.6 million WiFi routers, in combination with the calculated location of those routers. This was done by using the so called ‘Street View cars’. MAC addresses in combination with their calculated locations, qualify, in this context, as personal data, because the collected data provide information about the WiFi router’s owners. The Dutch DPA also concludes that Google, using the same Street View cars, collected so called payload data, the contents of internet communication. This information contains personal data such as e-mail addresses, medical data and information concerning financial transactions.
Google has been ordered to, within three months, inform the data subjects – off line as well as on line – about the collection of data originating from WiFi routers by the Street View cars. Within the same period of three months, Google must also offer an on line possibility to opt-out from the database in order to enable people to object to the processing of the data concerning their WiFi routers. In case Google does not comply with the administrative order within the time period granted, the penalty amount can increase to a maximum of one million euros. Furthermore, Google is obliged to destroy the payload data it has collected in the Netherlands within four weeks. Read the Dutch press release and the relevant documents (only in Dutch)."
Declan McCullagh, Chief political correspondent, CNET: How police have obtained iPhone, iPad tracking logs
Information Security Oversight Office’s (ISOO) Report to the President for Fiscal Year (FY) 2010: "This report provides information on the status of the security classification program as required by Executive Order 13526, “Classified National Security Information” (the Order). It provides statistics and analysis concerning key components of the system, primarily classification and declassification, and coverage of ISOO’s reviews. It also contains information with respect to industrial security in the private sector as required by Executive Order 12829, as amended, “National Industrial Security Program.” FY 2010 was a notable year for the security classification program. The initial implementation of Executive Order 13526 began in earnest and remains ongoing. To comply with your direction that a government-wide implementing directive be issued within 180 days, we led an interagency working group that developed 32 C.F.R. Part 2001 which became effective and binding on all appropriate Executive branch agencies on June 25, 2010. However, we are concerned about delays in the issuance of agency regulations implementing the Order. Despite the preparation of agency drafts and the completion of our review last Fall, many agencies failed to issue their regulations in final form by December 2010 and many have yet to issue them as of the date of this letter [April 15, 2011]."
News release: "Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the "Verizon 2011 Data Breach Investigations Report." These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices. The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action. The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant."
"The Solicitor General filed a petition with the Supreme Court about the growing dispute in the federal courts over warrantless locational tracking. There is a split among the appellate courts about GPS tracking by police agencies. The petition appeals a decision from the DC Circuit which held that the warrantless tracking of a motor vehicle violates the Constitutional right against unlawful searches. Earlier, EPIC filed an amicus brief in the Massachusetts Supreme Judicial Court case that also held that a warrant is required for the use of a GPS tracking device. For more information, see EPIC - Commonwealth v. Connolly and EPIC - Locational Privacy."
EU: "77% of 13-16 year olds and 38% of 9-12 year olds in the EU have a profile on a social networking site, according to a pan-European survey carried out for the European Commission. Yet, a quarter of children who use social networking sites like Facebook, Hyves, Tuenti, Nasza-Klasa, SchuelerVZ, Hi5, Iwiw or Myvip say their profile is set to "public" meaning that everyone can see it, and many of these display their address and/or phone number. The figures highlight the importance of the European Commission's upcoming review of the implementation of the Safer Social Networking Principles for the EU. This agreement was brokered by the Commission in 2009 (IP/09/232) when major social networking companies agreed to implement measures to ensure the online safety of their under-18 users. Children's safety online is an important part of the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200)."
"On 15 April 2011, the European Data Protection Supervisor (EDPS) adopted an opinion on the Commission's proposal aimed at revising the financial rules applicable to the annual budget of the European Union ("EU Financial Regulation"). The proposal covers several matters which involve the processing of personal data by the EU institutions and by entities at Member State level. One of the most significant new elements introduced by the proposal is the possibility to publish decisions on administrative and financial penalties. Such publication would entail the disclosure of information about the person concerned in an identifiable way. The EDPS believes that this provision does not meet the requirements of data protection law. To better comply with data protection rules, it should be improved by explicitly indicating the purpose for the disclosure and by ensuring the consistent application of the possibility of what is in fact naming and shaming of persons, with use of clear criteria to demonstrate the necessity of the disclosure."
"The Federal Trade Commission today told a House subcommittee that millions of consumers are victims of identity theft each year at a cost of billions of dollars and countless hours of consumers’ time to repair the damage. In testimony before the House Ways and Means Committee’s Social Security Subcommittee, the agency said helping protect consumers from ID theft and deal with its consequences is a critical part of the FTC’s consumer protection mission. In the testimony, the FTC recommended legislation to help mitigate the identity theft problem by making Social Security numbers less useful to identity thieves and making the numbers harder to access."
Via EPIC: "Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capital One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data."
Symantec Internet Security Threat Report Trends for 2010, Volume 16, Published April 2011
IDG News Service - "Pandora and possibly other makers of popular smartphone applications are being questioned by a federal grand jury about their privacy practices. In a filing with the U.S. Securities and Exchange Commission on Monday, Pandora said that early this year it was served with a subpoena to produce documents in connection with a federal grand jury "which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms," it said. The company also wrote that it believes similar subpoenas were issued to publishers of numerous other smartphone applications. Pandora was informed that it is not a specific target of the investigation, it said. Pandora has been the subject of class-action lawsuits charging it with violating computer privacy laws."
"Federal Trade Commission Chairman Jon Leibowitz today issued the FTC’s 2011 Annual Report at the American Bar Association’s Section of Antitrust Law Spring Meeting in Washington, DC, highlighting the agency’s continued efforts to protect financially distressed consumers and promote competition during the economic downturn."
News release: "Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States."
Via EFF: "Your cell phone company knows everywhere you go, twenty-four hours a day, every day. How concrete is this fact for you? It's very concrete for Malte Spitz, a German politician and privacy advocate. He used German privacy law — which, like the law of many European countries, gives individuals a right to see what private companies know about them — to force his cell phone carrier to reveal what it knew about him. The result? 35,831 different facts about his cell phone use over the course of six months. As the German newspaper website Zeit Online reports:
Privacy Impact Assessment for the Use of Unidirectional Social Media Applications Communications and Outreach, March 8, 2011. Kathleen McShea, Director of New Media and Web Communications, Office of Public Affairs, Department of Homeland Security
"EPIC asked a federal court in Washington, DC to reconsider its earlier decision allowing the Department of Homeland Security to keep secret 2,000 airport body scanner images in EPIC's Freedom of Information Act lawsuit. The Court relied on a legal theory in its decision, "Exemption High b(2)," that was recently struck down by the Supreme Court in Navy v. Milner. In Milner, the Court held that FOIA exemption 2 only applies to records concerning employee relations and human resources issues. Milner overturns previous lower court decisions that applied the exemption to broader categories of records, allowing federal agencies to block disclosure of documents to the public. EPIC argues in its motion that the Department of Homeland Security is unlawfully withholding information about the airport scanners from the public. For more information, see EPIC-Milner v. Dept. of Navy and EPIC v. DHS - Body Scanners."
Smartphone Security - Survey of U.S. consumers, Ponemon Institute© Research Report, Sponsored by AVG Technologies, Independently conducted by Ponemon Institute LLC, Publication Date: March 2011
EPIC: "Judge Denny Chin struck down a proposed settlement between Google and copyright holders that would have imposed significant privacy risks on e-book consumers. Google's proposal would have entitled the company to collect each users' search queries as well as the titles and page numbers of the books they read. In a February 2010 hearing before the Court, EPIC President Marc Rotenberg explained EPIC Press Release: EPIC Urges Court To Reject Google Books Settlement; EPIC: Google Books Settlement and Privacy."
News release: "In testimony before the Senate Committee on Commerce, Science and Transportation, the Federal Trade Commission discussed its efforts to protect consumer privacy through enforcement actions, consumer education, and policy initiatives like the FTC staff’s recent preliminary privacy report. The report proposes a framework to balance consumer privacy with industry innovation by: 1) building privacy protections into everyday business practices (“privacy-by-design”); 2) simplifying privacy choices for consumers; and 3) improving transparency with clearer, shorter privacy notices. The Commission told Congress that industry stakeholders have made important progress in implementing Do Not Track, a mechanism proposed in the staff's preliminary privacy report last December that would allow consumers to choose not to have their Internet browsing tracked by third parties. The testimony noted that two of the major Internet browsers – Microsoft and Mozilla – “have recently announced the development of new choice mechanisms for online behavioral advertising that seek to provide increased transparency, greater consumer control, and improved ease of use.”"
EPIC: "In a hearing before the House Oversight Subcommittee on National Security, EPIC urged Congress to suspend the use of airport body scanners for primary screening. EPIC said the devices were not effective and were not minimally intrusive, as courts have required for airport searches. EPIC cited TSA documents obtained in EPIC's FOIA lawsuit which showed that the machines are designed to store and transfer images, and not designed to detect powdered explosives. EPIC was joined on the panel by radiation expert Dr. David Brenner, who has frequently pointed out the radiation risks created by these machines. The TSA, which is a federal agency funded by taxpayer dollars and responsible for the body scanner program, originally refused to testify at hearing. Eventually they showed up. Chairman Jason Chaffetz, who had previously sponsored a bill regarding body scanners, grilled the TSA officials and said the hearing would continue with more questions. For more information see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS."
News release: "The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors."
News release: "For the first time, industry groups and civil liberties interests have come together to advocate a comprehensive, common approach to cybersecurity. That approach is reflected in today's release of a cybersecurity white paper that rejects government mandates and advocates for a stronger partnership between industry and government. The 20-page white paper is a joint release from CDT, U.S. Chamber of Commerce, Business Software Alliance, TechAmerica, and the Internet Security Alliance."
News release: "The Federal Trade Commission today released the list of top consumer complaints received by the agency in 2010. The list showed that for the 11th year in a row, identity theft was the number one consumer complaint category. Of 1,339,265 complaints received in 2010, 250,854 – or 19 percent – were related to identity theft. Debt collection complaints were in second place, with 144,159 complaints. The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Inspector General of the Department of Homeland Security released a report finding that the agency's contract files did not "contain sufficient evidence of justification and approval, market research, and acquisition planning" for the $1.3 billion dollars in noncompetitive contracts the agency entered into in fiscal year 2010. The noncompetitive process raises doubts that the agency secured the "best possible value" for the goods and services and that the contracts were awarded to "eligible and qualified vendors." The IG recommended that the agency’s Chief Procurement Officer pursue corrective action plans. EPIC previously criticized the agency’s contracting practices regarding whole body scanners. For related information see EPIC: EPIC v. DHS: Body Scanners (Suspend the Program) and EPIC: EPIC v. DHS (FOIA)."
News release: AeroVironment Develops World’s First Fully Operational Life-Size Hummingbird-Like Unmanned Aircraft for DARPA
2010 Internet Crime Report, The Internet Crime Complaint Center (IC3), February 2011
"EFF just received documents in response to a 2-year old FOIA request for information on the FBI’s "Going Dark" program, an initiative to increase the FBI's authority in response to problems the FBI says it's having implementing wiretap and pen register/trap and trace orders on new communications technologies. The documents detail a fully-formed and well-coordinated plan to expand existing surveillance laws and develop new ones. And although they represent only a small fraction of the documents we expect to receive in response to this and a more recent FOIA request, they were released just in time to provide important background information for the House Judiciary Committee’s hearing [February 17, 2011] on the Going Dark program."
News release: "The Federal Trade Commission, the nation’s consumer protection agency, released tips to help people protect their personal information while they use public wireless networks – Wi-Fi hotspots in coffee shops, libraries, airports, hotels, universities, and other public places. While convenient, public Wi-Fi networks often are not secure. When using wireless networks, it’s best to send only personal information that is encrypted – either by an encrypted website or a secure network. Encryption scrambles information sent over the internet into a code so that it’s not accessed by others. An encrypted website protects only the information sent to and from that site. A secure wireless network encrypts all the information sent over it. To determine if a website is encrypted, look for https at the beginning of the web address (the “s” is for secure), and a lock icon at the top or bottom of the browser window. Some websites use encryption only on the sign-in page, but if any part of the session isn’t encrypted, the entire account could be vulnerable. Look for https and the lock icon throughout the site, not just at sign in."
10 Conservative Principles for Cybersecurity Policy, by Paul Rosenzweig, George Washington University School of Law; Posted February 10, 2011
Official Google Blog: "Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples...that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information...2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page."
EPIC: "In Pineda v. Williams-Sonoma, the California Supreme Court has determined that merchants may not require credit card customers to provide ZIP codes. In a unanimous decision, the Court found that ZIP codes are "personal identification information" under the state Credit Card Act of 1971. In the Pineda case, the customer believed that providing an SSN was necessary to complete a credit card transaction. The merchant subsequently used the SSN to determine the customer's home address. The California court said that the Credit Card Act "intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction." For more information, see EPIC - Social Security Numbers and EPIC - Reidentification."
"The Digital Signage Federation (DSF), a professional membership association, announced today the release of new industry standards for digital signage privacy. The “Digital Signage Privacy Standards” are a set of voluntary privacy guidelines recommended by DSF for digital signage companies, their partners and the venues that host these systems....The DSF Standards Committee is comprised of eight members from different sectors of the industry, and is chaired by Ken Goldberg, CEO of Real Digital Media. Harley Geiger, a committee member and Policy Counsel at the Center for Democracy & Technology, was instrumental in leading the effort to develop policies that safeguard consumer privacy and preserve the public’s trust in the digital signage industry. Subsequently, the Digital Signage Privacy Standard includes strong principles in the following categories:
EPIC: "Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication," rather than traditional CAPTCHA, to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy."
State Cyberbullying Law - A Brief Review of State Cyberbullying Laws and Policies, Sameer Hinduja, Ph.D. and Justin W. Patchin, Ph.D., Cyberbullying Research Center, updated January 2011
Emerging Legal Issues in Social Media: In Part 1 of his commentary, Ken Strutin discusses how the growth of social media and social networking applications has permeated and extended the range of legal investigation, discovery and litigation. The materials he highlights represent a current sampling of notable developments in law enforcement, law practice, civil and criminal litigation, and technology's influence on human behavior.
News release: "The Center for Democracy & Technology today released a proposal that sketches the parameters of what Do Not Track (DNT) means. The document is intended to identify the types of behaviors that DNT should prohibit, and jumpstart a discussion aimed at developing a common understanding of the terms of this emerging technology. The concept of DNT technology is gaining momentum; however, definitions underlying the technology—such as what "tracking" actually means—are still in flux...CDT suggests the following definition for "tracking" in the context of Do Not Track:
"Privacy International, EPIC, and the Center for Media and Communications Studies (CMSC) released European Privacy and Human Rights (EPHR) 2010, a report investigating the scope of privacy and data protection laws in Europe. The study includes 33 individual reports covering issues from privacy enforcement to ID cards, biometrics, data-sharing and video surveillance. The study ranks privacy protections across the European Union (EU). An interactive map is available. The EPHR is based on EPIC's report Privacy & Human Rights: An International Survey of Privacy Laws and Developments."
Via FAS: China: Student Informant System to Expand, Limiting School Autonomy, Free Expression (U//FOUO - "Unclassified // For Official Use Only"), 23 November 2010, CIA-DI-10-05021 [This report was prepared by the Open Source Works, which was charged by the Director for Intelligence with drawing on language-trained analysts to mine open-source information for new or alternative insights on intelligence issues.]
National Journal: Google and Mozilla both announced that they will be adding "do-not-track" options to their Internet browsers, allowing users to prevent websites from gathering personal information and selling it to advertisers. Mozilla announced its plan Sunday with Google following suit Monday. According to a company statement, Google's "Keep My Opt-Outs" feature will be available as an extension for download on its Chrome browser Monday. "We made available, for all major browsers, a downloadable browser plugin that enables you to permanently opt out of Google's advertising cookie, even if you deleted all your browser's cookies," according to the statement. Mozilla's Firefox version will be an HTTP header that will tell websites that a user wants to opt out of what's called "online behavioral advertising." "The advantages to the header technique are that it is less complex and simple to locate and use, it is more persistent than cookie-based solutions, and it doesn't rely on users' finding and loading lists of ad networks and advertisers to work," Mozilla technology and privacy officer Alex Fowler wrote in a blog post Sunday. Microsoft announced a similar feature for its Internet Explorer in December.
UK Home Office: "The Government began the process of scrapping identity cards by introducing the Identity Documents Bill to Parliament on 26 May 2010. The Bill made provision for the cancellation of the UK National Identity Card, the Identification Card for EEA nationals and the destruction of the National Identity Register. This Bill has completed the parliamentary process and the Identity Documents Act 2010 received Royal Assent on 21 December 2010. In line with the terms of the Act, identity cards ceased to be valid legal documents for the purposes of confirming identity, age or for travel in Europe on 21 January 2011. Under the terms of the Act the National Identity Register will be destroyed within two months of the Act coming into force. This means all personal information supplied during the process of applying for an identity card, including photographs and fingerprints, will be destroyed by 21 February 2011. Refunds will not be provided and identity card holders are not required to return the card to IPS. As the card will cease to be a legal document, if you have an identity card you should consider securely destroying it. If you choose to retain your identity card, you should ensure that it is kept in a safe and secure place. The statutory post of Identity Commissioner, set up under the Identity Cards Act 2006 to provide independent oversight of the National Identity Service, is also terminated under the terms of the Act."
Domestic Intelligence: New Powers, New Risks [released 01/18/11], by Emily Berman - Counsel in the Liberty and National Security Program at the Brennan Center for Justice
EPIC: "The Supreme Court has issued a decision in NASA v. Nelson, a case brought by NASA scientists who argued that the government's invasive background checks violated the Constitution. The Supreme Court found amicus brief, cosigned by 27 technical experts and legal scholars, which highlighted problems with the Privacy Act, including the "routine use" exception, security breaches, and the agency's authority to carve out its own exceptions. For more information, see EPIC: NASA v. Nelson."
Gibson Dunn 2010 Year-End Electronic Discovery and Information Law Update: "Calls for Reform Reach Crescendo. Sanctions Granted Less Frequently. Government's Duties Clarified. No Reasonable Expectation of Privacy In Social Media."
McIntyre, Joshua J., The Number is Me: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011.
Follow up to previous postings on government implementation of whole body scanning technology at airports, this News release: "A federal district court has granted the Department of Homeland Security's motion to conclude one of EPIC's Freedom of Information Act lawsuits. EPIC was seeking more than 2,000 images generated by airport body scanners held by the TSA. The DHS objected to the disclosure and the court sided with the government. The court relied on a legal theory, "Exemption High (b)(2)" that is currently under review by the Supreme Court in Milner v. Dept. of Navy. As a result of this lawsuit, EPIC obtained many documents concerning the airport screening program, including Procurement Specifications, Operational Requirements, traveler complaints, and vendor contracts with L3 and Rapiscan, that were subsequently made available to the public. EPIC may appeal the district court's decision as to the release of the body scanner images. For more information see EPIC: EPIC v. DHS and EPIC: Body Scanners."
"On January 10, 2011, the EastWest Institute released a report detailing the results of the First Worldwide Cybersecurity Summit: Protecting the Digital Economy, and outlining the cybersecurity initiative’s next steps as it prepares for the Second Worldwide Cybersecurity Summit in London on June 1-2. At the summit, held from May 3 to 5, 2010 in Dallas, Texas, EWI brought together over 400 technical experts, policy elites and national security officials from the Cyber40, an informal grouping of the world’s most digitally-advanced countries—among others, the United States, China, India, Russia and Estonia. Participants worked to identify problems facing crucial sectors of the Internet, such as financial services and essential government services, and forge concrete solutions to protect the world’s digital infrastructure."
News release: "At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt announced plans to create a National Program Office to help foster an environment in which sensitive online transactions can be carried out with greater levels of trust. The National Program Office, to be established within the Department of Commerce, would coordinate federal activities needed to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for consumers. The national office would serve as the point of contact to bring the public and private sectors together to meet this challenge."
News release: "National Taxpayer Advocate Nina E. Olson today released her annual report to Congress, identifying the need for tax reform as the number one priority in tax administration. The Advocate expressed continuing concern that the IRS’s increasing use of hard-core enforcement actions, particularly tax liens, is inflicting unnecessary harm on financially struggling taxpayers. The report also examines challenges the IRS is facing in implementing the new health care law."
PEOPLE v. DIAZ, Criminal Appeal, Start Date: 09/09/2008. Opinion issued - Petition for review after the Court of Appeal affirmed a judgment of conviction of a criminal offense. This case presents the following issues: (1) Was defendant's cell phone an item "immediately associated with the person of the arrestee" within the meaning of United States v. Edwards (1974) 415 U.S. 800, and thus subject to search incident to his arrest? (2) Was the warrantless search of the cell phone an hour and a half after the arrest, while defendant was being interrogated, invalid under United States v. Chadwick (1977) 433 U.S. 1? The court ordered briefing deferred pending the decision of the United States Supreme Court in Arizona v. Gant, No. 07-542, cert. granted Feb. 25, 2008, __ U.S. __ [128 S.Ct. 1443, 170 L.Ed.2d 274], or further order of this court."
WaPo: As outrage over screenings rises, sites consider replacing TSA - "For airports, the change isn't about money. At issue, airport managers and security experts say, is the unwieldy size and bureaucracy of the federal aviation security system. Private firms may be able to do the job more efficiently and with a personal touch, they say. Airports that choose private screeners must submit the request to the TSA. There are no specific criteria for approval, but federal officials can decide whether to grant the request "based on the airport's record of compliance on security regulations and requirements." The TSA pays for the cost of the screening and has the final say on which company gets the contract. Rep. John L. Mica (R-Fla.), the incoming chairman of the House Transportation and Infrastructure Committee, has written to 200 of the nation's largest airports, urging them to consider switching to private companies. The TSA was "never intended to be an army of 67,000 employees," he said."
WikiLeaks And The New Corporate Disclosure Crisis - Stephanie Nora White and Rebecca Theim: "If the scandals that have plagued corporate America in the past two years haven't gotten you thinking about your own company's vulnerabilities, then the latest revelations out of WikiLeaks certainly should. In an interview with Forbes' Andy Greenberg, WikiLeaks founder Julian Assange declared that half the documents that have been fed to the organization are from corporations, and that sometime early next year his organization plans what presumably will be the first of many corporate disclosures. It will begin with information about one of the nation's leading banks. The target is rumored to be Bank of America, and the bank's stock tumbled 3% shortly after the rumors were publicized. Got your attention now? WikiLeaks is promising to give a voice to the disenfranchised, disgusted and disillusioned within Corporate America, those who have knowledge of company behavior ranging from distasteful to criminal. "Companies turn people into leakers by their failure to listen, look and respond," says business consultant and author Margaret Heffernan, whose forthcoming book, Willful Blindness: Why We Ignore the Obvious at Our Peril, will tackle the issue. In other words, it will no longer be a company's general counsel who will decide if and when something is disclosed to the public. Now, it's any insider with a flash drive who's troubled or disgruntled by an organization's conduct. And the types of information WikiLeaks is disclosing can be more damaging--and memorable--than a traditional corporate crisis."
Washington Post: Auditors question TSA's use of and spending on technology: "The massive push to fix airport security in the United States after the attacks of Sept. 11, 2001, led to a gold rush in technology contracts for an industry that mushroomed almost overnight. Since it was founded in 2001, the TSA has spent roughly $14 billion in more than 20,900 transactions with dozens of contractors. In addition to beefing up the fleets of X-ray machines and traditional security systems at airports nationwide, about $8 billion also paid for ambitious new technologies. The agency has spent about $800 million on devices to screen bags and passenger items, including shoes, bottled liquids, casts and prostheses. For next year, it wants more than $1.3 billion for airport screening technologies. But lawmakers, auditors and national security experts question whether the government is too quick to embrace technology as a solution for basic security problems and whether the TSA has been too eager to write checks for unproven products."
Follow up to FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers, this news from Gallup: "U.S. Internet users would likely welcome a "Do Not Track" measure like the one the Federal Trade Commission is currently considering to keep advertisers from tracking their movements online. Gallup finds Internet users largely aware that advertisers use their online browsing history to target ads to their interests, but largely opposed to such tactics -- even if they help to keep websites free...The results, from a USA Today/Gallup poll conducted Dec. 10-12, 2010, come as the Federal Trade Commission considers a measure that would allow Internet users to essentially opt out of online tracking, as they do with the telemarketing "Do Not Call" list. AdWeek in a recent editorial said such a measure would amount to an "apocalypse" for online advertisers, particularly for the fast-growing $1.1 billion industry that relies on these tactics to target content to users."
"The United States Court of Appeals for the District of Columbia Circuit has scheduled oral argument in EPIC's case, No. 10-1157, against the Department of Homeland Security. The court set a March 10, 2011 date for the parties to present oral argument before the Court. EPIC filed suit against the Department of Homeland Security to suspend the body scanner program because it is "unlawful, invasive, and ineffective." In its opening brief, EPIC argued that the federal agency has violated the Administrative Procedures Act, the Privacy Act, the Religious Freedom Restoration Act, the Video Voyeurism Prevention Act, and the Fourth Amendment. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology."
WSJ: "More than half the smartphone apps tested by The Wall Street Journal sent a serial-number-like identifier for the phone to tracking companies. Some tracking companies use these IDs to create profiles of cellphone users for marketing purposes. The use of these identifiers poses a greater risk than tracking technologies typically used on PC Web browsers, said Heng Xu, an assistant professor of information sciences and technology at Pennsylvania State University. This is because the numbers are difficult or impossible to delete and can be tied to other data, like a person’s location at a given moment, she said."
"Few devices know more personal details about people than the smartphones in their pockets: phone numbers, current location, often the owner's real name—even a unique ID number that can never be changed or turned off. These phones don't keep secrets. They are sharing this personal data widely and regularly, a Wall Street Journal investigation has found. An examination of 101 popular smartphone "apps"—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders."
News release: "The Department of Commerce today issued a report detailing initial policy recommendations aimed at promoting consumer privacy online while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth. The report outlines a dynamic framework to increase protection of consumers’ commercial data and support innovation and evolving technology. The Department is seeking additional public comment on the plan to further the policy discussion and ensure the framework benefits all stakeholders in the Internet economy."
News release: "An estimated 11.7 million persons, representing five percent of all persons age 16 or older in the United States, were victims of identity theft during the two years prior to being surveyed in 2008, the Bureau of Justice Statistics (BJS) announced today. The financial losses due to the identity theft totaled more than $17 billion. Identity theft was defined in the survey as the attempted or successful misuse of an existing account, such as a debit or credit account, misuse of personal information to open a new account, or misuse of personal information for other fraudulent purposes, such as obtaining government benefits. Approximately 6.2 million victims (three percent of all persons age 16 or older) experienced the unauthorized use or attempted use of an existing credit card account, the most prevalent type of identity theft. An estimated 4.4 million persons reported the misuse or attempted misuse of a banking account, such as a debit, checking or savings account. Another 1.7 million persons experienced the fraudulent misuse of their information to open a new account, and about 618,900 persons reported the misuse of their information to commit other crimes, such as fraudulently obtaining medical care or government benefits or providing false information to law enforcement during a crime or traffic stop. About 16 percent of all victims (1.8 million persons) experienced multiple types of identity theft during the two-year period."
Follow up to postings on Wikileaks, news of a Hearing on the Espionage Act and the Legal and Constitutional Issues Raised by WikiLeaks, Thursday 12/16/2010.
EPIC: "December 10 marks the United Nation's annual International Human Rights Day, which celebrates the signing of the Universal Declaration of Human Rights. The Declaration sets forth universal privacy rights in Article 12 and rights to freedom of expression in Article 19. The Declaration's importance and influence is recognized in the U.S. State Department's annual Human Rights Reports. In 2009, the Public Voice published the Madrid Privacy Declaration, which affirmed these international rights to privacy and free and open expression. You can find more information and resources through the U.N. Dag Hammarskjöld Library's Human Rights Day page."
Changes in Airport Passenger Screening Technologies and Procedures: Frequently Asked Questions, Bart Elias, Specialist in Aviation Policy, November 23, 2010
Holiday Shopping Tips: "This holiday season the FBI reminds shoppers that cyber criminals aggressively create new ways to steal money and personal information. Scammers use many techniques to fool potential victims, including conducting fraudulent auction sales, reshipping merchandise purchased with stolen credit cards, and selling fraudulent or stolen gift cards through auction sites at discounted prices...If you have received a scam email, please notify the IC3 by filing a complaint at http://www.IC3.gov. For more information on e-scams, please visit the FBI's New E-Scams and Warnings webpage at http://www.fbi.gov/cyberinvest/escams.htm."
Google: "...we’re releasing a white paper, Enabling Trade in the Era of Information Technologies: Breaking Down Barriers to the Free Flow of Information, that explores the ways that governments impose limits on the free flow of information online. It’s pretty wonky stuff, but the premise is simple: In addition to infringing human rights, governments that block the free flow of information on the Internet are also blocking trade and economic growth. Over the last two decades, the Internet has delivered tremendous economic and trade benefits. It has driven record increases in productivity, spurred innovation, created new economies, and fueled international trade. In part this is because the Internet makes geographically distant markets easy to reach. But this engine of economic growth is increasingly coming under attack. According to one study, more than forty governments now engage in broad-scale restriction of online information. Governments are blocking online services, imposing non-transparent regulation, and seeking to incorporate surveillance tools into their Internet infrastructure. These are the trade barriers of the 21st century economy...we urge policymakers in the United States, European Union and elsewhere to take steps to break down barriers to free trade and Internet commerce. These issues present challenges, but also an opportunity for governments to align 21st century trade policy with the 21st century economy."
EPIC: "A new poll by Zogby International finds that 61% of Americans polled between Nov. 19 and Nov. 22 oppose the use of full body scans and TSA pat downs. Of those polled, 52% believe the enhanced security measures will not prevent terrorist activity, almost half (48%) say it is a violation of privacy rights, 33% say they should not have to go through enhanced security methods to get on an airplane, and 32% believe the full body scans and TSA pat downs to be sexual harassment. The Zogby Poll is the most recent survey of American opinion on the new airport screening procedures. Combined with earlier polls by USA Today and the Washington Post-ABC News, the Zogby Poll reflects declining support for the TSA program."
News release: "The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking... This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough...Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly."
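The Firesheep weakness the release describes is a site that encrypts the login page but then sends the session cookie over plain HTTP, where anyone on the same network can read and replay it. The two server-side controls that close that gap are the `Secure` attribute on session cookies (the browser never sends them over http://) and a Strict-Transport-Security header (the browser upgrades every later request to https://). The following audit script is an added example and is not EFF's code or part of HTTPS Everywhere; the sample responses, the cookie-name heuristic in `SESSION_HINTS` and the function names are constructed for illustration.

```python
"""Audit HTTP response headers for the weaknesses Firesheep exploited.

Added example, not EFF's code. Flags session cookies that lack Secure or
HttpOnly and responses that lack Strict-Transport-Security. The sample
responses at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lower-cased attribute names

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


# Assumed heuristic: cookie names that usually carry a session identifier.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a response given as (header-name, value) pairs.

    An empty list means no Firesheep-class weakness was found.
    """
    findings: List[str] = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie = parse_set_cookie(value)
            if not looks_like_session_cookie(cookie.name):
                continue
            if not cookie.secure:
                findings.append(f"session cookie {cookie.name!r} lacks Secure: "
                                "browser will send it over plaintext HTTP")
            if not cookie.httponly:
                findings.append(f"session cookie {cookie.name!r} lacks HttpOnly: "
                                "readable by injected script")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header: the first request "
                        "after typing the domain may go over HTTP")
    return findings


# Constructed samples: a response of the kind Firesheep targeted, and a hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),  # not a session cookie, so not flagged
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["OK"])
```

Run against real headers by feeding the pairs from `http.client` or `requests` into `audit_response`; the weak sample yields three findings and the hardened one none, which is the state an operator following EFF's HTTPS guide should end up in.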
Follow up to previous postings on government implementation of whole body scanning technology at airports, this news release: "The Air Line Pilots Association, Int’l (ALPA), welcomed the Transportation Security Administration (TSA) announcement of expedited screening for airline pilots as important action to move the nation toward a threat-based strategy that focuses security resources where the risk is highest and away from a one-size-fits-all approach...ALPA proposed the creation of a highly secure and effective security screening system that would quickly and accurately verify the identity and employment status of active airline pilots. As a result, ALPA’s Crew Personnel Advanced Screening System (CrewPASS) program would identify individual pilots as trusted and, as a result, enhance the overall security of air travel and reduce passenger delays. In [the November 19, 2010] announcement, the TSA acknowledged ALPA for developing the CrewPASS concept and committed to phasing in CrewPASS nationally. The CrewPASS system is currently operating at Baltimore-Washington Thurgood Marshall International, Pittsburgh International, and Columbia Metropolitan airports."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via National Journal, "The Transportation Security Administration is working to create an alternative screening process for pilots, the agency's chief said this morning, amid mounting protests by airline pilots over new airport scanners criticized as invasive and hazardous to health due to radiation exposure."
"The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals." Snipped from November 3, 2010 letter from ICO to Global Privacy Counsel, Google France: "My office now understands that GSV (Google Street View) cars driving in the UK before May 2010 were equipped with the same equipment as the GSV cars in countries where regulators found some instances where entire emails and URLs were captured, as well as passwords. As such, my office believes that while most of the payload data gathered from the UK is fragmentary, in some instances it is possible that entire emails and URLs were captured, as well as passwords. It is my view that the collection of this information is a serious breach of the first data protection principle..."
2010 HIMSS Security Survey Sponsored by Intel, Final Report, November 3, 2010
News release: "Federal Trade Commission Chairman Jon Leibowitz [November 4, 2010] announced the appointment of Edward W. Felten as the agency’s first Chief Technologist. In his new position, Dr. Felten will advise the agency on evolving technology and policy issues. Dr. Felten is a professor of computer science and public affairs and founding director of the Center for Information Technology Policy at Princeton University. He has served as a consultant to federal agencies, including the FTC, and departments of Justice and Defense, and has testified before Congress on a range of technology, computer security, and privacy issues. He is a fellow of the Association of Computing Machinery and recipient of the Scientific American 50 Award. Felten holds a Ph.D. in computer science and engineering from the University of Washington. Dr. Felten’s research has focused on areas including computer security and privacy, especially relating to consumer products; technology law and policy; Internet software; intellectual property policy; and using technology to improve government."
Sharing Data While Protecting Privacy, November 3, 2010 - The judicious use of accurate and reliable data plays a critical role in initiatives designed to increase the transparency and efficiency of Federal programs and to enhance our capacity to gauge program effectiveness. Sharing data among agencies also allows us to achieve better outcomes for the American public through more accurate evaluation of policy options, improved stewardship of taxpayer dollars, reduced paperwork burdens, and more coordinated delivery of public services. As advances in technology enhance tools for data sharing, Federal agencies can and should seek new approaches for identifying and sharing high-value data responsibly and appropriately. This Memorandum strongly encourages Federal agencies to engage in coordinated efforts to share high-value data for purposes of supporting important Administration initiatives, informing public policy decisions, and improving program implementation while simultaneously embracing responsible stewardship."
News release: "The Federal Trade Commission has a new Business Center at Business.ftc.gov that gives business owners, attorneys, and marketing professionals the tools they need to understand and comply with the consumer protection laws, rules, and guides the FTC enforces. The Business Center provides practical, plain-language guidance about advertising, credit, telemarketing, privacy, and a host of other topics. A series of short videos explain the bottom line about what businesses need to know to comply, and the Business Center blog gives readers the latest compliance tips and information."
Email I received Tuesday evening, 9:49pm ET: "Google rarely contacts Gmail users via email, but we are making an exception to let you know that we've reached a settlement in a lawsuit regarding Google Buzz, a service we launched within Gmail in February of this year. Shortly after its launch, we heard from a number of people who were concerned about privacy. In addition, we were sued by a group of Buzz users and recently reached a settlement in this case. The settlement acknowledges that we quickly changed the service to address users' concerns. In addition, Google has committed $8.5 million to an independent fund, most of which will support organizations promoting privacy education and policy on the web. We will also do more to educate people about privacy controls specific to Buzz. The more people know about privacy online, the better their online experience will be. Just to be clear, this is not a settlement in which people who use Gmail can file to receive compensation. Everyone in the U.S. who uses Gmail is included in the settlement, unless you personally decide to opt out before December 6, 2010. The Court will consider final approval of the agreement on January 31, 2011. This email is a summary of the settlement, and more detailed information and instructions approved by the court, including instructions about how to opt out, object, or comment, are available at http://www.BuzzClassAction.com."
News release: "The Electronic Frontier Foundation (EFF) filed suit against three agencies of the Department of Justice (DOJ) today, demanding records about problems or limitations that hamper electronic surveillance and potentially justify or undermine the Administration's new calls for expanded surveillance powers. The issue has been in the headlines for more than a month, kicked off by a New York Times report that the government was seeking to require "back doors" in all communications systems -- from email and webmail to Skype, Facebook and even Xboxes -- to ease its ability to spy on Americans. The head of the FBI publicly claimed that these "back doors" are needed because advances in technology are eroding agents' ability to intercept information. EFF filed a Freedom of Information Act (FOIA) request with the Federal Bureau of Investigation (FBI), the Drug Enforcement Agency (DEA), and the DOJ Criminal Division to see if that claim is backed up by specific incidents where these agencies encountered obstacles in conducting electronic surveillance."
Geotag, You're It! What Your Smartphone Might Be Saying Behind Your Back, Privacy Rights Clearinghouse, October 18, 2010
Identity Theft Trends, Patterns, and Typologies Reported in Suspicious Activity Reports Filed by Depository Institutions January 1, 2003 – December 31, 2009, released October 2010 by the Financial Crimes Enforcement Network
EPIC: "Following numerous protests around the world, Google has ended its illegal collection of wifi data transmissions. The company, which originally claimed it was not even collecting wifi data, was forced to admit that the practice has been ongoing for three years in more than thirty countries, following an independent investigation initiated by European privacy officials. Investigations are still underway to determine the extent of Google's liability. EPIC wrote to the FCC earlier this year, pointing out that the practice violated US wiretap laws."
News release: "The Federal Trade Commission today told the Equal Employment Opportunity Commission that the Fair Credit Reporting Act (FCRA) imposes requirements on Consumer Reporting Agencies (CRAs) - which include the three major credit bureaus - and on employers that use the information “to ensure that sensitive consumer report information is used with fairness, impartiality, and respect for consumers’ privacy.” Commission testimony given by Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, states that FCRA requirements placed on CRAs and employers are designed to promote privacy, accuracy, and fairness in the use of consumer reports. For example, before giving a consumer report to an employer, the CRA must take reasonable steps to ensure that the employer has a legitimate basis to obtain the report; must inform the employer of his or her obligation to provide certain notices to consumers; and must obtain the employer’s certification that he or she is complying with the FCRA and will not use consumer report information in violation of equal opportunity laws."
News release: "This is National Protect Your Identity Week, and the Federal Trade Commission, the nation’s consumer protection agency, has information to help consumers, businesses, and law enforcement officials safeguard personal information and take action if an identity thief strikes."
State of the Internet 2010: A Report on the Ever-Changing Threat Landscape, CA Technologies Internet Security Business Unit
Internet Security Intelligence Report, October 2010
WSJ: "Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found. The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure. The problem has ties to the growing field of companies that build detailed databases on people in order to track them online—a practice the Journal has been examining in its What They Know series. It's unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information."
EFF: "As noted in our first post, EFF recently received new documents via our FOIA lawsuit on social network surveillance, filed with the help of UC Berkeley’s Samuelson Clinic, that reveal two ways the government has been tracking people online: Citizenship and Immigration’s surveillance of social networks to investigate citizenship petitions and the DHS’s use of a “Social Networking Monitoring Center” to collect and analyze online public communication during President Obama’s inauguration. This is the second of two posts describing these documents and some of their implications. In addition to learning about surveillance of citizenship petitioners, EFF also learned that leading up to President Obama’s January 2009 inauguration, DHS established a Social Networking Monitoring Center (SNMC) to monitor social networking sites for “items of interest.” In a set of slides [PDF] outlining the effort, DHS discusses both the massive collection and use of social network information as well as the privacy principles it sought to employ when doing so."
Escaping the ‘Scrapers’: "The Internet has given rise to a dizzying array of people-search sites and data brokers that gather and compile public information and social-networking profiles. The sites gather information from public sources such as property records and telephone listings, and other information is harvested by “scraping” — or copying — websites where people post information about themselves. The fact that the information is from public records or posted on the Internet generally means that the companies have a right to use it. And many of the firms emphasize that the data will still be available in public records or elsewhere online, even if the information is removed from specific sites. As long as the source of the information remains available, it can simply be scraped again. But determined consumers willing to navigate the maze of companies have some options for requesting that their data be removed from certain sites."
What They Know - interactive graphic: "Marketers are spying on Internet users -- observing and remembering people's clicks, and building and selling detailed dossiers of their activities and interests. The Wall Street Journal's What They Know series documents the new, cutting-edge uses of this Internet-tracking technology. The Journal analyzed the tracking files installed on people's computers by the 50 most popular U.S. websites, plus WSJ.com. The Journal also built an "exposure index" -- to determine the degree to which each site exposes visitors to monitoring -- by studying the tracking technologies they install and the privacy policies that guide their use."
WSJ: "A former Federal Trade Commission employee has filed a complaint with the agency accusing Google Inc. of not adequately protecting the privacy of consumers’ search queries. The complaint was filed September 6 by Christopher Soghoian, who worked until August as a technologist with the FTC’s Division of Privacy and Identity Protection. It calls on the agency to investigate Google and to “compel Google to take proactive steps to protect the privacy of individual users’ search terms.” The complaint alleges Google shares with third parties users’ search queries, including those that contain personal information. In an emailed statement, Google said its passing of search-query data to third parties “is a standard practice across all search engines” and that “webmasters use this to see what searches bring visitors to their websites.” The statement added, “Google does not pass any personal information about the source of the query to the destination website.”"
News release: "The Federal Trade Commission today unveiled a community outreach kit with new resources to help parents and communities keep kids safe online and on their mobile phones. With more than five million copies of the Net Cetera: Chatting with Kids About Being Online guide already in the hands of families across the country, FTC Chairman Jon Leibowitz announced the expanded campaign."
"Biometric recognition--the automated recognition of individuals based on their behavioral and biological characteristics--is promoted as a way to help identify terrorists, provide better control of access to physical facilities and financial accounts, and increase the efficiency of access to services and their utilization. Biometric recognition has been applied to identification of criminals, patient tracking in medical informatics, and the personalization of social services, among other things. In spite of substantial effort, however, there remain unresolved questions about the effectiveness and management of systems for biometric recognition, as well as the appropriateness and societal impact of their use. Moreover, the general public has been exposed to biometrics largely as high-technology gadgets in spy thrillers or as fear-instilling instruments of state or corporate surveillance in speculative fiction. Now, as biometric technologies appear poised for broader use, increased concerns about national security and the tracking of individuals as they cross borders have caused passports, visas, and border-crossing records to be linked to biometric data. A focus on fighting insurgencies and terrorism has led to the military deployment of biometric tools to enable recognition of individuals as friend or foe. Commercially, finger-imaging sensors, whose cost and physical size have been reduced, now appear on many laptop personal computers, handheld devices, mobile phones, and other consumer devices. Biometric Recognition: Challenges and Opportunities addresses the issues surrounding broader implementation of this technology, making two main points: first, biometric recognition systems are incredibly complex, and need to be addressed as such. Second, biometric recognition is an inherently probabilistic endeavor. Consequently, even when the technology and the system in which it is embedded are behaving as designed, there is inevitable uncertainty and risk of error.
This book elaborates on these themes in detail to provide policy makers, developers, and researchers a comprehensive assessment of biometric recognition that examines current capabilities, future possibilities, and the role of government in technology and system development."
News release: "[On September 22, 2010] the Federal Trade Commission told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach. In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC, told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations.
The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted."
Transparency Report: "Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual. We’ve created an interactive map of Government Requests that shows the number of government inquiries for information about users and requests for Google to take down or censor content. We hope this step toward greater transparency will help in ongoing discussions about the appropriate scope and authority of government requests. Our interactive Traffic graphs provide information about traffic to Google services around the world. Each graph shows historic traffic patterns for a given country/region and service. By illustrating outages, this tool visualizes disruptions in the free flow of information, whether it's a government blocking information or a cable being cut. We hope this raw data will help facilitate studies about service outages and disruptions."
EU Passenger Name Record (PNR) External Strategy (9/21/10): "The European Commission adopted today a package of proposals on the exchange of Passenger Name Record (PNR) data with third countries (countries outside the EU), consisting of an EU external PNR strategy and recommendations for negotiating directives for new PNR agreements with the United States, Australia and Canada."
Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid. The Smart Grid Interoperability Panel – Cyber Security Working Group, August 2010
"A Wall Street Journal investigation into online privacy has found that popular children's websites install more tracking technologies on personal computers than do the top websites aimed at adults."
"The Foreign Intelligence Surveillance Act (FISA) authorizes a special court, the Foreign Intelligence Surveillance Court (FISC), to undertake electronic surveillance in the United States for foreign intelligence information. The FISC is now seeking public comments concerning its procedures. Comments must be received by Monday, October 4, 2010. EPIC previously submitted an amicus brief regarding FISA authority and national security. EPIC will be submitting comments to the FISC and endorse changes that improve accountability and transparency for FISA orders."
Views on Genetic Testing: An AARP Bulletin Survey, by: Helen W. Brown, Ph.D., Research & Strategic Analysis: "A large majority of Americans have never been tested for their genetic makeup, according to a recent AARP Bulletin survey. Moreover, most would not consider undergoing genetic testing to find out if they are susceptible to a disease such as Alzheimer’s, cancer, or diabetes. The top reasons why respondents have not had genetic testing include never having given it any thought (63%), the cost (32%), not wanting to know the results (21%), concerned someone else may get the results (20%), and being skeptical of science (12%)."
Official Google Blog: "Long, complicated and lawyerly — that's what most people think about privacy policies, and for good reason. Even taking into account that they’re legal documents, most privacy policies are still too hard to understand. So we’re simplifying and updating Google’s privacy policies. To be clear, we aren’t changing any of our privacy practices; we want to make our policies more transparent and understandable. As a first step, we’re making two types of improvements:
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The United States Court of Appeals for the District of Columbia Circuit has set a briefing schedule for EPIC v. DHS, No. 10-1157, EPIC's challenge to the airport body scanner program. EPIC has alleged that the Department of Homeland Security has violated three federal laws (the Administrative Procedures Act, the Privacy Act, and the Religious Freedom Restoration Act) and that the body scanner search itself is unconstitutional, given what the courts have said about the permissible scope of airport screening procedures. EPIC's initial brief will be due November 1, 2010. Subsequent briefs from DHS and EPIC will be due by December 15, 2010. In earlier open government litigation against DHS, EPIC obtained evidence that the devices are designed to store and record images."
Follow up to previous postings on government implementation of whole body scanning technology at airports, "EPIC has filed an appeal with the Transportation Security Administration, challenging the agency's denial of expedited processing and fee waivers for an EPIC Freedom of Information Act request. EPIC is seeking documents from the TSA concerning full body scanner radiation risks and testing. EPIC challenged the TSA's denial of expedited processing, arguing that by delaying the release of the records, the agency was risking the health of travelers and its own employees. EPIC also argued that the record request was particularly timely, as three US Senators recently wrote to the Department of Homeland Security about the safety of the airport body scanners and the risk to air travelers. Separately, EPIC has urged a federal court to suspend the program, pending an independent review of the health risks and privacy impact."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via Forbes news that "American Science & Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents...While the biggest buyer of AS&E’s machines over the last seven years has been the Department of Defense operations in Afghanistan and Iraq...law enforcement agencies have also deployed the vans to search for vehicle-based bombs in the U.S."
Cleveland.com: "...the city will roll out next year with new trash and recycling carts embedded with radio frequency identification chips and bar codes. The chips will allow city workers to monitor how often residents roll carts to the curb for collection. If a chip shows a recyclable cart hasn't been brought to the curb in weeks, a trash supervisor will sort through the trash for recyclables. Trash carts containing more than 10 percent recyclable material could lead to a $100 fine, according to Waste Collection Commissioner Ronnie Owens. Recyclables include glass, metal cans, plastic bottles, paper and cardboard."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Chairman and Ranking Member of the Homeland Security Committee, along with four other Senators, have sent a letter to the head of the US Marshal Service to ask why the federal agency stored more than 35,000 images from whole body imaging scans taken at the Orlando federal courthouse. The letter follows a Freedom of Information Act lawsuit, filed by EPIC, in which the Marshal Service was forced to disclose the fact that it had stored body scanner images. EPIC has also filed an emergency motion in federal court to suspend the program, pending a thorough review of the airport body scanner program. For more information, see EPIC: Whole Body Imaging Technology and EPIC v. DHS (Suspension of Body Scanner Program)."
An Analysis of Private Browsing Modes in Modern Browsers, by Gaurav Aggarwal and Elie Bursztein, Stanford University; Collin Jackson, CMU; Dan Boneh, Stanford University
Follow up to previous postings on National Security Letters, this news release: "The FBI has partially lifted a gag it imposed on American Civil Liberties Union client Nicholas Merrill in 2004 that prevented him from disclosing to anyone that he received a national security letter (NSL) demanding private customer records. Merrill, who received the NSL as the president of an Internet service provider (ISP), can now reveal his identity and speak about his experience for the first time since receiving the NSL. The ACLU and New York Civil Liberties Union filed a lawsuit challenging the NSL statute and the gag order on behalf of Merrill (then called John Doe) in April 2004, which resulted in numerous court rulings finding the NSL statute unconstitutional. Merrill was the first person ever to challenge an NSL in court...NSLs are secret record demands the FBI issues to obtain access to personal customer records from ISPs, libraries, financial institutions and credit reporting agencies without court approval or even suspicion of wrongdoing. Because the FBI can gag NSL recipients to prohibit them from disclosing anything about the record demands they receive, the FBI's use and potential abuse of the NSL power has been shrouded in excessive secrecy. While the NSL served on Merrill stated that he was prohibited from telling anyone about it, he decided to challenge the demand in court because he believed that the FBI was ordering him to turn over constitutionally protected information about one of his clients. Because of the FBI-imposed gag, Merrill was prohibited from talking about the NSL or revealing his identity and role in the lawsuit until today, even though the FBI abandoned its demand for records from Merrill more than three years ago."
"Google, a company with vast pools of data about us, is moving into the world of highly targeted ads." See this graphic for details covering 1998 to present.
Official Google Blog: "The original architects of the Internet got the big things right. By making the network open, they enabled the greatest exchange of ideas in history. By making the Internet scalable, they enabled explosive innovation in the infrastructure. It is imperative that we find ways to protect the future openness of the Internet and encourage the rapid deployment of broadband. Verizon and Google are pleased to discuss the principled compromise, the Verizon-Google Legislative Framework Proposal, our companies have developed over the last year concerning the thorny issue of “network neutrality.”"
"CDT submits the following chart as an addendum to the written testimony of Leslie Harris, President and Chief Executive Officer of the Center for Democracy and Technology before the House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection on The BEST PRACTICES Act of 2010 and Other Federal Privacy Legislation on July 22, 2010. The chart compares some of the key provisions in both bills, and issues CDT’s recommendations about the approach we believe privacy legislation should take."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC news: "In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of individuals stripped naked. The 100 images are a small sample of more than 35,000 at issue in the EPIC lawsuit. EPIC has pursued a but the DHS refuses to release the images it has obtained. EPIC has also filed suit to stop the deployment of the machines in US airports. For more information, see EPIC Body Scanners and EPIC - EPIC v. DOJ (Marshall Service FOIA)."
2010 Data Breach Investigations Report, A study conducted by the Verizon RISK Team in cooperation with the United States Secret Service
The Web's New Gold Mine: Your Secrets - A Journal investigation finds that one of the fastest-growing businesses on the Internet is the business of spying on consumers. First in a series, by Julia Angwin: "The Journal conducted a comprehensive study that assesses and analyzes the broad array of cookies and other surveillance technology that companies are deploying on Internet users. It reveals that the tracking of consumers has grown both far more pervasive and far more intrusive than is realized by all but a handful of people in the vanguard of the industry."
Pew Internet: Reputation Management and Social Media - How people monitor their identity and search for others online by Mary Madden, Aaron Smith, May 26, 2010
News release: "The National Cyber Security Alliance (NCSA), a public-private partnership focused on educating a digital citizenry to stay safe and secure online, today launched its National Cyber Security Awareness Month Web portal with information on events, activities, promotions and educational materials to be used in preparation for the online safety month to be held in October. Anyone – family, employers, consumers, teachers, and students – interested in online safety is encouraged to access the portal, and all materials are free to use."
[Federal Register: July 28, 2010 (Volume 75, Number 144)] [Notices][Page 44216-44223]: "The Department of Commerce's Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy. The Department seeks comments from all stakeholders, including the commercial, academic and civil society sectors, on measures to improve cybersecurity while sustaining innovation. Preserving innovation, as well as private sector and consumer confidence in the security of the Internet economy, are important for promoting economic prosperity and social well-being overall. In particular, the Department seeks to develop an up-to-date understanding of the current public policy and operational challenges affecting cybersecurity, as those challenges may shape the future direction of the Internet and its commercial use, both domestically and globally. After analyzing comments on this Notice, the Department intends to issue a report that will contribute to the Administration's domestic and international policies and activities in advancing both cybersecurity and the Internet economy."
Exclusive - Google, CIA Invest in ‘Future’ of Web Monitoring, By Noah Shachtman, July 28, 2010: "The investment arms of the CIA and Google are both backing a company that monitors the web in real time — and says it uses that information to predict the future. The company is called Recorded Future, and it scours tens of thousands of websites, blogs and Twitter accounts to find the relationships between people, organizations, actions and incidents — both present and still-to-come. In a white paper, the company says its temporal analytics engine “goes beyond search” by “looking at the ‘invisible links’ between documents that talk about the same, or related, entities and events.” The idea is to figure out for each incident who was involved, where it happened and when it might go down. Recorded Future then plots that chatter, showing online “momentum” for any given event."
News release: "The Federal Trade Commission testified [July 22, 2010] about FTC efforts to protect consumer privacy and commented on legislative proposals to improve privacy protections before the U.S. House Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce. The testimony presented by David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the FTC’s law enforcement actions to hold companies accountable for protecting consumer privacy, focusing on data security, identity theft, children’s privacy, and protecting consumers from intrusive spam, spyware, and telemarketing. The testimony noted that the FTC has brought 28 actions charging businesses with failing to protect consumers’ personal information and 15 actions charging website operators with collecting information from children without parents’ consent. The FTC also has brought 15 spyware cases and dozens of actions challenging illegal spam, including an action against a rogue Internet Service Provider that resulted in a temporary 30 percent drop in spam worldwide. Finally, the FTC has brought 64 actions alleging violations of the Do Not Call Rule, resulting in violators paying almost $40 million in civil penalties and giving up nearly $18 million, including consumer redress."
Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, this news release: "Attorney General Richard Blumenthal today on behalf of the executive committee of a 38-state coalition asked Google whether it tested its Street View software before use -- which should have revealed that the program collected data transmitted over wireless computer networks. Google has acknowledged unauthorized collection of data -- possibly including emails, passwords, web browsing and other confidential information – but called it a mistake. In a letter to Google, Blumenthal also asks whether the company’s program was designed to collect random bits of information broadcast over wireless networks or download specific types of data and whether it has sold or otherwise used technical network information also collected."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "On July 20, 2010, the Department of Homeland Security announced a substantial change in the deployment of body scanners in US airports. According to the DHS Secretary, the devices, which had once been part of a pilot program for secondary screening, will now be deployed in 28 additional airports. The devices are designed to capture and store photographic images of naked air travelers. EPIC has filed an emergency motion in federal court, urging the suspension of the program and citing violations of several federal statutes and the Fourth Amendment. Public opposition to the program is also growing."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "Today, EPIC filed a reply in its case against the Department of Homeland Security, EPIC v. DHS, 10-1157. EPIC had previously filed a petition and motion for emergency stay, asking the court to suspend the use of the machines. EPIC argued that the use of body scanners for primary screening in U.S. airports violates several federal laws and the Fourth Amendment. In its reply to the government's motion, EPIC also cited the growing public opposition to the program, the decision of major airports not to use body scanners, as well as the agency's failure to adequately address Constitutional concerns."
"EPIC Executive Director Marc Rotenberg testified [July 15, 2010] before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies."
Unleashing the Wireless Broadband Revolution: "Expanded wireless broadband access will trigger the creation of innovative new businesses, provide cost-effective connections in rural areas, increase productivity, improve public safety, and allow for the development of mobile telemedicine, telework, distance learning, and other new applications that will transform Americans' lives. Spectrum and the new technologies it enables also are essential to the Federal Government, which relies on spectrum for important activities, such as emergency communications, national security, law enforcement, aviation, maritime, space communications, and numerous other Federal functions. Spectrum is also critical for many State, local, and tribal government functions. As the wireless broadband revolution unfolds, innovation can enable efficient and imaginative uses of spectrum to maintain and enhance the Government's capabilities. In order to achieve mobile wireless broadband's full potential, we need an environment where innovation thrives, and where new capabilities also are secure, trustworthy, and provide appropriate safeguards for users' privacy. These characteristics will continue to be important to the adoption of mobile wireless broadband."
EPIC: "The White House has announced a new "Clear Notice and Personal Choice" policy for the use of Web Measurement and Customization Technologies for government web sites. The policy is remarkable in that there does not appear to be any legal basis to allow federal agencies to routinely disclose personal information of citizens to private companies. The policy is accompanied by new Guidance for Agency Use of Third-Party Websites and Applications. The White House also announced a National Strategy for Trusted Identities in Cyberspace. EPIC had urged the White House to uphold Privacy Act obligations in use of web 2.0 services. For more information, see EPIC - Privacy and Government Contracts with Social Media Companies."
Follow up to Google Launches Encrypted Search in Beta, via the Official Google Enterprise Blog, the announcement that the company moved encrypted search from https://www.google.com to https://encrypted.google.com. "The site functions in the same way. However, if school network administrators decide to block encrypted searches on https://encrypted.google.com, the blocking will no longer affect Google authenticated services like Google Apps for Education."
Legislating Consumer Privacy Online & Off: "Last month, Congressmen Rick Boucher and Cliff Stearns, respectively Chairman and Ranking Member of the House Subcommittee on Communications, Technology and the Internet, released a discussion draft of legislation "to assure the privacy of information about individuals both on the Internet and offline." This is the most significant movement in over half a decade to craft privacy rules for consumers in the digital age."
The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure."
Twitter Settles Charges that it Failed to Protect Consumers’ Personal Information; Company Will Establish Independently Audited Information Security Program: "Social networking service Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the agency’s first such case against a social networking service. The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others."
Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, via Privacy International, "Crime reference number 2318672/10 was today issued by London's Metropolitan Police, marking the commencement of investigations into Google for alleged criminal interception of Wireless communications content. Privacy International, which brought the complaint, has been briefed by police on the likely path the investigation will take. In the first instance police will conduct initial inquiries into the essential facts of the case before deciding which (if any) law may have been breached. In this case PI has brought the action under two laws - the Regulation of Investigatory Powers Act and the Wireless Telegraphy Act. The police will need to seek advice on which legislation to focus on, as each involves a different prosecution process."
Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, via EPIC: "The French National Commission on Computing and Liberty (CNIL) has released preliminary results (French) (English) of the Google Street View investigation in France. According to the CNIL, Google "saved passwords for access to mailboxes" and obtained content of electronic messages. The CNIL is pursuing the investigation to determine whether Google engaged in "unfair and unlawful collection of data" as well as "invasion of privacy and individual liberties." Investigations are now underway in at least 18 countries and five states in the US. EPIC has prepared a preliminary survey of Investigations of Google Street View."
Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, an update via EPIC: "Several state attorneys general have opened investigations of Google, following disclosures that the company captured and stored Wi-Fi data in addition to digital images. These states include Connecticut, Illinois, Massachusetts, Michigan, and Missouri. Maryland and New York are also reported to be pursuing investigations. Connecticut AG Richard Blumenthal described the "driveby data sweeps" of WiFi networks as "deeply disturbing, a potentially impermissible, pernicious invasion of privacy." In a subsequent statement, the Connecticut Attorney General said he will determine the legality of Google's WiFi collection practices. Earlier, EPIC sent a letter to the Federal Communications Commission urging the FCC to determine whether Google may have violated the Wiretap Act and the Communications Act. Google has since grounded its entire Street View fleet and ceased all WiFi data collection. For more information, see EPIC - Investigations of Google Street View."
EPIC: "The Supreme Court has issued a ruling in City of Ontario v. Quon, a case concerning the reasonableness of a search of a public employee's pager. EPIC filed a "friend of the court" brief in the case, arguing that data minimization practices should be followed for electronic searches, and that the search, which uncovered personal texts unrelated to the purpose of the search, was therefore unreasonable. EPIC urged the Supreme Court to apply the approach set out in Comprehensive Drug Testing v. United States, which allows a government agency to undertake appropriate searches without unnecessarily violating privacy interests. The Court ruled that the search was reasonable, reversing the Ninth Circuit's decision that such a search be conducted through the least intrusive means possible. For more information, see EPIC: City of Ontario v. Quon."
EPIC: "International watchdog Privacy International has announced the launch of a new website for bringing transparency to "technical mysteries" behind controversial systems. Cracking the Black Box identifies key questions regarding mysterious technologies and asks experts, whistleblowers, and other concerned parties to "help crack the box" by anonymously contributing ideas and input. The organization responsible for the technology in question is then invited to provide an official response. The first two issues addressed on the PI site are the Google Wi-Fi controversy and the EU proposal to retain search data."
"In formal comments to the California Public Utility Commission, EPIC said that utility customers should control the use of personal information generated by Smart Grid services. EPIC warned that companies will otherwise use the data for purposes not related to electricity delivery, consumption management, or payment. EPIC urged the California Commission to include a requirement that limits the use of personal data by third party providers offering energy management services. The Commission acknowledged EPIC's March 2010 comments and EPIC's April 2010 comments in the proposed California Smart Grid plan. For more information, see EPIC Smart Grid."
Official Google Blog: "When we announced three weeks ago that we had mistakenly included code in our software that collected samples of payload data from WiFi networks, we said we would ask a third party to review the software at issue, how it worked, and what data it gathered. That report, by the security consulting firm Stroz Friedberg, is now complete and was sent to the interested data protection authorities today. In short, it confirms that Google did indeed collect and store payload data from unencrypted WiFi networks, but not from networks that were encrypted. You can read the report here. We are continuing to work with the relevant authorities to respond to their questions and concerns."
No Secrets, by Raffi Khatchadourian: "[Julian Paul] Assange is an international trafficker, of sorts. He and his colleagues collect documents and imagery that governments and other institutions regard as confidential and publish them on a Web site called WikiLeaks.org. Since it went online, three and a half years ago, the site has published an extensive catalogue of secret material, ranging from the Standard Operating Procedures at Camp Delta, in Guantánamo Bay, and the “Climategate” e-mails from the University of East Anglia, in England, to the contents of Sarah Palin’s private Yahoo account. The catalogue is especially remarkable because WikiLeaks is not quite an organization; it is better described as a media insurgency. It has no paid staff, no copiers, no desks, no office. Assange does not even have a home. He travels from country to country, staying with supporters, or friends of friends—as he once put it to me, “I’m living in airports these days.” He is the operation’s prime mover, and it is fair to say that WikiLeaks exists wherever he does. At the same time, hundreds of volunteers from around the world help maintain the Web site’s complicated infrastructure; many participate in small ways, and between three and five people dedicate themselves to it full time. Key members are known only by initials—M, for instance—even deep within WikiLeaks, where communications are conducted by encrypted online chat services. The secretiveness stems from the belief that a populist intelligence operation with virtually no resources, designed to publicize information that powerful institutions do not want public, will have serious adversaries."
Article 29 Data Protection Working Party Press Release, Brussels, 26 May 2010: EU data protection group says Google, Microsoft and Yahoo! do not comply with data protection rules
News release: "Today, Chairman Henry A. Waxman, Subcommittee Chairman Ed Markey, and Ranking Member Joe Barton sent a letter to Eric Schmidt, Chairman & CEO of Google, regarding recent reports of data collection over private Wi-Fi networks in conjunction with Google's Street View product. The Committee is concerned about the accuracy and completeness of Google's public explanations and requests information regarding the nature and use of the private data collected, the underlying technology of the Street View vehicle fleet, and the impact on consumer privacy."
"With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience. To use search over SSL, visit https://www.google.com each time you perform a search. Note that only Google web search is available over SSL, so other search products like Google Images and Google Maps are not currently available over SSL. When you're searching over SSL, these properties may not appear in the left panel."
EPIC: "The Senate unanimously passed the Faster FOIA Act of 2010, introduced by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), that will establish a 16-member commission to determine methods for reducing delays in processing FOIA requests. Government reports reveal substantial delays in disclosing records subject to the open government law. The legislation seeks to improve the processing of FOIA requests. EPIC frequently uses the FOIA to obtain information about government programs that impact privacy rights."
BusinessWire: "A new study of 90 organizations actively engaged in online marketing concludes that in spite of an acknowledged return on investment, hundreds of millions of dollars are being held back from online behavioral advertising (OBA) over concerns that a lack of consumer trust in the practice could damage brand reputation. The study, Economic Impact of Privacy on Online Behavioral Advertising, conducted independently by the Ponemon Institute, found that although 70 percent of companies agreed that behaviorally targeted advertising substantially increases marketing and sales performance, and in spite of an overall favorable return, most companies surveyed have limited their online advertising budgets over privacy concerns. In fact, extrapolated results suggest that budgets would be as much as four times higher if not for these concerns. Among the study’s noteworthy results:
News release: "A total of 2,376 federal and state applications for orders authorizing the interception of wire, oral or electronic communications, known as wiretaps, was reported in 2009. The number of applications for orders by federal authorities was 663; the number of applications reported by state prosecuting officials was 1,713. No applications were denied. The Omnibus Crime Control and Safe Streets Act of 1968 requires the Administrative Office of the U.S. Courts to report to Congress the number and nature of federal and state applications for wiretap orders. The 2009 Wiretap Report covers intercepts concluded between January 1, 2009 and December 31, 2009."
EPIC: "A new White House memo sets out the Federal Information Security Management Act of 2002 (FISMA) standards for federal agencies. All agencies must comply with the FISMA standard and report security practices for information under agency control. The standard also extends obligations to agency contractors. By November 15, 2010, all agencies must be capable of monitoring all information traffic on their networks; and make reports to CyberScope, a platform launched last year to provide a single government-wide security management tool for FISMA reports. The Memorandum included requirements to respond to breaches of personal information. Agency Inspectors General will provide oversight of agency FISMA compliance."
Generalized ‘satisfaction of search’: Adverse influences on dual-target search accuracy - Mathias S. Fleck, Ehsan Samei, and Stephen R. Mitroff, Department of Psychology & Neuroscience, Center for Cognitive Neuroscience, Duke University, Carl E. Ravin Advanced Imaging Laboratories, Department of Radiology, Duke University Medical Center
scalability and flexibility needed to foster innovation in the information economy; (2) the public confidence necessary for full citizen participation with the Internet; and (3) uphold fundamental democratic values essential to the functioning of a free market and a free society."
Follow up to previous postings on government implementation of whole body scanning technology at airports, this news release: "EPIC and a broad coalition of organizations sent a formal petition to the Department of Homeland Security to demand that the agency suspend the airport body scanner program. The petition states that the "uniquely intrusive search" is unreasonable and violates the Constitution. The petition further states the program fails to comply with several federal laws, including the Religious Freedom Restoration Act, the Privacy Act of 1974, and the Administrative Procedures Act. The petitioners also argue that the machines are ineffective and that there are better, less costly security technologies. The petitioners contend that the TSA has routinely misled the public about the ability of the devices to store and transmit detailed images of travelers' naked bodies. In a Freedom of Information Act lawsuit, EPIC has already obtained technical documents, vendor contracts, and hundreds of traveler complaints."
Follow up to Google Announces "A new approach to China", from the New York Times: "Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s web services, including e-mail and business applications."
News release: "Eight federal regulators released an Online Form Builder today that financial institutions can download and use to develop and print customized versions of a model consumer privacy notice. The Online Form Builder, based on the model form regulation published in the Federal Register on December 1, 2009, under the Gramm-Leach-Bliley Act, is available with several options. Easy-to-follow instructions for the form builder will guide an institution to select the version of the model form that fits its practices, such as whether the institution provides an opt-out for consumers. To obtain a legal "safe harbor" and so satisfy the law's disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder."
Hoofnagle, Chris Jay, King, Jennifer, Li, Su and Turow, Joseph, How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies? (April 14, 2010). Available at SSRN: http://ssrn.com/abstract=1589864
News release: "The Electronic Frontier Foundation (EFF) along with Google and numerous other public interest organizations and Internet industry associations joined with Yahoo! in asking a federal court Tuesday to block a government attempt to access the contents of a Yahoo! email account without a search warrant based on probable cause. The Department of Justice is seeking the emails as part of a case that is under seal, and the account holder has apparently not been notified of the request. Government investigators maintain that because the Yahoo! email has been accessed by the user, it is no longer in "electronic storage" under the Stored Communications Act (SCA) and therefore does not require a warrant, even though that same legal theory has been flatly rejected by the one Circuit Court to address it. Yahoo! is challenging the government request before a federal magistrate judge in Denver, arguing that the SCA and Fourth Amendment require the government to get a search warrant before compelling Yahoo! to disclose the email. In an amicus brief filed in support of Yahoo! Tuesday, EFF says that the company is simply following the law and protecting the constitutional privacy rights of its customers."
Follow up to previous postings on government implementation of whole body scanning technology at airports, this news release: "Ninety-three percent of Americans said they are willing to sacrifice some level of privacy to increase safety when traveling by air, according to research conducted in January and February by Unisys Corporation (NYSE: UIS). Nearly two-thirds of Americans (65%) said they are willing to cooperate with full electronic body scans at the airport, and more than half (57%) would be willing to submit to identity checks using biometric data such as iris scans or fingerprints. Nearly three quarters of Americans (72%) said they are willing to provide personal data in advance of air travel to increase security. The findings, part of the latest bi-annual Unisys Security Index, illustrate that recent events such as the attempted Christmas Day airline bombing may have made security a priority for air travelers. A clear majority of citizens in nearly every country surveyed said they would be willing to forgo privacy to increase air travel security. For example, 90% of citizens in the United Kingdom and 70% of Australians said they would submit to electronic body scans."
NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, Erika McCallister, Tim Grance, Karen Scarfone, April 2010.
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "A meeting between top United States counter-terrorism officials and European counterparts ended in Madrid today with no agreement to restart a program that gave the US access to European financial data. The Terrorist Finance Tracking Program operated in secret from 2001 to 2006. European legislators objected to the program as a violation of EU privacy law. There also appeared to be no EU support for the further deployment of body scanners in European airports. EPIC has raised several objections to the body scanner program, including a letter with Ralph Nader to the administration, Congressional Testimony, and open government litigation, which revealed that the devices store and record images."
"Smart Grid policies that maximize the benefits to consumers need to encompass more than just the electric or telecom sectors policies. The purpose of the Summit is to create a forum to align policies for energy, telecommunication, the environment and the economy, and fulfill the promises of smart grid deployments. The Summit brings together dozens of representatives from a wide variety of policy communities including: state and federal legislative, regulatory and administrative agencies, labor, consumers, and representatives from the major energy and smart grid associations. In this first of its kind multiple-policy, multiple-community Summit, the UTC intends to provide a forum for this next level of policy development..."
News release: "Three consumer protection organizations on Thursday filed a complaint with the Federal Trade Commission (FTC), demanding the commission investigate growing privacy threats in the “Wild West” online. The U.S. Public Interest Research Group, the Center for Digital Democracy and the World Privacy Forum challenged the commission to investigate the growing privacy threats to consumers from the practices conducted by the real-time data-targeting auction and exchange online marketplace. Increasingly and largely unknown to the public, technologies enabling the real-time profiling, targeting, and auctioning of consumers are becoming commonplace. Adding to the privacy threat, explains the new complaint, is the incorporation and expanding role of an array of outside data sources for sale online that provide detailed information on a consumer."
Follow up to postings on security issues and erasing hard drives, from Gizmodo, a detailed article with accompanying screen shots and product references: "With stories abounding of identity theft aided by information lifted from discarded storage devices, you want devices you no longer plan to use to have no usable information when they head out the door. Here's how to wipe them clean...When you erase/delete a file from your computer, it's not really gone until the areas of the disk it used are overwritten by new information. If you use the normal Windows delete function, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files. If you use Shift-Delete to bypass the Recycle Bin, the space occupied by the file is marked as available for other files. However, the file could be recovered days or even weeks later with third-party data recovery software. As long as the operating system does not reuse the space occupied by a file with another file, the "deleted" file can be recovered."
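As an added example (not from the Gizmodo article), the principle above in code: a Python routine that overwrites a file's bytes in place and forces them to the device before unlinking, so the old contents do not linger as recoverable free space. It assumes a conventional filesystem that rewrites blocks in place; on copy-on-write or journaling filesystems, and on SSDs with wear levelling, the original bytes may survive elsewhere, so whole-device erasure is the reliable option there.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB chunks so large files are not loaded into memory


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file at `path` with random data, in place.

    Opening with "r+b" keeps the same inode and, on a filesystem that rewrites
    blocks in place, the same on-disk blocks, so the old contents are replaced
    rather than left behind in now-free space. Returns the number of bytes written
    per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the new bytes out of the page cache to the device
    return size


def secure_unlink(path: str, passes: int = 1) -> int:
    """Overwrite, then unlink. A plain os.unlink only marks the blocks free."""
    size = overwrite_in_place(path, passes)
    os.unlink(path)
    return size


def demo() -> dict:
    """Constructed demonstration: write a sample secret, overwrite it, confirm the bytes changed."""
    original = b"ACCOUNT 1234-5678 PIN 0000 -- constructed sample secret\n" * 3000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(original)
    overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    secure_unlink(path)
    return {
        "size_preserved": len(after) == len(original),
        "content_replaced": after != original and original[:32] not in after,
        "file_removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```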
News release: "Department of Homeland Security (DHS) Secretary Janet Napolitano today announced that the Transportation Security Administration (TSA) will begin implementing new enhanced security measures for all air carriers with international flights to the United States to strengthen the safety and security of all passengers—superseding the emergency measures put in place immediately following the attempted terrorist attack on Dec. 25, 2009...Secretary Napolitano also commended today’s release of the Surface Transportation Security Priority Assessment as another important step in efforts to protect the nation’s traveling public from acts of terrorism—conducted by the Obama administration in its first year as a thorough review of the nation’s surface transportation security efforts, which cover mass transit, commuter and long-distance passenger rail, freight rail, commercial vehicles and pipelines."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "In response to a Congressional inquiry, led by Congressman Bennie Thompson, the Transportation Security Agency acknowledged that images on body scanner machines would be recorded for "testing, training, and evaluation purposes." The TSA also did not dispute that test mode could be activated in airports, but said this "would" not happen. As part of an ongoing lawsuit, EPIC had previously obtained TSA documents describing the machines' capabilities to store and transmit detailed images of travelers' naked bodies."
News release: "The Federal Trade Commission today reported to Congress that it is getting the word out about Internet safety for children by aggressively promoting a new booklet, Net Cetera: Chatting with Kids About Being Online, to schools, police and sheriff’s departments, and PTAs nationwide. Net Cetera explains to parents and their children how to deal with issues such as social networking, cyberbullying, using mobile phones safely, and protecting the family computer from badware. The booklet is practical, plain-language, and value-neutral, so all parents – regardless of whether they are technologically savvy – can use it to help their kids make better decisions about online behavior. It is the most recent addition to the OnGuardOnline.gov consumer education campaign, which helps people guard against Internet fraud, secure their computers, and protect their privacy."
Follow up to previous postings on the Domestic Surveillance Program, via EFF, Kevin Bankston: "Today, Chief Judge Vaughn Walker of the federal district court in San Francisco found that the government illegally wiretapped an Islamic charity's phone calls in 2004, granting summary judgment for the plaintiffs in Al-Haramain Islamic Foundation v. Obama. The court held the government liable for violating the Foreign Intelligence Surveillance Act (FISA). Today's order is the first decision since ACLU v. NSA to hold that warrantless wiretapping by the National Security Agency was illegal. The decision in ACLU v. NSA was overturned on other grounds in 2007, and the focus of the government's litigation strategy since then has been to avoid having any court rule on the merits of the issue. The court's thorough decision is a strong rebuke to the government's argument that only the Executive Branch may determine if a case against the government can proceed in the courts, by invoking state secrets. The Obama Administration adopted this "state secrets privilege" theory from the Bush Administration's legal positions in this and other warrantless wiretapping cases."
World Privacy Forum: "New forms of sophisticated digital signage networks are being deployed widely by retailers and others in both public and private spaces. From simple people-counting sensors mounted on doorways to sophisticated facial recognition cameras mounted in flat video screens and end-cap displays, digital signage technologies are gathering increasing amounts of detailed information about consumers, their behaviors, and their characteristics, like age, gender, and ethnicity. These technologies are quickly becoming ubiquitous in the offline world, and there is little if any disclosure to consumers that information about behavioral and personal characteristics is being collected and analyzed to create highly targeted advertisements, among other things. Few if any consumers expect that the video screen they are watching, the kiosk they are typing on, or the game billboard they are interacting with is watching them back while gathering images of them and behavioral information. This is creating a one-way-mirror society with no notice or opportunity for consumers to consent to being monitored in retail, public, and other spaces or to consent to having their behavior analyzed for marketing and profit. The privacy problems inherent in digital networks are profound, and to date these issues have not been adequately addressed by anyone. This report by the World Privacy Forum seeks to shed light in a dark area and to start a more robust public debate. In addition to the report, the WPF has released with a group of the nation's leading consumer groups a set of privacy principles to be used in digital signage networks."
News release: "A broad coalition of privacy groups, think tanks, technology companies and academics today issued principles for updating the key federal law that defines the rules for government access to email and private files stored in the Internet “cloud.” The coalition cited the need to preserve traditional privacy rights in the face of technological change while also ensuring that law enforcement agents can carry out investigations and that industry has the clarity needed to innovate. To set a consistent standard in line with the traditional rules for law enforcement access in the offline world, the group’s recommendations focus on the Electronic Communications Privacy Act (ECPA). Passed in 1986 and not significantly updated since, it establishes standards for government access to email and other electronic communications in criminal investigations."
EPIC: "The New Jersey Supreme Court ruled in favor of a female employee whose employer read emails that she sent while using Yahoo Mail on a company-owned laptop. The employee, Marina Stengart, had exchanged emails with her attorney regarding a possible discrimination lawsuit against the employer. The employer then pulled the emails off of the laptop's hard drive and used them to prepare a defense to the discrimination suit. The New Jersey Supreme Court found that "Under the circumstances, Stengart could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them." The Supreme Court of the United States is set to consider employee privacy in City of Ontario v. Quon, in which EPIC submitted a "friend of the court brief."
Although many organizations do not report breaches on a timely basis, or in many instances, report them at all, the most recent Identity Theft Resource Center report reveals data protection remains a critical issue for organizations, especially financial services.
Follow up to Major International Hacker Pleads Guilty For Massive Attack On U.S. Retail And Banking Networks, this DOJ news release: "The leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government has been sentenced to 20 years and one day in prison for his role in a series of hacks into a major payment processor and several retail networks, announced Assistant Attorney General for the Criminal Division Lanny A. Breuer; U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz; U.S. Attorney for the Eastern District of New York Benton J. Campbell; U.S. Attorney for the District of New Jersey Paul J. Fishman; and Director of the U.S. Secret Service Mark Sullivan."
News release: "Social Sentry provides corporations the ability to monitor the social networking communications of their employees. Delivered as an easy to deploy SaaS offering, Social Sentry enables businesses to monitor employee activity on all major social networks such as Facebook and Twitter. It provides granular and real-time tracking to eliminate significant corporate risks related to: Compliance issues; Leakage of sensitive information; HR issues; Legal exposure; Brand damage; Financial impact."
EPIC: "Senators Charles Schumer and Lindsey Graham have proposed a new national identity card. The Senators would require that "all U.S. citizens and legal immigrants who want jobs" obtain a "high-tech, fraud-proof Social Security card" with a unique biometric identifier. The card, they say, would not contain private information, medical information, or tracking techniques, and the biometric identifiers would not be stored in a government database. EPIC has testified in Congress and commented to federal agencies on the privacy and security risks associated with national identification systems and biometric identifiers."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "In testimony before the House Committee on Homeland Security, EPIC President Marc Rotenberg urged Congress to halt the plan to deploy body scanners in the nation's airports. "Based on the documents we've obtained, the views of experts, the concerns of Americans, and the extraordinary cost, Congress should suspend the program," said Mr. Rotenberg. In a recent letter to President Obama, EPIC and Ralph Nader recommended an independent review to assess health impacts, privacy safeguards, and the actual effectiveness of the devices. Through FOIA litigation, EPIC has obtained technical specifications, vendor contracts, and hundreds of complaints from US air travelers about the body scanners. A recent report from the GAO has also raised questions about the effectiveness and cost of the devices."
Satellite Surveillance: Domestic Issues, Richard A. Best Jr. Specialist in National Defense, Jennifer K. Elsea, Legislative Attorney, February 1, 2010
News release: "FinCEN joins with other Federal, State and Local government agencies and consumer protection organizations to recognize the 12th Annual National Consumer Protection Week (NCPW), March 7-13. This coordinated consumer education campaign encourages individuals across the country to take full advantage of their consumer rights. FinCEN provides a number of special resources to educate consumers, and the financial institutions that serve them, of potential fraud and scam attempts. FinCEN's rules help consumers by requiring financial institutions to be on the alert for illicit activity. Requirements that a financial institution know its customers can help both to provide better customer service and to prevent that customer from becoming a victim of fraud."
Follow up to previous postings on government implementation of whole body scanning technology at airports - "In response to an EPIC Freedom of Information Act lawsuit, the Department of Homeland Security and the Transportation Security Administration (TSA) released more documents about body scanners in US airports. The documents include many complaints from travelers who went through the devices. Travelers reported that they were not told about the pat down alternative or that they were going to be subject to a body scan by TSA officials. Travelers also expressed concern about radiation risks to pregnant women and the image capture of young children without clothes. EPIC has previously obtained whole body imaging vendor contracts, operational requirements, and procurement specifications from TSA. EPIC and Ralph Nader have urged President Obama to suspend the program until an independent review is completed."
The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure. In May 2009, the President accepted the recommendations of the resulting Cyberspace Policy Review, including the selection of an Executive Branch Cybersecurity Coordinator who will have regular access to the President. The Executive Branch was also directed to work closely with all key players in U.S. cybersecurity, including state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents; strengthen public/private partnerships to find technology solutions that ensure U.S. security and prosperity; invest in the cutting-edge research and development necessary for the innovation and discovery to meet the digital challenges of our time; and begin a campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms and begin to build the digital workforce of the 21st century. Finally, the President directed that these activities be conducted in a way that is consistent with ensuring the privacy rights and civil liberties guaranteed in the Constitution and cherished by all Americans."
News release: "The Federal Trade Commission and other government agencies and national consumer groups are sponsoring the 12th annual National Consumer Protection Week from March 7-13, 2010. The event is a coordinated consumer education campaign that encourages individuals across the country to take full advantage of their consumer rights. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life, from grade school to retirement. In keeping with the theme, the consumer education campaign features a Web site with a page for kids and parents, as well as games, videos, and links to other Web sites that teach practical lessons about the role of business and government in everyday life. The site, www.consumer.gov/ncpw, provides information that encourages people to take full advantage of their consumer rights, and promotes free resources to help people protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Government Accountability Office (GAO) recently released a report regarding the deployment of body scanners. The GAO cited its 2009 recommendations to the Transportation Security Administration (TSA): that the TSA conduct operational tests to ensure that the whole body imaging machines are reliable, and that the TSA conduct an assessment of the whole body imaging machines' vulnerabilities. In its latest report, the GAO warned TSA of the importance of full operational tests, citing the puffer machine debacle as an example of the government waste that results from insufficient operational testing. The GAO also expressed concern over TSA's lack of complete risk assessments and inability to "provide documentation to show how they have addressed the concerns raised in the 2009 GAO report regarding the susceptibility of the technology to terrorist tactics." Because of this, the GAO concluded that it is unclear whether the body scanners or other technologies would have detected the weapon used in the December 25 attempted attack."
EPIC: "Ponemon Institute released its annual study identifying the top twenty companies that are most trusted for privacy. American Express was ranked first, earning the Most Trusted for Privacy distinction for the fifth year in a row. Facebook suffered several privacy missteps over the last year, including a recent change in privacy settings at the end of 2009, and as a result, failed to make the 2010 list. Google, however, returned to the Top 20, ranked at 13. The survey also produced significant findings regarding consumer attitudes towards privacy, including the finding that consumers feel they are losing control over their personal information. Further, the responses revealed that consumers’ fear of identity theft is the main factor for brand trust diminishment, while a company’s implementation of privacy features contributes to brand trust. Other significant positive factors were limits on the collection of personal information and online anonymity."
"The Subcommittee on Commerce, Trade, and Consumer Protection and the Subcommittee on Communications, Technology, and the Internet held a joint hearing titled, The Collection and Use of Location Information for Commercial Purposes, on Wednesday, February 24, 2010, in 2141 Rayburn House Office Building. The hearing examined privacy and other issues related to the commercial collection, use, and sharing of location-based information."
News release: "NetWitness, the world leader in advanced persistent threat detection and real-time network forensics, announced today that its analysts have discovered a dangerous new ZeuS botnet affecting 75,000 systems in 2,500 organizations around the world. The newly-discovered infestation, dubbed the "Kneber botnet" after the username linking the infected systems worldwide, gathers login credentials to online financial systems, social networking sites and email systems from infested computers and reports the information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities. NetWitness first discovered the Kneber botnet in January during a routine deployment of the NetWitness advanced monitoring solutions. Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines."
Official Google Blog: "Google Buzz is a new way to start conversations about the things you find interesting. It's built right into Gmail, so you don't have to peck out an entirely new set of friends from scratch — it just works. If you think about it, there's always been a big social network underlying Gmail. Buzz brings this network to the surface by automatically setting you up to follow the people you email and chat with the most. We focused on building an easy-to-use sharing experience that richly integrates photos, videos and links, and makes it easy to share publicly or privately (so you don't have to use different tools to share with different audiences). Plus, Buzz integrates tightly with your existing Gmail inbox, so you're sure to see the stuff that matters most as it happens in real time."
3rd Circuit to Mull Privacy of Cell Phone Data, Shannon P. Duffy: "In a case that could prove to be one of the most important privacy rights battles of the modern era, the 3rd U.S. Circuit Court of Appeals will hear argument this week on the proper legal standard to apply when prosecutors demand cell phone location data. The data, which are recorded about once every seven seconds whenever a cell phone is turned on, effectively track the whereabouts and the comings and goings of every cell phone user. Justice Department lawyers argue that, by statute, they need only show "reasonable grounds" to believe that such records are "relevant and material to an ongoing criminal investigation." But a federal magistrate judge in Pittsburgh strongly disagreed in February 2008, issuing a 52-page opinion that said the prosecutors must meet the "probable cause" standard."
Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Office of Management and Budget has released the federal budget for fiscal year 2011. The budget proposes funding for several new surveillance initiatives, including over $700 million to the Department of Homeland Security for "Passenger Aviation Security". The Department would like to purchase 500 body scanner machines for U.S. airports, bringing the projected total number of machines to 1,000 at a cost of over $200 million by the end of 2011. The new budget also includes several hundred million dollars for the Department of Justice's national security programs, which were recently the subject of a critical Inspector-General's report for improper use of authority."
Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010
"EPIC submitted comments to the FTC prior to the agency’s second privacy roundtable. EPIC warned of the ongoing privacy risks associated with cloud computing and social networking privacy, highlighting the Google cloud computing complaint and Facebook privacy complaint filed by EPIC in 2009. The comments note that the FTC has failed to take any meaningful action with respect to either complaint, demonstrating the Commission's “lack of leadership and technical expertise.” EPIC's comments also draw attention to the success of international privacy initiatives, in hopes of encouraging the FTC to take meaningful action to protect American consumers."
OPNAV NOTICE 5400, January 11, 2010: "Action will establish U. S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet will be re-commissioned to control operations supporting U. S. Fleet Cyber Command."
"This Ponemon Institute 2009 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of these issues. Breaches included in the survey ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors."
News release: "The Federal Trade Commission today released the agenda for its second roundtable on consumer privacy issues scheduled for January 28, 2010. The second roundtable, hosted by the Berkeley Center for Law and Technology, will take place at the University of California, Berkeley, School of Law Booth Auditorium. The roundtable is the second of three public events designed to explore the privacy challenges that are posed by technology and business practices that collect and use consumer data. The agenda continues the public dialogue by focusing on how technology affects consumer privacy, including its potential to weaken and/or strengthen privacy protections. The roundtable will also explore privacy implications of several evolving technologies, including social networking and other platform services, cloud computing, and mobile computing."
Follow up to previous postings on government implementation of whole body scanning technology at airports, news that EPIC has posted more than 250 pages of documents it obtained in a Freedom of Information Act lawsuit concerning body scanners. The documents, released by the Department of Homeland Security, reveal that Whole Body Imaging machines can record, store, and transmit digital strip search images of Americans. This contradicts assurances made by the TSA. The documents include TSA Procurement Specifications, TSA Operational Requirements, TSA contract with L3, TSA contract with Rapiscan (1), and TSA contract with Rapiscan (2). The DHS has withheld other documents that EPIC is seeking.
News release: "The Federal Trade Commission, as required by The Do-Not-Call Registry Fee Extension Act of 2007, has approved two reports to Congress: a biennial report focusing on the use of the Do Not Call Registry by both consumers and businesses, as well as the impact that new technologies have had on the Registry, and a one-time report on enforcement efforts and consumers’ perceptions of the Registry’s effectiveness. As detailed in the first report, the Do Not Call Registry now has more than 191 million active registrations, and more than 18 million new phone numbers were registered in Fiscal Year (FY) 2009. During that time, approximately 45,000 sellers, telemarketers, and exempt organizations such as charities subscribed to access the Registry, paying fees totaling more than $15.5 million. In addition, during FY 2009, the FTC implemented a new procedure for tracking disconnected and reassigned phone numbers, which addresses problems that may arise as a result of new telecommunications technologies and the ease of transporting numbers from one telephone service provider to another. According to the second report, since 2003 when the Do Not Call Registry was put in place, research has consistently shown widespread public awareness of the program and a steady increase in the number of phone numbers registered. Together, the FTC and the Federal Communications Commission have collected penalties totaling over $22 million from Registry violators, and due to these enforcement actions and the agencies’ consumer education campaigns, consumers who have joined the Registry have reported dramatic reductions in the number of unwanted calls they receive."
Follow up to previous postings on government implementation of whole body scanning technology at airports, see Presidential Report on Radiation Protection Advice: Screening of Humans for Security Purposes Using Ionizing Radiation Scanning Systems - A Report Prepared by the National Council on Radiation Protection and Measurements: "This Presidential Report from the National Council on Radiation Protection and Measurements (NCRP) presents radiation protection advice concerning ionizing radiation-producing devices that are being evaluated for various uses in screening of humans for the purpose of security. Chief among the devices being evaluated at the present time are scanning systems that utilize x rays. This report addresses systems utilizing ionizing radiation, but also describes briefly some systems under consideration that utilize nonionizing radiation sources."
News release: "The Federal Trade Commission today issued a Fraud Forum staff report that examines more effective ways to protect consumers from fraudulent schemes and focus the collective knowledge and experience of forum participants to fight fraud. The February 2009 Forum was attended by academics, consumer advocates, industry representatives, and state and federal law enforcers. The Fraud Forum Report summarizes information presented at the event during panel and small group discussions on a range of issues including: the psychology of scammers and their victims, fraud statistics, under-reported fraud, and the role of private industry in detecting and preventing fraud."
Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, December 3, 2009: "Depending on one’s perspective, wiretapping and electronic eavesdropping are either “dirty business,” essential law enforcement tools, or both. This is a very general overview of the federal statutes that proscribe wiretapping and electronic eavesdropping and of the procedures they establish for law enforcement and foreign intelligence gathering purposes. Although the specifics of state law are beyond the scope of this report, citations to related state statutory provisions have been appended. The text of pertinent federal statutes and a selected bibliography of legal materials appear as appendices as well."
"...e-reader technology also presents significant new threats to reader privacy. E-readers possess the ability to report back substantial information about their users' reading habits and locations to the corporations that sell them. And yet none of the major e-reader manufacturers have explained to consumers in clear unequivocal language what data is being collected about them and why. As a first step towards addressing these problems, EFF has created a first draft of our Buyer's Guide to E-Book Privacy. We've examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share."
News release: "EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Facebook’s revised privacy settings. The EPIC complaint, signed by nine other privacy and consumer organizations, states that the "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." EPIC cites widespread opposition from Facebook users, security experts, bloggers, and news organizations. A previous EPIC complaint to the FTC, concerning the data broker industry, produced the largest settlement in the FTC's history. For more information, see EPIC: In re Facebook and EPIC Facebook Privacy."
Follow up to previous postings on government implementation of whole body scanning technology at airports, this news: On December 17, 2009, EPIC filed a lawsuit against the Department of Justice concerning the use of devices that capture images of individuals stripped naked. The Transportation Security Administration has confirmed the Whole Body Imaging machines are being used in at least one Virginia federal court by the US Marshals Service. EPIC submitted a FOIA request for information about these devices including the contracts with the manufacturer of the machines, and information about technical specifications and training materials. The Marshals Service failed to respond adequately to the request. EPIC filed suit, saying that the agency had not performed a sufficient search and should disclose the documents requested.
News release: "A new booklet released today by the Federal Trade Commission and other government agencies helps parents and teachers steer kids safely through the online and mobile phone worlds. Net Cetera: Chatting with Kids About Being Online was unveiled...by FTC Chairman Jon Leibowitz, U.S. Secretary of Education Arne Duncan, and Federal Communications Commission Chairman Julius Genachowski."
"The Federal Trade Commission [is hosting] a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Via EPIC: The second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law.
News release: "Eight federal regulatory agencies today released a final model privacy notice form that will make it easier for consumers to understand how financial institutions collect and share information about consumers. Under the Gramm-Leach-Bliley Act (GLB Act), institutions must notify consumers of their information-sharing practices and inform consumers of their right to opt out of certain sharing practices. The model form issued today can be used by financial institutions to comply with these requirements. The Financial Services Regulatory Relief Act of 2006 amended the GLB Act to require the agencies to propose a succinct and comprehensible model form that allows consumers to easily compare the privacy practices of different financial institutions, and has an easy-to-read font...The final rule provides that a financial institution that chooses to use the model form obtains a "safe harbor" and will satisfy the disclosure requirements for notices. The rule also removes, after a transition period, the sample clauses now included in the appendices of the agencies’ privacy rules. The final model privacy form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission."
"The American Civil Liberties Union today released a new report, Enforcing Privacy: Building American Institutions to Protect Privacy in the Face of New Technology and Government Powers, November 2009, written by Jay Stanley, recommending steps Congress should take to create the vigorous privacy oversight institutions that are desperately needed in the United States to counterbalance the rush of new technologies and expanding government powers, and calling for the Obama administration to move quickly to fill the seats on the Privacy and Civil Liberties Oversight Board (PCLOB)."
Follow up to previous postings on airport whole body imaging technology, "EPIC filed a Freedom of Information Act lawsuit challenging the Department of Homeland Security's failure to make public details about the agency's Whole Body Imaging program. The devices capture detailed naked images of air travelers in the United States. After the agency announced that the body scanners would become the primary screening device in US airports, EPIC demanded that the agency disclose records that describe the scanners' capacity to save and transmit images. In June, EPIC sent a letter to the Secretary of Homeland Security Janet Napolitano urging her to suspend the digital strip searches."
"CDT released a whitepaper highlighting policy issues related to responsible user-centric identification systems. The paper comes as the U.S. Government begins launching a series of pilot programs that will use third party user credentials to authenticate users to federal Web sites and discusses possible challenges to be considered as these activities are expanded in order to provide a better user experience."
"The American Constitution Society for Law and Policy (ACS) hosted an event exploring challenges to privacy in a growing digital age. The event featured a keynote address by Christopher N. Olsen, the Assistant Director in the Division of Privacy and Identity Protection at the Federal Trade Commission, which was followed by a diverse panel of experts who discussed the myriad issues surrounding the availability of information in cyberspace, including privacy concerns such as potential government dissemination of financial and health
EPIC: "In a crisply worded declaration, over 100 civil society organizations and privacy experts from more than 40 countries have set out an expansive statement on the future of privacy. The Madrid Declaration affirms that privacy is a fundamental human right and reminds "all countries of their obligations to safeguard the civil rights of their citizens and residents." The Madrid Declaration warns that "privacy law and privacy institutions have failed to take full account of new surveillance practices." The Declaration urges countries "that have not yet established a comprehensive framework for privacy protection and an independent data protection authority to do so as expeditiously as possible." The civil society groups and experts recommend a "moratorium on the development or implementation of new systems of mass surveillance." Finally, the Declaration calls for the "establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions." The Madrid Declaration was released at the Public Voice conference in Madrid on Global Privacy Standards."
Official Google Blog: "In an effort to provide you with greater transparency and control over your own data, we've built the Google Dashboard. Designed to be simple and useful, the Dashboard summarizes data for each product that you use (when signed in to your account) and provides you direct links to control your personal settings. Today, the Dashboard covers more than 20 products and services, including Gmail, Calendar, Docs, Web History, Orkut, YouTube, Picasa, Talk, Reader, Alerts, Latitude and many more. The scale and level of detail of the Dashboard is unprecedented, and we're delighted to be the first Internet company to offer this — and we hope it will become the standard. [Includes a quick video] to learn more and then try it out for yourself at www.google.com/dashboard."
New York Times: "In September 2008, the Bush administration changed domestic intelligence-gathering rules. The Federal Bureau of Investigation's interpretation of those rules was recently made public when the bureau released a redacted copy of its "Domestic Investigations and Operation Guide" in response to a Freedom of Information lawsuit. The new rules have given F.B.I. agents the most power in national security matters that they have had since the post-Watergate era."
"EPIC joined the Privacy Coalition letter sent to the House Committee on Homeland Security urging them to investigate the Department of Homeland Security's (DHS) Chief Privacy Office. DHS is unrivaled in its authority to develop and deploy new systems of surveillance. The letter cited DHS use of Fusion Center, Whole Body Imaging, funding of CCTV Surveillance, and Suspicionless Electronic Border Searches as examples of where the agency is eroding privacy protections."
News release: "The Federal Communications Commission (FCC) today released a Notice of Inquiry (NOI) asking how children can be served and protected and parents can be further empowered in the new digital media landscape. The NOI comes almost 20 years after enactment of the Children’s Television Act and follows the Commission’s recently issued Child Safe Viewing Act Report, which examined parental control technologies for video and audio programming. Children live in a dramatically different media environment from the one their parents and grandparents grew up in decades ago. From television to mobile devices to the Internet, electronic media today offer an array of opportunities to, among other things, access educational content, communicate with family and peers, and acquire the skills and technological literacy necessary to compete in a global economy. However, digital media can also pose risks of harm to children, including exposing them to exploitative advertising, inappropriate content, and cyberbullying, as well as potentially contributing to childhood obesity and other negative health impacts. The NOI asks to what extent children are using electronic media today, the benefits and risks this presents, and the ways in which parents, teachers, and children can help reap the benefits while minimizing the risks of using these technologies."
Evaluation Report, The Department's Unclassified, Cyber Security Program - 2009. DOE/IG-0828 October 2009
Follow up to previous postings on airport whole body imaging technology, this article from the Economist.com: "Much excitement in Manchester where trials have started of Britain’s first whole-body scanner. The machine takes X-ray photographs of passengers, and can reveal concealed threats without requiring the removal of clothing."
News release: "ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identity theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000. In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention."
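The failure mode the FTC describes is a monitoring tool that was switched off and whose absence went unnoticed for four months: a silent log source looks exactly like "nothing happened" unless something watches for the silence itself. The script below is an added illustration, not ChoicePoint's or the FTC's code, of the usual countermeasure: record the last event received from each audit source, give each source an expected reporting interval, and alert on any source that has gone quiet past that interval or has never reported at all. The source names, intervals and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit feed: (source name, ISO timestamp of an event).
# Hypothetical source names; these are not ChoicePoint's systems.
SAMPLE_EVENTS = [
    ("db-access-audit", "2008-04-01T08:00:00"),
    ("db-access-audit", "2008-04-02T09:15:00"),   # last event before the tool was turned off
    ("web-proxy",       "2008-04-01T08:00:00"),
    ("web-proxy",       "2008-08-01T11:00:00"),
    ("vpn-auth",        "2008-07-31T23:59:00"),
]

# Assumed expected interval within which each source must emit at least one event.
# A source listed here but absent from the feed has never checked in at all.
EXPECTED_INTERVAL = {
    "db-access-audit": timedelta(hours=1),
    "web-proxy":       timedelta(hours=1),
    "vpn-auth":        timedelta(days=1),
    "badge-reader":    timedelta(hours=6),
}

# Constructed "current time" for the stand-alone run.
NOW = datetime(2008, 8, 1, 12, 0)


def last_seen(events):
    """Return the latest timestamp observed for each source."""
    seen = {}
    for source, ts in events:
        t = datetime.fromisoformat(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def silent_sources(events, expected, now):
    """Return {source: silence} for every expected source that has not reported
    within its interval. silence is a timedelta since the last event, or None
    when the source has never reported (the worst case: no baseline to compare)."""
    seen = last_seen(events)
    silent = {}
    for source, interval in expected.items():
        if source not in seen:
            silent[source] = None
        elif now - seen[source] > interval:
            silent[source] = now - seen[source]
    return silent


def run_demo():
    """Evaluate the constructed feed at the constructed current time."""
    return silent_sources(SAMPLE_EVENTS, EXPECTED_INTERVAL, NOW)


if __name__ == "__main__":
    for source, silence in run_demo().items():
        if silence is None:
            print(f"ALERT {source}: never reported")
        else:
            print(f"ALERT {source}: silent for {silence}")
```

In the sample, db-access-audit fires because its last event is months old, badge-reader fires because it never reported, and web-proxy and vpn-auth are within their intervals. The check is only useful if it runs from a system independent of the sources it watches and its own alerts go somewhere a person reads; a heartbeat that can be disabled by the same change that disables the monitor reproduces the original gap.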
Legal Implications of Cloud Computing - Part Two (Privacy and the Cloud): As a follow-up to last month's article that provided an overview of cloud computing in the context of significant legal issues, this article by Tanya Forsheit reviews the issues of privacy and cross-border data transfers.
Who's in Big Brother's Database? By James Bamford - A review of The Secret Sentry: The Untold History of the National Security Agency by Matthew M. Aid.
Kate Mosher in The Recorder: "Under a bill signed into law by the governor this week and sponsored by San Francisco District Attorney Kamala Harris, prosecutors hope witnesses in the state's relocation program will be harder to find through Internet searching. Gang members have targeted witnesses through Internet search engines even when witnesses weren't aware their personal information was online, said Sen. Mark Leno, who authored SB 748, which was signed Sunday. The new law goes after people or agencies that disclose phone numbers, addresses or other identifying information of protected witnesses."
News release: "Increases in global contraceptive use have contributed to a decrease in the number of unintended pregnancies and, in turn, a decline in the number of abortions, which fell from an estimated 45.5 million procedures in 1995 to 41.6 million in 2003. While both the developed and the developing world experienced these positive trends, developed regions saw the greatest progress. Within the developing world, improvement varied widely, with Africa lagging behind other regions, according to Abortion Worldwide: A Decade of Uneven Progress, a major new Guttmacher Institute report released today."
National Identity Theft Prevention Week - UK's Fraud Prevention Service resources:
News release: "To promote cyber safety outreach and education, the FCC recently partnered with OnGuardOnline.gov, a joint effort of 12 federal agencies and 18 non-government organizations, developed and managed by the FTC. OnGuardOnline.gov provides practical and timely tips to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. Among the recommendations that consumers should follow:
FBI news release: "The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks. [October 7, 2009], authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme. The United States government is extremely grateful for the extraordinary assistance provided by the Egyptian government in this matter."
Viviane Reding, Member of the European Commission in charge of Information Society and Media, The Future of the Internet and Europe's Digital Agenda - Brussels, 6 October 2009
National Law Journal: "The economy has employers extra jittery about company secrets getting out, so nervous that they're hiring staff just to monitor outbound e-mails. That's the conclusion of a recent study by Proofpoint, an Internet security and data loss prevention company, which found that 38 percent of large U.S. employers are monitoring outbound e-mail to prevent data leaks, up from 29 percent in 2008."
News release: "Individuals’ genetic information will have greater protections through new regulations issued today by the U.S. Departments of Health and Human Services (HHS), Labor, and the Treasury. The interim final rule will help ensure that genetic information is not used adversely in determining health care coverage and will encourage more individuals to participate in genetic testing, which can help better identify and prevent certain illnesses."
New York Times: "About two-thirds of Americans object to online tracking by advertisers — and that number rises once they learn the different ways marketers are following their online movements, according to a new survey from professors at the University of Pennsylvania and the University of California, Berkeley."
News release: "A judge ordered the government Thursday to release more records about the lobbying campaign to provide immunity to the telecommunications giants that participated in the NSA's warrantless surveillance program. U.S. District Judge Jeffrey S. White ordered the records be provided to the Electronic Frontier Foundation (EFF) by October 9, 2009. The decision is part of EFF's long-running battle to gather information about telecommunications lobbying conducted as Congress considered granting immunity to companies that participated in illegal government electronic surveillance. Telecom immunity was eventually passed as part of the FISA Amendments Act (FAA) of 2008, but a bill that would repeal the immunity -- called the JUSTICE Act -- was introduced in the Senate last week."
"A fast-growing FBI data-mining system billed as a tool for hunting terrorists is being used in hacker and domestic criminal investigations, and now contains tens of thousands of records from private corporate databases, including car-rental companies, large hotel chains and at least one national department store, declassified documents obtained by Wired.com show. Headquartered in Crystal City, Virginia, just outside Washington, the FBI’s National Security Branch Analysis Center (NSAC) maintains a hodgepodge of data sets packed with more than 1.5 billion government and private-sector records about citizens and foreigners, the documents show, bringing the government closer than ever to implementing the “Total Information Awareness” system first dreamed up by the Pentagon in the days following the Sept. 11 attacks."
EU Project INDECT - "The main objectives of the INDECT project are: to develop a platform for: the registration and exchange of operational data, acquisition of multimedia content, intelligent processing of all information and automatic detection of threats and recognition of abnormal behaviour or violence, to develop the prototype of an integrated, network-centric system supporting the operational activities of police officers, providing techniques and tools for observation of various mobile objects, to develop a new type of search engine combining direct search of images and video based on watermarked contents, and the storage of metadata in the form of digital watermarks, to develop a set of techniques supporting surveillance of internet resources, analysis of the acquired information, and detection of criminal activities and threats."
In following this January 9, 2009 memo, Legal Issues Relating to the Testing, Use and Deployment of an Intrusion-Detection System (EINSTEIN 2.0) to Protect Unclassified Computer Networks in the Executive Branch, this DOJ memo released September 18, 2009: Legality of Intrusion-Detection System To Protect Unclassified Computer Networks In Executive Branch - "Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws."
News release and Fact Sheet: "U.S. Senators Russ Feingold (D-WI), Dick Durbin (D-IL), Jon Tester (D-MT), Tom Udall (D-NM), Jeff Bingaman (D-NM), Bernie Sanders (I-VT), Daniel Akaka (D-HI) and Ron Wyden (D-OR) have introduced legislation to fix problems with surveillance laws that threaten the rights and liberties of American citizens. The Judicious Use of Surveillance Tools In Counterterrorism Efforts (JUSTICE) Act would reform the USA PATRIOT Act, the FISA Amendments Act and other surveillance authorities to protect Americans’ constitutional rights, while preserving the powers of our government to fight terrorism. The JUSTICE Act reforms include more effective checks on government searches of Americans’ personal records, the “sneak and peek” search provision of the PATRIOT Act, “John Doe” roving wiretaps and other overbroad authorities. The bill will also reform the FISA Amendments Act, passed last year, by repealing the retroactive immunity provision, preventing “bulk collection” of the contents of Americans’ international communications, and prohibiting “reverse targeting” of innocent Americans. And the bill enables better oversight of the use of National Security Letters (NSLs) after the Department of Justice Inspector General issued reports detailing the misuse and abuse of the NSLs. The Senate Judiciary Committee will hold a hearing on Wednesday, September 23rd, on reauthorization of the USA PATRIOT Act."
"CDT told a congressional panel today that providing the public with direct, online access to complex government programs, such as TARP, would strengthen oversight. Media, watchdog groups, researchers and citizens could then better analyze the data for a wide variety of purposes. CDT asked the House Oversight and Investigations Subcommittee to ensure that legislation explicitly require that TARP resources be made available to the public on the Web. CDT also noted that more sophisticated data--such as location and mapping data--are being collected today by government agencies; however, aging federal privacy law needs to be updated to ensure these new types of information are protected as well."
News release: "Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Sunday said the latest trend in cybercrime is directed at small to medium sized companies that have been robbed of both data and dollars...The thieves steal in amounts under $10,000 to avoid triggering a bank report required by anti-money laundering law. The malware is so well written that the traffic seems to be coming from an authorized computer – and possibly is a legitimate computer that has been commandeered. The money is then transferred to “money mules” who may have been recruited over internet job boards or who have posted resumes on a job listing service. The Committee will hold a hearing September 14, 2009, Cyber Attacks: Protecting Industry Against Growing Threats, to examine this new trend, and the Senators plan to introduce broad cyber security legislation later this fall that will improve cyber security in the private sector."
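Because the transfers are deliberately kept under the $10,000 reporting trigger and originate from what looks like an authorized computer, per-transaction checks miss them; the pattern only shows up when sub-threshold transfers from one account are counted together over a short window. The script below is an added example, not code from the Committee or any bank, of that aggregation: it keeps only transfers in a band just under the threshold, slides a time window over each account's history, and raises an alert when the window holds enough of them, reporting the distinct beneficiaries (the candidate mules). The $9,000 band floor, the seven-day window, the three-transfer trigger and the ledger rows are all constructed assumptions; real thresholds belong to the institution's fraud team.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000.00   # the reporting trigger amount named in the release
BAND_FLOOR = 9_000.00          # assumption: "just under" means within $1,000 of it
WINDOW = timedelta(days=7)     # assumption: look-back window per account
MIN_HITS = 3                   # assumption: sub-threshold transfers needed to alert

# Constructed sample ledger: (ISO timestamp, source account, beneficiary, amount).
# Account and beneficiary names are hypothetical.
SAMPLE_TRANSFERS = [
    ("2009-09-01T09:02:00", "ACME-OPS", "mule-a",      9_850.00),
    ("2009-09-01T14:30:00", "ACME-OPS", "mule-b",      9_700.00),
    ("2009-09-02T10:05:00", "ACME-OPS", "mule-c",      9_900.00),
    ("2009-09-03T16:45:00", "ACME-OPS", "payroll-svc", 42_300.00),  # over threshold: reported by the bank anyway
    ("2009-09-05T11:00:00", "BETA-LLC", "vendor-1",    9_500.00),
    ("2009-09-20T11:00:00", "BETA-LLC", "vendor-1",    9_500.00),   # two weeks later: outside the window
    ("2009-09-21T11:00:00", "BETA-LLC", "vendor-1",    9_500.00),
]


def sub_threshold(amount):
    """True for amounts in the band just under the reporting trigger."""
    return BAND_FLOOR <= amount < REPORT_THRESHOLD


def detect_structuring(transfers, window=WINDOW, min_hits=MIN_HITS):
    """Return {account: summary} for each account with at least min_hits
    sub-threshold transfers inside some sliding window of length `window`.
    The summary carries the count, the combined amount and the distinct
    beneficiaries so an analyst can see whether the money fanned out to mules."""
    by_account = defaultdict(list)
    for ts, account, beneficiary, amount in transfers:
        if sub_threshold(amount):
            by_account[account].append((datetime.fromisoformat(ts), beneficiary, amount))

    alerts = {}
    for account, rows in by_account.items():
        rows.sort()                      # chronological; sliding window needs order
        start = 0
        for end in range(len(rows)):
            # Drop rows from the front until the window fits.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= min_hits:
                hit = rows[start:end + 1]
                alerts[account] = {
                    "count": len(hit),
                    "total": round(sum(r[2] for r in hit), 2),
                    "beneficiaries": sorted({r[1] for r in hit}),
                }
                break                    # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for account, summary in detect_structuring(SAMPLE_TRANSFERS).items():
        print(f"ALERT {account}: {summary['count']} transfers totalling "
              f"${summary['total']:,.2f} to {summary['beneficiaries']}")
```

On the sample, ACME-OPS alerts (three transfers of $29,450 in two days to three new beneficiaries) while BETA-LLC does not, because its three payments to one vendor never fall inside a single seven-day window. A business that legitimately pays many invoices just under the threshold will also trip this rule, so the alert is a triage signal; the beneficiary list, and whether those payees are new to the account, is what separates a mule fan-out from routine payables.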
Follow up to August 1, 2009 posting - Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - today's news release: "An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks."
"EPIC released the Privacy Report Card for the Obama Administration at a morning briefing held at the National Press Club. EPIC gave the Administration an “Incomplete” for Consumer Privacy, A- for Medical Privacy, C+ for Civil Liberties, and a B for Cyber Security. Privacy Coalition members participating in the event included US PIRG, Consumer Federation of America, the Liberty Coalition, Association of American Physicians and Surgeons, and the Bill of Rights Defense Committee. In December 2008, the Privacy Coalition urged the new Administration to address growing public concerns about privacy protection."
"CDT filed a "friend of the court" brief in the Southern District of New York [September 4, 2009] requesting that key privacy requirements be included in the Court's approval of the class-action settlement that would dramatically expand Google Book Search. CDT previously released a report in July analyzing the privacy implications of this settlement and is urging the judge to guarantee strong privacy safeguards for the exciting new services Google will be able to offer. The brief asks that the court approve the proposed settlement of the copyright infringement lawsuit between Google and authors and publishers, but to retain oversight in order to monitor implementation of a privacy plan."
Online Behavioral Tracking and Targeting Concerns and Solutions, Legislative Primer September 2009 - from the Perspective of: Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, The World Privacy Forum.
"Tracking people’s every move online is an invasion of privacy. It’s like being followed by an invisible stalker – individuals aren’t aware that it’s happening, who is tracking them, and how the information will be used. They’re not asked for their consent and have no meaningful control over the collection and use of their information, often by third-parties with which they have no relationships."
News release: "Beginning September 1, 2009, prerecorded commercial telemarketing calls to consumers – commonly known as robocalls – will be prohibited, unless the telemarketer has obtained permission in writing from consumers who want to receive such calls, the Federal Trade Commission announced today...The new requirement is part of amendments to the agency’s Telemarketing Sales Rule (TSR) that were announced a year ago. After September 1, sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages will face penalties of up to $16,000 per call."
OIG-09-64 - Role of the No Fly and Selectee Lists in Securing Commercial Aviation (PDF, 63 pages) Redacted, July 2009.
"A new publication that recommends best practices for the next generation of portable biometric acquisition devices—Mobile ID—has been published by Commerce’s National Institute of Standards and Technology (NIST). Devices that gather, process and transmit an individual’s biometric data—fingerprints, facial and iris images—for identification are proliferating. Previous work on standards for these biometric devices has focused primarily on getting different stationary and desktop systems with hard-wired processing pathways to work together in an interoperable manner. But a new generation of small, portable and versatile biometric devices are raising new issues for interoperability."
News release: " The Federal Trade Commission has issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached. Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009. The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential."
News release: "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt...The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."
"In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes."
News release: "The out-of-court settlement sought in the US civil proceedings against UBS has been reached. The details of the arrangement were worked out between Switzerland and the USA over the last few days. The judge was informed during a telephone conference on Wednesday. The settlement now has to be signed by both states."
New York Times, And You Thought a Prescription Was Private : "...in fact, prescriptions, and all the information on them — including not only the name and dosage of the drug and the name and address of the doctor, but also the patient’s address and Social Security number — are a commodity bought and sold in a murky marketplace, often without the patients’ knowledge or permission...
EPIC: "Senators Russ Feingold (D-WI) and Dick Durbin (D-IL) are drafting legislative reforms to revise the USA PATRIOT Act. The USA PATRIOT Act allows authorities to conduct surveillance without judicial review through the use of National Security Letters. The Senators asked the Attorney General and the Chairmen of the Senate Judiciary and Intelligence Committee to consider two previous bills that add protections to the PATRIOT Act. Pursuant to an EPIC lawsuit, a federal judge had ordered the Justice Department to provide for independent judicial inspection of documents relating to warrantless wiretapping. For more information, see EPIC USA PATRIOT Act, EPIC FISA, EPIC Wiretapping, and EPIC National Security Letters."
Fuchs, Christian. 2009. Social Networking Sites and the Surveillance Society. A Critical Case Study of the Usage of studiVZ, Facebook, and MySpace by Students in Salzburg in the Context of Electronic Surveillance. Salzburg/Vienna: Research Group UTI. ISBN 978-3-200-01428-2.
On Locational Privacy, and How to Avoid Losing it Forever, By Andrew J. Blumberg and Peter Eckersley, August 2009: "Over the next decade, systems which create and store digital records of people's movements through public space will be woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future...Locational privacy (also known as “location privacy”) is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use. The systems discussed [in this report] have the potential to strip away locational privacy from individuals..."
wkyc.com: "TSA has revealed it is testing scanning technology at Cleveland Hopkins Airport that allows screeners to see through clothing. Despite public concern over what's viewed by some as invasive imagery, TSA is moving ahead with the advanced imagery technology it claims will improve security by allowing screeners to quickly scan passengers for weapons without a need for physical contact. Once testing and training are complete, the new scanners will go into full-time use at Hopkins."
Seeking Bypass: What Will Ultimately End Confidence in the Necessity of Parental Involvement Laws? - Public interest law advocate Diana Philip's commentary focuses specifically on the multifaceted, complex and challenging issues that encompass the dichotomy between reproductive health care and rights available to adult pregnant women and pregnant minors. Diana's position includes references to seminal legal cases as well as to selected scholarly literature in the field of juvenile reproductive health.
PASS ID Act Addresses Major Privacy Concerns in REAL ID: "CDT testified [July 15, 2009] before the Senate Committee on Homeland Security and Governmental Affairs hearing on reevaluating the REAL ID Act. CDT testified in support of the PASS ID Act, noting that it mitigates or corrects critical privacy and security flaws introduced by REAL ID, while still establishing minimum federal standards for the issuance of driver's licenses and ID cards. While the PASS ID Act does not address all flaws in the REAL ID program, merely repealing REAL ID does not address all of the underlying privacy and security risks posed by government identification programs, CDT said. PASS ID provides the opportunity to start building privacy guidance and protections into all state identification programs, addressing trends and issues that will exist regardless of REAL ID implementation."
News release: "Javelin Strategy & Research released its Fifth Annual Card Issuers’ Identity Safety Scorecard, which analyzes the top 25 U.S. card issuers’ capabilities for protecting customers from identity fraud. To compile the report, Javelin incorporated data from annual household, consumer, and issuer surveys using Javelin’s Prevention, Detection and Resolution™ criteria to accurately reflect customer demands and trends in how issuers protect against fraud. The Javelin scorecard is a structured assessment of each issuer’s fraud protection services. The scorecard ranks features that best empower two major victims of the nation’s $48B identity fraud problem—cardholders and issuers—showing how to turn the tables on a worrying method of crime."
