Privacy
May 21, 2013
* Pew - Teens, Social Media, and Privacy

Teens, Social Media, and Privacy by Mary Madden, Amanda Lenhart, Sandra Cortesi, Urs Gasser, Maeve Duggan, Aaron Smith. May 21, 2013

    "Teens are sharing more information about themselves on social media sites than they have in the past, but they are also taking a variety of technical and non-technical steps to manage the privacy of that information. Despite taking these privacy-protective actions, teen social media users do not express a high level of concern about third-parties (such as businesses or advertisers) accessing their data; just 9% say they are “very” concerned."

    May 19, 2013
    * Technology Review - What Happened When One Man Pinged the Whole Internet

    A home science experiment that probed billions of Internet devices reveals that thousands of industrial and business systems offer remote access to anyone.

    "HD Moore’s census involved regularly sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world (Google, in contrast, collects information offered publicly by websites). Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them. On Tuesday [April 23, 2013], Moore published results on a particularly troubling segment of those vulnerable devices: ones that appear to be used for business and industrial systems. Over 114,000 of those control connections were logged as being on the Internet with known security flaws. Many could be accessed using default passwords and 13,000 offered direct access through a command prompt without a password at all."

    May 11, 2013
    * FOIA Request to DOJ Yields Expansively Redacted Response

    ABCNews: "The Department of Justice complied with the letter of the law and responded to a Freedom of Information Act request from the ACLU seeking insight into the Obama Administration’s policy on intercepting text messages from cell phones. But -- it didn’t release any actual information. Or even any words or letters. As one Reddit comment put it, “[the document is] so transparent it’s completely invisible.” Instead, the Justice Department released 15 pages that were entirely redacted, shaded over in heavy black from top to bottom. All that was visible is the subject of the memo: “Guidance for the Minimization of Text Messages over Dual-Function Cellular Telephones”. It is all part of a larger legal battle between civil rights activists and the federal law enforcement about electronic communications. The ACLU has argued that current government surveillance practices on electronic communications violate citizens’ Fourth Amendment rights, which are meant to protect Americans from unlawful searches and seizures. With the FOIA request they were trying to determine if the FBI had properly complied with a 2010 appeals court decision that concerned when email providers must turn over messages to law enforcement and whether the guidelines apply to text messages."

    May 09, 2013
    * On The "Right to Be Forgotten": Challenges and Suggested Changes to the Data Protection Regulation

    On The "Right to Be Forgotten": Challenges and Suggested Changes to the Data Protection Regulation

    "Since January 2012, the European Union institutions have been debating draft legislation to reform European rules on data protection (commonly referred to as the Data Protection Regulation (DPR)). Article 17 of the proposed DPR presents the concept of a "Right to Be Forgotten". Article 17 would allow a user to request that an online service provider delete all data – including data that has been made public – it has about that user. While CDT is sympathetic to the concerns that underlie Article 17, we have recommended that it be redrafted and narrowed substantially. As laid out in the Commission’s proposal it would significantly limit users’ free expression rights and impose unreasonable burdens on online platforms and ISPs, likely leading to fewer platforms for user speech. Private companies are ill-equipped to take responsibility for decisions that balance the right to privacy with the right to free expression. Such questions are ultimately for courts to decide, interpreting carefully drawn legislative mandates in light of relevant human rights jurisprudence. Moreover, we believe that the measures to protect journalistic and artistic expression – namely, those granted by Article 80 of the DPR – are too narrowly drafted and do not satisfy international human rights obligations regarding free expression."

    May 08, 2013
    * Report from European Coalition for Digital Rights

    International privacy organisations: Don't let corporations strip citizens of their right to privacy

    "This report features new analysis by privacy experts of proposed amendments to the draft Data Protection Regulation. It reveals how many of these amendments threaten to critically undermine the privacy of EU consumers and citizens. Together, the amendments are an effort to strip EU citizens 'naked' by making it almost impossible for them to control who sees their personal information and even how it is used...We have grouped the amendments into five themes, outlining exactly why they would be so damaging for EU citizens' privacy rights. The proposals would:
    • weaken the definition of consent, making it more likely people could unwittingly agree to their data being used.
    • make it easy for companies to profile people without their consent, resulting in possible discrimination particularly of the most vulnerable.
    • allow businesses more readily to decide their interests outweigh people's privacy rights.
    • assume that so-called “pseudonymisation of data” is an effective means of avoiding privacy harms.
    May 07, 2013
    * FTC Testifies on Credit Reporting Accuracy Study, FCRA Enforcement, Credit Education

    "The Federal Trade Commission testified before a U.S. Senate Commerce subcommittee on a recent FTC study examining the accuracy of consumer credit reports, as well as the agency’s efforts to improve credit report accuracy through enforcement and education. On behalf of the agency, Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, told the Subcommittee on Consumer Protection, Product Safety, and Insurance that errors in credit reports can cause consumers to be denied credit or other benefits or pay a higher price for them. It may also lead credit issuers to make inaccurate decisions that cause them to deny credit to a potentially valuable customer or issue credit to a riskier customer than intended."

    * EPIC - Senate Confirms Chairman of Privacy and Civil Liberties Oversight Board

    EPIC: "Today the Senate voted to confirm David Medine as the Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), an agency established to review executive branch actions and to protect privacy and civil liberties after 9/11. EPIC urged the creation of an independent privacy agency after 9/11. At the first meeting of the agency in 2012, EPIC set out several priorities for PCLOB, including (1) suspension of the fusion center program, (2) limitations on CCTV surveillance, (3) removal of airport body scanners, (4) establishing privacy regulation for drones, (5) updating data disclosure standards, and (6) ensuring Privacy Act adherence. For more information, see EPIC: The 9/11 Commission Report and EPIC: The Sui Generis Privacy Agency."

    May 05, 2013
    * Secret surveillance of American citizens - "no digital communication is secure"

    Are all telephone calls recorded and accessible to the US government? A former FBI counterterrorism agent claims on CNN that this is the case, by Glenn Greenwald

    "The real capabilities and behavior of the US surveillance state are almost entirely unknown to the American public because, like most things of significance done by the US government, it operates behind an impenetrable wall of secrecy. But a seemingly spontaneous admission this week by a former FBI counterterrorism agent provides a rather startling acknowledgment of just how vast and invasive these surveillance activities are."

    May 04, 2013
    * FTC Issues Updated FAQs on Amended Children's Online Privacy Protection Rule

    "The Federal Trade Commission has issued an updated set of frequently asked questions designed to help website operators, mobile application developers, plug-ins and advertising networks operating on child-directed websites and online services prepare for upcoming changes to the Children’s Online Privacy Protection Rule. The document, titled Complying With COPPA: Frequently Asked Questions contains information directed to websites and online services whose work online may involve the collection of personal information from children under age 13. The document provides guidance from the FTC staff that supplements the rule and other COPPA–related material previously published by the FTC."

    May 02, 2013
    * For Their Eyes Only: The Commercialization of Digital Spying

    Citizen Lab [University of Toronto] "released a new report, For Their Eyes Only: The Commercialization of Digital Spying. The report features new findings, as well as consolidating a year of our research on the commercial market for offensive computer network intrusion capabilities developed by Western companies. Our new findings include:

    • We have identified FinFisher Command & Control servers in 11 new Countries. Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria.
    • Taken together with our previous research, we can now assert that FinFisher Command & Control servers are currently active, or have been present, in 36 countries.

    May 01, 2013
    * Google Transparency Report

    "Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual. In this report, we disclose:

    • Real-time and historical traffic to Google services around the world;
    • Numbers of removal requests we receive from copyright owners or governments;
    • Numbers of user data requests we receive from government agencies and courts.

    To learn more about the laws governing our disclosure of user data and reforms to those laws that we think are important, visit http://digitaldueprocess.org/. We hope this report will shine some light on the appropriate scope and authority of government requests to obtain user data around the globe."

    April 30, 2013
    * EFF Surveys Major Tech Companies' Privacy and Transparency Policies

    News release: "As you search the Internet, visit websites, and update your social media accounts, you entrust a wealth of data to service providers: your thoughts, your photos, your location, and much more. What happens when the government wants access to all of this information, held by companies like Google and Facebook and AT&T? Will these providers help you fight back against unfair demands for data about your private life? Today the Electronic Frontier Foundation (EFF) releases its third annual report, Who Has Your Back?, which looks at major technology service providers' commitment to users' rights in the face of government data demands. EFF's report examines 18 companies' terms of service, privacy policies, advocacy, and courtroom track records, awarding up to six gold stars for best practices in categories like "require a warrant for content," "tell users about government data demands," and "publish transparency reports."

    * A Secure Submission System for Online Whistleblowing Platforms

    A Secure Submission System for Online Whistleblowing Platforms. Volker Roth, Benjamin Güldenring, Eleanor Rieffel, Sven Dietrich, Lars Ries (Submitted on 26 Jan 2013) An abridged version has been accepted for publication in the proceedings of Financial Cryptography and Data Security 2013.

    "Whistleblower laws protect individuals who inform the public or an authority about governmental or corporate misconduct. Despite these laws, whistleblowers frequently risk reprisals and sites such as WikiLeaks emerged to provide a level of anonymity to these individuals. However, as countries increase their level of network surveillance and Internet protocol data retention, the mere act of using anonymizing software such as Tor, or accessing a whistleblowing website through an SSL channel might be incriminating enough to lead to investigations and repercussions. As an alternative submission system we propose an online advertising network called AdLeaks. AdLeaks leverages the ubiquity of unsolicited online advertising to provide complete sender unobservability when submitting disclosures. AdLeaks ads compute a random function in a browser and submit the outcome to the AdLeaks infrastructure. Such a whistleblower's browser replaces the output with encrypted information so that the transmission is indistinguishable from that of a regular browser. Its back-end design assures that AdLeaks must process only a fraction of the resulting traffic in order to receive disclosures with high probability. We describe the design of AdLeaks and evaluate its performance through analysis and experimentation."

    April 28, 2013
    * US News: IRS tracks your digital footprint

    "The Internal Revenue Service is collecting a lot more than taxes this year -- it's also acquiring a huge volume of personal information on taxpayers' digital activities, from eBay auctions to Facebook posts and, for the first time ever, credit card and e-payment transaction records, as it expands its search for tax cheats to places it's never gone before. The IRS, under heavy pressure to help Washington out of its budget quagmire by chasing down an estimated $300 billion in revenue lost to evasions and errors each year, will start using "robo-audits" of tax forms and third-party data the IRS hopes will help close this so-called "tax gap." But the agency reveals little about how it will employ its vast, new network scanning powers. Tax lawyers and watchdogs are concerned about the sweeping changes being implemented with little public discussion or clear guidelines, and Congressional staff sources say the IRS use of "big data" will be a key issue when the next IRS chief comes to the Senate for approval. Acting commissioner Steven T. Miller replaced Douglas Shulman last November."

    April 27, 2013
    * EPIC Pursues Public Release of Facebook and MySpace Privacy Reports

    EPIC: "EPIC has submitted Freedom of Information Act requests for the release of the privacy assessments of Facebook and MySpace submitted to the Federal Trade Commission. As a result of privacy violations, both companies are required to implement comprehensive privacy programs and submit to independent, biennial evaluations for 20 years. Previously, EPIC obtained a copy of Google's initial privacy assessment that redacted information about the standards by which the assessment was completed, the test procedures used to assess the effectiveness of Google's privacy controls, the procedures Google uses to identify privacy risks, and the types of personal data Google collects from users. The FTC settlements with Facebook and Google arose from complaints brought by EPIC and other consumer organizations. In comments to the agency on the proposed settlements, EPIC recommended that the privacy assessments be publicly available. For more information, see EPIC: Federal Trade Commission and EPIC: Open Government."

    April 25, 2013
    * Publicly Available Social Media Monitoring and Situational Awareness Initiative Update

    Privacy Impact Assessment for the Office of Operations Coordination and Planning - Publicly Available Social Media Monitoring and Situational Awareness Initiative, DHS, Update April 1, 2013

    "To monitor social media, National Operations Center Media Monitoring analysts only use publicly available search engines, content aggregators, and site-specific search tools to find items of potential interest to DHS. Once the analysts determine an item or event is of sufficient value to DHS to be reported, they extract only the pertinent, authorized information, and put it into a specific web application (Media Monitoring Capability (MMC) application) to build and format their reports. The unused information for each item of interest is not stored or filed for reference and is lost when the webpage is closed or deleted. The MMC application also facilitates tracking previous reports to help avoid duplicative reporting and ensures further development of reporting on ongoing issues. It allows analysts to electronically document details using a customized user interface, and disseminate relevant information in a standardized format. Using the MMC application, NOC MMC analysts can efficiently and effectively catalog the information by adding meta-tags such as location, category, critical information requirement, image files, and source information. The application empowers NOC MMC analysts to have a better grasp of the common operating picture by providing the means to quickly search for an item of interest using any of the above-mentioned meta-tags as well as enabling them to respond to requests for information from other collaborating entities in a timely fashion."

    April 24, 2013
    * DHS Releases Revised Privacy Impact Assessment on Internet Monitoring Program

    EPIC: "The Department of Homeland Security has released a Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see EPIC v. NSA - Cybersecurity Authority."

    * 2013 Data Breach Investigations Report

    "Verizon’s 2013 Data Breach Investigations Report (DBIR) provides truly global insights into the nature of data breaches that can help organizations of all sizes to better understand the threat and take the necessary steps to protect themselves. The breadth and depth of data represented in this year’s DBIR is unprecedented. It combines the efforts of 19 global organizations: law enforcement agencies, national incident-reporting entities, research institutions, and a number of private security firms — all working to study and combat data breaches. Over the years the number of contributors has grown. Since we started publishing the DBIR in 2008, our partners have contributed data information on more than 2,500 confirmed data breaches — totaling more than a billion compromised records."

    April 23, 2013
    * EFF - How Facebook Teams Up With Data Brokers to Show You Targeted Ads

    EFF: "Recently, we published a blog post that described how to opt out of seeing ads on Facebook targeted to you based on your offline activities. This post explained where these companies get their data, what information they share with Facebook, or what this means for your privacy. So get ready for the nitty-gritty details: who has your information, how they get it, and what they do with it. It’s a lot of information, so we’ve organized it into an FAQ for convenience."

    April 18, 2013
    * Submission of Mental Health Records to NICS and the HIPAA Privacy Rule

    CRS - Submission of Mental Health Records to NICS and the HIPAA Privacy Rule, April 15, 2013

    "Questions about the scope and efficacy of the background checks required during certain firearm purchases have gained prominence following recent mass shootings. These background checks are intended to identify whether potential purchasers are prohibited from purchasing or possessing firearms due to one or more “prohibiting factors,” such as a prior felony conviction or a prior involuntary commitment for mental health reasons. Operationally, such background checks primarily use information contained within the National Instant Criminal Background Check System (NICS) and a particular focus of the debate in Congress has been whether federal privacy standards promulgated under the Health Insurance Portability and Accountability Act (i.e., the HIPAA privacy rule) or state privacy laws are an obstacle to the submission of mental health records to NICS."

    April 15, 2013
    * OECD - Machine-to-Machine Communications - Connecting Billions of Devices

    Machine-to-Machine Communications - Connecting Billions of Devices. Publication date: 30 Jan 2012. Bibliographic information: No. 192, 45 pages. DOI 10.1787/5k9gsh2gp043-en

    "This document examines the future of machine-to-machine communication (M2M), with a particular focus on mobile wireless networks. M2M devices are defined, in this paper, as those that are actively communicating using wired and wireless networks, are not computers in the traditional sense and are using the Internet in some form or another. While, at the global level, there are currently around five billion devices connected to mobile networks, this may by some estimates increase to 50 billion by the end of the decade. The report provides examples of some of the uses to which M2M is being put today and its potential to enhance economic and social development. It concludes that to achieve these benefits, however, changes to telecommunication policy and regulatory frameworks may be required. Some of the main areas that will need to be evaluated, and implications of M2M assessed, include: opening access to mobile wholesale markets for firms not providing public telecommunication services; numbering policy; frequency policy; privacy and security; and access to public sector information."

    April 09, 2013
    * EPIC Sues FBI to Obtain Details of Massive Biometric ID Database

    "EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition."

    April 08, 2013
    * CRS - Drones in Domestic Surveillance Operations

    Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses. Richard M. Thompson II, Legislative Attorney. April 3, 2013

    "The prospect of drone use inside the United States raises far-reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues. Drones, or unmanned aerial vehicles (UAVs), are aircraft that can fly without an onboard human operator. An unmanned aircraft system (UAS) is the entire system, including the aircraft, digital network, and personnel on the ground. Drones can fly either by remote control or on a predetermined flight path; can be as small as an insect and as large as a traditional jet; can be produced more cheaply than traditional aircraft; and can keep operators out of harm’s way. These unmanned aircraft are most commonly known for their operations overseas in tracking down and killing suspected members of Al Qaeda and related organizations. In addition to these missions abroad, drones are being considered for use in domestic surveillance operations to protect the homeland, assist in crime fighting, disaster relief, immigration control, and environmental monitoring. Although relatively few drones are currently flown over U.S. soil, the Federal Aviation Administration (FAA) predicts that 30,000 drones will fill the nation’s skies in less than 20 years."

    April 07, 2013
    * IRS Releases the Dirty Dozen Tax Scams for 2013

    News release: "The Internal Revenue Service...issued its annual “Dirty Dozen” list of tax scams, reminding taxpayers to use caution during tax season to protect themselves against a wide range of schemes ranging from identity theft to return preparer fraud. The Dirty Dozen listing, compiled by the IRS each year, lists a variety of common scams taxpayers can encounter at any point during the year. But many of these schemes peak during filing season as people prepare their tax returns. "This tax season, the IRS has stepped up its efforts to protect taxpayers from a wide range of schemes, including moving aggressively to combat identity theft and refund fraud," said IRS Acting Commissioner Steven T. Miller. "The Dirty Dozen list shows that scams come in many forms during filing season. Don't let a scam artist steal from you or talk you into doing something you will regret later." Illegal scams can lead to significant penalties and interest and possible criminal prosecution. IRS Criminal Investigation works closely with the Department of Justice (DOJ) to shut down scams and prosecute the criminals behind them."

    April 06, 2013
    * Firefox getting smarter about third-party cookies

    Via Firefox Aurora Notes - Firefox getting smarter about third-party cookies: "On Friday, Mozilla released a Firefox patch into its “Nightly” channel that changes how cookies from third party companies function. Users of this build of Firefox must directly interact with a site or company for a cookie to be installed on their machine. The patch also provides an additional control setting under the “Privacy” tab in Firefox’s Preferences menu. Many years of observing Safari’s approach to third party cookies, a rapidly expanding number of third party companies using cookies to track users, and strong user support for more control is driving our decision to move forward with this patch. We have a responsibility to advance features and controls that bring users’ expectations in line with how the web functions for them."

    * EU Data Protection Policies Challenge Google Privacy Policy

    PCWorld: "Six European data protection authorities will conduct formal investigations of Google's privacy policy after the company repeatedly rejected their requests that it reverse changes it made to the policy last March. Data protection authorities in France, Germany, Italy, the Netherlands, Spain, and the U.K. have resolved to conduct investigations or inspections of Google's privacy policy, following an initial investigation by the French data protection authority. The precise nature of the actions will depend on how the European Data Protection Directive has been transposed in their respective national laws."

    April 05, 2013
    * EPIC Supports Public Mark Up for Controversial Cyber Security Bill

    "EPIC joined a letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process of the Cyber Intelligence Sharing and Protection Act (CISPA) to the public. CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." Some in Congress believe that the proposal should be adopted in a secret committee meeting. EPIC favors government transparency and is currently pursuing a lawsuit against the NSA stemming from a FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see EPIC: EPIC v. NSA - Cybersecurity Authority."

    April 03, 2013
    * EPIC: EU Takes Action Against Google for Privacy Policy Meltdown

    EPIC: "Data protection agencies in six European countries have announced enforcement actions against Google. The agencies acted after Google ignored recommendations to comply with European data protection law. "It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation," the French data protection authority said. The enforcement action follows from Google's March 2012 decision to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's revised privacy policies also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order."

    April 01, 2013
    * Court Rules for EPIC, Denies FBI Request for Delay in StingRay Case

    "A federal judge in Washington, DC today issued an Opinion denying the FBI's motion to delay the release of records sought under the Freedom of Information Act. The decision follows from a lawsuit filed by EPIC against the FBI for records about the agency's use of cell-site simulator technology, commonly referred to as "StingRay." These devices track cell phones and collect a vast amount of data from telephone customers. The Court found that the FBI was not facing the "exceptional circumstances" necessary to justify its proposed two-year delay. The Court ordered the agency to produce all records, except those subject to classification review, by August 1, 2013. For more information, see EPIC v. FBI - StingRay."

    * Law review article - The Dangers of Surveillance

    The Dangers of Surveillance, Neil M. Richards. Washington University in Saint Louis - School of Law, March 25, 2013. Harvard Law Review, 2013. Via SSRN

    "From the Fourth Amendment to George Orwell’s Nineteen Eighty-Four, our law and literature are full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don’t really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with “privacy,” we lack an understanding of what “privacy” means in this context, and why it matters. Developments in government and corporate practices, however, have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance. This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of “surveillance studies,” I explain what those harms are and why they matter. At the level of theory, I explain when surveillance is particularly dangerous, and when it is not. Surveillance is harmful because it can chill the exercise of our civil liberties, especially our intellectual privacy. It also gives the watcher power over the watched, creating the risk of a variety of other harms, such as discrimination, coercion, and the threat of selective enforcement, where critics of the government can be prosecuted or blackmailed for wrongdoing unrelated to the purpose of the surveillance."

    March 31, 2013
    * Commentary - We Need a Better, Simpler Narrative of US Privacy Laws

    Peter Fleischer, Global Privacy Counsel for Google: "On the global stage, Europe is convincing many countries around the world to implement privacy laws that follow the European model. The facts speak for themselves: in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws. Not a single country, anywhere, has followed the US-model. Indeed, what is the US model? People in the privacy profession know that the US has a dense "patchwork" model of privacy laws: every individual US State has numerous privacy laws, the Federal government has numerous sectoral laws, and numerous other "non-privacy" laws, like consumer protection laws, are regularly invoked in privacy matters. Regulators in many corners of government, ranging from State attorneys general, to the Federal Trade Commission, and armies of class action lawyers inspect every privacy issue for possible actions..."

    * Report of Select Committee on Intelligence to US Senate covering the period January 5, 2011 - January 3, 2013

    Report of the Select Committee on Intelligence to United States Senate covering the period January 5, 2011 - January 3, 2013, 113th Congress, 1st Session, Senate Report 113-7.

  • "A major focus of the Committee's oversight agenda is the review of existing intelligence programs and proposed legislation to ensure that U.S. person privacy rights and civil liberties are not compromised during the collection of intelligence information. However, most of the Committee's oversight activities and efforts are, of necessity, done in secret in order to protect sources and methods vital to our nation's security. During the course of the 112th Congress, the Committee held numerous hearings, briefings, and meetings on a broad range of activities and programs performed by the seventeen elements of the Intelligence Community. Examples of these oversight activities include: the examination of intelligence support to U.S. military operations in Afghanistan and Iraq; the continued study of the threats posed by Iran; a review of the successful raid against Usama bin Ladin in Abbottabad, Pakistan; consideration of legislative proposals designed to counter the unauthorized disclosure of classified information to the media; and sustained concern about the cybersecurity threat."
  • March 26, 2013
    * Proposed new EU General Data Protection Regulation

    Proposed new EU General Data Protection Regulation: Article-by-article analysis paper, V1.0, 12 February 2013. UK Information Commissioner's Office (ICO).

  • "We originally produced this document for two main audiences – the ICO’s own staff and the Ministry of Justice, to help to inform the UK’s negotiations in Europe. However, it has become clear that the information contained in this paper could be of use more widely, as a resource for all those with an interest in the data protection reform process and the ICO’s views. Therefore we have decided to publish it."
    * Nature.com - Unique in the Crowd: The privacy bounds of human mobility

    Unique in the Crowd: The privacy bounds of human mobility, Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen & Vincent D. Blondel. Scientific Reports 3; Article number:1376; doi:10.1038/srep01376; Published 25 March 2013

  • "We study fifteen months of human mobility data for one and a half million individuals and find that human mobility traces are highly unique. In fact, in a dataset where the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier's antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals. We coarsen the data spatially and temporally to find a formula for the uniqueness of human mobility traces given their resolution and the available outside information. This formula shows that the uniqueness of mobility traces decays approximately as the 1/10 power of their resolution. Hence, even coarse datasets provide little anonymity. These findings represent fundamental constraints to an individual's privacy and have important implications for the design of frameworks and institutions dedicated to protect the privacy of individuals."
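The uniqueness test the abstract describes, as an added illustration that is not the authors' code or data: constructed hourly traces for four users (not carrier records), an inverted index from (hour, antenna) points to the users seen there, and the fraction of p-point subsets of a user's trace that match nobody else. The paper samples random points per user; this version checks every p-subset exhaustively so the numbers are exact, and a `coarsen` step (integer binning, a stand-in for real cell merging) shows uniqueness falling as resolution drops.

```python
"""Uniqueness of mobility traces, after de Montjoye et al. (2013).

Added illustration, not the authors' code. TRACES is constructed toy data
(4 users, 4 hourly observations each). The paper samples p random points
per user; here every p-subset of each user's trace is tested instead.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: user -> list of (hour_index, antenna_id).
TRACES = {
    "u1": [(0, 10), (1, 10), (2, 12), (3, 15)],
    "u2": [(0, 10), (1, 11), (2, 12), (3, 15)],
    "u3": [(0, 10), (1, 10), (2, 12), (3, 16)],
    "u4": [(0, 20), (1, 21), (2, 22), (3, 23)],
}


def coarsen(traces, hours_per_bin=1, antennas_per_cell=1):
    """Lower temporal and spatial resolution: bin hours and group antenna ids
    into larger cells by integer division (a stand-in for merging real cells).
    Points that collapse onto each other are kept once."""
    out = {}
    for user, pts in traces.items():
        out[user] = sorted({(h // hours_per_bin, a // antennas_per_cell) for h, a in pts})
    return out


def build_index(traces):
    """Inverted index: spatio-temporal point -> set of users observed there."""
    index = defaultdict(set)
    for user, pts in traces.items():
        for pt in pts:
            index[pt].add(user)
    return index


def matching_users(index, points):
    """Users whose trace contains every point in `points` (set intersection)."""
    sets = [index.get(pt, set()) for pt in points]
    return set.intersection(*sets) if sets else set()


def uniqueness(traces, p):
    """Fraction of (user, p-point subset of that user's trace) pairs for which
    the p points match no other user. 1.0 means p points always suffice."""
    index = build_index(traces)
    unique = total = 0
    for user, pts in traces.items():
        for subset in combinations(pts, p):
            total += 1
            if matching_users(index, subset) == {user}:
                unique += 1
    return unique / total if total else 0.0


def uniqueness_curve(traces, max_p):
    """Uniqueness for p = 1..max_p, the quantity the paper plots against p."""
    return {p: uniqueness(traces, p) for p in range(1, max_p + 1)}


if __name__ == "__main__":
    for p, u in uniqueness_curve(TRACES, 4).items():
        print(f"p={p}: {u:.3f} of subsets identify a single user")
    coarse = coarsen(TRACES, hours_per_bin=4, antennas_per_cell=10)
    print("after coarsening to one bin and two cells, p=1:", uniqueness(coarse, 1))
```

On this toy data one point rarely singles anyone out, four points always do, and collapsing the day into one time bin and the antennas into two cells leaves only one user identifiable; the same shape, at a much larger scale, is what the paper's 1/10-power decay formula describes.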
  • March 25, 2013
    * Cloud Computing: Constitutional and Statutory Privacy Protections

    CRS - Cloud Computing: Constitutional and Statutory Privacy Protections, Richard M. Thompson II, Legislative Attorney. March 22, 2013

  • "...cloud computing is a web-based service that allows users to access anything from e-mail to social media on a third-party computer. For instance, Gmail and Yahoo are cloud-based email services that allow users to access and store emails that are saved on each respective service’s computer, rather than on the individual’s computer. As more communications are facilitated through these cloud-based programs, it is no surprise that government and law enforcement would seek to access this stored information to conduct criminal investigations, prevent cyber threats, and thwart terrorist attacks, among other purposes. This prompts the following questions: (1) What legal protections are in place for information shared and stored in the cloud? (2) What legal process must the government follow to obtain this information? and (3) How do these rules differ from those applied in the physical world?"
  • March 18, 2013
    * Opinion column by security technologist - The Internet is a surveillance state

    Bruce Schneier is a security technologist and author of "Liars and Outliers: Enabling the Trust Society Needs to Survive."

  • "The Internet is a surveillance state. Whether we admit it to ourselves or not, and whether we like it or not, we're being tracked all the time. Google tracks us, both on its pages and on other pages it has access to. Facebook does the same; it even tracks non-Facebook users. Apple tracks us on our iPhones and iPads. One reporter used a tool called Collusion to track who was tracking him; 105 companies tracked his Internet use during one 36-hour period. Increasingly, what we do on the Internet is being combined with other data about us...Everything we do now involves computers, and computers produce data as a natural by-product. Everything is now being saved and correlated, and many big-data companies make money by building up intimate profiles of our lives from a variety of sources."

  • March 13, 2013
    * Research - Digital records could expose intimate details and personality traits of millions

    "New research, published today in the journal PNAS, shows that surprisingly accurate estimates of Facebook users’ race, age, IQ, sexuality, personality, substance use and political views can be inferred from automated analysis of only their Facebook Likes - information currently publicly available by default. In the study, researchers describe Facebook Likes as a “generic class” of digital record - similar to web search queries and browsing histories - and suggest that such techniques could be used to extract sensitive information for almost anyone regularly online. Researchers at Cambridge’s Psychometrics Centre, in collaboration with Microsoft Research Cambridge, analysed a dataset of over 58,000 US Facebook users, who volunteered their Likes, demographic profiles and psychometric testing results through the myPersonality application...The researchers also tested for personality traits including intelligence, emotional stability, openness and extraversion. While such latent traits are far more difficult to gauge, the accuracy of the analysis was striking. Study of the openness trait – the spectrum of those who dislike change to those who welcome it – revealed that observation of Likes alone is roughly as informative as using an individual’s actual personality test score."

    March 12, 2013
    * EPIC - States Fine Google for Street View Privacy Violations

    "Attorneys general for 38 states and the District of Columbia today reached a "$7 Million Settlement" with Google over consumer protection and privacy claims. The company engaged in the unauthorized collection of data from wireless networks, including private WiFi networks of residential Internet users. A detailed Assurance of Voluntary Compliance, setting out the terms of the settlement, is now available. In 2010, EPIC urged the Federal Communication Commission to investigate the Google Street View program after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. EPIC subsequently pursued FOIA requests regarding the FCC and the Department of Justice investigations. Federal wiretap claims concerning Street View are still pending in federal court. For more information, see EPIC: Investigations of Google Street View and EPIC: Joffe v. Google."

  • See also EFF commentary - Google's Wi-Fi Snooping Settlement is Really, Really Awful
  • March 11, 2013
    * ProPublica Profiles Data Brokers

    Lois Beckett - ProPublica: "Data companies are scooping up enormous amounts of information about almost every American. They sell information about whether you're pregnant or divorced or trying to lose weight, about how rich you are and what kinds of cars you have. Regulators and some in Congress have been taking a closer look at these so-called data brokers — and are beginning to push the companies to give consumers more information and control over what happens to their data. But many people still don't even know that data brokers exist."

    March 08, 2013
    * EFF- How To Opt Out of Receiving Facebook Ads Based on Your Real-Life Shopping Activity

    EFF: "Facebook has announced that it’s teaming up with four of the world’s largest corporate data brokers to “enhance” the ad experience for users. Datalogix, Epsilon, Acxiom, and BlueKai obtain information gathered about users through online means (such as through cookies when users surf the web) as well as through offline means (such as through loyalty cards at supermarkets and product warranty cards). Through the new relationship with Facebook, companies will be able to display advertisements to Facebook users based on data that these data brokers have on individuals...We recommend you use a tool such as Ghostery (now available on Firefox, Safari, Chrome, Opera and Internet Explorer) or Abine's DoNotTrackMe (available in Firefox, Safari, Chrome and Internet Explorer) or AdBlockPlus with EasyPrivacy Lists. See more comprehensive instructions in our 4 Simple Changes to Stop Online Tracking."

    * VA Review of Alleged Transmission of Sensitive VA Data Over Internet Connections

    VA Office of Inspector General, Office of Audits and Evaluations - Review of Alleged Transmission of Sensitive VA Data Over Internet Connections, March 6, 2013

  • "We substantiated the allegation that VA was transmitting sensitive data, including PII and internal network routing information, over an unencrypted telecommunications carrier network. Office of Information and Technology (OIT) personnel disclosed that VA typically transferred unencrypted sensitive data, such as electronic health records and internal Internet protocol addresses, among certain VA medical centers and Community Based Outpatient Clinics (CBOCs) using an unencrypted telecommunications carrier network."
  • March 06, 2013
    * EFF - States Seek Ban to Employers' Social-Media Snooping

    EFF: "Last year, Maryland became the first state to explicitly prohibit employers from forcing applicants or workers to disclose their personal names or passwords as a condition of employment. California followed soon after with its own measure, which further bars private employers from even requesting access to their workers social-media accounts. According to the National Conference of State Legislatures, some 28 states are weighing legislation addressing the issue in one regard or another in 2013. Broadly speaking, an individual should not have to open up their online private lives to get or keep a job. Not only is it an invasion of the job-seeker’s privacy, but such practices expose personal information belonging to friends and family members who thought they were communicating privately within a closed network."

    * EFF - Google Transparency Report Provides Info on National Security Letters

    EFF: "In an unprecedented win for transparency, yesterday Google began publishing generalized information about the number of National Security Letters that the company received in the past year as well as the total number of user accounts affected by those requests. Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the National Security Letter (NSL) power provided by five statutory provisions is one of the most frightening and invasive. These letters--the type served on communications service providers such as phone companies and ISPs, authorized by 18 U.S.C. 2709--allow the FBI to secretly demand data about ordinary American citizens' private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters' existence to anyone."

    * Silent Listeners: The Evolution of Privacy and Disclosure on Facebook

    Silent Listeners: The Evolution of Privacy and Disclosure on Facebook by Fred Stutzman, Ralph Gross, Alessandro Acquisti. Journal of Privacy and Confidentiality, Vol. 4, Issue 2 (2012) [via Study: Facebook Users More Protective Even as They Reveal More About Themselves]

  • "Over the past decade, social network sites have experienced dramatic growth in popularity, reaching most demographics and providing new opportunities for interaction and socialization. Through this growth, users have been challenged to manage novel privacy concerns and balance nuanced trade-offs between disclosing and withholding personal information. To date, however, no study has documented how privacy and disclosure evolved on social network sites over an extended period of time. In this manuscript we use profile data from a longitudinal panel of 5,076 Facebook users to understand how their privacy and disclosure behavior changed between 2005 - the early days of the network - and 2011. Our analysis highlights three contrasting trends. First, over time Facebook users in our dataset exhibited increasingly privacy seeking behavior, progressively decreasing the amount of personal data shared publicly with unconnected profiles in the same network. However, and second, changes implemented by Facebook near the end of the period of time under our observation arrested or in some cases inverted that trend. Third, the amount and scope of personal information that Facebook users revealed privately to other connected profiles actually increased over time, and because of that, so did disclosures to "silent listeners" on the network: Facebook itself, third-party apps, and (indirectly) advertisers. These findings highlight the tension between privacy choices as expressions of individual subjective preferences, and the role of the environment in shaping those choices."
  • March 04, 2013
    * EFF Surveillance Self Defense - Secure Deletion

    "Secure deletion involves the use of special software to ensure that when you delete a file, there really is no way to get it back again. When you "delete" a file — for instance, by putting the file in your computer's trash folder and emptying the trash — you may think you've deleted that file. But you really haven't. Instead, the computer has just made the file invisible to the user, and marked the part of the disk drive that it is stored on as "empty," meaning that it can be overwritten with new data. But it may be weeks, months, or even years before that data is overwritten, and the computer forensics experts can often even retrieve data that has been overwritten by newer files. Indeed, computers normally don't "delete" data; they just allow it to be overwritten over time, and overwritten again. The best way to keep those "deleted" files hidden, then, is to make sure they get overwritten immediately. Your operating system probably already includes software that can do this for you, and overwrite all of the "empty" space on your disk with gibberish (optionally multiple times), and thereby protect the confidentiality of deleted data. Examples include GNU Shred (Linux), Secure Delete (Mac OS X), and cipher.exe (Windows XP Pro and later)."
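The overwrite-then-unlink mechanism the EFF guide describes, as an added example that is not EFF's text or the code of GNU shred, srm or cipher.exe: the file is rewritten in place (opened without truncation so the same byte range is written), each pass is fsynced, a final zero pass leaves no random-looking residue, the name is scrambled before unlinking, and a round-trip helper on a constructed temp file reports what survives. One caveat the guide does not mention: on SSDs and on journaling, copy-on-write or snapshotting filesystems (ext4 with data journaling, btrfs, ZFS, APFS), an in-place overwrite can be written to fresh blocks while the old ones survive, so full-disk encryption with key destruction is the dependable control; this shows the mechanism on an ordinary file.

```python
"""Overwrite-then-unlink ("secure delete") for a single file.

Added example in the spirit of GNU shred and srm; not those tools' code.
Assumes a filesystem that rewrites blocks in place; see the caveat above
for SSDs and journaling/copy-on-write filesystems.
"""
import os
import tempfile


def _fill_pass(fd, size, fill, chunk):
    """Write `size` bytes produced by fill(n) from offset 0, then fsync so the
    bytes reach the device rather than sitting in the page cache."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        buf = fill(min(chunk, remaining))
        while buf:                      # os.write may write less than asked
            written = os.write(fd, buf)
            buf = buf[written:]
            remaining -= written
    os.fsync(fd)


def wipe_contents(path, passes=3, chunk=1 << 16):
    """Overwrite the file in place: `passes` random passes, then one zero pass.
    Opened without O_TRUNC so the original byte range is rewritten rather than
    a new, shorter extent allocated. Returns bytes overwritten per pass."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            _fill_pass(fd, size, os.urandom, chunk)
        _fill_pass(fd, size, lambda n: bytes(n), chunk)   # bytes(n) is n zero bytes
    finally:
        os.close(fd)
    return size


def secure_delete(path, passes=3):
    """Wipe contents, rename to a random name so the original filename does not
    linger in the directory entry, then unlink. Returns bytes wiped."""
    size = wipe_contents(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    scrambled = os.path.join(directory, os.urandom(8).hex())
    os.replace(path, scrambled)
    os.unlink(scrambled)
    return size


def demo_roundtrip(secret=b"SECRET", repeat=1000):
    """Write a constructed file holding `secret`, wipe it, read the raw bytes
    back, delete it, and report what remained at each step."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.txt")
    with open(path, "wb") as f:
        f.write(secret * repeat)
    size = wipe_contents(path, passes=1)
    with open(path, "rb") as f:
        after = f.read()
    secure_delete(path)
    report = {
        "size": size,
        "size_after_wipe": len(after),
        "secret_survives": secret in after,
        "all_zero": after == bytes(len(after)),
        "file_exists": os.path.exists(path),
        "dir_entries": os.listdir(workdir),
    }
    os.rmdir(workdir)
    return report


if __name__ == "__main__":
    for key, value in demo_roundtrip().items():
        print(f"{key}: {value}")
```

The guide's other suggestion, wiping free space, is the same loop applied to a file grown until the disk is full and then removed; it is omitted here because filling a disk is not something to run casually.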

    February 28, 2013
    * New Documents Reveal U.S. Marshals’ Drones Experiment

    "The use of surveillance drones is growing rapidly in the United States, but we know little about how the federal government employs this new technology. Now, new information obtained by the ACLU shows for the first time that the U.S. Marshals Service has experimented with using drones for domestic surveillance. We learned this through documents we released today, received in response to a Freedom of Information Act request. The documents are available here. (We also released a short log of drone accidents from the Federal Aviation Administration as well as accident reports and other documents from the U.S. Air Force.) This revelation comes a week after a bipartisan bill to protect Americans’ privacy from domestic drones was introduced in the House."

    * EPIC Testifies Before Maryland Legislature on Location Privacy

    "EPIC Appellate Advocacy Counsel Alan Butler testified before the Maryland House Judiciary Committee on H.B. 887, a location privacy bill that will establish a search warrant requirement for the collection of private location information. Mr. Butler discussed the current state of location tracking and privacy under the state and federal constitutions. The Maryland bill will require a warrant for location tracking and an annual report on electronic surveillance reports, similar to the federal wiretap reports. EPIC recently submitted amicus briefs in State v. Earls and In re US regarding location privacy. For more information, see EPIC: Locational Privacy and EPIC: State v. Earls."

    February 26, 2013
    * ACLU - New Document Sheds Light on Government’s Ability to Search iPhones

    "Cell phone searches are a common law enforcement tool, but up until now, the public has largely been in the dark regarding how much sensitive information the government can get with this invasive surveillance technique. A document submitted to court in connection with a drug investigation, which we recently discovered, provides a rare inventory of the types of data that federal agents are able to obtain from a seized iPhone using advanced forensic analysis tools. The list, available here, starkly demonstrates just how invasive cell phone searches are—and why law enforcement should be required to obtain a warrant before conducting them."

    February 25, 2013
    * EPIC - DHS Working Group to Consider Privacy Impact of Drones

    "The Department of Homeland Security has released a previously internal memo regarding the establishment of a working group to "Safeguard Privacy, Civil Rights, and Civil Liberties in the Department's Use and Support of Unmanned Aerial Systems" (drones). The memo states, "[t]he overarching goal of the working group is to determine what policies and procedures are needed to ensure that protections for privacy, civil rights, and civil liberties are designed into DHS and DHS-funded [drone] programs." DHS has developed a program to explore the expansive use of small drones for law enforcement. Customs and Border Protection currently operates 10 Predator B drones in the United States. In testimony before Congress in July 2012, EPIC said that federal agencies operating drones should adopt privacy regulations. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones."

    February 22, 2013
    * MEF Global Privacy Survey - challenges and opportunities

    "Mobile apps offer consumers fun and functionality via the one device that stays with them throughout the day. The explosion of the apps ecosystem is driven by new business models where many apps are free or heavily discounted which of course consumers love, but where developers monetize the information they collect on their users. The report, supported by AVG Technologies, was carried out in partnership with mobile specialists On Device Research to understand global consumer understanding and perceptions of apps that gather and use personal data such as address book information and location. The ten country study of 9,500 respondents reveals consumer attitudes towards the use of their personal information by mobile app providers, scrutinizing four key factors of privacy: Transparency, Comfort, Security and Control."

    February 21, 2013
    * New GAO Reports: FDIC Financial Audit, Data Sharing While Protecting Privacy
    • Financial Audit - Federal Deposit Insurance Corporation Funds' 2012 and 2011 Financial Statements, GAO-13-291, Feb 21, 2013
    • Human Services - Sustained and Coordinated Efforts Could Facilitate Data Sharing While Protecting Privacy, GAO-13-106, Feb 8, 2013
    February 19, 2013
    * EPIC - Europe Prepares Action Against Google

    EPIC: "The French Data Protection Commissioner, acting on behalf of the European Union, announced it will take action against Google after the company failed to reply to questions about its handling of user information. In October 2012, officials representing 24 countries in Europe sent a letter requiring Google to comply with European data protection laws, and give users greater control over their personal information. The action followed an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google. Google’s policy consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order."

    February 16, 2013
    * Secrecy News - Army's use of unmanned aerial systems within the United States

    Secrecy News, February 14, 2012: "'Legal restrictions on the use of unmanned aircraft systems in domestic operations are numerous,' the manual states. The question arises particularly in the context of Defense Support of Civil Authorities (DSCA), referring to military assistance to government agencies in disaster response and other domestic emergencies. 'Use of DOD intelligence capabilities for DSCA missions--such as incident awareness and assessment, damage assessment, and search and rescue--requires prior Secretary of Defense approval, together with approval of both the mission and use of the exact DOD intelligence community capabilities. Certain missions require not only approval of the Secretary of Defense, but also coordination, certification, and possibly, prior approval by the Attorney General of the United States...' [...from 2003 to 2010, small, unmanned aircraft systems flew approximately 250,000 hours]"

    February 12, 2013
    * EPIC Obtains New Documents About FBI Cellphone Tracking Technology

    EPIC - "In the fifth interim release of documents in EPIC v. FBI, a Freedom of Information Act lawsuit, the agency has turned over nearly 300 pages about the surveillance technique directed toward users of mobile phones. The documents obtained by EPIC reveal that agents have been using "cell site simulator" technologies, also known as "StingRay," "Triggerfish," or "Digital Analyzers" to monitor cell phones since 1995. Internal FBI e-mails, also obtained by EPIC, reveal that agents went through extensive training on these devices in 2007. In addition, a presentation from the agency's Wireless Intercept and Tracking Team argues that cell site simulators qualify for a low legal standard as a "pen register device," an interpretation that was recently rejected by a federal court in Texas. For more information, see EPIC v. FBI (StingRay)."

    February 07, 2013
    * EPIC - States Move to Limit Drone Surveillance

  • "Oregon became the most recent state to consider limits on the deployment of drones in the United States. A new bill sets out licensing requirements for drone use in Oregon and would fine those who use unlicensed drones to conduct surveillance. New limitations are also proposed for federal evidence collected by drone use in a state court. Florida, North Dakota, and Missouri are among the other states that are also considering laws that limit drone use within their jurisdiction. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones."

  • February 06, 2013
    * EPIC Urges Public Support for Driver Privacy Safeguards

    "The National Highway Traffic Safety Administration has proposed regulations for event data recorders (EDR) that will become mandatory in all cars and small trucks by 2014. Building on state privacy laws, EPIC has urged the federal agency to adopt comprehensive privacy safeguards for vehicle owners and operators, including driver ownership of data, limitations on disclosure, and better security for the data collected. EPIC has also launched a national campaign to encourage public comments to the federal agency."

  • See also CDT: "The NHTSA states that it is agency policy “to treat EDR data as the property of the vehicle owner.” That’s not enough. There needs to be a clear statement, both in the regulation itself, and in the owners manual, that any data recorded by the EDR are the sole property of the vehicle owner, and that the owner may expect that the EDR data remain private except if he or she consents to its disclosure."
  • January 28, 2013
    * Google’s approach to government requests for user data

    Google Official Blog: "...January 28, is Data Privacy Day, when the world recognizes the importance of preserving your online privacy and security. If it’s like most other days, Google—like many companies that provide online services to users—will receive dozens of letters, faxes and emails from government agencies and courts around the world requesting access to our users’ private account information. Typically this happens in connection with government investigations. It’s important for law enforcement agencies to pursue illegal activity and keep the public safe. We’re a law-abiding company, and we don’t want our services to be used in harmful ways. But it’s just as important that laws protect you against overly broad requests for your personal information...Today, for example, we’ve added a new section to our Transparency Report that answers many questions you might have. And last week we released data showing that government requests continue to rise, along with additional details on the U.S. legal processes—such as subpoenas, court orders and warrants—that governments use to compel us to provide this information."

    January 26, 2013
    * CDT: Feds Boost Privacy Protections for Medical Records

    CDT: "The privacy protections guarding the care and handling of your medical records just got stronger… a lot stronger. The new rules bolster prohibitions against use of a patient's medical records without consent for marketing communications; extend federal privacy and security protections to contractors (and subcontractors) of doctors, hospitals and insurers; improve your right to be notified when your medical records are lost, stolen or otherwise compromised; and clarify your right to receive a copy of your medical records when you ask for it. The new protections stem from the long-awaited final regulations to implement most of the improvements to federal health privacy protections enacted by Congress in the HITECH provisions of the 2009 economic stimulus legislation."

    * "Carnegie Mellon researchers devise grammar-aware password cracker"

    News release: "When writing or speaking, good grammar helps people make themselves be understood. But when used to concoct a long computer password, grammar — good or bad — provides crucial hints that can help someone crack that password, researchers at Carnegie Mellon University have demonstrated. A team led by Ashwini Rao, a software engineering Ph.D. student in the Institute for Software Research, developed a password-cracking algorithm that took into account grammar and tested it against 1,434 passwords containing 16 or more characters. The grammar-aware cracker surpassed other state-of-the-art password crackers when passwords had grammatical structures, with 10 percent of the dataset cracked exclusively by the team's algorithm. "We should not blindly rely on the number of words or characters in a password as a measure of its security," Rao concluded. She will present the findings on Feb. 20 at the Association for Computing Machinery's Conference on Data and Application Security and Privacy (CODASPY 2013) in San Antonio, Texas. Basing a password on a phrase or short sentence makes it easier for a user to remember, but the grammatical structure dramatically narrows the possible combinations and sequences of words, she noted."
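Why a grammatical passphrase is weaker than its character count suggests, as an added example that is not the CMU team's cracker: a constructed part-of-speech lexicon of 12 words and three constructed sentence templates generate far fewer phrases than the ungrammatical word combinations a word-count estimate assumes, and a target hash (SHA-256 of a constructed 17-character passphrase, not a real password) is recovered in a handful of guesses. A real attack would use a tagged dictionary of thousands of words and a grammar learned from leaked passwords; the counting here is exact so the gap is visible.

```python
"""Grammar-aware passphrase guessing, illustrating Rao et al.'s point.

Added example, not the CMU team's cracker. The lexicon, the templates and the
target passphrase are all constructed for this demonstration.
"""
import hashlib
from itertools import product

# Constructed lexicon: part-of-speech tag -> candidate words.
LEXICON = {
    "DET": ["the", "a"],
    "ADJ": ["red", "big", "little"],
    "NOUN": ["cat", "dog", "car", "key"],
    "VERB": ["runs", "sleeps", "barks"],
}

# Constructed grammar: each template is an ordered sequence of tags.
TEMPLATES = [
    ("DET", "ADJ", "NOUN", "VERB"),
    ("DET", "NOUN", "VERB"),
    ("ADJ", "NOUN", "VERB"),
]


def sha256_hex(passphrase):
    """Unsalted SHA-256, standing in for whatever hash the target leaked with."""
    return hashlib.sha256(passphrase.encode()).hexdigest()


def grammar_count(templates=TEMPLATES, lexicon=LEXICON):
    """Phrases the grammar can generate: product of slot sizes, summed over templates."""
    total = 0
    for template in templates:
        n = 1
        for tag in template:
            n *= len(lexicon[tag])
        total += n
    return total


def naive_word_count(vocab_size, max_words):
    """Phrases of 1..max_words words drawn from the whole vocabulary with no
    grammar: the number a word-count-based strength estimate assumes."""
    return sum(vocab_size ** k for k in range(1, max_words + 1))


def candidates(templates=TEMPLATES, lexicon=LEXICON, min_len=16):
    """Yield phrases in grammar order, skipping any shorter than min_len
    (the study looked at passwords of 16 or more characters)."""
    for template in templates:
        for words in product(*(lexicon[tag] for tag in template)):
            phrase = "".join(words)
            if len(phrase) >= min_len:
                yield phrase


def crack(target_hex, templates=TEMPLATES, lexicon=LEXICON, min_len=16):
    """Return (phrase, guesses) for the first candidate hashing to target_hex,
    or (None, guesses) if the grammar never produces it."""
    guesses = 0
    for phrase in candidates(templates, lexicon, min_len):
        guesses += 1
        if sha256_hex(phrase) == target_hex:
            return phrase, guesses
    return None, guesses


if __name__ == "__main__":
    vocab = sum(len(words) for words in LEXICON.values())
    print("grammatical phrases:", grammar_count())
    print("ungrammatical word combinations:", naive_word_count(vocab, 4))
    print("16 lowercase letters:", 26 ** 16)
    target = sha256_hex("thelittledogbarks")   # constructed 17-character target
    print("cracked:", crack(target))
```

The length filter matters: with `min_len=16` only the phrases built on the six-letter adjective are long enough, so the target falls on the sixth guess; without the filter it is the thirtieth, still out of a space of 132 rather than the 26^16 a character-count estimate would report.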

    January 24, 2013
    * EFF - Google Releases Transparency Report Showing US Surveillance Requests Up 33% in the Last Year

    News release: "This morning, Google released their semi-annual transparency report, and once again, it revealed a troubling trend: Internet surveillance around the world continues to rise, with the United States leading the way in demands for user data. Google received over 21,000 requests for data on over 33,000 users in the last six months from governments around the world, a 70% increase since Google started releasing numbers in 2010. The United States accounted for almost 40% of the total requests (8,438) and the number of users (14,791). The total numbers in the US for 2012 amounted to a 33% increase from 2011. And while Google only complied with two-thirds of the total requests globally, they complied with 88% of the requests in the United States."

    January 21, 2013
    * RFP Issued by SF for Wireless Control and Communication System for LED Luminaires and Other Devices

    Via Public Intelligence: "The following request for participants (RFP) was issued by the San Francisco Public Utilities Commission on June 8, 2012. The RFP concerns the construction of a wireless control and communications system for managing the city’s future network of dimmable LED streetlights. The RFP states that future uses for the secure wireless network may include street surveillance, gunshot monitoring, public information broadcasts, electric meter reading and pollution monitoring. For more information on the project, see Rebecca Bowe’s recent article in the San Francisco Bay Guardian."

    January 20, 2013
    * EFF - How to Protect Your Privacy from Facebook's Graph Search

    EFF news release: "Earlier this week, Facebook launched a new feature—Graph Search—that raised some privacy concerns with us. Graph Search allows users to make structured searches to filter through friends, friends of friends, and strangers. This feature relies on your profile information being made widely or publicly available, yet there are some Likes, photos, or other pieces of information that you might not want out there. Since Facebook removed the ability to remove yourself from search results altogether, we've put together a quick how-to guide to help you take control over what is featured on your Facebook profile and on Graph Search results. (Facebook also has a new video explaining how to control what shows up in Graph Search.)"

    January 19, 2013
    * EPIC - TSA to remove body scanners without privacy software by June 2013

    Follow up to previous postings on airport use of full body scanners, news from EPIC: "the US Transportation Security Administration will end the contract for backscatter x-ray devices. As a consequence, all devices that produce a detailed naked image of air travelers will be removed from US airports. Beginning in 2005, EPIC and then a coalition of privacy advocates, scientists, legal experts and lawmakers urged the TSA not to deploy the devices. The groups petitioned DHS Secretary Napolitano to suspend the program pending a thorough review. The agency went forward and EPIC sued. In EPIC v. DHS, the DC Circuit held that the devices could be used as long as passengers were able to opt-out. The federal appeals court also ordered the agency to "promptly" begin a public rulemaking. That process will likely begin in March 2013. For more information, see EPIC: EPIC v. DHS and EPIC: Body Scanners."

    January 13, 2013
    * Privacy on the Go - Recommendations for the Mobile Ecosystem

    Privacy on the Go - Recommendations for the Mobile Ecosystem, Kamala D. Harris, Attorney General, California Department of Justice. January 2013

  • "Today, 85 percent of American adults own a cell phone and over half of them use their phones to access the Internet. The mobile app marketplace is also booming with more than 1,600 new mobile apps being introduced every day. These apps allow us to do everything from streaming movies to hailing a cab to viewing our own X-ray and ultrasound images. Along with the many wonderful capabilities these apps offer, we remain mindful that the mobile environment also poses uncharted privacy challenges, such as the difficulty of providing consumers with meaningful information about privacy choices on small screens and the many players who may have access to sensitive user information...Recognizing that the legally required general privacy policy is not always the most effective way to get consumers’ attention, Privacy on the Go recommends a “surprise minimization” approach. This approach means supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information."

    January 11, 2013
    * EPIC - California Attorney General Releases Mobile App Privacy Guidelines

    EPIC: "California Attorney General Kamala Harris has issued a report describing best practices for mobile application privacy. The report, Privacy on the Go, recommends that app developers implement safeguards such as privacy-by-design and notice, but stops short of setting forth a comprehensive set of Fair Information Practices. The report follows a law that requires all service providers doing business in California, such as mobile app developers, to have a privacy policy available to consumers. The report also occurs while the White House's privacy multistakeholder process is attempting to develop a voluntary code of conduct for mobile app transparency. For more information, see EPIC: Mobile and Location Privacy."

    January 05, 2013
    * EFF - Extension Gives You More Control Over Your Facebook Privacy

    "Facebook Messages has a feature that tells you when a chat recipient has seen a message. This "read receipt" is, in true Facebook fashion, both nifty and unsettling. And it brings with it tons of potential for abuse. Unfortunately, there's no built-in method to opt out. Facebook's privacy interface has undergone change upon change, yet some needed controls simply don't exist—and these days consumer privacy depends heavily on control. Luckily, the developers over at Crossrider have an extension, Chat Undetected, that disables the read receipt feature. The extension is available for Chrome, Firefox, Internet Explorer, and Safari. By nature of its popularity, Facebook is inviting developers to customize users' experiences and create useful tools. We're hoping Facebook adopts a policy that allows its users to innovate, create, and—in the spirit of Facebook—hack. Currently, an overly vague Terms of Service has led Facebook to shut down helpful add-ons like Fluff-Busting Purity, which let users configure what news items were shown to them. As FB Purity's developer notes, many of his users stuck around Facebook only because their experience was tailored to their liking."

    January 03, 2013
    * Proposed Rulemaking - IRS Truncated Taxpayer Identification Numbers

    "This document contains proposed regulations that create a new taxpayer identifying number known as an IRS truncated taxpayer identification number, a TTIN. As an alternative to using a social security number (SSN), IRS individual taxpayer identification number (ITIN), or IRS adoption taxpayer identification number (ATIN), the filer of certain information returns may use a TTIN on the corresponding payee statements to identify the individual being furnished a statement. The TTIN displays only the last four digits of an individual’s identifying number and is shown in the format XXX-XX-1234 or ***-**-1234. These proposed regulations affect filers of certain information returns who will be permitted to identify an individual payee by use of a TTIN on the payee statement furnished to the individual, and those individuals who receive payee statements containing a TTIN."

    December 30, 2012
    * European Data Protection Supervisor - safeguarding data protection rights

    December 17, 2012: "the European Data Protection Supervisor (EDPS) published his Report on the Status of Data Protection Officers (DPOs) as part of his ongoing task to monitor the compliance of EU institutions and bodies with Article 24 of the European Data Protection Regulation, which obliges the appointment of DPOs...Article 24 of the Data Protection Regulation (EC) No 45/2001 provides that each EU institution/body has to appoint at least one Data Protection Officer (DPO) to ensure in an independent manner its internal application. Article 24 sets out the conditions of appointment of the DPOs, their status and the general conditions governing the performance of their duties. Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data."

  • Monitoring compliance of EU institutions and bodies with Article 24 of Regulation (EC) 45/2001 - Report on the Status of Data Protection Officers
    December 19, 2012
    * FTC Strengthens Kids’ Privacy By Amending Children’s Online Privacy Protection Rule

    News release: "The Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule that strengthen kids' privacy protections and give parents greater control over the personal information that websites and online services may collect from children under 13. The FTC initiated a review in 2010 to ensure that the COPPA Rule keeps up with evolving technology and changes in the way children use and access the Internet, including the increased use of mobile devices and social networking. The updates to the COPPA Rule reflect careful consideration of the entire record of the rulemaking, which included a public roundtable and several rounds of public comments sought by the agency."

    December 17, 2012
    * CRS - Intelligence Identities Protection Act

    Intelligence Identities Protection Act, Jennifer K. Elsea, Legislative Attorney, December 13, 2012

  • "Concern that government documents obtained by WikiLeaks and disclosed to several newspapers could reveal the identities of United States intelligence agents or informants focused attention on whether the disclosure or publication of such information could give rise to criminal liability. This report summarizes the Intelligence Identities Protection Act (IIPA; P.L. 97-200), enacted by Congress in 1982 to address the unauthorized disclosure of information that exposes covert U.S. intelligence agents. The act, as amended, is codified at 50 U.S.C. §§421-426, and provides criminal penalties in certain circumstances for intentional, unauthorized disclosure of information identifying a covert agent, where those making such a disclosure know that the information disclosed identifies the covert agent as such and that the United States is taking affirmative measures to conceal the covert agent’s foreign intelligence relationship to the United States. The act prescribes punishments for disclosing the identities of covert agents with increasing severity according to the level of access to classified information the offender exploited. Offenders without authorized access to classified information are subject to punishment only if they participated in a pattern of activity designed to discover and reveal the identities of covert agents and have reason to believe that such disclosure will harm U.S. intelligence operations."
    December 15, 2012
    * FindLaw - Data Stored on Cell Phones Not Protected, Fed. Court Rules

    FindLaw - "Data stored on personal cell phones is not protected by the Stored Communications Act (SCA), the U.S. Court of Appeals for the Fifth Circuit has ruled. As mobile technology changes rapidly, legal questions remain about the extent of digital privacy protection. The Fifth Circuit determined that the act does not protect information stored on personal devices such as cell phones, laptops and personal computers. The lawsuit was brought by a former police dispatcher who was dismissed after photos and text messages on her cell phone revealed that she was violating police department rules. The plaintiff's cell phone was removed from her locker and searched without her permission. The SCA only protects "facilit[ies] through which an electronic communication service is provided" and not the device that is used to access those communication services, the court explained."

    December 12, 2012
    * Commentary - The life span of email

    Curt Hopkins for The Daily Dot: "When a user “deletes” an email in the normal fashion, it becomes invisible to that user and is immediately a candidate to be overwritten. But until it is in fact overwritten, it exists. And it may persist longer on company servers. So, even if it is taken off your computer, it may still be available on the host’s server. Given that email-hosting companies are legally obliged to turn over user information to law enforcement and intelligence authorities with warrants—and these days even without them—the impossibility of being certain of a deletion means you must presume that any email you compose will remain accessible forever."

  • See also “A Pace Not Dictated by Electrons”: An Empirical Study of Work Without Email
    * U.S. DOT Proposes Broader Use of Event Data Recorders to Help Improve Vehicle Safety

    News release and Federal Register Notice: "In August 2006, NHTSA established a regulation that sets forth requirements for data elements, data capture and format, data retrieval, and data crash survivability for event data recorders (EDRs) installed in light vehicles. The requirements apply to light vehicles that are manufactured on or after September 1, 2012, and are equipped with EDRs. However, the regulation does not mandate the installation of EDRs in those vehicles. This notice of proposed rulemaking would establish a new safety standard mandating the installation of EDRs in most light vehicles manufactured on or after September 1, 2014. The EDRs in those vehicles would be required by the new standard to meet the data elements, data capture and format, data retrieval, and data crash survivability requirements of the existing regulation. This proposal would not modify any of the requirements or specifications in the regulation for EDRs voluntarily installed between September 1, 2012 and September 1, 2014."

    December 11, 2012
    * Privacy International - A New Dawn: Privacy in Asia

    "Privacy has truly become an issue of global resonance. A quick glance at policy agendas in countries around the world shows that privacy and surveillance issues are increasingly important. The challenge, however, is improving the ability of governments and policy stakeholders to engage in a policy debate that is informed about the dangers of surveillance and the importance of protecting privacy. This is the primary objective of our Privacy in the Developing World programme. In this report, A New Dawn: Privacy in Asia, we summarise our partner’s research into privacy in developing countries across Asia. The experiences of privacy in these countries are illustrative of the many opportunities for and challenges to the advancement of privacy, not only in the developing world but across the world. Click here for individual country reports for India, Pakistan, Bangladesh, Indonesia, Nepal, Malaysia, Thailand, Hong Kong, China and the Philippines."

    December 10, 2012
    * FTC's Latest Kids’ App Report Finds Little Progress in Addressing Privacy Concerns

    News release: "The Federal Trade Commission issued a new staff report, Mobile Apps for Kids: Disclosures Still Not Making the Grade, examining the privacy disclosures and practices of apps offered for children in the Google Play and Apple App stores. The report details the results of the FTC’s second survey of kids’ mobile apps...Staff examined hundreds of apps for children and looked at disclosures and links on each app’s promotion page in the app store, on the app developer’s website, and within the app. According to the report, “most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data. Even more troubling, the results showed that many of the apps shared certain information with third parties – such as device ID, geolocation, or phone number – without disclosing that fact to parents. Further, a number of apps contained interactive features – such as advertising, the ability to make in-app purchases, and links to social media – without disclosing these features to parents prior to download.”"

    December 07, 2012
    * WSJ - They Know What You're Shopping For

    WSJ.com: "The widening ability to associate people's real-life identities with their browsing habits marks a privacy milestone, further blurring the already unclear border between our public and private lives. In pursuit of ever more precise and valuable information about potential customers, tracking companies are redefining what it means to be anonymous...the sheer ease with which personal details can be shared online makes it difficult for people to know whether their information is safe. A Wall Street Journal survey of 50 popular websites, plus the Journal's own site, found that 12 sent potentially identifying information such as email addresses or full real names to third parties...The Journal tested an additional 20 sites that deal with sensitive information, including sites dealing with personal relationships, medical information and children. Nine of these sent potentially identifying information elsewhere."

  • See also WSJ.com's ongoing privacy coverage - investigative reporting and analysis.
    December 06, 2012
    * ProPublica Guide to Warrantless Access to Digital Data

    "The U.S. government isn’t allowed to wiretap American citizens without a warrant from a judge. But there are plenty of legal ways for law enforcement, from the local sheriff to the FBI, to snoop on the digital trails you create every day. Authorities can often obtain your emails and texts by going to Google or AT&T with a simple subpoena. Usually you won’t even be notified. The Senate last week took a step toward updating privacy protection for emails, but it's likely the issue will be kicked to the next Congress. Meantime, here’s how police can track you without a warrant now..."

    December 05, 2012
    * EFF - Newly Released Drone Records Reveal Extensive Military Flights in US

    News release: "Today EFF posted several thousand pages of new drone license records and a new map that tracks the location of drone flights across the United States. These records, received as a result of EFF’s Freedom of Information Act (FOIA) lawsuit against the Federal Aviation Administration (FAA), come from state and local law enforcement agencies, universities and—for the first time—three branches of the U.S. military: the Air Force, Marine Corps, and DARPA (Defense Advanced Research Projects Agency)."

    November 29, 2012
    * HHS Guidance Regarding Methods for De-identification of Protected Health Information

    Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

  • "This page provides guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The guidance explains and answers questions regarding the two methods that can be used to satisfy the Privacy Rule’s de-identification standard: Expert Determination and Safe Harbor. This guidance is intended to assist covered entities to understand what is de-identification, the general process by which de-identified information is created, and the options available for performing de-identification."
    November 28, 2012
    * EPIC - NASA Suffers More Data Breaches

    Via EPIC: "NASA has announced that the theft of an unencrypted laptop has compromised the personal information of a "large number" of NASA employees and contractors. A similar theft earlier this year exposed the data of thousands of Kennedy Space Center employees. The federal agency said that by the end of the year all NASA laptops must have full-disk encryption. The recent developments follow a 2010 United States Supreme Court case, NASA v. Nelson, in which a federal contractor challenged NASA's overly broad collection of personal information. EPIC filed an amicus curiae brief in support of the contractor Robert Nelson, arguing that there were insufficient legal protections and that NASA's systems are vulnerable to data breaches. Robert Nelson is among the employees and contractors who this week received a notice from NASA about the data breach. For more information, see EPIC: NASA v. Nelson and EPIC: Privacy Act."

  • See also New York Times: Losing in Court, and to Laptop Thieves, in a Battle With NASA Over Private Data
    November 26, 2012
    * AVG - How to Choose How You’re Tracked

    AVG Official Blog: "All the latest versions of the major browsers today include do-not-track user preference controls, but these merely express your wishes. Many third-party sites will honor your request, but many don’t. And they only let you decide whether you want to block online tracking or not. AVG offers a do-not-track feature in its AVG Anti-Virus Free Edition. AVG takes it a step further by allowing you to customize your blocking preferences at a granular level. Permanent Identifiers - One company to be aware of is BlueCava. Unlike cookies, which can be blocked or removed, BlueCava provides tracking technology that allows sites to permanently identify whatever device you’re using to connect to the web. The good news is, you can opt-out by going to http://www.bluecava.com/preferences, but you have to connect using each device you want to remove from their system."

    November 20, 2012
    * Pew - Parents, Teens, and Online Privacy

    Parents, Teens, and Online Privacy, by Mary Madden, Sandra Cortesi, Urs Gasser, Amanda Lenhart, Maeve Duggan, Nov 20, 2012. "Most parents of teenagers are concerned about what their teenage children do online and how their behavior could be monitored by others. Some parents are taking steps to observe, discuss, and check up on their children’s digital footprints, according to a new survey by the Pew Research Center’s Internet & American Life Project."

  • 81% of parents of online teens say they are concerned about how much information advertisers can learn about their child’s online behavior, with some 46% being “very” concerned.
    * Statement by FTC Bureau of Consumer Protection Director On Judge’s Approval of Google Safari Settlement

    News release: "Federal Trade Commission Bureau of Consumer Protection Director David Vladeck issued the following statement regarding a federal judge’s approval of the FTC proposed order and $22.5 million civil penalty settling charges that Google misrepresented privacy assurances to users of Apple’s Safari Internet browser in violation of a previous FTC settlement Order: “The court’s approval of the Commission’s record setting $22.5 million fine against Google is a clear victory for consumers and privacy. As this case and many others demonstrate, the Commission will continue to ensure that its orders are obeyed, and that consumers’ privacy is protected.”"

    November 18, 2012
    * Secrecy News Posts New CRS Reports on Privacy

    November 16, 2012
    * EFF - Google Transparency Report Shows Rising Trend of Government Surveillance

    EFF: "Each year, Google receives thousands of demands from governments around the world seeking information about its users. People who use any of the search engine giant’s free online services – such as Gmail, YouTube, Google+ or Blogger – leave digital footprints behind, and information relating to their accounts is increasingly sought out by law enforcement agencies. To raise awareness about this, Google publishes a Transparency Report every six months documenting how many requests it received for user data, and from which countries. The practice was recently emulated by Twitter."

    November 15, 2012
    * Privacy: An Overview of the Electronic Communications Privacy Act

    Privacy: An Overview of the Electronic Communications Privacy Act, Charles Doyle - Senior Specialist in American Public Law - October 9, 2012

  • "This report provides an overview of federal law governing wiretapping and electronic eavesdropping under the Electronic Communications Privacy Act (ECPA). It also appends citations to state law in the area and the text of ECPA. It is a federal crime to wiretap or to use a machine to capture the communications of others without court approval, unless one of the parties has given his prior consent. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping. Violations can result in imprisonment for not more than five years; fines up to $250,000 (up to $500,000 for organizations); civil liability for damages, attorneys’ fees and possibly punitive damages; disciplinary action against any attorneys involved; and suppression of any derivative evidence. Congress has created separate, but comparable, protective schemes for electronic communications (e.g., email) and against the surreptitious use of telephone call monitoring practices such as pen registers and trap and trace devices. Each of these protective schemes comes with a procedural mechanism to afford limited law enforcement access to private communications and communications records under conditions consistent with the dictates of the Fourth Amendment. The government has been given narrowly confined authority to engage in electronic surveillance, conduct physical searches, and install and use pen registers and trap and trace devices for law enforcement purposes under ECPA and for purposes of foreign intelligence gathering under the Foreign Intelligence Surveillance Act."
    November 14, 2012
    * EPIC - Google Transparency Report Reveals Risks of Cloud-based Computing

    "According to a recent report from Google, the company received 20,938 requests for user data in the first half of 2012, up from 18,257 requests in the second half of 2011. The United States accounted for 7,969 requests in the 2012 report. And of these requests, Google provided user data to the US government in 90% of the cases. Over the last several years, Google has pursued an aggressive effort to promote computing services that store personal data on Google's servers even as the number of government requests has grown. And earlier this year, Google reduced safeguards for Gmail users, over the objections of many lawmakers and users when it consolidated privacy policies across its various Internet services. In 2009, EPIC urged the Federal Trade Commission to look more closely at the privacy risks of cloud-based services. For more, see EPIC - "Cloud Computing"."

    November 13, 2012
    * EPIC - Supreme Court Limits Remedies for Credit Card Privacy Violations

    EPIC: "In U.S. v. Bormes, the U.S. Supreme Court held that the government could not be sued for violating the Fair Credit Reporting Act under an 1887 law that waived governmental immunity for certain claims "premised on other sources of law." The case arose after an attorney paid a federal-court filing fee with his credit card and noticed that the receipt included personal information in violation of the Fair Credit Reporting Act. He then sued the government under the Little Tucker Act, which waives sovereign immunity "for claims premised on other sources of law." Justice Scalia, writing for a unanimous Court, held that the attorney could not sue the government under the Little Tucker Act because the Fair Credit Reporting Act has its own detailed damages provision, and "[w]here...a statute contains its own self-executing remedial scheme, we look only to that statute to determine whether Congress intended to subject the United States to damages liability." The Court sent the case back to the Seventh Circuit Court of Appeals to determine whether the government may be sued under the Fair Credit Reporting Act itself. For more information, see EPIC: Fair Credit Reporting Act."

    November 11, 2012
    * UNESCO launches Global Survey on Internet Privacy and Freedom of Expression

    "How do the “digital footprints” of Internet and cellphone users affect privacy, and what impact does this have on freedom of expression? These questions lie at the heart of a new study released by UNESCO this week...This publication seeks to identify the relationship between freedom of expression and Internet privacy, assessing where they support or compete with each other in different circumstances. The book maps out the issues in the current regulatory landscape of Internet privacy from the viewpoint of freedom of expression. It provides an overview of legal protection, self-regulatory guidelines, normative challenges, and case studies relating to the topic."

  • Global survey on Internet privacy and freedom of expression
    November 10, 2012
    * Privacy Compliance Review of the NOC Publicly Available Social Media Monitoring and Situational Awareness Initiative

    Privacy Compliance Review of the NOC Publicly Available Social Media Monitoring and Situational Awareness Initiative, November 8, 2012

  • "The Office of Operations Coordination and Planning (OPS), National Operations Center (NOC), has statutory responsibility to (1) provide situational awareness and establish a common operating picture for the federal government, and for state, local, and tribal governments as appropriate, in the event of a natural disaster, act of terrorism, or other man-made disaster, and (2) ensure that critical terrorism and disaster-related information reaches government decision makers. Traditional media sources and, more recently, social media sources such as Twitter, Facebook, and a vast number of blogs provide public reports on breaking events with a potential nexus to homeland security. By examining open source traditional and social media information, comparing it with many other sources of information, and including it where appropriate into reports, the NOC can provide a more comprehensive picture of breaking or evolving events."
    November 08, 2012
    * Lawmakers Release Information About How Data Brokers Handle Consumers’ Personal Information

    News release: "A bipartisan group of lawmakers, including Reps. Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), co-Chairmen of the Congressional Bi-Partisan Privacy Caucus, today released responses to letters sent to nine major data brokerage companies querying each about how it collects, assembles and sells consumer information to third parties. The companies – Acxiom, Epsilon (Alliance Data Systems), Equifax, Experian, Harte-Hanks, Intelius, Fair Isaac, Merkle, and Meredith Corp. – responded to lawmaker questions about policies and practices related to privacy, transparency and consumer notification. Data brokers represent a multi-billion dollar industry, aggregating information about hundreds of millions of Americans from both online and offline sources, which they then may sell to third parties for targeted advertising and other purposes. Consumers often have little knowledge of the existence of these companies."

    * Australian Government - Telecommunications data retention - an overview

    Telecommunications data retention - an overview, October 24, 2012:

  • "By drawing on information related to similar proposals introduced in the United Kingdom (UK) in June 2012, this Background Note outlines the types of communications data generated by use of the Internet, email and phones, why law enforcement agencies want it retained, and what existing access law enforcement agencies have to such data. In this context, it also explores the reasons for the proposals, outlines some of the concerns and touches on some of the challenges involved. However, it does not specifically examine the arguments for and against a data retention scheme, or the growing debate over its privacy implications."
    November 03, 2012
    * Hacker Intelligence Initiative, Monthly Trend Report #13

    Monitoring Hacker Forums ADC Monthly Web Attacks Analysis, October 2012: "Imperva analyzed one of the largest-known hacker forums with roughly 250,000 members, as well as other smaller forums. Using search capabilities, we analyzed conversations by topic using specific keywords. We found:

    * Juniper Research - Exposing Your Personal Information – There’s An App for That

    "Mobile devices and applications are no longer an accessory – they’re central to our daily lives. Gartner predicts the number of mobile apps downloaded will double to 45 billion this year – and they’re only getting smarter. Today’s apps are increasingly essential to accessing critical business applications, connecting with friends on the go and even adopting digital wallets. While these apps make our lives easier, they also give a wider group of application developers and advertising networks the ability to collect information about our activities and leverage the functionality of our devices. At the same time, the companies, consumers and government employees who install these apps often do not understand with whom and how they are sharing personal information. Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust. More concerning is that many apps collect information or require permissions unnecessary for the described functionality of the apps. This is not the first time this issue has surfaced – reports of popular apps collecting irrelevant information or transmitting data when devices are turned off have led to significant backlash. However, less is known about the state of privacy across the entire application ecosystem. To get a sense of the state of application privacy today, Juniper Networks’ Mobile Threat Center (MTC) analyzed over 1.7 million apps on the Google Play market from March 2011 to September 2012."

    November 02, 2012
    * EFF Launches New Transparency Project

    News release: "From cell phone location tracking to the use of surveillance drones, from secret interpretations of electronic surveillance law to the expanding use of biometrics, EFF has long been at the forefront of the push for greater transparency on the government’s increasingly secretive use of new technologies. With the launch of our new Transparency Project, we’ve made the information we’ve received easier to access and added new tools to help you learn about the government and file your own requests for information. The new name—Transparency Project—reflects the fact that EFF’s work has expanded far beyond filing and litigating federal Freedom of Information Act requests. While that work still makes up a solid core of what our Transparency Team does, we also seek information from state and local governments, regularly report on transparency issues more broadly, and provide tools to help you find out more about our government and what it’s up to."

    October 22, 2012
    * FTC Recommends Best Practices for Companies That Use Facial Recognition Technologies

    News release: "The Federal Trade Commission released a staff report Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies for the increasing number of companies using facial recognition technologies, to help them protect consumers’ privacy as they use the technologies to create innovative new commercial products and services...Facial recognition also has raised a variety of privacy concerns because – for example – it holds the prospect of identifying anonymous individuals in public, and because the data collected may be susceptible to security breaches and hacking."

    October 19, 2012
    * ProPublica Report: TSA replacing airport X-ray body scanners with millimeter-wave scanners

    TSA Removes X-Ray Body Scanners From Major Airports: "The replacement machines, known as millimeter-wave scanners, rely on low-energy radio waves similar to those used in cell phones. The machines detect potential threats automatically and quickly using a computer program. They display a generic cartoon image of a person's body, mitigating privacy concerns...Here's a side-by-side comparison of the two types of body scanners the TSA uses."

    October 16, 2012
    * FTC Issues FY 2012 National Do Not Call Registry Data Book

    News release: "The Federal Trade Commission today issued the National Do Not Call Registry Data Book for Fiscal Year 2012. The FTC’s National Do Not Call Registry lets consumers choose not to receive telemarketing calls. In its fourth year of publication, the Data Book contains a wealth of information about the Registry for FY 2012 (from October 1, 2011 to September 30, 2012)...According to the Data Book, at the end of FY 2012, the Do Not Call Registry contained 217,568,135 actively registered phone numbers, up from 209,722,924 at the end of FY 2011. In addition, the number of consumer complaints about unwanted telemarketing calls received increased from 2,273,516 during FY 2011 to 3,840,572 during FY 2012."

    October 11, 2012
    * EPIC - FBI Exempts Massive Database from Privacy Act Protections

    EPIC: "The Federal Bureau of Investigation has exempted the FBI Data Warehouse System, from important Privacy Act safeguards. The database ingests troves of personally identifiable information including race, birthdate, biometric information, social security numbers, and financial information from various government agencies. The database contains information on a surprisingly broad category of individuals, including "subjects, suspects, victims, witnesses, complainants, informants, sources, bystanders, law enforcement personnel, intelligence personnel, other responders, administrative personnel, consultants, relatives, and associates who may be relevant to the investigation or intelligence operation; individuals who are identified in open source information or commercial databases, or who are associated, related, or have a nexus to the FBI’s missions; individuals whose information is collected and maintained for information system user auditing and security purposes." The Federal Bureau of Investigation has exempted these records from the notification, access, and amendment provisions of the Privacy Act. Earlier this year, EPIC opposed the Automated Targeting System, another massive government database that the Department of Homeland Security exempted from Privacy Act provisions. For more information, see EPIC: The Privacy Act of 1974 and EPIC: Automated Targeting System."

    * New GAO Report - Mobile Device Location Data

    Mobile Device Location Data - Additional Federal Actions Could Help Protect Consumer Privacy, GAO-12-903, Sep 11, 2012

    "Using several methods of varying precision, mobile industry companies collect location data and use or share that data to provide users with location-based services, offer improved services, and increase revenue through targeted advertising. Location-based services provide consumers access to applications such as real-time navigation aids, access to free or reduced-cost mobile applications, and faster response from emergency services, among other potential benefits. However, the collection and sharing of location data also pose privacy risks. Specifically, privacy advocates said that consumers: (1) are generally unaware of how their location data are shared with and used by third parties; (2) could be subject to increased surveillance when location data are shared with law enforcement; and (3) could be at higher risk of identity theft or threats to personal safety when companies retain location data for long periods or share data with third parties that do not adequately protect them."

    October 07, 2012
    * Most US Internet Users Want 'Do Not Track' to Stop Collection of Data about their Online Activities

    Hoofnagle, Chris Jay, Urban, Jennifer M. and Li, Su, Privacy and Modern Advertising: Most US Internet Users Want 'Do Not Track' to Stop Collection of Data about their Online Activities (October 8, 2012). Amsterdam Privacy Conference, 2012. Available at SSRN.

    "Most Americans have not heard of 'Do Not Track,' a proposal to allow Internet users to exercise more control over online advertising. However, when probed, most prefer that Do Not Track block advertisers from collecting data about their online activities. This is a much more privacy-protective approach for Do Not Track than what has been proposed by the advertising industry. In previous studies, we have found that Americans think they are protected by strong online privacy laws. Here, we probed beliefs about tracking on medical websites and 'free' websites, with most not able to answer true/false questions correctly about tracking. This result brings into question notice-and-choice models that depend on consumer understanding of the terms for their legitimacy. We also probed Internet users' attitudes towards advertising. Most Internet users say that they do not find utility in online advertising, with half claiming that they never click on ads. Advertisers and consumers are at an impasse on privacy. Advertisers seem to be seeking a kind of total information awareness for behavioral advertising, and have proposed self-regulatory guidelines with little bite. At the same time, both our survey evidence and media reports show consumer opposition to tracking. Do Not Track has emerged from the current skirmish between consumers and advertisers, but it is a relatively modest intervention that does little to shift the underlying incentives that have driven increasing tracking and aggregation of information about consumers. It is foreseeable that regardless of the form Do Not Track takes, websites will simply require consumers to disable it in order to access content. A fundamental change in incentives may be necessary to relieve this impasse and find an approach for advertising that is not so dependent upon third-party tracking and aggregation of information, both online and off."

    September 30, 2012
    * DHS Privacy Policy for Operational Use of Social Media

    Public Intelligence: "The following is an instruction accompanying DHS Policy Directive 110-01 “Privacy Policy for Operational Use of Social Media” that was enacted in June 2012. The policy directive itself is only three pages and provides little information, whereas this instruction for the policy is ten pages and includes rules for compliance with the directive. The policy was enacted following congressional hearings earlier this year that criticized DHS’ monitoring of social media. However, this privacy policy specifically exempts the use of social media for “situational awareness by the National Operations Center” which was the focus of the hearings."

    September 28, 2012
    * EPIC FOIA Uncovers Google’s Privacy Assessment

    "Through a Freedom of Information Act request to the Federal Trade Commission, EPIC has obtained Google's initial privacy assessment. The assessment was required by a settlement between Google and the FTC that followed from a 2010 complaint filed by EPIC over Google Buzz. The FTC has withheld from public disclosure information about the audit process, procedures to assess privacy controls, techniques to identify privacy risks, and the types of personal data Google collects from users. EPIC intends to challenge the agency withholdings. For more information, see EPIC: Google Buzz."

    September 27, 2012
    * ACLU Reports on DOJ Warrantless Electronic Surveillance

    Naomi Gilens: "Justice Department documents released today by the ACLU reveal that federal law enforcement agencies are increasingly monitoring Americans’ electronic communications, and doing so without warrants, sufficient oversight, or meaningful accountability. The documents, handed over by the government only after months of litigation, are the attorney general’s 2010 and 2011 reports on the use of “pen register” and “trap and trace” surveillance powers. The reports show a dramatic increase in the use of these surveillance tools, which are used to gather information about telephone, email, and other Internet communications. The revelations underscore the importance of regulating and overseeing the government’s surveillance power. (Our original Freedom of Information Act request and our legal complaint are online.)"

    September 26, 2012
    * EFF: Facebook and Datalogix - What's Actually Getting Shared and How You Can Opt Out

    EFF: "We’ve been seeing a range of reports about Facebook partnering up with marketing company Datalogix to assess whether users go to stores in the physical world and buy the products they saw in Facebook advertisements. A lot of the reports aren’t getting into the nitty gritty of what data is actually shared between Facebook and Datalogix, so the goal of this blog post is to dive into the details. We’re glad to see that Facebook is taking a number of steps to avoid sharing sensitive data with Datalogix, but users who are uncomfortable with the program should opt out (directions). Hopefully, reporting on this issue will make more people aware of how our shopping data is being used for a lot more than offering us discounts on tomato soup. Datalogix is an advertising metrics company that describes its data set as including “almost every U.S. household and more than $1 trillion in consumer transactions.” It specifically relies on loyalty card data – cards anyone can get by filling out a form at a participating grocery store."

    September 25, 2012
    * FTC Action Halts Computer Spying by Illinois Companies

    News release: "Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers. The software design firm collected the data that enabled rent-to-own stores to track the location of rented computers without consumers’ knowledge, according to the FTC complaint. The settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers."

    September 24, 2012
    * Airport Body Scanners: The Role of Advanced Imaging Technology in Airline Passenger Screening

    Airport Body Scanners: The Role of Advanced Imaging Technology in Airline Passenger Screening. Bart Elias, Specialist in Aviation Policy, September 20, 2012

    "Responding to the need to reliably detect explosives, bomb-making components, and other potential security threats concealed by airline passengers, the Transportation Security Administration (TSA) has focused on the deployment of whole body scanners as a core element of its strategy for airport checkpoint screening. TSA has deployed about 700 of these scanners, known as whole body imagers (WBI) or advanced imaging technology (AIT), at airports throughout the United States, and plans to have 1,800 in place by the end of FY2014. AIT systems include two technologies: millimeter wave systems and X-ray backscatter systems. AIT directly addresses specific recommendations and mandates to improve the detection of explosives on passengers. However, the deployment of these systems has generated a number of concerns. Although polling data indicate that the American public generally accepts the use of body scanners for passenger screening, various stakeholders have expressed concerns over privacy, potential health risks, and delays in getting through security. Concerns have also been raised regarding screening individuals with special needs, the overall effectiveness of current technology, screener staffing requirements, and TSA’s deployment strategy."

    September 11, 2012
    * New on LLRX - Privacy Resources and Sites on the Internet

    Via LLRX.com, Privacy Resources and Sites on the Internet - Marcus P. Zillman's guide is a comprehensive listing of both free and low cost privacy resources currently available on the Internet. It includes associations, indexes and search engines, as well as websites and programs that provide the latest technology and information on Web privacy. This guide will help facilitate a safer interactive environment for your email, your internet browsing, your health records, your data storage and file sharing exchanges, and internet telephony.

    * FTC Finalizes Privacy Settlement with Myspace

    News release: "Following a public comment period, the Federal Trade Commission has approved a final order settling FTC charges that Myspace misrepresented its protection of users’ personal information. The settlement bars Myspace from future misrepresentations about its privacy practices, requires the company to implement a comprehensive privacy program, and calls for regular, independent privacy assessments for the next 20 years."

    September 10, 2012
    * Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses

    CRS - Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses. Richard M. Thompson II, Legislative Attorney, September 6, 2012

    "The prospect of drone use inside the United States raises far-reaching issues concerning the extent of government surveillance authority, the value of privacy in the digital age, and the role of Congress in reconciling these issues. Drones, or unmanned aerial vehicles (UAVs), are aircraft that can fly without an on-board human operator. An unmanned aircraft system (UAS) is the entire system, including the aircraft, digital network, and personnel on the ground. Drones can fly either by remote control or on a predetermined flight path; can be as small as an insect and as large as a traditional jet; can be produced more cheaply than traditional aircraft; and can keep operators out of harm’s way. These unmanned aircraft are most commonly known for their operations overseas in tracking down and killing suspected members of Al Qaeda and related organizations. In addition to these missions abroad, drones are being considered for use in domestic surveillance operations, which might include in furtherance of homeland security, crime fighting, disaster relief, immigration control, and environmental monitoring."

    September 09, 2012
    * Paper - The Perils of Learning and Sharing Everything from a Criminal Information Sharing Perspective

    Sliter, John R., 'Techno-Risk - the Perils of Learning and Sharing Everything' from a Criminal Information Sharing Perspective (September 9, 2012). 30th Symposium on Economic Crime in Cambridge, England on September 5th, 2012. Available at SSRN.

    "The author has extensive law enforcement experience and the paper is intended to provoke thought on the use of technology as it pertains to information sharing between the police and the private sector. As the world edges closer and closer to the convergence of man and machine, the human capacity to retrieve information is increasing by leaps and bounds. We are on the verge of knowing everything and anything there is to know...and this means that police will have the capacity to learn everything about everyone with the only restriction being privacy legislation. But it also means that those involved in immoral, unlawful or illegal activity will have that same capacity and with no such restriction...The global community requires a secure and credible system to retrieve and assess all of the information ‘generally available to the public.' A system that will strive to keep ‘Big Brother’ in check and ‘Bad Brother’ out, all the while providing a means of alerting citizens to genuine risks or to dangerous people. Such a system would help defuse the systemic inaccurate and harmful profiling that is often based on rumours and innuendo. There is an identified public-private partnership opportunity. A chance to work with privacy advocate groups and background checking private companies to define, design and deliver on something that will be of immense benefit to citizens around the globe."

    September 06, 2012
    * Advocacy Groups Request Court to Rehear GPS Cell Phone Case

    "[On September 4, 2012, CDT] joined the ACLU, EFF and EPIC in calling on the 6th U.S. Circuit Court of Appeals to rehear U.S. v. Skinner, the GPS cell phone location tracking case. A panel of the 6th Circuit ruled that tracking a cell phone's location by repeatedly "pinging" the phone over a three-day period did not require a warrant. The amicus brief we filed yesterday asked the full Sixth Circuit to consider this issue in light of the concurring opinions filed by five justices in the U.S. v. Jones U.S. Supreme Court case which came down earlier this year. We also pointed out that the panel's legal conclusion was based on a material misunderstanding: that cell phones normally "give off" GPS location information. Instead, mobile providers have to take a special step - sending a signal to the phone to direct it to produce the GPS data. Unless they take that step, there is no location data at the provider for the government to seize. As a result, the court should not have analyzed the case under the third party records doctrine, which says a person has no Fourth Amendment interest in information shared with a third party."

    September 05, 2012
    * Pew Survey - Privacy and Data Management on Mobile Devices

    Privacy and Data Management on Mobile Devices, by Jan Lauren Boyles, Aaron Smith, Mary Madden. Sep 5, 2012.
    "More than half of mobile application users have uninstalled or avoided certain apps due to concerns about the way personal information is shared or collected by the app, according to a nationally representative telephone survey conducted by the Pew Research Center’s Internet & American Life Project. In all, 88% of U.S. adults now own cell phones, and 43% say they download cell phone applications or “apps” to their phones. Among app users, the survey found:

    • 54% of app users have decided to not install a cell phone app when they discovered how much personal information they would need to share in order to use it
    • 30% of app users have uninstalled an app that was already on their cell phone because they learned it was collecting personal information that they didn’t wish to share
    • Taken together, 57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons."

    * FTC Publishes Guide to Help Mobile App Developers Observe Truth-in-Advertising, Privacy Principles

    News release: "The Federal Trade Commission has published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC’s new publication, Marketing Your Mobile App: Get It Right from the Start, notes that there are general guidelines that all app developers should consider. They include:

    • Tell the Truth About What Your App Can Do.
    • Disclose Key Information Clearly and Conspicuously.
    • Build Privacy Considerations in From the Start.
    • Offer Choices that are Easy to Find and Easy to Use.
    • Honor Your Privacy Promises.
    • Collect Sensitive Information Only with Consent.
    • Keep User Data Secure."

    September 04, 2012
    * A Behavioural Understanding of Privacy and its Implications for Privacy Law

    A Behavioural Understanding of Privacy and its Implications for Privacy Law, Kirsty Hughes, University of Cambridge, September 2012. The Modern Law Review, Vol. 75, Issue 5, pp. 806-836, 2012

    "This article draws upon social interaction theory (the work of Irwin Altman) to develop a theory of the right to privacy, which reflects the way that privacy is experienced. This theory states that the right to privacy is a right to respect for barriers, and that an invasion of privacy occurs when a privacy barrier is penetrated. The first part of the paper establishes the position of the author's theory in the existing scholarship. The second part of the paper expands upon the theory to explain the nature of privacy barriers and the way that the author's theory manages a number of specific privacy issues, including threats to privacy, attempted invasions of privacy, unforeseeable interferences with privacy and waiving the right to privacy. The final part of the paper demonstrates the impact that this approach to privacy could have upon judicial reasoning, in particular Article 8 European Convention on Human Rights."

    August 26, 2012
    * Consumers Asked DISH Network to Leave Them Alone, But FTC Says Calls Kept Coming

    News release: "DISH Network, one of the nation's largest providers of satellite television service, faces a Federal Trade Commission lawsuit alleging that it illegally called millions of consumers who had previously asked telemarketers from the company or its affiliates not to call them again. The calls allegedly violated provisions of the FTC's Telemarketing Sales Rule that state that even if a consumer is not on the National Do Not Call Registry, a telemarketer may not call him or her again if the consumer specifically asks to be placed on the company's own entity-specific do-not-call list...According to the FTC's complaint, DISH Network violated the agency's Telemarketing Sales Rule while calling consumers nationwide in an attempt to sell its satellite television programming. DISH Network makes these telemarketing calls both directly to consumers and via a network of authorized dealers who make calls on its behalf. Specifically, the FTC alleges that DISH has made millions of outbound telephone calls since about September 1, 2007 to consumers who had already told them that they did not want to receive any more telemarketing calls from the company."

    August 18, 2012
    * Recommended Guidelines for the use of Unmanned Aircraft

    Recommended Guidelines for the use of Unmanned Aircraft, The International Association of Chiefs of Police

    "Rapid advances in technology have led to the development and increased use of unmanned aircraft. That technology is now making its way into the hands of law enforcement officers nationwide. We also live in a culture that is extremely sensitive to the idea of preventing unnecessary government intrusion into any facet of their lives. Personal rights are cherished and legally protected by the Constitution. Despite their proven effectiveness, concerns about privacy threaten to overshadow the benefits this technology promises to bring to public safety. From enhanced officer safety by exposing unseen dangers, to finding those most vulnerable who may have wandered away from their caregivers, the potential benefits are irrefutable. However, privacy concerns are an issue that must be dealt with effectively if a law enforcement agency expects the public to support the use of UA by their police. The Aviation Committee has been involved in the development of unmanned aircraft policy and regulations for several years. The Committee recommends the following guidelines for use by any law enforcement agency contemplating the use of unmanned aircraft."

    August 15, 2012
    * FTC Advises Parents How to Protect Kids' Personal Information at School

    News release: "A new school year usually means filling out paperwork like registration forms, health forms, and emergency contact forms, to name a few. The Federal Trade Commission wants parents to know that many school forms require personal and sensitive information that, in the wrong hands, could be used to commit fraud in their child’s name. A criminal can use a child’s Social Security number to get government benefits, open bank and credit card accounts, or rent a place to live. Most parents and guardians don’t expect their child to have a credit file, and rarely order or monitor a child’s credit report. Child identity theft may go undetected for years – until the child applies for a job or loan and discovers problems in a credit report. To help limit the risks of child identity theft, the Federal Trade Commission offers Protecting Your Child’s Personal Information at School. It explains how the federal Family Educational Rights and Privacy Act protects the privacy of student records and gives parents of school-age children the right to opt out of sharing contact information with third parties. It also suggests that parents ask their child’s school about its directory information policy, learn about privacy policies of sports or music activities that are not school-sponsored, and find out what to do if their child’s school experiences a data breach. The second publication, Safeguarding Your Child’s Future, offers tips on how to keep your child’s data safe at home and online, and explains the warning signs of child identity theft. It also explains how parents and guardians can check whether their child has a credit report, and what to do if the report has errors."

    * Paper - A Technology-Centered Approach to Quantitative Privacy

    Gray, David C. and Citron, Danielle Keats, A Technology-Centered Approach to Quantitative Privacy (August 14, 2012). Available at SSRN

    "Our analysis and proposal draw upon insights from information privacy law. Although information privacy law and Fourth Amendment jurisprudence share a fundamental interest in protecting privacy interests, these conversations have been treated as theoretically and practically discrete. This Article ends that isolation and the mutual exceptionalism that it implies. As information privacy scholarship suggests, technology can permit government to know us in unprecedented and totalizing ways at great cost to personal development and democratic institutions. We argue that these concerns about panoptic surveillance lie at the heart of the Fourth Amendment as well. We therefore propose a technology-centered approach to measuring and protecting Fourth Amendment interests in quantitative privacy. As opposed to proposals for case-by-case assessments of information “mosaics,” which have so far dominated the debate, we argue that government access to technologies capable of facilitating broad programs of continuous and indiscriminate monitoring should be subject to the same Fourth Amendment limitations applied to physical searches."

    August 10, 2012
    * FTC Approves Final Settlement With Facebook

    News release: "Following a public comment period, the FTC has accepted as final a settlement with Facebook resolving charges that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including by giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings, by maintaining a comprehensive privacy program to protect consumers' information, and by obtaining biennial privacy audits from an independent third party."

    August 09, 2012
    * Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances

    News release: "Google Inc. has agreed to pay a record $22.5 million civil penalty to settle Federal Trade Commission charges that it misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC. The settlement is part of the FTC’s ongoing efforts to make sure companies live up to the privacy promises they make to consumers, and is the largest penalty the agency has ever obtained for a violation of a Commission order. In addition to the civil penalty, the order also requires Google to disable all the tracking cookies it had said it would not place on consumers’ computers."

    August 05, 2012
    * ICO statement on information received from Google about retention of Street View data

    Statement: 27 July 2012 - "The Information Commissioner’s Office (ICO) has issued the following statement today in response to information received from Google about the retention of payload data collected by its Street View vehicles. An ICO spokesperson said: “Earlier today Google contacted the ICO to confirm that it still had in its possession some of the payload data collected by its Street View vehicles prior to May 2010. This data was supposed to have been deleted in December 2010. The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010. “In their letter to the ICO today, Google indicated that they wanted to delete the remaining data and asked for the ICO’s instructions on how to proceed. Our response, which has already been issued, makes clear that Google must supply the data to the ICO immediately, so that we can subject it to forensic analysis before deciding on the necessary course of action. “We are also in touch with other data protection authorities in the EU and elsewhere through the Article 29 Working Party and the GPEN network to coordinate the response to this development. “The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern.”"

    * The Stop Trading on Congressional Knowledge (STOCK) Act

    Via NIH: "The Stop Trading on Congressional Knowledge (STOCK) Act, enacted on April 4, 2012, contains several requirements for employees who file a Public Financial Disclosure Report (OGE Form 278). The following resources are provided for filers and ethics officials. Filers should consult with their IC's ethics officials if they have questions.

    • STOCK Act Summary (pdf, 1 page): This document provides a summary of the requirements affecting NIH OGE-278 filers and the effective date of each section.
    • Your Public Financial Disclosure Form (OGE-278) (pdf, 2 pages): Suggestions for filers to ensure that reports are accurate and complete, and to avoid over-reporting.
    • Helpful Hints for Filers and Reviewers (pdf, 2 pages): Additional suggestions for filers and reviewers of the OGE-278.
    • Questions and Answers for Filers (pdf format, 2 pages)
    • Sample Broker Statements and OGE-278 Assets Page (pdf, 2 pages). This document provides sample filer and spouse statements, and the OGE-278 Assets and Income page (Schedule A) showing their reportable consolidated holdings.
    • Slide Presentation to IC Directors and Ethics Officials: PowerPoint Slides or Acrobat pdf format (5 pages)

    August 04, 2012
    * Infographics - How Consumers Really Feel About Data Privacy

    via Placecast: How Consumers Really Feel About Data Privacy - "2,307 people were surveyed and it was found that use of data where the value exchange is explicit is most acceptable (grocery coupons, Amazon), while Facebook’s data usage is least acceptable. Also, use of location data from either merchants or cell phone carriers is acceptable to a significant group with permission and an explicit value exchange."

    August 01, 2012
    * FTC Seeks Comments on Additional Proposed Revisions to Children's Online Privacy Protection Rule

    News release: "The Federal Trade Commission is publishing a Federal Register Notice seeking public comments on additional proposed modifications to the Children's Online Privacy Protection Rule. In updating the Rule to keep current with technology advances, in September 2011, the FTC issued a Notice of Proposed Rulemaking seeking comment on proposed changes to the Commission's COPPA Rule. The Commission received 350 comments. In response to those comments and informed by its experience in enforcing and administrating the Rule, the FTC now proposes to modify certain definitions to clarify the scope of the Rule and strengthen its protections for the online collection, use, or disclosure of children's personal information."

    July 30, 2012
    * Comparison of Information Sharing, Monitoring and Countermeasures Provisions in Cybersecurity Bills

    Via CDT: "The chart below compares on civil liberties grounds three bills that seek to promote cybersecurity and it updates a similar chart we issued on April 4, 2012 based on prior versions of all three bills. The Senate is set to consider the Cybersecurity Act, S. 3414 (“Lieberman-Collins” bill), introduced on July 19. The chart shows that the Lieberman bill better protects privacy than do either of the competing bills, and that it should be further improved by dropping monitoring and countermeasures language. The leading alternative Senate bill, SECURE IT, S. 3342, was re-introduced by Senator McCain and other co-sponsors on June 27 (“SECURE IT”). Despite a White House veto threat, the House passed the Cyber Intelligence Sharing and Protection Act, H.R. 3523 (“CISPA”) on April 26 on a vote of 248-168. It will be reconciled with cybersecurity legislation that the Senate passes. (Lieberman-Collins and SECURE IT include cybersecurity measures unrelated to information sharing that are not reflected in this chart.)"

  • See also Executive Order 13470 of July 30, 2008 - Further Amendments to Executive Order 12333, United States Intelligence Activities
    July 26, 2012
    * FTC Becomes First Enforcement Authority in APEC Cross-Border Privacy Rules System

    "The Federal Trade Commission welcomed the approval of the United States' participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system, which was announced by the U.S. Department of Commerce today. The APEC privacy system is a self-regulatory initiative to enhance the protection of consumer data that moves between the United States and other APEC members through a voluntary but enforceable code of conduct implemented by participating businesses. President Obama and representatives from the other APEC economies endorsed the system in November 2011. On July 25, 2012 the United States was approved as the first formal participant in the system and the FTC as the system's first privacy enforcement authority...Additional information about the Cross Border Privacy Rules is available via the APEC Electronic Commerce Steering Group website."

    July 21, 2012
    * Protecting yourself and others in YouTube videos

    "YouTube is proud to be a place where citizens and activists come to tell their stories -- stories that may otherwise go unnoticed. A study released this week by the Pew Research Center’s Project for Excellence in Journalism found that YouTube is a top destination for news and that “citizens play a substantial role in supplying and producing footage.” But this level of exposure can be risky to the citizens shooting the footage and the people who appear in their videos. Today, we announced a new face blurring tool that represents a first step toward providing visual anonymity in video. Of course, anonymity is never a guarantee, and people who capture sensitive video footage should consider taking other precautions to keep themselves and their subjects safe. Here are three suggestions..."

    July 19, 2012
    * Presentation - Disappearing Phone Booths: Privacy in the Digital Age

    Disappearing Phone Booths: Privacy in the Digital Age

  • "CDT Senior Policy Analyst Erica Newland gave a version of this talk to DC Superior Court judges in May 2012. This speech, which draws on past CDT testimony and work, makes the case that in the context of a legal framework that has turned a blind eye to the foundational benefits of privacy, changes in technology are threatening this civil liberty with obsolescence."

    July 18, 2012
    * FTC Testifies on Commercial Uses of Facial Recognition Technologies

    News release: "The Federal Trade Commission today told a Senate Judiciary subcommittee that the FTC is examining the benefits to consumers, as well as privacy and security concerns regarding current and possible future commercial uses of facial recognition technologies and will make recommendations later this year on best practices for companies that use these new technologies. The recommendations will build on comments from a recent FTC workshop on facial recognition technology, and on the three core principles from the agency's March 2012 Privacy Report – privacy by design, simplified consumer choice, and transparency."

    July 13, 2012
    * Congressional Connection - Privacy Trumps Cybersecurity, Poll Shows

    Via EFF: Josh Smith: "Proposals to increase cybersecurity by allowing businesses and government to share information may enjoy bipartisan support in Washington, but Americans aren’t sold on the idea, the latest United Technologies/National Journal Congressional Connection Poll finds. Almost two-thirds of respondents—63 percent—said government and businesses should not be allowed to share information because it would hurt privacy and civil liberties. But 29 percent of those surveyed said information-sharing should be allowed to better protect computer networks. The United Technologies/National Journal Congressional Connection Poll, conducted by Princeton Survey Research Associates International, surveyed 1,004 adults from July 5-8. The poll has a margin of error of plus or minus 3.7 percentage points."

    July 09, 2012
    * EPIC: Law Enforcement Requests to Wireless Carriers Topped 1.3 Million in 2011

    "In response to recent letters from Congressman Ed Markey (D-MA), nine mobile wireless carriers have provided detailed reports of law enforcement requests for user cell phone records. These requests come from agencies - across all levels of government - seeking text messages, caller locations, and other information in the course of investigations. The reports show that companies turn over thousands of records a day in response to subpoenas, court orders, police emergencies, and other requests. The volume of requests has increased as much as 16 percent for some companies over the last five years, and some carriers have rejected as many as 15 percent of all requests that they found legally questionable or unjustified. EPIC recently filed amicus briefs in the Fifth Circuit and New Jersey Supreme Court arguing that disclosure of historical and real-time cell phone location information violates a reasonable expectation of privacy and thus requires a warrant under the Fourth Amendment. For more information, see EPIC: In re Historic Cell-Site Location Information, EPIC: State v. Earls."

  • See also ACLU's Mobile Phone Surveillance by the Numbers
    July 08, 2012
    * HP - Privacy, Security and Trust in Cloud Computing

    Privacy, Security and Trust in Cloud Computing, by Siani Pearson, HP Laboratories, HPL-2012-80R1, June 28, 2012

  • "Cloud computing refers to the underlying infrastructure for an emerging model of service provision that has the advantage of reducing cost by sharing computing and storage resources, combined with an on-demand provisioning mechanism relying on a pay-per-use business model. These new features have a direct impact on information technology (IT) budgeting but also affect traditional security, trust and privacy mechanisms. The advantages of cloud computing - its ability to scale rapidly, store data remotely, and share services in a dynamic environment - can become disadvantages in maintaining a level of assurance sufficient to sustain confidence in potential customers. Some core traditional mechanisms for addressing privacy (such as model contracts) are no longer flexible or dynamic enough, so new approaches need to be developed to fit this new paradigm. In this chapter we assess how security, trust and privacy issues occur in the context of cloud computing and discuss ways in which they may be addressed."

    July 06, 2012
    * EPIC: Industry Association Publishes Guidelines for Drone Operators

    Follow up to previous postings on drones, via EPIC: "The Association for Unmanned Vehicle Systems International, the organization representing drone manufacturers and operators, has released an Industry "Code of Conduct". Compliance with the guidelines is both voluntary and not enforceable. The association acknowledges that invasive drone surveillance technology poses a risk to the public, and specifically tasked users to "respect the privacy of individuals." In February, EPIC, joined by over 100 organizations, experts, and members of the public, submitted a petition to the FAA requesting a public rulemaking on the privacy impact of drone use in U.S. airspace. The Agency has not yet responded or addressed these concerns. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones."

    July 03, 2012
    * Twitter Transparency Report

    "Wednesday marks Independence Day here in the United States. Beyond the fireworks and barbecue, July 4th serves as an important reminder of the need to hold governments accountable, especially on behalf of those who may not have a chance to do so themselves. With that in mind, today we’re unveiling our first Twitter Transparency Report. Inspired by the great work done by our peers @Google, the primary goal of this report is to shed more light on: government requests received for user information, government requests received to withhold content, and DMCA takedown notices received from copyright holders. The report also provides insight into whether or not we take action on these requests. One of our goals is to grow Twitter in a way that makes us proud. This ideal informs many of our policies and guides us in making difficult decisions. One example is our long-standing policy to proactively notify users of requests for their account information unless we’re prohibited by law; another example is transmitting DMCA takedown notices and requests to withhold content to Chilling Effects. These policies help inform people, increase awareness and hold all involved parties––including ourselves––more accountable; the release of our first Transparency Report aims to further these ambitions."

    * EPIC - 2011 Report: Wiretap Authorizations Decrease

    "According to the 2011 Wiretap Report, released by the Administrative Office of the US Courts, federal and state applications for wiretap orders dropped 14 percent in 2011, compared to the number reported in 2010. The reduction in wiretaps resulted primarily from a drop in applications for intercepts in narcotics offenses. In 2011, a total of 2,732 intercept applications were authorized by federal and state courts, with 792 applications by federal authorities and 1,940 by the states. In 2011, 98 percent, or 2,674, of all authorized wiretaps were designated as portable devices. The Wiretap Report does not include interceptions pursuant to the Foreign Intelligence Surveillance Act of 1978. For more information see: EPIC: Wiretapping and Administrative Office of the US Courts: Wiretap Reports."

    * EPIC - European Expert Group Affirms Privacy Rules for Cloud Service Providers

    "The Article 29 Working Party, representing the privacy agencies of European Union countries, has released a new Opinion in which it states that cloud service providers will be subject to the EU Data Protection Directive. The expert group also advises users of cloud-based services to conduct a comprehensive and thorough risk analysis of cloud services. In 2009, EPIC urged the US Federal Trade Commission to develop privacy standards for Cloud Computing services. See EPIC - Cloud Computing."

    June 30, 2012
    * FOIA Request by ACLU Produces More Information on National Security Letters

    Ars Technica: "As the result of a Freedom of Information Act request filed by the American Civil Liberties Union, the Department of Justice has revealed, for the first time, the types of secret letters that the government can send out to ISPs and other tech companies being asked to reveal personal data about their users and customers who are being investigated for national security reasons. In 2009, over 6,000 Americans received such National Security Letters (NSLs). According to the Wall Street Journal, the “letters show that the FBI is now informing people who receive the letters how they can challenge the documents in court. But some key elements of the letters remain blocked from view—including lists of material the FBI says companies can send in response to the letter.”"

    June 29, 2012
    * WSJ - E-book publishers and retailers collecting data on readers

    WSJ: "In the past, publishers and authors had no way of knowing what happens when a reader sits down with a book. Does the reader quit after three pages, or finish it in a single sitting? Do most readers skip over the introduction, or read it closely, underlining passages and scrawling notes in the margins? Now, e-books are providing a glimpse into the story behind the sales figures, revealing not only how many people buy particular books, but how intensely they read them."

    June 28, 2012
    * UK Info Commissioner: Cookies - advice for members of the public

    "What are cookies? - A cookie is a small file of letters and numbers that is downloaded on to your computer when you visit a website. Cookies are used by many websites and can do a number of things eg remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website. The rules on cookies are covered by the Privacy and Electronic Communications Regulations. The Regulations also cover similar technologies for storing information, eg Flash cookies. The Regulations were revised in 2011, and the ICO is responsible for enforcing these new rules...Where to find information about controlling cookies:

    June 27, 2012
    * EPIC - Senate Judiciary Holds Hearing on Voter Suppressions

    EPIC: "The Senate Judiciary Committee held a hearing on “Prohibiting the Use of Deceptive Practices and Voter Intimidation Tactics in Federal Elections." The Senate is considering new legislation to address the problem of deceptive practices and voter intimidation. Committee Chairman Patrick Leahy cited "burdensome identification laws" as one of the obstacles to public participation in federal elections. A new report highlights similar problems in the recent Canadian national election. EPIC has published reports on deceptive campaign practices and filed briefs in opposition to unnecessary voter ID requirements. For more information see EPIC Voting Privacy and EPIC - Crawford v. Marion County."

    * EPIC Calls On FTC to Investigate Facebook Email Changes

    "EPIC has asked the Federal Trade Commission to review Facebook's decision to change the default email address of Facebook users. The company recently replaced email addresses, selected by users, with a @facebook.com address assigned by Facebook. EPIC asked the FTC to review this practice as it finalizes the terms of a settlement with Facebook. "Facebook's willingness to disregard user choice...raise[s] important questions about the company's ability to comply with the terms of the proposed Consent Order," EPIC wrote. EPIC also said that the change is a deceptive business practice because Facebook did not tell users that their preferred email address could be removed by the company. And EPIC noted that the change would result in user email being sent to Facebook's servers that would otherwise have gone to the user's email service. The FTC's settlement with Facebook follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The settlement would bar Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement."

    June 26, 2012
    * The Web Privacy Census

    Berkeley Center for Law and Technology: "The Web Privacy Census is intended to formalize the benchmarking process and measure internet tracking consistently over time...This effort was developed and executed in partnership with Abine, Inc. Abine has been our technical collaborator and resource partner, helping us develop a reliable method for web crawling and analysis of tracking vectors. We seek to explore:

    • How many entities are tracking users online?
    • What vectors (technologies) are most popular for tracking users?
    • Is there displacement (i.e. a shift from one tracking technology to another) in tracking practices?
    • Is there greater concentration of tracking companies online?
    • What entities have the greatest potential for online tracking and why?"

    June 25, 2012
    * FTC Advises Consumers on What to Do if Their Identity is Stolen

    "The Federal Trade Commission, the nation's consumer protection agency, offers updated information explaining how to protect your child's information and your own, and the immediate steps to take to limit the damage identity theft can cause. Taking Charge: What To Do If Your Identity Is Stolen is a step-by-step guide that includes sample letters, forms and essential contact information. A brochure, Identity Theft: What To Know, What To Do, explains the basic steps of protecting information and responding to identity theft. Safeguarding Your Child's Future tells parents how to protect their children's information, find out if a credit report has been created for them, and respond to problems."

    June 21, 2012
    * Article - The Public Domain: Surveillance in Everyday Life

    The Public Domain: Surveillance in Everyday Life, Alice Marwick. Surveillance & Society, Vol 9, No 4 (2012)

  • "People create profiles on social network sites and Twitter accounts against the background of an audience. This paper argues that closely examining content created by others and looking at one’s own content through other people’s eyes, a common part of social media use, should be framed as social surveillance. While social surveillance is distinguished from traditional surveillance along three axes (power, hierarchy, and reciprocity), its effects and behavior modification are common to traditional surveillance. Drawing on ethnographic studies of United States populations, I look at social surveillance, how it is practiced, and its impact on people who engage in it. I use Foucault’s concept of capillaries of power to demonstrate that social surveillance assumes the power differentials evident in everyday interactions rather than the hierarchical power relationships assumed in much of the surveillance literature. Social media involves a collapse of social contexts and social roles, complicating boundary work but facilitating social surveillance. Individuals strategically reveal, disclose and conceal personal information to create connections with others and tend social boundaries. These processes are normal parts of day-to-day life in communities that are highly connected through social media."

    * Check Point Survey Reveals a Generation Gap in Computer Security

    News release: "Check Point® Software Technologies Ltd...announced the results of a new ZoneAlarm report revealing differences in the use of computer security between Gen Y and Baby Boomers. The report, The Generation Gap in Computer Security, found that Gen Y is more confident in its security knowledge than Baby Boomers. However, 50 percent of Gen Y respondents have had security issues in the past two years compared to less than half of Baby Boomers. The broad adoption of digital media and social networking, combined with the increasing amount of sensitive data that is stored online, is making personal computer security more important than ever before. Yet the ZoneAlarm study reveals that 78 percent of Gen Y respondents do not follow security best practices while cybercriminals are launching new and more sophisticated attacks on consumers every day. In comparison, Baby Boomers are more concerned about security and privacy and twice as likely to protect their computers with additional security software."

    June 19, 2012
    * Report - Applications Made to FISA Court During Calendar Year 2011

    U.S. Department of Justice, Office of Legislative Affairs, Applications Made to the Foreign Intelligence Surveillance Court During Calendar Year 2011, submitted pursuant to sections 107 and 502 of the Foreign Intelligence Surveillance Act of 1978, as amended, 50 U.S.C. Sec. 1801 et seq., and section 118 of USA PATRIOT Improvement Act and Reauthorization Act of 2005, Pub. L. No. 109-177 (2006)

    June 16, 2012
    * Federal Government Moves Forward with Drone Programs

    Follow up to DHS IG - Customs and Border Protection Use of Unmanned Aircraft Systems in Nation’s Border Security - via EFF: "DHS’s Office of Inspector General (OIG) recently released a report (pdf) detailing multiple problems with the drones used to patrol US borders. This report, combined with the Federal Aviation Administration’s lack of openness about its drone authorization program and failure to disclose the true number of entities flying drones, shows that the federal government is moving far too quickly in its plans to dramatically expand the number of domestic drones flying in the United States over the next few years. The DHS OIG report, which reviewed the drone program run by Customs & Border Protection (CBP), noted several serious problems with the program, including lack of appropriate equipment and staff to fly the drones safely and lack of processes or procedures to prioritize requests for drone flights. This is especially troubling, given the agency has been flying drones since 2004. CBP currently has nine unarmed Predator drones in its arsenal, each purchased at a cost of $18 million dollars. The drones cost $3,000 per hour to fly, and, according to the OIG report, the agency spent over $55 million (pdf) to operate and maintain the drones between 2006 and 2011. Despite these costs, CBP never made a specific budget request to Congress for the funds, and has thus far failed to seek compensation from the other federal and state agencies it loans its drones to. Instead, the agency diverted $25 million from other programs to cover these costs."

    June 15, 2012
    * UK Mail reports Google and Apple deploying advanced satellite surveillance

    Mail Online: "Spy planes able to photograph sunbathers in their back gardens are being deployed by Google and Apple. The U.S. technology giants are racing to produce aerial maps so detailed they can show up objects just four inches wide. But campaigners say the technology is a sinister development that brings the surveillance society a step closer. Google admits it has already sent planes over cities while Apple has acquired a firm using spy-in-the-sky technology that has been tested on at least 20 locations, including London. Apple’s military-grade cameras are understood to be so powerful they could potentially see into homes through skylights and windows. The technology is similar to that used by intelligence agencies in identifying terrorist targets in Afghanistan."

    * EFF - How to Turn on Do Not Track in Your Browser

    "In recent years, online tracking companies have begun to monitor our clicks, searches and reading habits as we move around the Internet. If you are concerned about pervasive online web tracking by behavioral advertisers, then you may want to enable Do Not Track on your web browser. Do Not Track is unique in that it combines both technology (a signal transmitted from a user) as well as a policy framework for how companies that receive the signal should respond. As more and more websites respect the Do Not Track signal from your browser, it becomes a more effective tool for protecting your privacy. EFF is working with privacy advocates and industry representatives through the W3C Tracking Protection Working Group to define standards for how websites that receive the Do Not Track signal ought to respond in order to best respect consumers' choices. The following tutorial walks you through enabling Do Not Track in the four most popular browsers: Safari, Internet Explorer 9, Firefox, and Chrome."

    June 13, 2012
    * UK Information Commissioner’s Office Writes to Google About Street View

    June 13, 2012: The ICO writes to Google about Street View - "Following the publication of the Federal Communications Commission report, the ICO has written to Google and will consider what further action, if any, needs to be taken."

  • UK reopens Google Street View investigation after FCC probe - "The ICO wants to know “precisely what type of data and sensitive personal data was captured within the payload data collected in the U.K.” It also wants to know when Google management became aware of the issue, and why the data scope found by the FCC investigation was not disclosed to the ICO when it visited in July 2010. Interestingly, the ICO also wants to see “copies of the original software design document” and any “subsequent version control”. This is the ICO looking to see whether a data trail leads back to Google building the software to collect the data by design or not."

    June 11, 2012
    * Report - "When the Government Comes Knocking, Who Has Your Back?"

    When the Government Comes Knocking, Who Has Your Back?

  • "When you use the Internet, you entrust your online conversations, thoughts, experiences, locations, photos, and more to companies like Google, AT&T and Facebook. But what happens when the government demands that these companies hand over your private information? Will the company stand with you? Will it tell you that the government is looking for your data so that you can take steps to protect yourself? The Electronic Frontier Foundation examined the policies of 18 major Internet companies — including email providers, ISPs, cloud storage providers, and social networking sites — to assess whether they publicly commit to standing with users when the government seeks access to user data. We looked at their terms of service, privacy policies, and published law enforcement guides, if any. We also examined their track record of fighting for user privacy in the courts and whether they’re members of the Digital Due Process coalition, which works to improve outdated communications law. Finally, we contacted each of the companies with our conclusions and gave them an opportunity to respond and provide us evidence of improved policies and practices. These categories are not the only ways that a company can stand up for users, of course, but they are important and publicly verifiable."

    June 10, 2012
    * Update on cybertheft of 6.5 million LinkedIn Passwords

    Follow up to June 6, 2012 posting, LinkedIn Member Passwords Compromised, this update via the LinkedIn Blog: An Update On Taking Steps To Protect Our Members, June 9, 2012: "...In this post, we want to address questions we’ve been receiving and share what we’ve learned so far about the incident, how we’ve responded, and what we’re doing to protect our members going forward. First, it’s important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves."

    June 06, 2012
    * LinkedIn Member Passwords Compromised

    Vicente Silveira, June 6, 2012: "We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:

    • Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
    • These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
    • These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
    • It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases."

    May 31, 2012
    * EFF - House Hearing on Warrantless Wiretapping and the FISA Amendments Act

    News release: "This morning, the House Judiciary Committee held an important hearing on the FISA Amendments Act (FAA) and the scope of the NSA’s warrantless wiretapping program. The FAA, which gutted privacy protections governing the interception of international phone calls and e-mail to and from the United States, is set to expire at the end of the year, and Attorney General Eric Holder says it is his “top priority” to see it renewed."

    May 30, 2012
    * Principles for Voluntary Efforts to Reduce the Impact of Botnets in Cyberspace

    Industry Botnet Group Principles for Voluntary Efforts to Reduce the Impact of Botnets in Cyberspace

  • "The proliferation of botnets and malware in cyberspace threatens to undermine the efficiencies, innovation, and economic growth of the Internet and diminishes the trust and confidence of online users. Every participant has a role in helping to reduce the impact of malicious cyber attacks, such as botnets. As such, an ad hoc group of companies, trade associations, and non-profit organizations has formed the Industry Botnet Group (“IBG”) to share expertise and resources for the common purpose of taking collaborative action to combat botnets. In the short term, the IBG set a goal to develop high-level principles to heighten awareness of the threat of botnets, encourage prevention measures, provide a path to notification when botnets are detected, and increase the availability of remediation and recovery tools to end users."
  • White House: "The DIB Cybersecurity/Information Assurance (CS/IA) program allows eligible DIB companies and the Government to share cybersecurity information. The Government shares cybersecurity threat and mitigation information with [Defense Industrial Base] DIB companies to incorporate into their security practices, and, in turn, DIB companies report known intrusion events that may compromise DOD information to the Government and participate in damage assessments as needed. In addition, DIB enhanced Cybersecurity Services - a joint DOD-DHS activity and based on lessons learned from the 2011 DIB Pilot - is available as an optional part of the DIB CS/IA program in which the Government will furnish classified information that enables DIB companies or participating commercial service providers to counter additional types of known malicious activity for participating DIB companies."
    * CRS - U.S.-EU Cooperation Against Terrorism

    U.S.-EU Cooperation Against Terrorism, Kristin Archick, Specialist in European Affairs, May 21, 2012

  • "...challenges persist in fostering closer U.S.-EU counterterrorism and law enforcement cooperation. Among the most prominent are data privacy and data protection concerns. The EU considers the privacy of personal data a basic right and EU rules and regulations strive to keep personal data out of the hands of law enforcement as much as possible. The negotiation of several U.S.-EU information-sharing agreements, from those related to tracking terrorist financial data to sharing airline passenger information, has been complicated by ongoing EU concerns about whether the United States could guarantee a sufficient level of protection for European citizens’ personal data. Other issues that have led to periodic tensions include detainee policies, differences in the U.S. and EU terrorist designation lists, and balancing measures to improve border controls and border security with the need to facilitate legitimate transatlantic travel and commerce."
    May 28, 2012
    * DHS National Operations Center Media Monitoring Capability Desktop Reference Binder 2011

    Via EPIC FOIA release, Analyst’s Desktop Binder 2011 Redacted, Department of Homeland Security National Operations Center Media Monitoring Capability, Desktop Reference Binder.

  • "MMC [media monitoring capability] coverage focuses primarily on providing information on incidents of national significance, which are usually defined as catastrophic events that result in wide-scale damage or disruption to the nation’s critical infrastructure, key assets, or the Nation’s health; and require a coordinated and effective response by Federal, State, and Local entities. For the most part, coverage of international incidents is limited to that of terrorist activities and infectious diseases that impact a wide population of humans or animal stock, such as mad cow disease or H5N1, and catastrophic weather events around the globe (Category 5 Hurricanes, Tsunami, and Large Magnitude Earthquakes). An Item of Interest (IOI) is generated whenever an MMC search or alert produces information about an emergent incident that should be brought to the attention of the NOC [National Operations Center]."
  • Related - UK Mail Online - "The Department of Homeland Security has been forced to release a list of keywords and phrases it uses to monitor social networking sites and online media for signs of terrorist or other threats against the U.S."
    May 27, 2012
    * Governmental Access to Data in the Cloud - A comparative analysis of ten international jurisdictions

    A Global Reality: Governmental Access to Data in the Cloud - A comparative analysis of ten international jurisdictions. Governmental access to data stored in the Cloud – including cross-border access – exists in every jurisdiction. By Winston Maxwell, Paris, France, and Christopher Wolf, Washington, DC; May 23, 2012. A Hogan Lovells White Paper.

  • "This White Paper examines the extent to which access to data in the Cloud by governments in various jurisdictions is possible, regardless of where a Cloud provider is located. “Governmental access,” as that term is used here, includes access by all types of law enforcement authorities and other governmental agencies, recognizing that the rules may be different for law enforcement and national security access. Governments need some degree of access to data for criminal (including cybercrime) investigations and for purposes of national security. But privacy and confidentiality also are important issues. This paper does not enter into the ongoing debate about the potential for excessive government access to data and insufficient procedural protections. Rather, this White Paper undertakes to compare the nature and extent of governmental access to data in the Cloud in many jurisdictions around the world."
  • See also Study: Patriot Act Gives US Government No Special Access to Cloud Data
    * FTC Testifies on Efforts to Protect Consumer Privacy

    News release: "The Federal Trade Commission testified before Congress about the agency’s efforts to protect consumer privacy, including the FTC’s support for implementation of a “Do Not Track” mechanism that would allow consumers to control the tracking of their online activities across websites, and other approaches recommended in its recent privacy report. In delivering Commission testimony before the Senate Committee on Commerce, Science and Transportation, FTC Chairman Jon Leibowitz said the current time is a “critical juncture” for consumer privacy, and described the FTC’s recent privacy report, including its call for final implementation of a Do Not Track mechanism. The testimony notes that the Commission recommends Congress consider enacting general privacy legislation, and that it enact data security and breach notification legislation and targeted legislation to address data brokers."

    May 24, 2012
    * Disappearing Phone Booths - Privacy in the Digital Age

    Disappearing Phone Booths - Privacy in the Digital Age, by Erica Newland, May 2012

  • "I will...explain why the confluence of at least four circumstances – (1) digital ubiquity, (2) the increasing number of parties that take part in our daily transactions, (3) the commodification and monetization of data, (4) and woefully out-of-date privacy laws – creates something of a perfect storm, leaving us as a nation poorly equipped, in our present state, to preserve any measure of a right to privacy. That is to say, I will be arguing that technology and policy both play powerful roles in framing what is possible and how we live our lives, and that changes in technology must be accompanied by changes to policy."
    May 23, 2012
    * From Fingerprints to DNA: Biometric Data Collection in U.S. Immigrant Communities

    "Today the Immigration Policy Center (IPC) and the Electronic Frontier Foundation (EFF) release From Fingerprints to DNA: Biometric Data Collection in U.S. Immigrant Communities and Beyond. The paper outlines the current state of U.S. government collection of biometric information and the problems that could arise from these growing databases of records. It also points out how immigrant communities are immediately affected by the way this data is collected, stored, and shared."

    * Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization

    Ohm, Paul, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization (August 13, 2009). UCLA Law Review, Vol. 57, p. 1701, 2010; U of Colorado Law Legal Studies Research Paper No. 9-12. Available at SSRN

  • "Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often 'reidentify' or 'deanonymize' individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so."
    May 19, 2012
    * Hearing on the Geolocation Privacy and Surveillance (GPS) Act

    House Committee on the Judiciary Subcommittee on Crime, Terrorism, and Homeland Security - Hearing on the Geolocation Privacy and Surveillance (GPS) Act - Statement for the Record of Professor Matt Blaze, May 17, 2012

  • Re - Geolocational Privacy and Surveillance Act, S. 1212: "GPS is only one technology for cell location, and while it is the most visible to the end user, GPS is neither the most pervasive nor the most generally applicable cellular phone location system, especially in the surveillance context. More ubiquitously available are techniques that (unlike GPS) do not depend on satellites or special hardware in the handset, but rather on radio signal data collected and analyzed at the cellular providers' towers and base stations. These “network-based” location techniques can give the position of virtually every handset active in the network at any time, regardless of whether the mobile devices are equipped with GPS chips and without the explicit knowledge or active cooperation of the phone users."
    May 17, 2012
    * EPIC: Privacy Board Approved by Judiciary Committee, Vote Moves to Senate

    "The Senate Committee on the Judiciary has approved President Obama's five nominees for the Privacy and Civil Liberties Oversight Board. The Board is an independent entity charged with ensuring that fundamental rights are protected in the implementation of government programs, including cybersecurity. Originally convened in 2004, the five seats on the Board have remained vacant for the past five years. Senator Leahy, the Chairman of the Judiciary Committee, said, "When we worked to create this board, we did so to ensure that our fundamental rights and liberties would be preserved…The Senate should move quickly to confirm the nominees to the board so that they can get to their important work." For more information, see EPIC: 9/11 Commission Report and "The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11."

    May 15, 2012
    * EPIC - FAA Revises Drone License Procedures, Privacy Petition Still Pending

    EPIC: "The Federal Aviation Administration has announced new procedures for government agencies that operate drones in the United States. The procedures will streamline the process through which government agencies, including local law enforcement, receive drone licenses. However, the FAA has so far failed to establish privacy safeguards for drone use. On February 24, 2012, EPIC, joined by over 100 organizations, experts, and members of the public, submitted a petition to the FAA requesting a public rulemaking on the privacy impact of drone use in US airspace. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones."

    May 12, 2012
    * Senator Franken Requests Data on GPS Tracking of Citizen Movements

    Via the ACLU, Letter from Senator Al Franken, Chairman, Subcommittee on Privacy, Technology and the Law, to Attorney General Holder, May 10, 2012, which reads in part: "I was very concerned to read recent reports suggesting that state and local law enforcement agencies may be working around the protections of United States v. Jones by requesting the location records of individuals directly from their wireless carriers instead of tracking the individuals through stand-alone GPS devices installed on their vehicles. I was further concerned to learn that in many cases, these agencies appear to be obtaining precise records of individuals' past and current movements from carriers without first obtaining a warrant for this information. I think that these actions may violate the spirit if not the letter of the Jones decision. I am writing to ask you about the Department of Justice's own practices in requesting location information from wireless carriers. I am eager to learn about how frequently the Department requests location information and what legal standard the Department believes it must meet to obtain it. I would also like to know how the Department may have changed these practices since the Jones decision."

  • See also Sen. Franken Wants Justice Dept. To Reveal When It Sought Cell Phone GPS Data
    May 11, 2012
    * DHS OIG - U.S. Customs and Border Protection Privacy Stewardship

    U.S. Customs and Border Protection Privacy Stewardship, OIG-12-78, April 2012

  • "CBP has made limited progress toward instilling a culture of privacy that protects sensitive personally identifiable information. This is in part because it has not established a strong organizational approach to address privacy issues across the component. To strengthen its organizational approach to privacy, CBP needs to establish an Office of Privacy with adequate resources and staffing and hold Assistant Commissioners and Directors accountable for their employees’ understanding of and compliance with their privacy responsibilities. In addition, CBP needs to improve its compliance with Federal privacy laws and regulations. Specifically, it needs to develop a complete inventory of its personally identifiable information holdings, complete privacy threshold analyses for all systems, and develop accurate system of records notices for its systems. CBP also needs to ensure that privacy impact assessments are conducted for all personally identifiable information systems."
    * Pew - Three-quarters of smartphone owners use location-based services

    Three-quarters of smartphone owners use location-based services, by Kathryn Zickuhr, May 11, 2012

  • "A new report finds that 74% of smartphone owners use their phone to get real-time location-based information, and 18% use a geosocial service to “check in” to certain locations or share their location with friends. Over the past year, smartphone ownership among American adults has risen from 35% of adults in 2011 to 46% in 2012. This means that the overall proportion of U.S. adults who get location-based information has almost doubled over that time period, from 23% in May 2011 to 41% in February 2012. The percentage of adults who use geosocial services like Foursquare has likewise risen from 4% in 2011 to 10% in 2012."
    May 09, 2012
    * EPIC Stresses Need For Privacy Evaluation in Drone Testing

    "In comments to the Federal Aviation Administration (FAA), EPIC emphasized the need for transparency and accountability in drone operations, and recommended the development of privacy protections before drones are more widely deployed in the US. The FAA Notice of Proposed Rulemaking set out proposed criteria for drone testing. Congress has tasked the FAA with facilitating the use of drones in the domestic airspace. In February, EPIC, joined by a coalition of more than 100 organizations, experts, and members of the public, petitioned the FAA to conduct a rulemaking on the privacy implications of domestic drone use. For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones."

    May 08, 2012
    * Myspace Settles FTC Charges That It Misled Millions of Users About Sharing Personal Information with Advertisers

    News release: "Social networking service Myspace has agreed to settle Federal Trade Commission charges that it misrepresented its protection of users' personal information. The settlement, part of the FTC's ongoing efforts to make sure companies live up to the privacy promises they make to consumers, bars Myspace from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy assessments for the next 20 years. The Myspace social network has millions of users who create and customize online profiles containing substantial personalized content. Myspace assigns a persistent unique identifier, called a "Friend ID," to each profile created on Myspace. A user's profile publicly discloses his or her age, gender, profile picture (if the user chooses to include one), display name, and, by default, the user's full name. User profiles also may contain additional information such as pictures, hobbies, interests, and lists of users' friends."

    May 06, 2012
    * NSA: New Smartphones and the Risk Picture

    NSA Fact Sheet, April 2012: "Mobile phone platforms are susceptible to malicious attacks, both from the network and upon physical compromise. Understanding the vectors of such attacks, level of expertise required to carry them out, available mitigations, and impact of compromise provides a background for certain risk decisions. In general, comparing risks introduced by the new generation of mobile devices to those of traditional, widely-deployed desktop systems provides insight into how the risks to DoD networks are changing. Due to the larger cultural and technological shift to mobile devices, this may be more relevant than comparison of different smartphone brands."

    May 05, 2012
    * Consumer Reports - Facebook & your privacy

    Who sees the data you share on the biggest social network? Consumer Reports magazine: June 2012

  • "if you're reading this article, chances are good you have a page on Facebook, too. More than 150 million Americans already use the site, and the number grows daily because Facebook makes it so easy to keep up with friends, family, and colleagues, discover great content, connect to causes, share photos, drum up business, and learn about fun events. To deliver this service, Facebook and other social networks collect enormous amounts of highly sensitive information—and distribute it more quickly and widely than traditional consumer data-gathering firms ever could. That’s great when it helps you find old classmates or see ads for things you actually want to buy. But how much information is really being collected about you? How is it being used? And could it fall into the wrong hands? To find out, we queried Facebook and interviewed some two dozen others, including security experts, privacy lawyers, app developers, and victims of security and privacy abuse. We dug into private, academic, and government research, as well as Facebook’s labyrinthian policies and controls. And we surveyed 2,002 online households, including 1,340 that are active on Facebook, for our annual State of the Net report. We then projected those data to estimate national totals."
    May 02, 2012
    * CRS - United States v. Jones: GPS Monitoring, Property, and Privacy

    United States v. Jones: GPS Monitoring, Property, and Privacy, Richard M. Thompson II, Legislative Attorney, April 30, 2012

  • "In United States v. Jones, 132 S. Ct. 945 (2012), all nine Supreme Court Justices agreed that Jones was searched when the police attached a Global Positioning System (GPS) device to the undercarriage of his car and tracked his movements for four weeks. The Court, however, splintered on what constituted the search: the attachment of the device or the long-term monitoring. The majority held that the attachment of the GPS device and an attempt to obtain information was the violation; Justice Alito, concurring, argued that the monitoring was a violation of Jones’s reasonable expectation of privacy; and Justice Sotomayor, also concurring, agreed with them both, but would provide further Fourth Amendment protections. This report will examine these three decisions in an effort to find their place in the body of existing Fourth Amendment law pertaining to privacy, property, and technology."
    May 01, 2012
    * House of Commons Report - News International and Phone-hacking

    House of Commons Culture, Media and Sport Committee. News International and Phone-hacking. Eleventh Report of Session 2010-12, Volume I: Report, together with formal minutes - Volume II: Oral and written evidence

  • "This Report examines whether or not there is good evidence to suggest that the Committee and its predecessor Committees have been misled by any witnesses during the course of their work on the phone-hacking scandal, which continues to reverberate around News International and to have major repercussions for the British newspaper industry as a whole."
  • NYT: Panel in Hacking Case Finds Murdoch Unfit as News Titan
    * CRS: Cybersecurity: Authoritative Reports and Resources

    Cybersecurity: Authoritative Reports and Resources, Rita Tehan, Information Research Specialist, April 26, 2012

  • "Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide. Attacks have been initiated by individuals, as well as countries. Targets have included government networks, military defenses, companies, or political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a response problematic...There is no shortage of data on this topic: government agencies, academic institutions, think tanks, security consultants, and trade associations have issued hundreds of reports, studies, analyses, and statistics. This report provides links to selected authoritative resources related to cybersecurity issues."
    April 28, 2012
    * Redacted Version of Google Street View Investigation by FCC Released

    LA Times: "Google has released the full report of the Federal Communications Commission’s investigation into the data it collected and stored from millions of unknowing households across the nation while operating specially equipped cars for its Street View service. The search giant released the report, which had had heavily redacted passages, after wrangling with the FCC over which details could be publicly revealed. The report now blacks out only the names of individuals. It reveals new details and raises new questions about how Google captured personal information over a two-year period. Google has said that it was mapping wireless networks but that collecting personal data was 'inadvertent.'"

    April 26, 2012
    * New Internet Security Report Highlights Vulnerability of HTTPS Websites

    Computer World: "Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems. The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys, to analyze the strength of HTTPS implementations on websites listed in the top 1 million published by Web analytics firm Alexa."

    * UK Study - ICO report finds many people becoming a 'soft touch' for online fraudsters

    News release: "The Information Commissioner’s Office (ICO) is urging consumers to take better care of their data, following an investigation into the trade in used hard drives. The ICO has published new guidance to help individuals securely delete personal information from their old devices. An investigation by the ICO found that one in ten second-hand hard drives sold online may contain residual personal information. An ICO survey also found that 65% of British adults now hand on their old phones, computers and laptops to another user, with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else. In December 2010, the ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones. The devices were mainly bought online from internet auction sites and some were sourced at computer trade fairs. The devices were then searched, initially without any additional software, and then interrogated using forensic tools freely available on the internet. The research found that, while 52% of the hard drives investigated were unreadable or had been wiped of data, 48% contained information and 11% was personal data. The amount of personal data found on the mobile phones and memory sticks was negligible. In total 34,000 files containing personal or corporate information were recovered from the devices. At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity. The residual documents included scanned bank statements, passports, information on previous driving offences, and some medical details. A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details."

    April 24, 2012
    * CFA Report: How Identity Theft Services Measure Up to Best Practices

    "The Consumer Federation of America (CFA) released Best Practices for Identity Theft Services: How Are Services Measuring Up?, which analyzes how well identity theft services are providing key information to prospective customers. The study is based on CFA’s Best Practices for Identity Theft Services, voluntary guidelines that CFA developed with the help of identity theft service providers and consumer advocates. Released last year, the best practices resulted from CFA’s first study of identity theft services in 2009, which raised concerns about misleading claims about the ability to protect consumers from identity theft, lack of clear information, and other troublesome practices."

    April 16, 2012
    * EPIC: FCC Fines Google $25,000 for Failure to Cooperate with Street View Investigation

    EPIC: "The Federal Communications Commission announced that it will fine Google $25,000 for obstructing an investigation concerning Google Street View and federal wiretap law. The Commission found that Google impeded by "delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions." In May 2010, EPIC wrote to the FCC and urged the agency to undertake an investigation after it became clear that Google had intercepted the private communications of millions of users of wi-fi networks in the United States. Shortly afterward, the head of the FCC Bureau of Consumer and Governmental Affairs wrote that Google's behavior "clearly infringes on consumer privacy." Many countries around the world have found Google guilty of violating national privacy laws. Surprisingly, the FCC said that Google had not violated the federal wiretap act, even though a federal court recently held otherwise. For more information, see EPIC: Investigations of Google Street View and EPIC: Ben Joffe v. Google."

    April 15, 2012
    * LLRX: SOPA’s Evil Twin Sister – CISPA

    Via LLRX.com - SOPA’s Evil Twin Sister – CISPA: Well known graphic artists Jake O'Neil and Spencer Belkofer created this infographic out of a sense of urgency, to visualize the salient information and share it with as many communities as possible. This bill, the Cyber Intelligence Sharing and Protection Act of 2011, has not garnered the media coverage of the Stop Online Piracy Act (SOPA), but its high impact implications target key legal issues involving privacy and intellectual property.

    April 14, 2012
    * EFF: Miami-Dade PD Releases Information about Its Drone Program

    News release: "EFF recently received records from the Miami-Dade Police Department in response to a Public Records request for information on its drone program. These records provide additional insight into domestic drone use in the United States, and they reinforce the importance of public access to information on who is authorized to fly drones inside US borders. The records the Miami-Dade PD released include the Federal Aviation Administration-issued Certificate of Authorization (COA) to fly the MDPD drones. This appears to be the first time a law enforcement agency has made its COA available to the public without redactions. The COA and the other records EFF received show that Miami-Dade’s drone program is quite limited in scope. The two small drones the MDPD is flying—Honeywell T-Hawks—are able to fly up to 10,000 feet high, can record video or still images in daylight or infrared, and can “Hover and stare; [and] follow and zoom,” (pdf) according to the manufacturer. However, the COA limits their use to flights below 300 feet. The drones also must remain within visual line of sight of both a pilot and an observer and can only be flown during the day."

    April 12, 2012
    * EPIC: Facebook Offers Revised “Download Your Information” Option

    EPIC: "The New York Times reported that Facebook would provide users with a downloadable archive containing many types of data that the company stores about users. Although the new archive contains more user information than Facebook first offered in 2010, Max Schrems, the German law student and founder of Europe v. Facebook, said that Facebook is still only providing 39 of 84 data categories. EPIC called on Facebook to give users full access to all of the data that the company keeps about them through EPIC’s Know What They Know campaign. In comments on a settlement between Facebook and the Federal Trade Commission, EPIC recommended that the FTC require Facebook to give users full access to their data. For more information, see EPIC: Facebook Privacy and EPIC: Know What They Know."

    April 11, 2012
    * Pioneering Privacy Bill Awaits Signature by Maryland Governor

    Baltimore Sun: "Moving to the forefront of social media privacy law nationwide, the Maryland General Assembly has passed legislation prohibiting employers in the state from asking current and prospective employees for their user names and passwords to websites such as Facebook and Twitter. If Gov. Martin O'Malley signs the bill — his office said it was one of hundreds of bills it has yet to review — the bill would make Maryland the first state in the nation to set such a restriction into law. Other states are considering similar legislation, including Illinois and California. The bill, drafted in response to a state agency's scouring the personal Facebook posts of prison guard applicants, also could be a bellwether for federal action. Two U.S. senators — Chuck Schumer of New York and Richard Blumenthal of Connecticut, both Democrats — have asked the Department of Justice and the U.S. Equal Employment Opportunity Commission to investigate the issue."

    April 09, 2012
    * CDT Analysis of EC's Proposed Data Protection Regulation

    CDT Analysis of the European Commission's Proposed Data Protection Regulation

    • CDT strongly supports the use of the Regulation instrument to harmonize data protection across the common market and the renewed emphasis on stronger enforcement to provide data subjects with consistent, predictable privacy rights.
    • CDT proposes a clarification that the Regulation's requirement of parental consent only applies when a controller has actual knowledge that it is processing a child's data, as opposed to a presumption of knowledge that it is likely processing data concerning a child. Otherwise, all controllers would have to adopt invasive, expensive, and ineffective controls to determine the identity of all data subjects in violation of Article 10 of the Regulation.
    • CDT urges significant revision to the Articles providing for a right to be forgotten and for stringent rules around profiling, as these Articles are unduly broad and unworkable in their current iterations.
    • CDT supports a streamlined process for the development of industry specific Codes of Conduct and urges the Commission to take an active role in convening stakeholders around evolving privacy norms.

    April 08, 2012
    * WSJ Report - Selling You on Facebook

    Selling You on Facebook: "Some of the most widely used apps on Facebook—the games, quizzes and sharing services that define the social-networking site and give it such appeal—are gathering volumes of personal information. A Wall Street Journal examination of 100 of the most popular Facebook apps found that some seek the email addresses, current location and sexual preference, among other details, not only of app users but also of their Facebook friends. One Yahoo service powered by Facebook requests access to a person's religious and political leanings as a condition for using it. The popular Skype service for making online phone calls seeks the Facebook photos and birthdays of its users and their friends...This appetite for personal data reflects a fundamental truth about Facebook and, by extension, the Internet economy as a whole: Facebook provides a free service that users pay for, in effect, by providing details about their lives, friendships, interests and activities. Facebook, in turn, uses that trove of information to attract advertisers, app makers and other business opportunities."

    * The Global Information Technology Report 2012

    The Global Information Technology Report 2012 - Living in a Hyperconnected World - World Economic Forum, 2012

    "We live in an environment where the Internet and its associated services are accessible and immediate, where people and businesses can communicate with each other instantly, and where machines are equally interconnected with each other. The exponential growth of mobile devices, big data, and social media are all drivers of this process of hyperconnectivity. Consequently, we are beginning to see fundamental transformations in society. Hyperconnectivity is redefining relationships between individuals, consumers and enterprises, and citizens and the state. It is introducing new opportunities to increase productivity and well-being by redefining the way business is done, generating new products and services, and improving the way public services are delivered. However, hyperconnectivity can also bring about new challenges and risks in terms of security, cybercrime, privacy, the flow of personal data, individual rights, and access to information. Traditional organizations and industry infrastructures are also facing challenges as industries converge. This will inevitably have consequences for policy and regulation because regulators will have to mediate the blurring lines between sectors and industries, and will be obligated to oversee more facets of each interaction in a pervasive way. For example, in terms of security and surveillance, hyperconnectivity is transforming the way people, objects, and even animals are being monitored. Experts also predict it will have an impact on inventory, transport and fleet management, wireless payments, navigation tools, and so on. The impact of ICT on different facets of life and work is growing. In this context, the way we monitor, measure, and benchmark the deployment and impacts of ICT must evolve to take into account the rapid changes and consequences of living in a hyperconnected world. Reflecting on this imperative of adaptation, a comprehensive review process of the NRI framework has been undertaken, guided by a process of high-level consultations with academic experts, policymakers, and representatives of the ICT industry. The results of this new framework are presented for the first time in this edition of the Report."

    * Global Integrity Report 2011

    "Regardless of how weak or sophisticated their political financing regulations are, countries around the world are equally failing to effectively regulate the flow of money into politics, a new report finds. The Global Integrity Report: 2011, a major investigative study of 31 countries, was released today by Global Integrity, an award-winning international nonprofit organization that tracks governance and corruption trends globally. Twenty-nine countries out of a 31-country sample scored less than 60 on a 100-point scale on questions assessing the effectiveness of laws regulating individual and corporate donations to political parties, as well as the auditing of those donations and campaign expenditures. Government monitoring agencies tasked with enforcing such laws typically lack investigative power and often have little to no authority to impose sanctions. The United States scored just 29 out of 100 on the effectiveness of its party financing regulations and 25 out of 100 in its ability to effectively regulate contributions made to individual political candidates. Those scores represent a significant decrease from 2009, the last year Global Integrity covered the US, and reflect the negative impact of the “Citizens United” Supreme Court decision in early-2010 that loosened the controls over private money flowing into US elections. Despite that backsliding, the US remains at the head of the pack when it comes to the disclosure of political finance information to the public (94 out of 100)."

    April 06, 2012
    * SmartMoney - 10 Things Online Data Collectors Won't Say

    10 Things Online Data Collectors Won't Say - They know your online browsing secrets. We reveal their hidden tactics.

    "If you're reading this on the Internet, chances are you're being followed. More than 200 data collection companies and ad networks use approximately 600 different tracking technologies to gather and sell information on people's web habits, according to Abine, an online privacy firm that tracks the trackers. The online advertising industry is a $31 billion business fueled largely by behind-the-scenes exchanges of consumers' personal online shopping and browsing habits. Web-based commercial data collectors work by quietly dropping bits of code called cookies on user computers, which allow collectors to track what people read, click or buy. That information, collected by companies such as BlueKai and DoubleClick (a Google subsidiary), is sold in real-time exchanges to ad networks, which then target segments of users with ads fitting their interests. Someone who just searched Expedia for information on Puerto Rico, for example, would be almost instantly hit with ads featuring San Juan hotels and resorts. Billions of these exchanges occur daily. Search engines and social networking sites such as Google and Facebook also track user data to generate targeted advertising. The result? The new cell phone or spring sandals users willed themselves not to buy show up in ads alongside their morning news."

    April 04, 2012
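    The tracking the article describes can be checked from a browser's network log: each response from a resource embedded in a page may carry a Set-Cookie header, and a cookie whose domain is not the page's own is the third-party cookie that lets a collector recognise the same browser across sites. The following is an added example and not code from SmartMoney or Abine. The page URL, the resource URLs and the Set-Cookie headers are constructed, the hostnames are placeholders under .example, and the registrable-domain rule is a two-label approximation (no public-suffix list, so co.uk-style suffixes would be misjudged).

    ```python
    from datetime import datetime, timezone
    from email.utils import parsedate_to_datetime
    from http.cookies import SimpleCookie
    from typing import List, Optional, Tuple
    from urllib.parse import urlsplit

    # Constructed: a first-party page and the Set-Cookie headers returned by the
    # resources it embedded, as a browser's network log would show them.
    PAGE_URL = "http://www.example-news.com/travel/puerto-rico"
    RESPONSES = [
        ("http://www.example-news.com/static/app.js", []),
        ("http://cdn.example-news.com/img/hero.jpg",
         ["sess=abc123; Path=/; HttpOnly"]),
        ("http://tags.tracker.example/pixel.gif?site=news",
         ["bkdc=42; Domain=.tracker.example; Expires=Sun, 06 Apr 2014 00:00:00 GMT"]),
        ("http://ad.ads.example/adj/travel",
         ["id=22fe8; Domain=.ads.example; Max-Age=63072000; Path=/"]),
    ]
    NOW = datetime(2012, 4, 6, tzinfo=timezone.utc)  # fixed clock for the demo

    Row = Tuple[str, str, bool, Optional[int]]  # name, host, third_party, lifetime_days


    def registrable_domain(host: str) -> str:
        """eTLD+1 approximation: the last two labels (assumption: no public-suffix list)."""
        labels = host.lower().strip(".").split(".")
        return ".".join(labels[-2:])


    def cookie_lifetime_days(morsel, now: datetime) -> Optional[int]:
        """None for a session cookie; otherwise days until it expires (Max-Age wins over Expires)."""
        if morsel["max-age"]:
            return int(morsel["max-age"]) // 86400
        if morsel["expires"]:
            return (parsedate_to_datetime(morsel["expires"]) - now).days
        return None


    def classify_cookies(page_url: str, responses, now: datetime) -> List[Row]:
        """Tag every cookie set while loading the page as first- or third-party."""
        page_site = registrable_domain(urlsplit(page_url).hostname)
        rows: List[Row] = []
        for resource_url, set_cookie_headers in responses:
            host = urlsplit(resource_url).hostname
            for header in set_cookie_headers:
                jar = SimpleCookie()
                jar.load(header)
                for name, morsel in jar.items():
                    # A Domain attribute widens the cookie to that domain; otherwise it
                    # belongs to the responding host only.
                    cookie_host = morsel["domain"].lstrip(".") or host
                    third_party = registrable_domain(cookie_host) != page_site
                    rows.append((name, cookie_host, third_party,
                                 cookie_lifetime_days(morsel, now)))
        return rows


    def trackers(rows: List[Row]) -> List[str]:
        """Hosts setting persistent third-party cookies: the ones that can follow the
        browser from site to site rather than for one visit."""
        return sorted({host for _name, host, third, days in rows if third and days is not None})


    if __name__ == "__main__":
        for row in classify_cookies(PAGE_URL, RESPONSES, NOW):
            print(row)
        print("trackers:", trackers(classify_cookies(PAGE_URL, RESPONSES, NOW)))
    ```

    Run against a real capture, the same classification is the basis for deciding which hosts to block or which cookies to clear; the lifetime column separates a per-visit session cookie from the multi-year identifiers that make cross-site profiling possible.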
    * EFF: UK Government Proposes Law Monitoring Every Email, Phone Call, and Text Message

    EFF: "On Sunday, the United Kingdom’s Prime Minister David Cameron and the Interior Ministry were forced to defend a sweeping wiretapping proposal, which would aim to monitor every single email, text message, and phone call flowing through the whole country. The proposal would likely force all UK Internet Service Providers (ISPs) to install “black boxes” on their systems that use Deep Packet Inspection (DPI) technology, which would give authorities access to all communications data without a warrant or any judicial oversight. Law enforcement would have access to IP addresses, email addresses, when you send an email, to whom you send it, and how frequently—as well as corresponding data for phone calls and text messages. The government has claimed this proposal is needed to fight “terrorism and serious crimes,” but of course, it would be available to law enforcement for all purposes."

    April 03, 2012
    * EPIC Urges Court to Affirm Privacy Protections for Home Wi-Fi Networks

    "EPIC has filed an amicus brief in the Ninth Circuit urging the court to affirm legal protections for users of home Wi-Fi networks. In Joffe v. Google, the plaintiffs sued Google for the interception and capture of private communications transferred over residential Wi-Fi networks. Google argued that it should be exempt from liability under the federal Wiretap Act because Wi-Fi communications are "readily accessible to the general public." However, a lower court held that saying "that a network is unencrypted does not render that network readily accessible to the general public and serve to remove the intentional interception of electronic communications from that network from liability under the ECPA." EPIC's brief for the Court of Appeals, which contains a detailed technical discussion of Wi-Fi technology, explains that residential Wi-Fi networks are unlike traditional radio broadcasts and should be protected under the Electronic Communications Privacy Act. EPIC also said that consumers should not bear the burden of securing their networks against sophisticated eavesdroppers when the purpose of the ECPA is to protect communications from such interception. For more information, see EPIC: Investigation of Google Street View, EPIC: Ben Joffe v. Google."

    * FTC Case Against Deceptive Robocallers Leads to Record $30 Million in Civil Penalties

    News release: "In response to charges by the Federal Trade Commission, a federal judge has ordered the defendants behind a deceptive robocall scheme to pay a total of $30 million in civil penalties and give up more than $1.1 million in ill-gotten gains for violations of the FTC Act and the Telemarketing Sales Rule. The court order includes a $20 million judgment against Paul Navestad, which is the largest civil penalty against a defendant in an FTC case, and a $10 million judgment against Christine Maspakorn. The $30 million in total fines is, by far, the largest penalty ever imposed for unlawful calls to consumers on the Do-Not-Call Registry."

    April 02, 2012
    * FTC Chairman Releases 2012 Annual Highlights

    "Federal Trade Commission Chairman Jon Leibowitz released the agency’s 2012 Annual Highlights today at the spring meeting of the American Bar Association’s Section of Antitrust Law in Washington, DC, recognizing the agency’s continued efforts to protect consumers and promote competition. The Highlights, published in an online format for the first time this year, focus on the Commission’s work in multiple areas since March 2011, including online privacy, consumer fraud during the economic downturn, health care competition, and safeguarding children."

    April 01, 2012
    * FBI - Social Networking Risks Outlined in Latest Counterintelligence Brochure

    Social Networking Risks Outlined in Latest Counterintelligence Brochure, March 2012

    "Internet-based social networking sites have created a revolution in social connectivity. However, con artists, criminals, and other dishonest actors are exploiting this capability for nefarious purposes. So warns our Counterintelligence Division in its latest informative brochure, Internet Social Networking Risks, which not only depicts the hazards present online, but also describes common tactics used by criminals and spies in the cyber world as well as counter-tactics and preventative measures you can employ to protect yourself. View the other brochures in our collection for information and security tips on topics such as insider threats, intellectual property protection, and keeping safe abroad."

    * Privacy and Security Framework Requirements and Guidance for the State Health Information Exchange Cooperative Agreement Program

    HHS, March 22, 2012 - "The National Quality Strategy sets three aims for improving health care in our country: better care, affordable care, and healthy people and communities. Information that is accurate, up to date, and available when and where a patient seeks care is the lifeblood of health care improvement and crucial to reaching these goals. The stage is set for the nation to make rapid progress on health information exchange (HIE) this year supporting achievement of the three-part aim.
    This Program Information Notice (PIN) guidance provides a common set of privacy and security rules of the road to assure provider and public trust and enable rapid progress in health information exchange to support patient care. It addresses concerns from State leaders and other stakeholders that health information exchange efforts have been hampered and slowed by the lack of consistent approaches to core privacy and security issues and responds to requests for clear national guidance."

    March 31, 2012
    * House of Lords and the House of Commons Report - Privacy and injunctions

    House of Lords - House of Commons - Joint Committee on Privacy and Injunctions Privacy and injunctions, Session 2010–12 - Report, together with formal minutes, minutes of evidence and appendices Ordered by the House of Lords and the House of Commons to be printed 12 March 2012

    "A strong, free and vibrant press is essential to the good operation of democracy. Over the past 12 months, the culture and activities of the UK media have become the focus of widespread public concern, particularly in light of the phone hacking scandal. The balance between privacy and freedom of expression is at the heart of these debates about the role of the media. We have considered how this balance should be struck, who should determine where the balance lies and how decisions, once taken, can be enforced."

    March 26, 2012
    * FTC Issues Final Commission Report on Protecting Consumer Privacy

    News release: "The Federal Trade Commission, the nation's chief privacy policy and enforcement agency, issued a final report setting forth best practices for businesses to protect the privacy of American consumers and give them greater control over the collection and use of their personal data. In the report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, the FTC also recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation."

    * DHS Privacy Office Delivers First Quarter Fiscal Year 2012 Report to Congress

    Department of Homeland Security Privacy Office, First Quarter Fiscal Year 2012 Report to Congress

    "The PIA [Privacy Impact Assessments] process is one of the key mechanisms used to assure that the Department’s use of technologies sustains, and does not erode, privacy protections relating to the use, collection, and disclosure of PII. As of November 30, 2011, 81 percent of the Department’s Federal Information Security Management Act (FISMA) systems that require a PIA were covered by a PIA, an increase from 80 percent at the end of the fourth quarter of FY 2011. Additionally, the Department has implemented a triennial review program for legacy PIAs to assess and confirm that these systems are still operating within the originally published parameters. As these systems are renewed, notification will be added to the previously published PIA to inform the public that a review has been conducted for that system."

    * CDT - Decentralizing the Analysis of Health Data

    Decentralizing the Analysis of Health Data, March 22, 2012

    "As the digitization of health records makes it easier and more cost effective to share and analyze health data, policymakers and businesses are increasingly looking to use health data for secondary purposes – uses beyond that for which the health data were originally collected. For example, health data that were primarily collected for treatment or payment can be valuable for such secondary uses as population-scale research and public health surveillance. Done properly, many secondary uses of health data can provide substantial benefits to patients and aid the creation of a more effective, information-driven health care system. Secondary use initiatives should be undertaken in a way that maximizes the confidentiality and security of patient data and preserves the trust of both health care providers and the public. While a strong policy framework based on Fair Information Practices is critical to achieve this balance, the technical architecture of information exchange – which is the focus of this paper – is another important factor. Currently, many government programs using health claims for secondary purposes collect and retain the data in a centralized fashion. The key message of this paper is that decentralized alternatives can achieve most secondary use program goals in a manner that is more protective of privacy and security in the long term."

    March 25, 2012
    * EPIC: New Guidelines Expand Datamining Role of National Counterterrorism Center

    EPIC: "Under revised guidelines [unclassified] for the National Counterterrorism Center, intelligence agency officials will be able to profile and track American citizens, suspected of no crime, for up to five years. The change represents a dramatic expansion of government surveillance and appears to violate the Privacy Act of 1974, which limits data exchanges across federal agencies and establishes legal rights for US citizens. In 2003, Congress put an end to a similar program. For more information, see EPIC - Total Information Awareness."

    March 23, 2012
    * DHS Privacy Office Limited Time Release of Privacy Impact Assessments

    "Between December 1, 2011 and February 29, 2012 the Chief Privacy Officer of the DHS approved and published eleven Privacy Impact Assessments (PIAs) on the DHS Privacy Office Web site, under the link for Privacy Impact Assessments. These PIAs cover eleven separate DHS programs. Below is a short summary of those programs, indicating the DHS component responsible for the system, and the date on which the PIA was approved. Additional information can be found on the web site or by contacting the Privacy Office."

    March 21, 2012
    * Firefox enables HTTPS safe searching as default setting

    Follow-up to the February 28 item below, New 'HTTPS Everywhere' Version Warns Users About Web Security Holes: see the following from privacy researcher Christopher Soghoian, Firefox switching to HTTPS Google search by default (and the end of referrer leakage).

    "A few days ago, Mozilla's developers quietly enabled Google's HTTPS encrypted search as the default search service for the "nightly" developer trunk of the Firefox browser (it will actually use the SPDY protocol). This change should reach regular users at some point in the next few months...This is a big deal for the 25% or so of Internet users who use Firefox to browse the web, bringing major improvements in privacy and security. First, the search query information from these users will be shielded from their Internet service providers and governments who might be using Deep Packet Inspection (DPI) equipment to monitor the activity of users or censor and filter search results. Second, the search query information will also be shielded from the websites that consumers visit after conducting a search. This information is normally leaked via the "referrer header"."
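    How the referrer leak works, and why HTTPS search stops it, as an added example rather than code from Soghoian's post: when a user clicks a result, the browser's request to the destination carries a Referer header containing the full search URL, query included, and the destination's access log records it. RFC 2616 section 15.1.3 tells browsers not to send that header on a plain-HTTP request when the referring page was loaded over HTTPS, so a search over HTTPS leaves an HTTP destination with no referrer at all. The log lines, addresses and queries below are constructed; the sending rule modelled is that legacy downgrade rule only, which also shows its limit: an HTTPS destination still receives the full referring URL from an HTTPS search page unless the search engine strips it on its side.

    ```python
    import re
    from typing import List, Optional, Tuple
    from urllib.parse import parse_qs, urlsplit

    # Constructed access-log lines (Apache "combined" format) as a destination site
    # would record them. Line 1: HTTP search page -> full query leaked in the
    # referrer field. Line 2: what an HTTPS search leaves behind at an HTTP site.
    # Line 3: an HTTPS site still receives the HTTPS search URL under the legacy rule.
    SAMPLE_LOG = """\
    203.0.113.7 - - [21/Mar/2012:10:01:12 +0000] "GET /article HTTP/1.1" 200 5120 "http://www.google.com/search?q=divorce+lawyer+boston&hl=en" "Mozilla/5.0"
    203.0.113.9 - - [21/Mar/2012:10:02:03 +0000] "GET /article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
    203.0.113.11 - - [21/Mar/2012:10:03:44 +0000] "GET /article HTTP/1.1" 200 5120 "https://www.google.com/search?q=hiv+test+results" "Mozilla/5.0"
    """

    # host ident user [time] "request" status bytes "referer" "user-agent"
    COMBINED_RE = re.compile(
        r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "([^"]*)" "[^"]*"$')

    # Query-string parameters that carry the search terms on common engines
    # (q: Google and Bing, p: Yahoo). Assumption: engines of the period.
    SEARCH_QUERY_PARAMS = ("q", "p", "query")


    def referer_for_navigation(from_url: str, to_url: str) -> Optional[str]:
        """Referer header a browser sends when following a link, under the legacy
        RFC 2616 15.1.3 rule: the full referring URL, except that nothing is sent
        when an HTTPS page leads to a non-HTTPS destination."""
        if urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme != "https":
            return None
        return from_url


    def search_terms_from_referer(referer: Optional[str]) -> Optional[str]:
        """Recover the search query a visitor typed, if the referrer is a results page."""
        if not referer or referer == "-":
            return None
        parts = urlsplit(referer)
        if "/search" not in parts.path:
            return None
        params = parse_qs(parts.query)
        for name in SEARCH_QUERY_PARAMS:
            if name in params:
                return params[name][0]
        return None


    def leaked_queries(log_text: str) -> List[Tuple[str, str]]:
        """(client address, search query) for every log line whose referrer leaks one."""
        found: List[Tuple[str, str]] = []
        for line in log_text.splitlines():
            match = COMBINED_RE.match(line)
            if not match:
                continue
            client, referer = match.groups()
            query = search_terms_from_referer(referer)
            if query:
                found.append((client, query))
        return found


    if __name__ == "__main__":
        for client, query in leaked_queries(SAMPLE_LOG):
            print(f"{client} searched for: {query!r}")
        print(referer_for_navigation("https://www.google.com/search?q=x", "http://example.com/"))
    ```

    The same parser, pointed at a site's own logs, is a quick way to measure how much of its inbound traffic still arrives with search terms attached; DPI equipment on the path sees the query in the clear only for the first of the three cases.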
    * DARPA's Active Authentication Program - No More Passwords

    Active Authentication: "The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console. The Active Authentication program seeks to address this problem by developing novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software based biometrics. Biometrics are defined as the characteristics used to uniquely recognize humans based on one or more intrinsic physical or behavioral traits. This program focuses on the behavioral traits that can be observed through how we interact with the world. Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a “cognitive fingerprint.”"
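    One behavioral trait such systems can observe is typing rhythm: the latency between consecutive key presses varies by key pair and by person. The example below is added here and is neither DARPA's code nor a description of any Active Authentication performer's method. It enrols a profile of per-digraph latencies and then re-scores the typist on each window of keystrokes during the session, which is the continuous check the paragraph says password-only systems lack. The keystroke samples are synthetic (a seeded generator with assumed base latencies and jitter), and the window size, threshold and 10 ms standard-deviation floor are assumptions chosen for the demo, not tuned values.

    ```python
    import random
    from statistics import mean, pstdev
    from typing import Dict, List, Tuple

    # A keystroke sample: (key, press time in milliseconds), in typing order.
    Sample = List[Tuple[str, float]]
    Profile = Dict[str, Tuple[float, float]]  # digraph -> (mean latency, stdev)


    def digraph_latencies(sample: Sample) -> Dict[str, List[float]]:
        """Press-to-press latency of each consecutive key pair ("digraph")."""
        out: Dict[str, List[float]] = {}
        for (k1, t1), (k2, t2) in zip(sample, sample[1:]):
            out.setdefault(k1 + k2, []).append(t2 - t1)
        return out


    def enroll(samples: List[Sample], min_obs: int = 3, sd_floor: float = 10.0) -> Profile:
        """Build the user's profile from several enrollment samples. The floor on the
        standard deviation (assumption) keeps one very regular digraph from dominating."""
        pooled: Dict[str, List[float]] = {}
        for s in samples:
            for dg, lats in digraph_latencies(s).items():
                pooled.setdefault(dg, []).extend(lats)
        return {dg: (mean(lats), max(pstdev(lats), sd_floor))
                for dg, lats in pooled.items() if len(lats) >= min_obs}


    def score(profile: Profile, sample: Sample) -> float:
        """Mean absolute z-score of the sample's latencies against the profile.
        Lower means more like the enrolled user; inf when nothing overlaps (fail closed)."""
        zs: List[float] = []
        for dg, lats in digraph_latencies(sample).items():
            if dg in profile:
                mu, sd = profile[dg]
                zs.extend(abs(x - mu) / sd for x in lats)
        return mean(zs) if zs else float("inf")


    def continuous_auth(profile: Profile, session: Sample,
                        window: int = 12, threshold: float = 2.5) -> List[bool]:
        """Re-verify the typist on every window of keystrokes; False means lock the session."""
        return [score(profile, session[i:i + window]) < threshold
                for i in range(0, len(session) - window + 1, window)]


    # --- constructed data: a seeded generator standing in for the keystroke sensor ---
    def typed(text: str, rhythm: Dict[str, float], default: float,
              jitter: float, rng: random.Random) -> Sample:
        """Synthetic sample: each digraph's latency is its base value plus Gaussian jitter."""
        t, prev, sample = 0.0, None, []
        for ch in text:
            if prev is not None:
                t += rng.gauss(rhythm.get(prev + ch, default), jitter)
            sample.append((ch, t))
            prev = ch
        return sample


    TEXT = "the quick brown fox jumps over the lazy dog "
    USER_RHYTHM = {"th": 90.0, "he": 110.0, "e ": 160.0, "ov": 130.0}  # assumed habits
    RNG = random.Random(2012)
    PROFILE = enroll([typed(TEXT * 2, USER_RHYTHM, 140.0, 12.0, RNG) for _ in range(5)])
    GENUINE_SESSION = typed(TEXT * 3, USER_RHYTHM, 140.0, 12.0, RNG)
    IMPOSTOR_SESSION = typed(TEXT * 3, {}, 220.0, 30.0, RNG)  # same text, other rhythm

    if __name__ == "__main__":
        print("genuine :", round(score(PROFILE, GENUINE_SESSION), 2),
              continuous_auth(PROFILE, GENUINE_SESSION))
        print("impostor:", round(score(PROFILE, IMPOSTOR_SESSION), 2),
              continuous_auth(PROFILE, IMPOSTOR_SESSION))
    ```

    Two design points carry over to a real deployment: the score fails closed when the window shares no digraphs with the profile, and the decision is made per window rather than once, so a session taken over after a valid login is caught at the next window rather than never.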

    March 12, 2012
    * FTC Issues Report on the Experiences of Victims Recovering from Identity Theft

    News release: "The Federal Trade Commission issued a staff report, Using FACTA Remedies: An FTC Staff Report on a Survey of Experience of Identity Theft Victims, summarizing the results of a survey of identity theft victims who were asked to describe their experiences dealing with consumer reporting agencies and, more generally, exercising their rights under the Fair Credit Reporting Act (FCRA) as amended by the Fair and Accurate Credit Transactions Act (FACTA), to recover from identity theft. The survey showed that most of the respondents were generally satisfied with their experiences, but the report also noted areas for improvement. Congress has established several rights under the FACTA to help actual or potential identity theft victims protect themselves from, and recover from, identity theft. These rights enable victims to place fraud alerts on their credit report with the consumer reporting agencies, request a free credit report from the three national consumer reporting agencies when placing a fraud alert, block fraudulent information from appearing in their credit report, and receive a notice of these and other rights from the consumer reporting agencies."

    March 09, 2012
    * Pew - Search Engine Use 2012

    Search Engine Use 2012, by Kristen Purcell, Joanna Brenner, Lee Rainie, Mar 9, 2012

    "Even though online Americans are more satisfied than ever with the performance of search engines, strong majorities have negative views of personalized search results and targeted ads...Google continues to dominate the list of most used search engines. Asked which search engine they use most often, 83% of search users say Google. The next most cited search engine is Yahoo, mentioned by just 6% of search users. When we last asked this question in 2004, the gap between Google and Yahoo was much narrower, with 47% of search users saying Google was their engine of choice and 26% citing Yahoo."

    March 05, 2012
    * FTC Testimony Outlines Agency's Work to Protect Consumers, Promote Competition

    News release: "In testimony before the U.S. House Appropriations Subcommittee on Financial Services and General Government, the Federal Trade Commission summarized the agency's FY 2013 budget request and described its ongoing work to promote competition and protect American consumers. The testimony, delivered by FTC Chairman Jon Leibowitz and Commissioner J. Thomas Rosch, outlined steps the agency has taken to carry out its mission efficiently, without putting unnecessary burdens on businesses. It describes FTC initiatives such as the agency's efforts to stop scammers from taking advantage of financially distressed consumers, protect privacy, and ensure that American consumers benefit from competition in the health care, technology and energy sectors. The testimony states that the FTC has continued to bring law enforcement actions to stop con artists aiming to take advantage of financially strapped consumers using deceptive practices such as falsely promising that they can help modify consumers' mortgages or solve their debt problems; and by using threats and deception to collect consumer debts. Overall, the testimony states, the FTC has brought more than 90 cases since 2009 to put a stop to these types of scams. Since 2010, the agency has filed seven actions to combat illegal debt collection practices, and obtained more than $8.1 million in civil penalties."

    * DHS Privacy Office 2011 Data Mining Report to Congress, February 2012

    Department of Homeland Security Privacy Office 2011 Data Mining Report to Congress, February 2012

    "The Department of Homeland Security Privacy Office (DHS Privacy Office or Office) is providing this report to Congress pursuant to the Department’s obligations under section 804 of the Implementing the Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act), entitled the Federal Agency Data Mining Reporting Act of 2007 (Data Mining Reporting Act or the Act). This report discusses activities currently deployed or under development in the Department that meet the Data Mining Reporting Act’s definition of data mining, and provides the information set out in the Act’s reporting requirements for data mining activities."

    March 04, 2012
    * EFF - Mobile User Privacy Bill of Rights

    Mobile User Privacy Bill of Rights, March 2, 2012 | By Parker Higgins

    "Mobile smartphone apps represent a powerful technology that will only become more important in the years to come. But the unique advantages of the smartphone as a platform—a device that's always on and connected, with access to real world information like user location or camera and microphone input—also raise privacy challenges. And given the sensitivity of the data that many consumers store on their phones, the stakes are even higher for manufacturers, carriers, app developers, and mobile ad networks to respect user privacy in order to earn and retain the ever-important trust of the public. Fortunately, frameworks exist for understanding the privacy rights and expectations of the users. The following guide of best practices pulls from documents like EFF's Bill of Privacy Rights for Social Network Users and the recently released White House white paper Consumer Data Privacy in a Networked World to set a baseline for what mobile industry players must do to respect user privacy."

    March 01, 2012
    * EPIC: European Justice Minister Says Google Now in Violation of EU Law

    "European Justice Minister Vivian Reding said today that Google's March 1 changes to its terms of service violate European Union law "in numerous respects." Commissioner Reding pointed to the failure of the company to obtain user consent, the lack of transparency, and the fact that most users do not read privacy policies. European privacy officials recently concluded that the changes do not comply with the European Union Data Protection Directive and asked the company to suspend its planned changes. In the US, EPIC has urged a federal court to require the Federal Trade Commission to determine whether Google's changes violate a 2011 Consent Order. The court denied the motion. The case is now on appeal. For more information, see EPIC v. FTC (Google Consent Order)."

    February 28, 2012
    * New 'HTTPS Everywhere' Version Warns Users About Web Security Holes

    News release: "The Electronic Frontier Foundation (EFF) launched the 2.0 version of HTTPS Everywhere for the Firefox browser today, including an important new update that warns users about web security holes. The "Decentralized SSL Observatory" is an optional feature that detects encryption weaknesses and notifies users when they are visiting a website with a security vulnerability – flagging potential risk for sites that are vulnerable to eavesdropping or "man in the middle" attacks."

    * Microsoft Paper Focuses on Evolved Security, Privacy and Reliability Strategies for Cloud and Big Data

    News release: "Today at the RSA Conference 2012, Scott Charney, corporate vice president of Microsoft Trustworthy Computing, shared his vision for the road ahead as society and computing intersect in an increasingly interconnected world. In a new paper, Trustworthy Computing (TwC) Next, Charney encouraged industry and governments to develop more effective privacy principles focused on use and accountability, improve end-to-end reliability of cloud services through increased fault modeling and standards efforts, and adopt more holistic security strategies including improved hygiene and greater attention to detection and containment."

    February 26, 2012
    * Pew - Most users choose restricted privacy settings while profile "pruning" and unfriending people is on rise

    Privacy management on social media sites, by Mary Madden, Feb 24, 2012

    "Social network users are becoming more active in pruning and managing their accounts. Women and younger users tend to unfriend more than others. About two-thirds of internet users use social networking sites (SNS) and all the major metrics for profile management are up, compared to 2009: 63% of them have deleted people from their “friends” lists, up from 56% in 2009; 44% have deleted comments made by others on their profile; and 37% have removed their names from photos that were tagged to identify them. Some 67% of women who maintain a profile say they have deleted people from their network, compared with 58% of men. Likewise, young adults are more active unfrienders when compared with older users."

    February 25, 2012
    * EPIC - Petition Requests FAA to Conduct a Rulemaking on Drones and Privacy

    "EPIC, joined by more than 100 organizations, experts, and members of the public, has sent a petition to the Federal Aviation Administration, urging the agency to address the privacy threats associated with the increased use of drones in the United States. Congress recently passed legislation requiring the Agency to assess the safety of drones used by commercial and government operators. The petition asserts that "The privacy threat posed by the deployment of drone aircraft in the United States is great. The public should be given the opportunity to comment on this development." For more information, see EPIC: Unmanned Aerial Vehicles (UAVs) and Drones."

    * Illustrated Guide on Web Tracking and Options to Search More Safely

    DuckDuckGo: An introduction to the anonymous search engine

    In an effort to educate Internet users about privacy, DuckDuckGo’s founder, Gabriel Weinberg, has been known to create educational and informative sites, including DontTrack.us, which informs users about the potential dangers of searching with Google.

    February 24, 2012
    * FTC Takes Action to Stop Massive Robocalling Operations

    News release: "As part of the Federal Trade Commission's ongoing efforts to crack down on illegal, prerecorded "robocalls," the FTC is taking legal action to stop two operations that allegedly enabled telemarketers to place hundreds of millions of illegal prerecorded calls to consumers around the country, including many who had registered their phone numbers on the National Do Not Call Registry. The FTC's complaints, here and here, in both cases allege that the defendants offered "self-service" voice broadcasting – a service that makes it easy for marketers who have no telecommunications expertise to deliver tens of millions of robocalls for pennies a call. The defendants arranged for marketers to deliver prerecorded sales pitches by uploading a recorded message and list of telephone numbers through web sites owned by the defendants that would then dial each uploaded phone number and play the designated prerecorded message."

    February 23, 2012
    * White House Report - Consumer Data Privacy in a Networked World

    Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, February 2012

  • "Never has privacy been more important than today, in the age of the Internet, the World Wide Web and smart phones. In just the last decade, the Internet has enabled a renewal of direct political engagement by citizens around the globe and an explosion of commerce and innovation creating jobs of the future. Much of this innovation is enabled by novel uses of personal information. So, it is incumbent on us to do what we have done throughout history: apply our timeless privacy values to the new technologies and circumstances of our times. I am pleased to present this new Consumer Privacy Bill of Rights as a blueprint for privacy in the information age. These rights give consumers clear guidance on what they should expect from those who handle their personal information, and set expectations for companies that use personal data. I call on these companies to begin immediately working with privacy advocates, consumer protection enforcement agencies, and others to implement these principles in enforceable codes of conduct. My Administration will work to advance these principles and work with Congress to put them into law. With this Consumer Privacy Bill of Rights, we offer to the world a dynamic model of how to offer strong privacy protection and enable ongoing innovation in new information technologies."
  • See also Mozilla Led Effort for Do Not Track Finds Broad Support
    * EPIC: State Attorneys General Cite Privacy Risks to Android Users, Demand Meeting with Google

    EPIC: "Attorneys general from 36 states and territories sent a letter to Google raising new questions about the plan to consolidate user data on March 1. "The new policy forces consumers to allow information across all of these products to be shared, without giving them the ability to opt out," the letter says. The state AGs also say "this invasion of privacy is virtually impossible to escape for the nation's Android-powered smartphone users, who comprise nearly 50% of the national smartphone market. For these consumers, avoiding Google's privacy policy change may mean buying an entirely new phone at great personal expense." The AGs point out that Google told Android users "We will not reduce your rights under this Privacy Policy without your explicit consent." Last week, EPIC filed a lawsuit to force the Federal Trade Commission to require Google to honor its previous commitments to Google users. EPIC has alleged that the proposed changes in the company's practices violate a 2011 Consent Order. For more information, see EPIC: EPIC v. FTC (Google Consent Order)."

    * EFF - How to Remove Your Google Search History Before Google's New Privacy Policy Takes Effect

    EFF shows you how: "It is important to note that disabling Web History in your Google account will not prevent Google from gathering and storing this information and using it for internal purposes. More information here. On March 1st, Google will implement its new, unified privacy policy, which will affect data Google has collected on you prior to March 1st as well as data it collects on you in the future. Until now, your Google Web History (your Google searches and sites visited) was cordoned off from Google's other products. This protection was especially important because search data can reveal particularly sensitive information about you, including facts about your location, interests, age, sexual orientation, religion, health concerns, and more. If you want to keep Google from combining your Web History with the data they have gathered about you in their other products, such as YouTube or Google Plus, you may want to remove all items from your Web History and stop your Web History from being recorded in the future."

    February 20, 2012
    * Windows IE Team: Google Bypassing User Privacy Settings

    Follow up to Third-Party Cookie Blocking in Safari Bypassed For Millions of Users, this posting via the Windows Internet Explorer Engineering Team Blog: "When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies. Below we spell out in more detail what we’ve discovered, as well as recommendations to IE users on how to protect their privacy from Google with the use of IE9's Tracking Protection feature. We’ve also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers. We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different. Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google’s bypass of P3P Privacy Protection use Internet Explorer 9 and click here to add a Tracking Protection List. Customers can find additional lists and information on this page."

    February 19, 2012
    * TRUSTe Privacy Index: Consumer Confidence Edition Shows 90% of U.S. Adults Worry About Online Privacy

    News release: "TRUSTe, the leading privacy management solutions provider, issued the first Consumer Confidence Edition (Q1 2012) of its ongoing TRUSTe Privacy Index Series. The Consumer Confidence Edition measures privacy concerns and sentiments of online U.S. adults and the impact on businesses. The study, conducted online on behalf of TRUSTe by Harris Interactive, reveals: 90 percent of online adults worry about their privacy online in general; 41 percent of online adults don't trust most businesses with their personal information online; and 88 percent of online adults avoid doing business with companies who they believe do not protect their privacy."

    February 17, 2012
    * Third-Party Cookie Blocking in Safari Bypassed For Millions of Users

    Safari Trackers, by Jonathan Mayer: "Apple’s Safari web browser is configured to block third-party cookies by default. We identified four advertising companies that unexpectedly place trackable cookies in Safari. Google and Vibrant Media intentionally circumvent Safari’s privacy feature. Media Innovation Group and PointRoll serve scripts that appear to be derived from circumvention example code. In the interest of clearly establishing facts on the ground, this post provides technical analysis of Safari’s cookie blocking feature and the four companies’ practices. It does not address policy or legal issues."

    February 16, 2012
    * FTC Report Raises Privacy Questions About Mobile Applications for Children

    News release: "The Federal Trade Commission today issued a staff report showing the results of a survey of mobile apps for children. The survey shows that neither the app stores nor the app developers provide the information parents need to determine what data is being collected from their children, how it is being shared, or who will have access to it. According to the FTC report, Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing, in 2008, smartphone users could choose from about 600 available apps. Today there are more than 500,000 apps in the Apple App Store and 380,000 in the Android Market. Consumers have downloaded these apps more than 28 billion times, and young children and teens are increasingly embracing smartphone technology for entertainment and educational purposes. The report says the survey focused on the largest stores, the Apple App Store and the Android Market, and evaluated the types of apps offered to children, the disclosures provided to users, interactive features such as connectivity with social media, and the ratings and parental controls offered for such apps."

    February 12, 2012
    * FAQ - What is a privacyscore?

    "A privacyscore is a way to assess the privacy risk of using a website. Privacy risk is the chance that data about you will be used or shared in ways that you probably don't expect. Privacyscores cover two kinds of data:

    • We estimate privacy risk to personal data (such as your name or email address) based on the published policies of the website.
    • We estimate privacy risk to anonymous data (such as your interests and preferences) based on the privacy qualifications of the other companies who collect this kind of data across websites.
    • You can see privacyscores of the sites as you visit by using the privacyscore add-on for Firefox and Chrome."

    * EFF - The Heartbreaking Truth About Online Dating Privacy

    News release: "Millions of people use Internet dating sites to search for love and connection every day, but it could come at a big cost for their privacy and security. The Electronic Frontier Foundation (EFF) has found that many services are taking shortcuts in safeguarding users' profiles and other sensitive data. In Six Heartbreaking Truths About Online Dating Privacy, EFF identifies serious security holes and counter-intuitive privacy settings that could expose daters' private information. For example, your dating profile – including your photo – can hang around long after you think you've taken yourself off the market. Some sites are also sucking up the vast quantity of data their users share and selling it to online marketers. If you aren't careful, your profile can also be indexed by Google, perhaps popping up in search results if you have an unusual nickname or other unique ways of describing yourself." See also:

  • Comparing Privacy and Security Practices on Online Dating Sites
  • Tell OkCupid to Protect Users' Privacy
    February 11, 2012
    * EPIC: Google Report Raises New Questions About Compliance with Consent Order

    EPIC: "The Google privacy compliance report, made public today, raises new questions about the company's failure to comply with an FTC Consent Order. The Order required Google to answer detailed questions about how it protects the personal information of Google users. But Google chose not to answer many of the questions. Most significantly, the company did not explain to the Commission the impact on user privacy of the proposed changes that will take place on March 1. EPIC has filed a lawsuit to force the Federal Trade Commission to require Google to comply with the Consent Order to protect the privacy interests of Google users. For more information, see EPIC v. FTC (Google Consent Order)."

    February 09, 2012
    * CDT - Congress Demands Drones Over America

    News release: "Congress is demanding drones in the air over the United States – without considering the civil liberties issues. Within the span of three days last week, the House and then the Senate passed a law – H.R. 658 – requiring the Federal Aviation Administration (FAA) to speed up, within 90 days, its current licensing process for government use of drones domestically and to open the national airspace to drone aircraft for commercial and private use by October 2015. While the law requires the FAA to develop guidance on drone safety, the law says absolutely nothing about the privacy or transparency implications of filling the sky with flying robots. As CDT and others have pointed out, drones are powerful surveillance devices capable of being outfitted with facial recognition cameras, license plate scanners, thermal imaging cameras, open WiFi sniffers, and other sensors. Drones’ unique ability to hover hundreds or thousands of feet in the air – undetected, for many hours – enables constant, pervasive monitoring over a wide area. Without clear privacy rules, public and private use of drones can usher in an era of unparalleled physical surveillance. Without transparency requirements, citizens will not even have the basic right to know who owns the drone watching them from above. Congress, the FAA, industry bodies, and the American people all should play a role in ensuring that drones are used responsibly."

    February 08, 2012
    * EPIC Sues Federal Trade Commission to Enforce Google Consent Order

    "EPIC today filed a Complaint and a Motion for Temporary Restraining Order and Preliminary Injunction in Federal District Court in Washington, DC. EPIC is seeking to compel the Federal Trade Commission to act prior to March 1, when Google plans to make changes in its terms of service that will make it possible for the company to combine user data without user consent. EPIC alleges that this change in business practice is in clear violation of the consent order that Google entered into on October 13, 2011. The consent order arises from a complaint that EPIC brought to the Commission in February, 2010 concerning Google Buzz and a similar attempt by Google to combine user data without user consent. For more information, see EPIC - In re Google Buzz, FTC - FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network."

    February 06, 2012
    * FTC Warns Marketers That Mobile Apps May Violate Fair Credit Reporting Act

    News release: "The Federal Trade Commission warned marketers of six mobile applications that provide background screening apps that they may be violating the Fair Credit Reporting Act. The FTC warned the apps marketers that, if they have reason to believe the background reports they provide are being used for employment screening, housing, credit, or other similar purposes, they must comply with the Act. According to the FTC, some of the apps include criminal record histories, which bear on an individual's character and general reputation and are precisely the type of information that is typically used in employment and tenant screening."

    February 02, 2012
    * EPIC Seeks Public Release of Google's Privacy Report

    "EPIC has filed a Freedom of Information Act request with the Federal Trade Commission for the Privacy Report that Google was recently required to submit to the agency. The Commission had previously investigated Google after EPIC filed a complaint regarding Google's Buzz product, which transformed private user contacts into publicly available social network data. Last fall the Commission reached a settlement with Google and, as a result, the company is subject to a consent order that requires it to file regular reports with the Commission. EPIC has requested that Google's first report, filed on January 26, 2012, be released to the public. Because of Google's plan to change its business practice on March 1, 2012, EPIC has asked the FTC to expedite the disclosure of the report. For more information, see EPIC: In re Google Buzz."

    January 30, 2012
    * Domain-based Message Authentication, Reporting & Conformance

    "DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance", is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate."
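The rule the DMARC description above refers to, namely that a message passes only if SPF or DKIM passes for a domain that aligns with the visible From: domain and otherwise the published p= policy decides the disposition, as an added illustration written for this page (not the DMARC group's or any mail receiver's code). It assumes the receiver has already computed the SPF and DKIM results, and it approximates the organizational domain by the last two labels rather than the Public Suffix List.

```python
"""Added example: parse a DMARC TXT record and apply identifier alignment.

Illustrative code, not a reference implementation. SPF/DKIM outcomes are
supplied as constructed inputs; the organizational-domain rule is a
simplification (real receivers consult the Public Suffix List).
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into a tag -> value dict.

    Applies DMARC defaults for the alignment tags: adkim and aspf default
    to relaxed ('r') when absent. Raises ValueError on a non-DMARC record.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record is not a v=DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= tag missing or not one of none/quarantine/reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels.

    Assumption for this example only; 'example.co.uk' would be mishandled.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment between the From: domain and the domain that
    SPF or DKIM authenticated. 's' = strict (exact match),
    'r' = relaxed (same organizational domain)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """SPF/DKIM outcomes already computed by the receiver (constructed input)."""
    spf_result: str   # "pass", "fail", "none", ...
    spf_domain: str   # MAIL FROM domain that SPF was evaluated against
    dkim_result: str  # "pass", "fail", "none", ...
    dkim_domain: str  # d= tag of the DKIM signature that was verified


def evaluate_dmarc(record: dict, from_domain: str, auth: AuthResults) -> dict:
    """Apply the DMARC rule: pass if SPF or DKIM passed AND that identifier
    aligns with the From: domain; otherwise the p= policy is the disposition."""
    spf_aligned = auth.spf_result == "pass" and is_aligned(
        from_domain, auth.spf_domain, record["aspf"])
    dkim_aligned = auth.dkim_result == "pass" and is_aligned(
        from_domain, auth.dkim_domain, record["adkim"])
    if spf_aligned or dkim_aligned:
        return {"dmarc": "pass", "disposition": "none",
                "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    return {"dmarc": "fail", "disposition": record["p"],
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


if __name__ == "__main__":
    # Constructed sample record: strict DKIM, relaxed SPF, reject policy.
    rec = parse_dmarc_record(
        "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
    # Legitimate mail: SPF passes on a bounce subdomain (relaxed alignment
    # accepts it), DKIM is signed by the exact From: domain.
    legit = AuthResults("pass", "bounce.example.com", "pass", "example.com")
    print(evaluate_dmarc(rec, "example.com", legit))
    # Message whose SPF/DKIM pass only for an unrelated domain: both
    # identifiers fail alignment, so the receiver applies p=reject.
    unaligned = AuthResults("pass", "other.invalid", "pass", "other.invalid")
    print(evaluate_dmarc(rec, "example.com", unaligned))
```

The second sample shows why "consistent authentication results" matter: without the alignment check, a passing SPF or DKIM result for some unrelated domain would say nothing about the From: address the user actually sees.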

    January 28, 2012
    * International Privacy Day: Top Concerns of Activists and Data Protection Authorities

    EFF: "This January 28 marks International Privacy Day. Different countries around the world are celebrating this day with their own events. This year, we are honoring the day by calling attention to recent international privacy threats and interviewing data protection authorities, government officials, and activists to gain insight into various aspects of privacy rights and related legislation in their own respective countries. As part of International Privacy Day, the EFF asked data protection authorities, politicians, and activists about privacy related issues and concerns for 2012. In addition to the individuals highlighted in our previous posts, EFF heard back from the Council of Europe, the European Data Protection Supervisor (EDPS), and activists from Canada, France and Spain. In various ways, all of the responses focused on government surveillance or data protection laws. For the Council of Europe and European Data Protection Supervisor, the focus was on data protection agreements, while the activists were mindful of the ever-increasing power of government authorities to surveil their citizens."

    * In honor of Data Privacy Day, the full ebook of lol...OMG!

    "In honor of Data Privacy Day, the full ebook of lol...OMG! (regularly $9.99) is being made available for FREE!"

  • "What if every mistake you ever made in college was captured and shared with everyone you know, and then with thousands of strangers every day for the rest of your life? Matt Ivester, creator of the most controversial website to ever hit college campuses, has taken his intimate knowledge of online behavior and documented the dangers of this new reality in his book, lol…OMG!: What Every Student Needs to Know About Online Reputation Management, Digital Citizenship and Cyberbullying."
    * New Privacy Policy and Google Terms of Service in effect March 1, 2012

    "One policy, one Google experience - We’re getting rid of over 60 different privacy policies across Google and replacing them with one that’s a lot shorter and easier to read. Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google."

  • See this FAQ and this Washington Post article, Google: New policy doesn’t supercede enterprise, government contracts for additional information.
    January 25, 2012
    * Commission proposes a comprehensive reform of the data protection rules

    News release: "The European Commission has today [January 24, 2012] proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe."

    * ACLU Lens: Google's New Privacy Policy

    ACLU: "Yesterday evening, Google announced a new privacy policy effective March 1. The new policy is consistent across the vast majority of Google products...the new privacy policy makes clear that Google will, for the first time, combine the personal data you share with any one of its products or sites across almost all of its products and sites (everything but Google Chrome, Google Books, and Google Wallet) in order to obtain a more comprehensive picture of you. And there’s no opting out. This comes on the heels of Google’s new Search, plus Your World, a feature combining search results from the public web with private information and photos you have shared (or that have been shared with you) through Google+ or Picasa...The head of Google’s privacy for product and engineering explained on Google’s blog that integrating an individual’s profiles across Google’s sites will help Google “figure[e] out what you really mean when you type in Apple, Jaguar or Pink,” provide more relevant ads, “provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day” (thanks, Mom), and “ensure that our spelling suggestions, even for your friends’ names, are accurate...this data aggregation is not just about what ads you see, but as ACLU of Massachusetts describes, it creates an even larger treasure chest of personal information ripe for government picking."

    * Report from the Internet Privacy Workshop

    Report from the Internet Privacy Workshop - Internet Architecture Board (IAB) - via CDT: "The workshop report provides a useful overview of fundamental privacy design challenges that appear again and again: the increasing ease of user/device/application fingerprinting, unforeseen information leakage, difficulties in distinguishing first parties from third parties, complications arising from system dependencies, and the lack of transparency and user awareness of privacy risks and tradeoffs. The report also identifies a number of barriers to successful deployment and analysis of privacy-minded protocols and systems, including the difficulty of using generic protocols and tools to defend against context-specific threats; the tension between privacy protection and usability; and the difficulty of navigating between business, legal, and individual incentives."

    January 23, 2012
    * EPIC: Supreme Court Upholds Fourth Amendment in GPS Tracking Case

    "Today the Supreme Court unanimously held in U.S. v. Jones that the warrantless use of a GPS tracking device by the police violated the Fourth Amendment. The Court said that a warrant is required "[w]here, as here, the government obtains information by physically intruding on a constitutionally protected area," like a car. Concurring opinions by Justices Sotomayor and Alito urged the court to focus on the reasonableness of the suspect's expectation of privacy because physical intrusion is unnecessary to surveillance in the digital age. EPIC, joined by 30 legal and technical experts, filed a "friend of the court" brief. EPIC warned that, "it is critical that police access to GPS tracking be subject to a warrant requirement." For more information, see EPIC: US v. Jones, and EPIC: Location Privacy."

  • See also WSJ: FBI Turns Off Thousands of GPS Devices After Supreme Court Ruling
    January 18, 2012
    * Google Launches Good to Know Campaign for Internet Safety

    "Google’s Good to Know campaign aims to help people stay safe on the Internet and manage the information they share online. The website and ads provide easy to use tips and advice on online security, help on understanding the data users share and tools they can use to manage their data. Written in clear language and featuring practical examples to illustrate complex security and privacy issues, the website and advertising campaign aim to empower users to tackle their online security concerns and make more informed decisions about their internet use. The U.S. campaign includes adverts in newspapers, on public transport and online. Download all print ads – (PDF)."

    January 15, 2012
    * New GAO Reports: Arctic Capabilities, Defense Contracting, Taxpayer Privacy
    January 13, 2012
    * EPIC - FOIA Documents Reveal Homeland Security is Monitoring Political Dissent

    "As the result of EPIC v. DHS, a Freedom of Information Act lawsuit, EPIC has obtained nearly three hundred pages of documents detailing a Department of Homeland Security surveillance program. The documents include contracts and statements of work with General Dynamics for 24/7 media and social network monitoring and periodic reports to DHS. The documents reveal that the agency is tracking media stories that "reflect adversely" on DHS or the U.S. government. One tracking report -- "Residents Voice Opposition Over Possible Plan to Bring Guantanamo Detainees to Local Prison-Standish MI" -- summarizes dissent on blogs and social networking sites, quoting commenters. EPIC sent a request for these documents in April 2004 and filed suit against the agency in December. For more information, see EPIC: EPIC v. Department of Homeland Security: Media Monitoring."

    * EPIC: FTC Adds Google+ to Antitrust Investigation

    EPIC: "Bloomberg News has reported that the Federal Trade Commission has expanded its antitrust investigation of Google to include Google's social networking service, Google+. The report comes after Google announced that it would include personal data gathered from Google+ in the results of users' searches, a move that led EPIC to urge the FTC to investigate the company. EPIC said that "Google's business practices raise concerns related to both competition and the implementation of the Commission’s consent order," referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of all Google products and services and subjects the company to regular privacy audits. Google first confirmed the FTC’s antitrust investigation in June 2011. Recently, the Senate held a hearing on Google's use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google's use of Youtube search rankings to give preferential treatment to its own video content over non-Google content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade Commission."

    January 12, 2012
    * EPIC Urges Trade Commission to Investigate Google Search

    EPIC: "In a letter to the Federal Trade Commission, EPIC has called for an investigation of recent changes by Google to Google Search, the dominant search algorithm on the Internet. EPIC cited Google's decision to include personal data, such as photos, posts, and contact details, gathered from Google+ in Google Search results. “Google’s business practices raise concerns related to both competition and the implementation of the Commission’s consent order,” EPIC said, referring to a settlement that the FTC reached with Google that establishes new privacy safeguards for users of Google products and services and subjects the company to regular privacy audits. Recently, the Senate held a hearing on Google’s use of its dominance in the search market to suppress competition, and EPIC urged the Federal Trade Commission to investigate Google’s acquisition of Youtube, which allowed Google to give preferential treatment to Google's own video content. For more information, see EPIC: Google/DoubleClick and EPIC: Federal Trade."

    January 04, 2012
    * EPIC Urges Appeals Court to Shed Light on Google-NSA Agreement

    "EPIC filed the opening brief in EPIC v. NSA, No. 11-5233, challenging the National Security Agency’s response to EPIC's Freedom of Information Act request. EPIC is seeking information about the widely publicized cybersecurity agreement between the NSA and Google that followed the January 2010 China hack. The NSA claimed it "could neither confirm nor deny" the existence of any information about its relations with Google. After the attack, Google implemented encryption technology for Gmail by default, a privacy safeguard EPIC and technical experts had urged in 2009. For more information, see EPIC v. NSA: Google / NSA Relationship."

    December 30, 2011
    * FTC Sends Biennial Report to Congress on the National Do Not Call Registry

    News release: "The Federal Trade Commission has approved a biennial report to Congress focusing on the use of the Do Not Call Registry by both consumers and businesses over the past two years, as well as the impact that new technologies have had on the Registry. As detailed in the report, the Do Not Call Registry now has more than 209 million active registrations, and more than eight million new phone numbers were registered in Fiscal Year 2011. During that time, approximately 35,000 sellers, telemarketers, and exempt organizations such as charities subscribed to access the Registry, paying fees totaling more than $13.7 million. The report concludes that since its inception, the Registry has successfully accepted consumer registrations and complaints, allowed businesses to obtain access to Registry data, and provided law enforcement with the tools needed to investigate complaints and bring appropriate actions."

    December 29, 2011
    * EPIC Sues DHS Over Covert Surveillance of Facebook and Twitter

    "EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency's social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies. The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy."

  • See also DHS Privacy Impact Assessment for the Office of Operations Coordination and Planning Publicly Available Social Media Monitoring and Situational Awareness Initiative, Update January 6, 2011
    December 23, 2011
    * EFF - Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices

    Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices, by Seth Schoen, Marcia Hofmann and Rowan Reynolds, December 2011

  • "Despite the lack of legal protections against the search itself, however, those concerned about the security and privacy of the information on their devices at the border can use technological measures in an effort to protect their data. They can also choose not to take private data across the border with them at all, and then use technical measures to retrieve it from abroad. As the explanations below demonstrate, some of these technical measures are simple to implement, while others are complex and require significant technical skill."
    December 22, 2011
    * Report of Data Protection Audit of Facebook Ireland Published

    News release: "The Office of the Data Protection Commissioner, Ireland, on 21 December 2011 published the outcome of its audit of Facebook Ireland (FB-I), which was conducted over the last three months including on-site in Facebook Ireland’s Headquarters in Dublin. The report is available in 2 parts: Report of the Audit, including recommendations, and the Facebook Technical Analysis Report...It is a comprehensive assessment of Facebook Ireland’s compliance with Irish Data Protection law and by extension EU law in this area...Deputy Commissioner Gary Davis, who led the conduct of the Audit, stated that “this Audit was the most comprehensive and detailed ever undertaken by our Office. We set ourselves a very ambitious target for completion and publication as both this Office and Facebook felt it was important that the outcome be published and opened to public comment and scrutiny...Facebook is constantly evolving and adapting in response to user needs and technical developments. Like any successful technology platform, the service needs to innovate by introducing new products and features in order to adapt to changing circumstances. Indeed the almost Darwinian nature of the site means that there will constantly be an absolute need to have in place robust mechanisms to keep pace with the innovation that is the source of the site’s success."

    December 21, 2011
    * FTC Guidance - Cookies: Leaving a Trail on the Web

    "Have you ever wondered why some online ads you see are targeted to your tastes and interests, or how websites remember your preferences from visit to visit? The answer may be in the “cookies.” A cookie is information saved by your web browser, the software program you use to visit the web. Cookies can be used by companies that collect, store and share bits of information about your online activities to track your behavior across sites. Cookies also can be used to customize your browsing experience, or to deliver ads targeted to you. OnGuardOnline.gov wants you to know how cookies are used and how you can control information about your browsing activities. Here are answers to some commonly asked questions about cookies – what they are, what they do, and how you can control them."

    * Governmental Tracking of Cell Phones and Vehicles: The Confluence of Privacy, Technology, and Law

    CRS — Governmental Tracking of Cell Phones and Vehicles: The Confluence of Privacy, Technology, and Law. Richard M. Thompson, Law Clerk. December 1, 2011

  • "Technology has advanced considerably since the framers established the constitutional parameters for searches and seizures in the Fourth Amendment. What were ink quills and parchment are now cell phones and the Internet. It is undeniable that these advances in technology threaten to diminish privacy. Law enforcement’s use of cell phones and GPS devices to track an individual’s movements brings into sharp relief the challenge of reconciling technology, privacy, and law...This report will briefly survey Fourth Amendment law as it pertains to the government’s tracking programs. It will then summarize federal electronic surveillance statutes and the case law surrounding cell phone location tracking. Next, the report will describe the GPS-vehicle tracking cases and review the pending Supreme Court GPS tracking case, United States v. Jones. Finally, the report will summarize the geolocation and electronic surveillance legislation introduced in the 112th Congress."
  • December 19, 2011
    * Research: Reading Digits in Natural Images with Unsupervised Feature Learning

    Reading Digits in Natural Images with Unsupervised Feature Learning, Yuval Netzer, Tao Wang, Adam Coates, Alessandro Bissacco, Bo Wu, Andrew Y. Ng

  • "Detecting and reading text from natural images is a hard computer vision task that is central to a variety of emerging applications. Related problems like document character recognition have been widely studied by computer vision and machine learning researchers and are virtually solved for practical applications like reading handwritten digits. Reliably recognizing characters in more complex scenes like photographs, however, is far more difficult: the best existing methods lag well behind human performance on the same tasks. In this paper we attack the problem of recognizing digits in a real application using unsupervised feature learning methods: reading house numbers from street level photos. To this end, we introduce a new benchmark dataset for research use containing over 600,000 labeled digits cropped from Street View images. We then demonstrate the difficulty of recognizing these digits when the problem is approached with hand-designed features. Finally, we employ variants of two recently proposed unsupervised feature learning methods and find that they are convincingly superior on our benchmarks."

  • December 15, 2011
    * UK clarifies law on information held in private email accounts

    News release: "The Information Commissioner’s Office (ICO) has today published new guidance making it clear that information concerning official business held in private email accounts is subject to the Freedom of Information Act. Information Commissioner, Christopher Graham said:

  • “It should not come as a surprise to public authorities to have the clarification that information held in private email accounts can be subject to Freedom of Information law if it relates to official business. This has always been the case – the Act covers all recorded information in any form. It came to light in September that this is a somewhat misunderstood aspect of the law and that further clarification was needed. That’s why we’ve issued new guidance today with two key aims – first, to give public authorities an authoritative steer on the factors that should be considered before deciding whether a search of private email accounts is necessary when responding to a request under the Act. Second, to set out the procedures that should generally be in place to respond to requests. Clearly, the need to search private email accounts should be a rare occurrence; therefore, we do not expect this advice to increase the burden on public authorities.”
    * TRUSTe Privacy Index Shows Online Privacy Policies Are Lengthy, Complicated

    News release: "TRUSTe, the leading online privacy solutions provider, released its first privacy index as part of its new "Privacy Pulse" information series tracking changes and trends in online privacy. In the 2011 Website Edition of its Privacy Index, TRUSTe analyzed the privacy policies of the top 100 U.S. websites (as ranked by Alexa Sept. 2011) to evaluate privacy practices by measuring key policy attributes, as well as the type of disclosures contained in them. TRUSTe found that while nearly 100 percent of websites today include a privacy policy, existing policies are highly complex, lengthy and written in language that is confusing for the average person to understand. Additionally, the vast majority of privacy policies are not readily transparent regarding third-party usage of data or consumer choices."

    December 05, 2011
    * Governmental Tracking of Cell Phones and Vehicles: The Confluence of Privacy, Technology, and Law

    CRS - Governmental Tracking of Cell Phones and Vehicles: The Confluence of Privacy, Technology, and Law. Richard M. Thompson, Law Clerk, December 1, 2011

  • "Legislation has been introduced in the 112th Congress that proposes to update, clarify, or, in some instances, strengthen the privacy interests protected under the law and give law enforcement a clearer framework for obtaining crucial crime-fighting information. In particular, Senator Ron Wyden and Representative Jason Chaffetz introduced identical legislation, S. 1212 and H.R. 2168, entitled the Geolocational Privacy and Surveillance Act, or GPS bill, which would make it unlawful for a service provider to disclose or law enforcement to intercept or use a person’s location unless they obtained a warrant based upon probable cause or one of the limited exceptions applies. Senator Patrick J. Leahy has introduced the Electronic Communications Privacy Act Amendment Act of 2011 (S. 1011), which not only includes a warrant requirement for geolocation information, but also overhauls and updates other provisions of federal electronic surveillance law...This report will briefly survey Fourth Amendment law as it pertains to the government’s tracking programs. It will then summarize federal electronic surveillance statutes and the case law surrounding cell phone location tracking. Next, the report will describe the GPS-vehicle tracking cases and review the pending Supreme Court GPS tracking case, United States v. Jones. Finally, the report will summarize the geolocation and electronic surveillance legislation introduced in the 112th Congress."
  • December 03, 2011
    * New book, Cellular Convergence and the Death of Privacy

    NetworkWorld: "Engineering professor calls smartphone software 'appalling invasion of privacy'"

  • "A controversy over smartphone privacy has reignited this week following a coder's recent post detailing how a hidden software application on Android-based HTC phones can collect a range of information about the user's activities. The client program is from a venture-funded company called Carrier IQ out of Mountain View, Calif. It created software, dubbed by one security researcher as a classic rootkit, to collect a variety of "operational" data about the phone's usage, ostensibly to let carriers identify radio, performance and usage problems and correct them...AT&T, Sprint, HTC and Samsung have confirmed their use of the software, while Verizon, Nokia and RIM have said they do not use it."
  • Phone 'Rootkit' Maker Carrier IQ May Have Violated Wiretap Law In Millions Of Cases
  • December 01, 2011
    * BJS: Identity Theft Reported by Households, 2005-2010

    Identity Theft Reported by Households, 2005-2010: "Presents data on the nature of and trends in identity theft victimization among U.S. households from the National Crime Victimization Survey (NCVS). The NCVS defines identity theft as the misuse or attempted misuse of an existing credit card or another existing account or the misuse of personal information to open a new account or for other fraudulent purposes. Findings are based on experiences of all household members age 12 or older as reported by the head of household. The data brief examines changes in the percentage of households experiencing identity theft from 2005 to 2010. It describes differences in the types of identity theft experienced by households in 2010 compared to 2005, as well as changes in the demographic characteristics of victimized households. The brief also presents estimates on the monetary losses attributed to household victims of identity theft. Highlights include the following:

    • In 2010, 7.0% of households in the United States, or about 8.6 million households, had at least one member age 12 or older who experienced one or more types of identity theft victimization.
    • Among households in which at least one member experienced one or more types of identity theft, 64.1% experienced the misuse or attempted misuse of an existing credit card account in 2010.
    • From 2005 to 2010, the percentage of all households with one or more type of identity theft that suffered no direct financial loss increased from 18.5% to 23.7%."

    November 30, 2011
    * FTC Issues FY 2011 National Do Not Call Registry Data Book

    News release: "The Federal Trade Commission today issued the National Do Not Call Registry Data Book for Fiscal Year 2011. The FTC's National Do Not Call Registry provides consumers with an easy way to stop unwanted telemarketing calls...According to the Data Book, at the end of FY 2011 (September 30, 2011), the Do Not Call Registry contained 209,722,924 actively registered phone numbers, up from 201,542,535 at the end of FY 2010. In addition, the number of consumer complaints about unwanted telemarketing calls increased from 1,633,819 at the end of FY 2010 to 2,272,662 at the end of FY 2011. In its third year of publication, the Data Book contains a wealth of information about the Registry for FY 2011, including:

    • The number of active registrations and consumer complaint figures since the Registry began in 2003;
    • FY 2011 complaint figures by month and complaint type;
    • FY 2011 registration and complaint figures for all 50 states and the District of Columbia by population;
    • The number of entities accessing the Registry by fiscal year; and
    • An appendix on registration and complaint data by consumer state and area code."

    * Protecting and promoting the UK in a digital world

    The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world, November 2011

  • "Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society."
  • November 29, 2011
    * Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises

    News release: "The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established. The FTC's eight-count complaint against Facebook is part of the agency's ongoing effort to make sure companies live up to the privacy promises they make to American consumers. It charges that the claims that Facebook made were unfair and deceptive, and violated federal law."

    November 25, 2011
    * Consumer Reports - 10 tips to prevent ID theft while holiday shopping

    "Consumer Reports' Guide to online security outlines some of the most common Net threats—such as phishing, online scams, and computer viruses. (See: Best ways to stay safe online.) But our latest security report also notes that mobile phones and social media sites can also present a rising amount of ID theft risks since more consumers are using their smart phones to shop and sharing news of online bargains on Facebook. (See: Mobile phones: The new risk and Concerns about Facebook.) The Consumer Federation of America, a non-profit association of almost 300 consumer organizations, has compiled a list of 10 tips for having an ID theft-free holiday season (PDF) on its website, IDTheftInfo.org."

    November 24, 2011
    * Records for 4.9 million Texas military clinic and hospital patients stolen

    News release: "The loss of computer tapes by Science Applications International Corporation (SAIC) may have placed TRICARE patient data at risk. There is no evidence that any of the data has actually been accessed by a third party, and analysis shows the chance any data was actually compromised is low, but proactive measures are being taken to ensure that potentially affected patients are kept informed and protected. SAIC is a contractor for the TRICARE Management Activity. On September 14, TMA learned that an SAIC employee reported that on September 12 computer tapes containing personally identifiable and protected health information (PII/PHI) of 4.9 million military clinic and hospital patients in Texas, or those patients who had laboratory exams sent to the military hospitals in Texas, were stolen. The data contained on the tapes may include names, Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes."

  • Call Center Information for TRICARE Users - An Incident Response Call Center has been set up for individuals seeking further information concerning the reported loss of back-up computer tapes containing personally identifiable and protected health information (PII/PHI).
  • November 19, 2011
    * The growing impact of full disk encryption on digital forensics

    The growing impact of full disk encryption on digital forensics - Eoghan Casey, Geoff Fellows, Matthew Geiger, Gerasimos Stellatos

  • "The increasing use of full disk encryption (FDE) can significantly hamper digital investigations, potentially preventing access to all digital evidence in a case. The practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE or even volume encryption because it may result in all data on the device being rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption prior to pulling the plug. In addition, to give digital investigators the best chance of obtaining decrypted data in the field, prosecutors need to prepare search warrants with FDE in mind. This paper describes how FDE has hampered past investigations, and how circumventing FDE has benefited certain cases. This paper goes on to provide guidance for gathering items at the crime scene that may be useful for accessing encrypted data, and for performing on-scene forensic acquisitions of live computer systems. These measures increase the chances of acquiring digital evidence in an unencrypted state or capturing an encryption key or passphrase. Some implications for drafting and executing search warrants to dealing with FDE are discussed."
  • November 18, 2011
    * WSJ: The Surveillance Catalog - Where governments get their tools

    "Documents obtained by The Wall Street Journal open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001. The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and "massive intercept" gear that can gather all Internet communications in a country. The documents—the highlights of which are cataloged and searchable here—were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month."

    November 15, 2011
    * EPIC: European Union Limits Use of Airport Body Scanners

    "The European Union has adopted strict new guidelines limiting the use of body scanners at EU airports. Under the new guidelines, European Union member states may only deploy airport body scanners if they comply with new regulations that protect health, privacy, and fundamental rights. The European Commission has also prohibited any devices that store, record, or transfer images of travelers as well as devices that display an image of the naked human body. As a result, backscatter x-ray devices are now effectively prohibited in airports in the European Union. The European Commission has also made clear that passengers may not be required to go through body scanners, following the conclusion reached by the federal appellate court in the United States in the EPIC v. DHS case, which held that passengers have a legal right to opt-out of body scanners. The body scanners have not done well during trials in Europe. Most recently a test in Germany found that the devices were ineffective. For more information, see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS (Suspension of the Body Scanner Program)."

    November 13, 2011
    * European Security Agency Report - Risks and benefits of emerging life-logging applications
    • To log or not to log? - Risks and benefits of emerging life-logging applications, November 11, 2011 via European Network and Information Security Agency (ENISA) - "European Union (EU) agency which acts as a centre of expertise for the EU Member States and European institutions. It gives advice and recommendations on good practice, and acts as a “switchboard” for exchanging knowledge and information. The agency also facilitates contacts between the European institutions, the Member States, and private business and industry."
    • "Recording aspects of one’s life, or life-logging, has a long established history in human society, but it is undergoing transformational change in terms of depth, volume and type of data. Before the 20th century, life-logging was restricted to recordings on paper media and involved written accounts, such as books, diaries, or collections of letters between people as well as person-constructed images such as drawings or paintings. By the 20th century, the media had broadened to include still photographic images, sound and moving images and most families kept at least an image life-log in the form of a photo album. By the end of the 20th century, most of these life-log data were digitally recorded with both the resolution and frequency of recording dramatically increasing year on year. Paper diaries and letters gave way to blogs, e-mail, and social networking status updates with the significant difference that the latter were potentially recorded forever and with a vastly more complete history than the episodic fragments of days gone by."
    • Appendix I Scenario Building and Analysis Template, accompanying the deliverable "To log or not to log? - Risks and benefits of emerging life-logging applications". File To log or not to log? - Risks and benefits of emerging life-logging applications [Appendix II]
    • Appendix II Risk Assessment Spreadsheet, accompanying the deliverable "To log or not to log? - Risks and benefits of emerging life-logging applications"
    November 12, 2011
    * Commentary - The WikiLeaks-Fueled Erosion of Civil Liberties Has Begun

    Atlantic Wire - Adam Clark Estes: "When a federal judge ruled that Twitter must reveal the private data of three WikiLeaks associates on Thursday, privacy advocates died a little inside. The two organizations that had defended the three users, American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), immediately filed mournful blog posts that respectively raised doubts about the United States government's secretive handling of the case and highlighted the grave message the ruling sends about the future of privacy on the internet. But Wall Street Journal reporter Jennifer Valentine-DeVries sums up the implications of the case best with a leading question: "Should the government be able to collect information related to your Internet use without a warrant?" We now know that the federal court's answer is, "Yes.""

    November 06, 2011
    * The Socialbot Network: When Bots Socialize for Fame and Money

    The Socialbot Network: When Bots Socialize for Fame and Money - Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu - University of British Columbia, Vancouver, Canada

  • "Online Social Networks (OSNs) have become an integral part of today's Web. Politicians, celebrities, revolutionists, and others use OSNs as a podium to deliver their message to millions of active web users. Unfortunately, in the wrong hands, OSNs can be used to run astroturf campaigns to spread misinformation and propaganda. Such campaigns usually start by infiltrating a targeted OSN on a large scale. In this paper, we evaluate how vulnerable OSNs are to a large-scale infiltration by socialbots: computer programs that control OSN accounts and mimic real users. We adopt a traditional web-based botnet design and built a Socialbot Network (SbN): a group of adaptive socialbots that are orchestrated in a command-and-control fashion. We operated such an SbN on Facebook (a 750 million user OSN) for about 8 weeks. We collected data related to users' behavior in response to a large-scale infiltration where socialbots were used to connect to a large number of Facebook users. Our results show that (1) OSNs, such as Facebook, can be infiltrated with a success rate of up to 80%, (2) depending on users' privacy settings, a successful infiltration can result in privacy breaches where even more users' data are exposed when compared to a purely public access, and (3) in practice, OSN security defenses, such as the Facebook Immune System, are not effective enough in detecting or stopping a large-scale infiltration as it occurs."
    * New Paper: Why parents help their children lie to Facebook about age: Unintended consequences of the COPPA

    "The Berkman Center for Internet & Society is pleased to share a new paper published in First Monday, Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act,’ authored by Berkman community members danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey.

  • Abstract from the authors: Facebook, like many communication services and social media sites, uses its Terms of Service (ToS) to forbid children under the age of 13 from creating an account. Such prohibitions are not uncommon in response to the Children’s Online Privacy Protection Act (COPPA), which seeks to empower parents by requiring commercial Web site operators to obtain parental consent before collecting data from children under 13. Given economic costs, social concerns, and technical issues, most general–purpose sites opt to restrict underage access through their ToS. Yet in spite of such restrictions, research suggests that millions of underage users circumvent this rule and sign up for accounts on Facebook. Given strong evidence of parental concern about children’s online activity, this raises questions of whether or not parents understand ToS restrictions for children, how they view children’s practices of circumventing age restrictions, and how they feel about children’s access being regulated. In this paper, we provide survey data that show that many parents know that their underage children are on Facebook in violation of the site’s restrictions and that they are often complicit in helping their children join the site. Our data suggest that, by creating a context in which companies choose to restrict access to children, COPPA inadvertently undermines parents’ ability to make choices and protect their children’s data. Our data have significant implications for policy–makers, particularly in light of ongoing discussions surrounding COPPA and other age–based privacy laws."
  • November 01, 2011
    * Collection and sale of mobile phone user data

    CNNMoney: "Your phone company knows where you live, what websites you visit, what apps you download, what videos you like to watch, and even where you are. Now, some have begun selling that valuable information to the highest bidder. In mid-October, Verizon Wireless changed its privacy policy to allow the company to record customers' location data and Web browsing history, combine it with other personal information like age and gender, aggregate it with millions of other customers' data, and sell it on an anonymous basis."

    October 30, 2011
    * Privacy and Security in the Implementation of Health Information Technology: U.S. and EU Compared

    Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared, B.U. J. SCI. & TECH. L., Vol. 17, Winter 2011.

  • "The importance of the adoption of Electronic Health Records (EHRs) and the associated cost savings cannot be ignored as an element in the changing delivery of health care. However, the potential cost savings predicted in the use of EHR are accompanied by potential risks, either technical or legal, to privacy and security. The U.S. legal framework for healthcare privacy is a combination of constitutional, statutory, and regulatory law at the federal and state levels. In contrast, it is generally believed that EU protection of privacy, including personally identifiable medical information, is more comprehensive than that of U.S. privacy laws. Direct comparisons of U.S. and EU medical privacy laws can be made with reference to the five Fair Information Practices Principles (FIPs) adopted by the Federal Trade Commission and other international bodies. The analysis reveals that while the federal response to the privacy of health records in the U.S. seems to be a gain over conflicting state law, in contrast to EU law, U.S. patients currently have little choice in the electronic recording of sensitive medical information if they want to be treated, and minimal control over the sharing of that information. A combination of technical and legal improvements in EHRs could make the loss of privacy associated with EHRs de minimis. The EU has come closer to this position, encouraging the adoption of EHRs and confirming the application of privacy protections at the same time. It can be argued that the EU is proactive in its approach; whereas because of a different viewpoint toward an individual’s right to privacy, the U.S. system lacks a strong framework for healthcare privacy, which will affect the implementation of EHRs. If the U.S. is going to implement EHRs effectively, technical and policy aspects of privacy must be central to the discussion."
  • October 27, 2011
    * DOE IG - The Department's Unclassified Cyber Security Program – 2011

    DOE IG Evaluation Report - The Department's Unclassified Cyber Security Program – 2011, DOE/IG-0856 October 2011

  • "The Department had taken steps over the past year to address previously identified cyber security weaknesses and enhance its unclassified cyber security program. While these were positive steps, additional action is needed to further strengthen the Department's unclassified cyber security program and help address threats to its information and systems. For example, our FY 2011 evaluation disclosed that corrective actions had been completed for only 11 of the 35 cyber security weaknesses identified in our FY 2010 review. In addition, we identified numerous weaknesses in the areas of access controls, vulnerability management, web application integrity, contingency planning, change control management, and cyber security training. While many of the same or similar issues had been noted in prior FISMA reports, the number of weaknesses identified represented a 60 percent increase over our FY 2010 review."
  • October 26, 2011
    * EFF Sues for Answers About PATRIOT Act on Law's 10th Anniversary

    News release: "The Electronic Frontier Foundation (EFF) sued the Department of Justice (DOJ) today for answers about "secret interpretations" of the USA PATRIOT Act, signed into law ten years ago today. Several senators have warned that the DOJ is using Section 215 of the PATRIOT Act to support what government attorneys call a "sensitive collection program" that may be targeting large numbers of Americans. Section 215 allows for secret court orders to obtain "tangible things" when the FBI certifies they are relevant to a government investigation. The list of possible "tangible things" the government can obtain is seemingly limitless, and could include everything from driver's license records to Internet browsing patterns. Section 215 also limits the court's discretion to deny the order and prevents the recipient of an order from disclosing its existence."

    October 24, 2011
    * FTC Gives Final Approval to Settlement with Google over Buzz Rollout

    News release: "Following a public comment period, the Federal Trade Commission has accepted as final a settlement with Google, and authorized the staff to provide responses to the commenters of record. The settlement resolves charges that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleged that the practices violate the FTC Act. The settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. The Commission vote approving the final settlement was 4-0."

  • In the Matter of Google Inc., a corporation, FTC File No. 102 3136
  • October 18, 2011
    * Google Moves to Encrypt Your Search Queries

    Official Google Blog: "As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we’re enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra “s”) when you’re signed in to your Google Account. This change encrypts your search queries and Google’s results page. This is especially important when you’re using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe. You can also navigate to https://www.google.com directly if you’re signed out or if you don’t have a Google Account."

    October 16, 2011
    * SEC: views regarding disclosure obligations relating to cybersecurity risks and cyber incidents

    This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents, October 13, 2011

  • "For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents. Recently, there has been increased focus by registrants and members of the legal and accounting professions on how these risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws. As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances."

    * Markey to Amazon: Don’t Hold a Kindle Fire Sale on Privacy

    News release: "Concerned that the pairing of the new Kindle Fire tablet with its must-use Silk browser means Amazon could track each Web click of Kindle Fire users Congressman Edward J. Markey (D-Mass.) [October 14, 2011] sent a letter to Amazon’s CEO asking for responses to questions about tablets users’ privacy and security...In May 2011, Reps. Markey and Joe Barton (R-Texas) introduced the Do Not Track Kids Act of 2011, bipartisan legislation that amends the Children’s Online Privacy Protection Act of 1998 to extend, enhance and update the provisions relating to the collection, use and disclosure of children’s personal information. The legislation also establishes new protections for the personal information of children and teens."

    October 11, 2011
    * Tracking the Trackers: Where Everybody Knows Your Username

    Tracking the Trackers: Where Everybody Knows Your Username by Jonathan Mayer, posted on October 11, 2011

  • "Click the local Home Depot ad and your email address gets handed to a dozen companies monitoring you. Your web browsing, past, present, and future, is now associated with your identity. Swap photos with friends on Photobucket and clue a couple dozen more into your username. Keep tabs on your favorite teams with Bleacher Report and you pass your full name to a dozen again. This isn't a 1984-esque scaremongering hypothetical. This is what's happening today."
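The leak Mayer describes is mechanical: a first-party page puts an e-mail address, username or name into a URL, and that URL then travels to third parties either directly (as a parameter of a tracking pixel or widget request) or indirectly (as the Referer header of any embedded third-party resource). The following Python script is an added example, not code from Mayer's post or from the Stanford project; it scans a list of outbound requests for exactly that pattern. The request records, the `.test` hostnames and the identifiers are all constructed here for illustration, and `registrable_domain` is a deliberately crude stand-in for a Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Loose e-mail matcher; enough for flagging addresses that appear in URLs.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for the invented .test
    hosts below; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_leaks(requests, known):
    """Flag third-party requests whose URL or Referer carries an identifier.

    requests: list of dicts with "page" (the first-party page URL),
              "url" (the outbound request) and optional "referer".
    known:    {"label": "value"} identifiers belonging to the user, e.g.
              {"email": "...", "username": "..."}.
    Returns a sorted list of (third_party_domain, field, label) tuples.
    """
    leaks = set()
    for req in requests:
        first_party = registrable_domain(urlsplit(req["page"]).hostname)
        target = registrable_domain(urlsplit(req["url"]).hostname)
        if target == first_party:
            continue  # same-site traffic is not a third-party disclosure
        for field in ("url", "referer"):
            raw = req.get(field)
            if not raw:
                continue
            # Identifiers are usually percent- or plus-encoded in query strings.
            text = unquote_plus(raw)
            for label, value in known.items():
                if value.lower() in text.lower():
                    leaks.add((target, field, label))
            # Also catch addresses we were not told about.
            for addr in EMAIL_RE.findall(text):
                if addr.lower() != known.get("email", "").lower():
                    leaks.add((target, field, "email:" + addr.lower()))
    return sorted(leaks)


# Constructed sample traffic (invented hosts under .test, not real sites).
SAMPLE_REQUESTS = [
    {   # first party passes the username to an ad network in the pixel URL
        "page": "https://www.news-site.test/article/1",
        "url": "https://pixel.adnet.test/p?u=alice_w&v=1",
        "referer": "https://www.news-site.test/article/1",
    },
    {   # same-site image fetch: username in the Referer, but no third party
        "page": "https://www.photos.test/u/alice_w",
        "url": "https://cdn.photos.test/img/1.jpg",
        "referer": "https://www.photos.test/u/alice_w",
    },
    {   # e-mail address in the page URL leaks to a tracker via Referer
        "page": "https://www.coupon-site.test/claim?email=alice%40example.test",
        "url": "https://stats.tracker.test/t.gif",
        "referer": "https://www.coupon-site.test/claim?email=alice%40example.test",
    },
    {   # full name handed to a social widget, plus-encoded
        "page": "https://www.sports.test/home",
        "url": "https://api.social.test/share?name=Alice+Wong",
        "referer": "https://www.sports.test/home",
    },
]

KNOWN_IDENTIFIERS = {
    "email": "alice@example.test",
    "username": "alice_w",
    "full_name": "Alice Wong",
}

if __name__ == "__main__":
    for third_party, field, label in find_leaks(SAMPLE_REQUESTS, KNOWN_IDENTIFIERS):
        print(f"{third_party:<18} via {field:<7} -> {label}")
```

Run against the constructed traffic, the script reports three disclosures (username in a pixel URL, e-mail in a Referer, full name in a widget call) and correctly ignores the same-site image fetch. The same logic can be pointed at a browser's HAR export; the main thing to get right in real use is the registrable-domain check, since a naive host comparison would treat a first party's own CDN as a third party.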


    October 08, 2011
    * Mining Data From Social Media for Marketing, Trend Spotting and More?

    The Economist: "The beauty of Twitter, the popular microblogging service, is that users have to keep it short: messages can only be 140 characters long. But companies that mine the stream of tweets for marketing and other purposes (see article in this week's issue of The Economist) get much more information. [Here is a map] of a tweet including all its metadata. The map was published by Raffi Krikorian, a developer at Twitter. It is 18 months old, but it is safe to say that the amount of metadata attached to a tweet has not decreased since."

    October 04, 2011
    * Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users

    Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users, Erica Newland, Caroline Nolan, Cynthia Wong, and Jillian York. The Berkman Center for Internet & Society and The Center for Democracy & Technology, September 2011

  • "This report explores these dilemmas, and recommends principles, strategies, and tools that both user-generated content (UGC) platforms and users can adopt to mitigate the negative effects of account deactivation and content removal. We use select examples to highlight good company practices, including efforts to balance complex and often competing considerations—the enforcement of site guidelines, responses to government pressure, the free expression and privacy rights of users, and the potential risks faced by activists—in consistent, transparent, and accountable ways. Importantly, this report does not put forth a one-size-fits-all solution for the complex set of challenges raised by Terms of Use (ToU) enforcement. Platforms vary in terms of history, mission, content hosted, size, and user base, and no single set of practices will be an appropriate fit in every case. Moreover, while the examples in this report focus on platforms that host social media, the recommendations are broadly applicable to companies that host different types of user-generated content."

    October 02, 2011
    * ACLU Cell Phone Location Tracking Public Records Request

    News release: "In a massive coordinated information-seeking campaign, 35 ACLU affiliates are filing over 381 requests in 32 states across the country with local law enforcement agencies large and small that seek to uncover when, why and how they are using cell phone location data to track Americans. The requests seek information from local law enforcement agencies, including:

    • whether law enforcement agents demonstrate probable cause and obtain a warrant to access cell phone location data;
    • statistics on how frequently law enforcement agencies obtain cell phone location data;
    • how much money law enforcement agencies spend tracking cell phones and
    • other policies and procedures used for acquiring location data."

    September 29, 2011
    * FTC Settlement Bans Alleged Spammer from Sending Unsolicited Text Messages

    News release: "An operator who allegedly sent millions of illegal spam text messages to consumers is banned from sending any unsolicited text messages, under a settlement agreement with the Federal Trade Commission entered by a federal court. According to the FTC complaint filed in February 2011, the marketer sent a “mind-boggling” number of unsolicited commercial text messages pitching mortgage modification services to consumers, and misrepresented that he was affiliated with a government agency. The FTC alleged that many consumers had to pay fees to their mobile carriers to receive the unsolicited text messages. The FTC also alleged that the marketer advertised his text message blasting services by sending consumers illegal spam. The agency charged him with violating the FTC Act and the CAN-SPAM Act."

    September 28, 2011
    * EPIC: Bankrupt Borders Sells Customer Data to Barnes & Noble

    News release: "A bankruptcy court in New York has approved the sale of customer information, including email addresses, phone numbers, mailing addresses, and birth dates, from Borders to Barnes & Noble, following an earlier determination that the transfer violated Borders' privacy policy. The judge has now required that former Borders customers receive an email notification and that the companies place prominent notices on their web sites and take out ads in USA Today. Customers will have 15 days to opt-out of the transfer."

    * ACLU: How Long Is Your Cell Phone Company Hanging On To Your Data?

    News release: "What do you think about when choosing a cell phone provider? Their prices? Their coverage area? Whether they have spiffy, high-tech phones? Whether their phones work overseas or in the subway? What about how long they retain information about you and under what circumstances they turn it over to law enforcement? All of the nation's major mobile carriers are retaining their customers' location data for at least a year, according to a chart the Department of Justice (DOJ) developed in 2010 — and that the ACLU of North Carolina received in response to our public records request about local law enforcement's use of cell phone location information. And location info's not all they hang onto. We gave a copy of this document to Wired.com, which has written about it here."

    * Representatives Barton, Markey Urge FTC To Investigate Use Of “Supercookies”

    News release: "Representatives Joe Barton (R-Texas) and Edward J. Markey (D-Mass.), Co-Chairmen of the House Bi-Partisan Privacy Caucus, sent a letter to the Federal Trade Commission (FTC) asking the agency to investigate so-called “supercookies”, files that can be installed on computers without a user's knowledge. Supercookies allow websites to collect detailed personal data about users, including websites previously visited. Even when consumers choose to delete regular cookies from their computers, supercookies persist. According to a report last month in The Wall Street Journal (“Latest in Web Tracking: Stealthy ‘Supercookies’, August 18, 2011), it was discovered that companies have been installing supercookies on users’ computers without their knowledge. Even technical experts at the websites in the report stated they had no knowledge that the secret files were being installed."

  • See also Tracking the Trackers: To Catch a History Thief, by Jonathan Mayer

    September 23, 2011
    * Obama Deficit Plan Would Allow Debt Collector Robo-Calls to Cell Phones

    News release: "Buried in President Obama’s deficit reduction plan (see page 28) is a proposal to allow debt collectors “to contact delinquent debtors via their cellular phones” when collecting debts owed to or guaranteed by the federal government. The proposal will not help reduce the deficit and is harmful for consumers, the National Consumer Law Center warned...Currently, debt collection calls to cell phones are limited because collectors must check their phone number lists against a list of known cell phones and cannot call those numbers unless the consumer has provided that number as a way of reaching them. Though the proposal is limited to debts owed or guaranteed by the federal government, millions of consumers will be affected, including graduates who can’t pay their loans due to the terrible job market, homeowners who are behind in mortgages, and people who are in tax disputes with the Internal Revenue Service. Families who have lost their homes to foreclosure could be exposed to cell phone calls for years if the delinquency on their mortgage is sold to debt buyers."

    * EPIC: Netflix Attacks Consumer Privacy Law

    EPIC: "Today Netflix announced that it has launched a DC lobbying campaign against a federal privacy law that protects customer video rental information. The company, which is already under fire for dramatic hikes in the subscription price of its once popular DVD rental program, now claims that the privacy law prevents Facebook users from posting information about NetFlix on Facebook. According to OpenSecrets, operated by the Center for Responsive Politics, Netflix has ramped up its Washington influence, spending almost $200,000 in 2011, up from $20,000 in 2009. EPIC has described the Video Privacy Protection Act as "one of the strongest protections of consumer privacy against a specific form of data collection." The law always had an exception for user consent, which means that Facebook users are free to disclose information about the videos they rent. But NetFlix wants "blanket consent" so that all Netflix use will be posted routinely to Facebook. For more information, see EPIC: Video Privacy Protection Act."

    September 22, 2011
    * Report Provides Guidelines for Dilemmas of Account Deactivation and Content Removal

    "A report released today by the Center for Democracy & Technology and the Berkman Center for Internet & Society highlights the dilemmas companies and users face when enforcement of a website's Terms of Use policy results in deactivation of user accounts or removal of user-generated content. The report recommends principles, strategies, and tools that both companies and users can adopt to lessen the negative effects of account deactivation and content removal. The report, Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users, outlines select examples of good company practices. Such practices feature rules and enforcement policies that are sensitive to users' free expression and privacy rights and to the potential risks faced by human rights activists, who are increasingly using social media tools in their work."

    * FINCEN: Identity Theft Trends, Patterns, and Typologies Based on Suspicious Activity Reports

    Identity Theft - Trends, Patterns, and Typologies Based on Suspicious Activity Reports. Filed by the Securities and Futures Industries January 1, 2005 – December 31, 2010. Report released September 2011.

  • "This report focuses on identity theft in the securities and futures industries. Based on Suspicious Activity Report by the Securities and Futures Industries (SAR-SF) filings, it describes recent patterns and trends of SAR-SF reporting and identifies methods by which identity thieves may access and abuse investment, retirement, and trust accounts to defraud individual account holders and/or securities firms. FinCEN added identity theft as a characterization of suspicious activity on the SAR-SF form in May 2004 following an increase in the reporting of this type of activity. This study is based on SAR-SF filings made between 2005 and 2010. It complements an October 2010 FinCEN report that described, in part, ways that identity thieves reportedly defraud individuals and depository institutions by gaining unauthorized access to credit cards, loans, and depository accounts...The number of SAR-SFs reporting identity theft grew by 89 percent from 2005 to 2010, and nearly 13 percent of all SAR-SF filings over the 6-year period in part characterized the reported activity as identity theft."

    September 21, 2011
    * FTC Announces New and Improved OnGuardOnline Website

    News release: "Want to know more about Internet safety and security? Visit the new and improved OnGuardOnline.gov for practical tips and resources on how to be safe, secure and responsible online. Created through a partnership of 16 federal agencies led by the Federal Trade Commission, it’s a great source of free information for your home, school, community group, or workplace. OnGuardOnline’s new features include a cybersecurity blog and information updates via e-mail. Also, the FTC has partnered with the Department of Homeland Security and other agencies in the Stop.Think.Connect Campaign™ to raise awareness of the need for stronger cybersecurity with new approaches to help increase online safety and security. The new OnGuardOnline blog offers cybersecurity news from around the government, how-to articles and videos, and insights from federal officials. Check back regularly for updates, or sign up to get an e-mail when a new post is up. You can copy information from the site, adapt it, post it, or link to it, and you can share your thoughts on the blog. Updating your website or blog? Link to OnGuardOnline. Editing a newsletter? Use our articles. Need hand-outs for a talk you’re giving? Print publications from the website, or order free materials from the FTC."

    September 18, 2011
    * FTC Seeks Comment on Proposed Revisions to Children's Online Privacy Protection Rule

    News release: "The Federal Trade Commission is seeking public comment on proposed amendments to the Children’s Online Privacy Protection Rule, which gives parents control over what personal information websites may collect from children under 13. The FTC proposes these amendments to ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve. The Commission proposes modifications to the Rule in five areas: definitions, including the definitions of “personal information” and “collection,” parental notice, parental consent mechanisms, confidentiality and security of children’s personal information, and the role of self-regulatory “safe harbor” programs."

    September 15, 2011
    * Worldwide Web Consortium Launches Tracking Protection Working Group

    "The Tracking Protection Working Group is chartered to improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements. The group seeks to standardize the technology and meaning of Do Not Track, and of Tracking Selection Lists." See in Input Documents as follows

    September 13, 2011
    * CDT: Under Proposed Rule, Patients Will Receive Clinical Test Results Directly

    News release: "Ever have a medical test done and then had to wait around – sometimes anxiously, depending on the test – to get the lab test results from your doctor? That’s about to change. Yesterday, the Department of Health and Human Services (HHS) proposed regulations that would give patients the ability to access their clinical lab test results directly from the lab, instead of having to wait to receive the results from their health care provider. This change further empowers patients to manage their own health care and organize electronic copies of their own data – a major benefit of the health care system’s transition to digital records...Yesterday’s proposed regulations will change how test results get to patients. The proposed regulations would modify CLIA to permit labs to send results directly to patients, and the proposed regulations would also modify the HIPAA Privacy Rule to give patients the right to access or receive their lab results. Contrary state laws would be preempted. As with patients’ existing right of access, patients would have the ability to request their lab results in a particular form or format; for example, patients could request a paper copy of their test results, or to have the results sent electronically to the patients’ personal health record. (For more information on patients’ right to access their medical data, see CDT’s page on Getting Your Medical Records.)"

    September 10, 2011
    * Legislation Related to the Attack of September 11, 2001

    The Library of Congress - THOMAS: "This site was begun in September 2001 as a way of keeping the public readily apprised of legislation related to the terrorist attack on the United States that month. The selection, made by hand, is necessarily subjective, as the September 11th attack had a ripple effect on legislation in the second session of the 107th Congress, making boundaries difficult to draw. The site will not be updated after the conclusion of the 107th. Not included here are appropriations and authorization bills, which may include provisions relevant to our response to terrorism, but included are some bills related to bio-terrorism and not September 11th."

  • Bills & Joint Resolutions Signed Into Law | Other Resolutions Approved | Legislation With Floor Action | Legislation Without Floor Action
  • See also the 9/11 Commission Report and a continually updated topical set of related postings on 9/11

    September 07, 2011
    * EPIC: DC Circuit Court Grants Access to Cell Phone Surveillance Records

    "The Circuit Court for the District of Columbia has ruled that the Department of Justice must release information regarding government surveillance of cell phone location data. The American Civil Liberties Union had filed a Freedom of Information Act request for information regarding current and past cases where the Department of Justice had accessed cell phone location data without a warrant. The agency sought to keep this information secret, claiming that releasing cell phone tracking data could implicate privacy of investigation subjects. The court, however, disagreed, stating, "The disclosure sought by the plaintiffs would inform this ongoing public policy discussion by shedding light on the scope and effectiveness of cell phone tracking as a law enforcement tool." For more information, see EPIC: Wiretapping and EPIC: Electronic Surveillance 1968-2010."

    August 28, 2011
    * The PII Problem: Privacy and a New Concept of Personally Identifiable Information

    The PII Problem: Privacy and a New Concept of Personally Identifiable Information (July 8, 2011). New York University Law Review, Vol. 86, 2011. Paul M. Schwartz and Daniel J. Solove.

  • Personally identifiable information (PII) is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. The basic assumption behind the applicable laws is that if PII is not involved, then there can be no privacy harm. At the same time, there is no uniform definition of PII in information privacy law. Moreover, computer science has shown that in many circumstances non-PII can be linked to individuals, and that de-identified data can, in many circumstances, be re-identified. PII and non-PII are thus not immutable categories, and there is a risk that information deemed non-PII at one point in time can be transformed into PII at a later juncture. Due to the malleable nature of what constitutes PII, some commentators have even suggested that PII be abandoned as the means to define the boundaries of privacy law. In this Article, Professors Paul Schwartz and Daniel Solove argue that although the current approaches to PII are flawed, the concept of PII should not be abandoned. They develop a new approach called “PII 2.0,” which accounts for PII’s malleability. Based upon a standard rather than a rule, PII 2.0 is based upon a continuum of risk of identification. PII 2.0 regulates information that relates to either an “identified” or “identifiable” individual, and it establishes different requirements for each category. To illustrate their theory, Schwartz and Solove use the example of regulating behavioral marketing to adults and children. They show how existing approaches to PII impede the effective regulation of behavioral marketing and how PII 2.0 would resolve these problems."


    August 25, 2011
    * EPIC - Federal Judge: Locational Data Protected Under Fourth Amendment

    "A Federal judge has ruled that law enforcement officers must have a warrant to access cell phone locational data. Courts are divided regarding whether or not this type of data should be protected by a warrant requirement. Judge Garaufis of the Eastern District of New York, found that "The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by 'choosing' to carry a cell phone must be rejected…In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell-phone user's reasonable expectation of privacy in cumulative cell-site-location records." EPIC has filed amicus briefs in several related cases. For more information see: EPIC: Commonwealth v. Connolly, EPIC: US v. Jones, and EPIC: Locational Privacy."

    * ACLU Guide to New Facebook Privacy Controls

    "August 25, 2011 - Facebook is rolling out a series of changes to its privacy controls. We reviewed the changes in detail on Tuesday; now here’s how you can take advantage of these changes.

  • "Turn On “Profile Review” - One of the biggest changes to Facebook’s privacy controls is the option to review any content you’re tagged in (including photos, Places, and more) before that content is fed into your news feed. You can also review any tags that are added to photos or other content that you post yourself...."

    * Symantec Intelligence Report - August 2011

    "Symantec Corp. announced the results of the August 2011 Symantec Intelligence Report, now combining the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. This month’s analysis reveals that once more spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit. In a pump-and-dump stock scam, spammers promote certain stocks in order to inflate the price as much as possible so that they may then be sold before their valuation crashes back to reality. The spam for these scams tries to convince the prospective mark that the penny stock is actually worth more than its valuation, or that it will soon skyrocket. Most of these claims are either misleading or false. A successful pump-and-dump spam campaign will artificially drive up the price of the stock to a point where the scammers decide to sell their shares. This usually coincides with them ending the spam campaign, which in turn reduces the interest in the stock, helping to drive its valuation back to the original low price."

    August 18, 2011
    * Trends in Circumventing Web-Malware Detection

    Trends in Circumventing Web-Malware Detection. Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt. Google Technical Report rajab-2011a, July 2011

  • "Malicious web sites that compromise vulnerable computers are an ever-present threat on the web. The purveyors of these sites are highly motivated and quickly adapt to technologies that try to protect users from their sites. This paper studies the resulting arms race between detection and evasion from the point of view of Google’s Safe Browsing infrastructure, an operational web-malware detection system that serves hundreds of millions of users. We analyze data collected over a four year period and study the most popular practices that challenge four of the most prevalent web-malware detection systems: Virtual Machine client honeypots, Browser Emulator client honeypots, Classification based on domain reputation, and Anti-Virus engines. Our results show that none of these systems are effective in isolation. In addition to describing specific methods that malicious web sites employ to evade detection, we study trends over time to measure the prevalence of evasion at scale. Our results indicate that exploit delivery mechanisms are becoming increasingly complex and evasive."

    * A Guide to Facebook Security For Young Adults, Parents, and Educators

    A Guide to Facebook Security For Young Adults, Parents, and Educators, Linda McCarthy, Keith Watson, and Denise Weldon-Siviy, August 2011. "This online guide explains how you can:

    • Protect your Facebook account
    • Avoid the scammers
    • Use advanced security settings
    • Recover a hacked Facebook account
    • Stop imposters"

    August 16, 2011
    * McAfee White Paper on Global Cyberattacks

    Revealed: Operation Shady RAT by Dmitri Alperovitch, Vice President, Threat Research, McAfee: "An investigation of targeted intrusions into more than 70 global companies, governments, and non-profit organizations during the last five years."

  • "...the targeted compromises we are focused on — known as advanced persistent threats (APTs) — are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat. What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries."

    August 12, 2011
    * Writing and Maintaining Secure Online Passwords

    ...and how well hidden is YOUR needle?

  • "Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered. If every possible password is tried, sooner or later yours will be found. The question is: Will that be too soon...or enough later? This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search. Please see the discussion below for additional information."

    August 10, 2011
    * Data-Enabled Government: How Well Is Our Personal Information Used and Protected?

    Data-Enabled Government: How Well Is Our Personal Information Used and Protected? - HP Business White Paper

  • "This is a summary of a longer report written in co-operation with the Economist Intelligence Unit. It examines the key issues surrounding the use and protection of personal data and draws on in-depth interviews with experts working on the front lines of public sector data management in the UK, Germany, France and Sweden, as well as academics and other authorities...Governments are continually expanding the breadth and depth of data they hold about their citizens, from the provision of public health and welfare services, to law enforcement and public security. In the pursuit of greater efficiency and improved public services, many are digitising operations and sharing information. However, the issues surrounding how to both deliver better service and safeguard private citizen data are becoming increasingly complex."

    * Mobile App Security Study: appWatchdog Findings

    "Data (in)security is rapidly gaining consumer attention in major media. In 2011 major breaches at Sony, Epsilon and others have highlighted the risk consumers face from their data being compromised. Major corporations are now recognizing the urgency to implement strong and innovative security measures to ensure the security of their customers’ data. At the same time, both Apple and Google have seen stunning growth in the past few years and now dominate the smartphone market. Companies and app developers have leveraged these platforms to provide new mobile services, often bringing them to market very quickly. But what steps have the smartphone OS providers and app developers taken to secure the data on their customers’ smartphones? At viaForensics we believe in proactive forensics – applying the power of forensic methods proactively to improve digital security. With appWatchdog we utilize forensic techniques to investigate consumer mobile apps and understand what user data is stored and could be at risk. This white paper summarizes our findings for the first 100 tests, from November 2010 through June 2011."

    August 07, 2011
    * Study: Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning

    Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (July 29, 2011), Ayenson, Mika, Wambach, Dietrich James, Soltani, Ashkan, Good, Nathan and Hoofnagle, Chris Jay, Available at SSRN

  • "In August 2009, we demonstrated that popular websites were using “Flash cookies” to track users. Some advertisers had adopted this technology because it allowed persistent tracking even where users had taken steps to avoid web profiling. We also demonstrated “respawning” on top sites with Flash technology. This allowed sites to reinstantiate HTTP cookies deleted by a user, making tracking more resistant to users’ privacy-seeking behaviors. In this followup study, we reassess the Flash cookies landscape and examine a new tracking vector, HTML5 local storage and Cache-Cookies via ETags. We found over 5,600 standard HTTP cookies on popular sites, over 4,900 were from third parties. Google-controlled cookies were present on 97 of the top 100 sites, including popular government websites. Seventeen sites were using HTML5, and seven of those sites had HTML5 local storage and HTTP cookies with matching values. Flash cookies were present on 37 of the top 100 sites. We found two sites that were respawning cookies, including one site – hulu.com – where both Flash and cache cookies were employed to make identifiers more persistent. The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and “Private Browsing Mode” is enabled."
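The ETag "cache cookie" works because the HTTP cache validator is a value the server chooses and the browser replays verbatim: a tracker that serves a cacheable image with a per-user ETag will get that value back in `If-None-Match` on every later load, cookies or no cookies, and can re-issue a deleted cookie from it. The Python below is an added example, written for this page and not taken from the study or from any site it names (hulu.com's actual implementation is not shown there). It models one tracker origin and one browser in-process, with no network, and the `tracker.example` URL is hypothetical.

```python
import secrets


class TrackingServer:
    """Toy origin that doubles as a tracker: it issues the same identifier
    as a cookie and as the ETag of a cacheable 1x1 image, so either one
    can rebuild the other. Invented for illustration; not any site's code."""

    def __init__(self):
        self.profiles = {}  # identifier -> number of visits seen

    def handle(self, cookies, headers):
        uid = cookies.get("uid")
        validator = headers.get("If-None-Match")
        if uid is None and validator:
            # Respawn: the user deleted cookies, but the cache still replays
            # the identifier hidden in the ETag.
            uid = validator.strip('"')
        if uid is None:
            uid = secrets.token_hex(8)  # first contact: mint a new identifier
        self.profiles[uid] = self.profiles.get(uid, 0) + 1

        etag = f'"{uid}"'
        return {
            "status": 304 if validator == etag else 200,
            "headers": {"ETag": etag, "Cache-Control": "private, max-age=31536000"},
            "set_cookie": {"uid": uid},
        }


class Browser:
    """Minimal client: a cookie jar plus a cache keyed by URL that stores the
    validator and replays it as If-None-Match, as real browsers do."""

    def __init__(self):
        self.cookies = {}
        self.cache = {}

    def fetch(self, server, url):
        headers = {}
        if url in self.cache:
            headers["If-None-Match"] = self.cache[url]
        resp = server.handle(dict(self.cookies), headers)
        self.cookies.update(resp.get("set_cookie", {}))
        self.cache[url] = resp["headers"]["ETag"]
        return resp

    def clear_cookies(self):
        self.cookies.clear()

    def clear_cache(self):
        self.cache.clear()


PIXEL = "https://tracker.example/pixel.gif"  # hypothetical tracker URL


def cookie_clear_alone_is_defeated():
    """True when the tracker recovers the same identifier after the user
    cleared cookies but kept the cache."""
    server, browser = TrackingServer(), Browser()
    browser.fetch(server, PIXEL)
    original = browser.cookies["uid"]
    browser.clear_cookies()
    browser.fetch(server, PIXEL)
    return browser.cookies["uid"] == original and server.profiles[original] == 2


def clearing_both_breaks_the_link():
    """True when clearing cookies and cache together yields a fresh
    identifier, the only client-side action that works in this model."""
    server, browser = TrackingServer(), Browser()
    browser.fetch(server, PIXEL)
    original = browser.cookies["uid"]
    browser.clear_cookies()
    browser.clear_cache()
    browser.fetch(server, PIXEL)
    return browser.cookies["uid"] != original and len(server.profiles) == 2


if __name__ == "__main__":
    print("cookie clear alone defeated:", cookie_clear_alone_is_defeated())
    print("cookies + cache clear works:", clearing_both_breaks_the_link())
```

Two things the model makes visible: the respawned visit is answered with 304, so nothing in the response body or cookie headers looks unusual to a casual observer, and blocking cookies outright does not help, since the identifier round-trips in a header that cookie controls never touch. The corresponding check when auditing a site is to diff the ETags two fresh clients receive for the same static resource; a content-derived validator is identical across clients, a tracking one is not.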
    August 05, 2011
    * Firefox Extension Defends Against Search Hijacking Schemes and Improves Web Security

    News release: "The Electronic Frontier Foundation (EFF), in collaboration with the Tor Project, has launched an official 1.0 version of HTTPS Everywhere, a tool for the Firefox web browser that helps secure web browsing by encrypting connections to more than 1,000 websites. HTTPS Everywhere was first released as a beta test version in June of 2010. Today's 1.0 version includes support for hundreds of additional websites, using carefully crafted rules to switch from HTTP to HTTPS. HTTPS protects against numerous Internet security and privacy problems, including the search hijacking on U.S. networks that was revealed by an article published today in New Scientist magazine. The article, entitled US internet providers hijacking users' search queries, documents how a company called Paxfire has been intercepting and altering search traffic on a number of ISPs' networks. HTTPS can prevent such attacks."

    August 03, 2011
    * McAfee Releases Online Banking Safety Guide for the 47 Percent of Consumers Who Are Underprotected

    News release: "Acting on recent data that reveals many consumers still aren’t protected by even basic antivirus software when banking online, McAfee today released an educational guide for banking safely on computers, tablets or mobile devices. According to Javelin Strategy & Research, in 2010 47 percent of household financial managers did not have antivirus software installed. Combining McAfee intelligence with the latest U.S. banking data from many top sources revealed that most consumers fall into one of three categories of online banking behavior, and that age tends to play a strong role in safety and security habits online. Most people’s level of confidence with banking online is associated with their overall comfort level online, including participating in such activities as shopping, searching, and social networking."

  • Complete details on each of the online banking personality types and accompanying graphics
  • Find out what phishing is, how to spot fake emails, and how to avoid it altogether
    August 01, 2011
    * House Committee Approves Controversial Measure to Require Data Retention for All Internet Users

    EPIC: "The House of Representatives Judiciary Committee voted to approve a bill that will require Internet Service Providers (ISPs) to retain data on every customer to allow the government to identify and track their online activity for one year. EPIC Director Marc Rotenberg testified against the bill at the subcommittee hearing, and his arguments were cited by committee members including Representative Jerrold Nadler (D-NY). After two days of deliberation, the bill was passed with an amendment to require ISPs to retain even more information: not only internet protocol addresses, but also customer names, addresses, phone records, type and length of service, and credit card numbers. “This retention is a radical contradiction of the core American value that we are innocent until proven guilty,” said Representative Jason Chaffetz (R-UT)."

    * Study: Faces of Facebook: Privacy in the Age of Augmented Reality

    Faces of Facebook: Privacy in the Age of Augmented Reality - FAQ only - See also slides here. Alessandro Acquisti (Heinz College, Carnegie Mellon University), Ralph Gross (Heinz College, Carnegie Mellon University), Fred Stutzman (Heinz College, Carnegie Mellon University), August 2011

  • "We investigated the feasibility of combining publicly available Web 2.0 data with off-the-shelf face recognition software for the purpose of large-scale, automated individual re-identification. Two experiments demonstrated the ability of identifying strangers online (on a dating site where individuals protect their identities by using pseudonyms) and offline (in a public space), based on photos made publicly available on a social network site. A third proof-of-concept experiment illustrated the ability of inferring strangers' personal or sensitive information (their interests and Social Security numbers) from their faces, by combining face recognition, data mining algorithms, and statistical re-identification techniques. The results highlight the implications of the inevitable convergence of face recognition technology and increasing online self-disclosures, and the emergence of "personally predictable" information. They raise questions about the future of privacy in an "augmented" reality world in which online and offline data will seamlessly blend."
    July 28, 2011
    * WSJ: Marketers are spying on Internet users

    "Marketers are spying on Internet users -- observing and remembering people's clicks, and building and selling detailed dossiers of their activities and interests. The Wall Street Journal's What They Know series documents the new, cutting-edge uses of this Internet-tracking technology. The Journal analyzed the tracking files installed on people's computers by the 50 most popular U.S. websites, plus WSJ.com. The Journal also built an "exposure index" -- to determine the degree to which each site exposes visitors to monitoring -- by studying the tracking technologies they install and the privacy policies that guide their use."

    July 25, 2011
    * Report - Google Street View cars grabbed locations of phones, PCs

    CNET: "Google's Street View cars collected the locations of millions of laptops, cell phones, and other Wi-Fi devices around the world, a practice that raises novel privacy concerns, CNET has confirmed. The cars were supposed to collect the locations of Wi-Fi access points. But Google also recorded the street addresses and unique identifiers of computers and other devices using those wireless networks and then made the data publicly available through Google.com until a few weeks ago."

    July 17, 2011
    * ACLU: Lessons from the UK "Phone Hacking" Scandal

    Commentary: "Britain is now enmeshed in a gigantic scandal around privacy invasions by the press and police. It began with revelations about reporters for Rupert Murdoch's British tabloid newspaper News of the World hacking into the voicemail of a murdered young girl, and has expanded as other privacy invasions have come to light."

  • WSJ.com: Scandal Grows at News Corp. - "Former News Corp. executive Rebekah Brooks was arrested and the head of Scotland Yard stepped down, as a convulsive phone-hacking scandal raced into the loftiest ranks of Britain's business and law-enforcement worlds."
    July 14, 2011
    * FTC Testifies on Protecting Consumers' Privacy

    "The Federal Trade Commission today told Congress that protecting consumers’ privacy – through law enforcement, education and policy initiatives – is a top priority at the agency. In delivering Commission testimony before the House Committee on Energy and Commerce Subcommittees on Commerce, Manufacturing, and Trade, and Communications and Technology, Commissioner Edith Ramirez said, “Privacy has been an important part of the Commission’s consumer protection mission for 40 years. During this time, the Commission’s goal in the privacy arena has remained constant: to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits offered by the dynamic and ever-changing marketplace.”"

    July 10, 2011
    * EPIC: European Parliament Takes Stance Against Airport Body Scanners

    Follow-up to previous postings on whole body scanning at airports, via EPIC: "The European Parliament has adopted a resolution that sets out strict safeguards for airport body scanners. The resolution requires that Member States only "deploy technology which is the least harmful for human health" and establish substantial privacy protection. The resolution prohibits the use of body scanners that use ionizing radiation. New guidelines also state that airport body scanners "must not have the capabilities to store or save data." EPIC currently is pursuing a lawsuit to suspend the use of body scanners in the United States, citing several federal laws and the US Constitution. EPIC has called the US airport body scanner program "invasive, ineffective, and unlawful." For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology."

    July 02, 2011
    * Computer Engineering Student Creates 'Batphone' App Using Acoustics to Determine Location

    News release: "Outside, the global positioning system allows mobile phone users to pinpoint their location with surprising accuracy. But indoors, those who are lost are out of luck: GPS satellite signals can’t penetrate roofs. Researchers at the McCormick School of Engineering and Applied Science have determined one way of figuring out your location inside: by letting your phone listen. Their new mobile phone app, called Batphone, allows users to record ambient noise in a room and tag it with an acoustic fingerprint, which allows future users to use that database of fingerprints to determine their location. “We have found that the app has been very successful in determining locations,” says app developer Stephen Tarzia, a computer engineering graduate student in the Empathic Systems Project headed by electrical engineering and computer science professors Peter Dinda and Gokhan Memik and adjunct professor Robert Dick."

  • Take the test to determine your ears’ room identification abilities, or download the app at the iTunes store.
    June 30, 2011
    * 2010 Wiretap Report Shows Increase in Authorized Intercepts

    "Federal and state applications for orders authorizing or approving the interception of wire, oral or electronic communications increased 34 percent in 2010, compared to the number reported in 2009. The interceptions are reported in the 2010 Wiretap Report, released today by the Administrative Office of the United States Courts (AOUSC). The current report covers intercepts concluded between January 1, 2010 and December 31, 2010. A total of 3,194 intercept applications by federal and state courts were authorized in 2010, with 1,207 applications by federal authorities authorized and 1,987 applications by 25 states authorized. One application was denied. Installed intercepts totaled 2,311."

    * FTC: Consumer Confidence in Internet Marketplace Depends on Privacy Protections

    News release: "The Federal Trade Commission told Congress that consumers must be confident that their privacy will be protected if they are to be willing to take advantage of all the benefits offered by the Internet marketplace. Commission testimony to the Senate Committee on Commerce, Science and Transportation, delivered by Commissioner Julie Brill, states that, “Privacy has been an important component of the Commission’s consumer protection mission for 40 years. During this time, the Commission’s goal in the privacy arena has remained constant: to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits offered by the dynamic and ever-changing marketplace.”"

  • "Ioana Rusu, regulatory counsel for Consumers Union, the nonprofit publisher of Consumer Reports, shared new poll results when she testified at a Senate committee hearing on online privacy and data security tomorrow. A May poll conducted by Consumer Reports shows that two-thirds of consumers feel that the government should be involved with safeguarding their online privacy, while 81 percent of respondents agreed that they should be able to permanently opt out of Internet tracking from a single location."
    June 29, 2011
    * Organization for Economic Cooperation and Development's proposed online copyright protection plan

    OECD draft Communiqué on Principles for Internet Policy-Making, June 29, 2011

  • "The policy-making principles in this communiqué are designed to help preserve the fundamental openness of the Internet while concomitantly meeting certain public policy objectives, such as the protection of privacy, security, children online, and intellectual property, as well as the reinforcement of trust in the Internet. Effective protection of intellectual property rights plays a vital role in spurring innovation and furthers the development of the Internet economy. Internet policy making principles need to take into account the unique social, technical and economic aspects of the Internet environment. It is clear that the open and accessible nature of the Internet needs to be supported for the benefit of freedom of expression, and to facilitate the legitimate sharing of information, knowledge and exchange of views by users including research and development that has brought about widespread innovation to our economies."
  • OECD Internet Economy (Home)
  • EFF Declines to Endorse OECD Draft Communiqué on Principles for Internet Policy-Making: "We oppose legal and policy frameworks that encourage Internet intermediaries to filter and block online content or disconnect Internet users under a “graduated response” system after alleged copyright violations. Civil society calls on OECD member states to defend free expression and support due process and procedural safeguards in the protection of intellectual property rights."
    June 28, 2011
    * EPIC v. DHS Lawsuit -- FOIA'd Documents Raise New Questions About Body Scanner Radiation Risks

    EPIC: "In a FOIA lawsuit against the Department of Homeland Security, EPIC has just obtained documents concerning the radiation risks of TSA's airport body scanner program. The documents include agency emails, radiation studies, memoranda of agreement concerning radiation testing programs, and results of some radiation tests. One document set reveals that even after TSA employees identified cancer clusters possibly linked to radiation exposure, the agency failed to issue employees dosimeters - safety devices that could assess the level of radiation exposure. Another document indicates that the DHS mischaracterized the findings of the National Institute of Standards and Technology, stating that NIST "affirmed the safety" of full body scanners. The documents obtained by EPIC reveal that NIST disputed that characterization and stated that the Institute did not, in fact, test the devices. Also, a Johns Hopkins University study revealed that radiation zones around body scanners could exceed the "General Public Dose Limit." For more information, see EPIC: EPIC v. Department of Homeland Security - Full Body Scanner Radiation Risks and EPIC: EPIC v. DHS (Suspension of Body Scanner Program)."

    June 27, 2011
    * Know Your Digital Rights guide from EFF

    Know Your Rights! by Hanni Fakhoury, EFF Staff Attorney, June 2011

  • "Your computer, your phone, and your other digital devices hold vast amounts of personal information about you and your family. This is sensitive data that’s worth protecting from prying eyes — including those of the government. The Fourth Amendment to the Constitution protects you from unreasonable government searches and seizures, and this protection extends to your computer and portable devices. But how does this work in the real world? What should you do if the police or other law enforcement officers show up at your door and want to search your computer? EFF has designed this guide to help you understand your rights if officers try to search the data stored on your computer or portable electronic device, or seize it for further examination somewhere else. Because anything you say can be used against you in a criminal or civil case, before speaking to any law enforcement official, you should consult with an attorney."
    * Consumer Groups Recommend Privacy Safeguards on "Smart Meter" Services

    EPIC: "The Trans-Atlantic Consumer Dialogue (TACD), a coalition of consumer groups in Europe and North America, adopted a report on privacy and electrical services at the 12th Annual TACD meeting held recently in Brussels. The Smart Meter White Paper warns the "dramatic increase in the granularity of data available and frequency of collection of household energy consumption means that the smallest detail of household life can be revealed." The TACD report sets out recommendations to protect the privacy of users of new energy services. For more information, see EPIC - Smart Grid and Privacy."

    June 24, 2011
    * Truth About Wireless Phones and the National Do-Not-Call List

    FCC: "You may be one of many consumers who have received emails saying you’re about to be assaulted by unwanted telemarketing calls to your wireless phone. Rest assured that placing telemarketing calls to wireless phones is -- and always has been -- illegal in most cases. Why the Confusion? The confusion seems to stem from recent discussions in the wireless phone industry about establishing a wireless 411 phone directory, much like your traditional (wired) 411 phone directory. A number of email campaigns seem to suggest that if your wireless telephone number is listed in a wireless 411 directory, it will be available to telemarketers, and you will start to receive sales calls. In addition, some of these email campaigns suggest that there is a separate do-not-call “cell phone registry,” which you must call to have your wireless phone number covered by the do-not-call rules. This information is wrong."

    June 23, 2011
    * FTC Files Amicus Brief in U.S. District Court Opposing Proposed Class Action Settlement with Debt Buyer Midland Funding LLC

    News release: "As explained in the amicus brief, the proposed settlement raises concerns in three areas in which the FTC has significant expertise: FDCPA and debt collection, privacy and data collection, and class action fairness. First, the FTC is the chief federal enforcer of the FDCPA and has conducted comprehensive assessments of debt collection activities, including its 2009 report, Collecting Consumer Debts: The Challenges of Change and its 2010 report, Repairing a Broken System: Protecting Consumers in Debt Collection Litigation and Arbitration. Second, the FTC safeguards consumers’ privacy and the security of their personal information under Section 5 of the FTC Act and the Gramm-Leach-Bliley Act. Finally, in connection with its Class Action Fairness Project, the FTC has studied how best to protect consumer interests and promote fairness in the class action context and has filed amicus briefs commenting on potentially unfair class settlements."

    * EPIC: Supreme Court Strikes Down Prescription Privacy Law

    "In a 6-3 decision, the Supreme Court struck down Vermont's prescription privacy law. IMS Health, Inc. v. Sorrell held that the Vermont statute, which bars disclosure of prescription data for marketing purposes, violates data mining firms' free speech rights. Vermont "burdened a form of protected expression that it found too persuasive. At the same time, the State has left unburdened those speakers whose messages are in accord with its own views. This the State cannot do," the Court wrote. The Court suggested that a more privacy-protective statute might have withstood Constitutional scrutiny, writing "the State might have advanced its asserted privacy interest by allowing the information’s sale or disclosure in only a few narrow and well-justified circumstances. A statute of that type would present quite a different case than the one presented here." EPIC filed an amicus brief on behalf of 27 technical experts and legal scholars, as well as nine consumer and privacy groups, arguing that the privacy interest in safeguarding medical records is substantial and that the "de-identification" techniques adopted by data-mining firms do not protect patient privacy. For more information, see EPIC: IMS Health v. Sorrell."

    June 15, 2011
    * Congress Should Enact Data Security and Breach Notification Law, FTC Says

    News release: "The Federal Trade Commission told Congress today during a hearing that to minimize the risk of identity theft or other harm, companies should employ reasonable safeguards to protect consumer information, collect only information for which they have a legitimate business need, and retain data only as long as necessary to fulfill the business purposes for which it was collected. The FTC also reiterated its recommendation that Congress pass legislation that would require companies to implement reasonable security practices and to notify consumers when there is a data security breach...The Commission expressed its support for federal legislation that would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The testimony notes that the Committee’s “Discussion Draft” of data security legislation accomplishes these key goals. The testimony highlights several other elements of the Discussion Draft, which gives the Commission authority to use the standard APA notice and comment procedures for rulemaking in connection with the legislation, provides for civil penalties for violations, and requires non-profit entities to adhere to the same data security and breach notification standards as for-profit entities."

    June 13, 2011
    * Report - FBI Expands Surveillance Power of Agents

    NYT: "The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide, according to an official who has worked on the draft document and several others who have been briefed on its contents. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity. The F.B.I. recently briefed several privacy advocates about the coming changes. Among them, Michael German, a former F.B.I. agent who is now a lawyer for the American Civil Liberties Union, argued that it was unwise to further ease restrictions on agents’ power to use potentially intrusive techniques, especially if they lacked a firm reason to suspect someone of wrongdoing."

    June 10, 2011
    * EFF: How to Disable Facebook's Facial Recognition Feature

    Announcement by Eva Galperin: "Back in December of 2010, Facebook debuted its tag suggestion feature, which works by using facial recognition technology to examine photos in which you’ve already been tagged, and then creating what Facebook calls your “photo summary” or “photo comparison information,” or what we’ll call your “facial fingerprint.” Using this information, FB suggests your name to your friends when they upload a photo of you, and invites them to tag you in that photo. Over the last few months, Facebook has been slowly rolling this feature out to all of its users, which caught the attention of security firm Sophos, The New York Times, and the European Union, which has launched a probe to investigate the new feature."

    * EPIC, ACLU, EFF, and Others Urge Homeland Security to Stop Creation of National Identity System

    "EPIC and a coalition of privacy, consumer rights, and civil rights organizations filed a statement to the Department of Homeland Security in opposition to the proposed expansion of the employment verification system, "E-Verify." The agency announced plans to incorporate state driver license records that could significantly expand the use of the Homeland Security database. The groups said that the DHS proposal is unlawful and looks very similar to the REAL ID scheme that was previously defeated. EPIC has testified before Congress and published a Spotlight on Surveillance report about E-Verify. For more information, see EPIC: Employment Eligibility Verification System and EPIC: National ID."

    June 08, 2011
    * PricewaterhouseCoopers’ Health Research Institute: Health Reform: Prospering in a post-reform world

    PricewaterhouseCoopers’ Health Research Institute, Health Reform: Prospering in a post-reform world, June 2001

  • "To prosper in the post-reform world, health executives will need to reassess current strategies and find ways to work together. This report illustrates the mega trends that each sector (provider, payer, and pharmaceutical and life sciences) will face as a result of health reform, the provisions in the law that are driving them, and recommendations on how organizations can turn these challenges into new opportunities. It concludes with a new vision for organizational strategy development that is based on cross-sector collaboration rather than siloed competition."
    * EPIC: WhiteHouse.gov to Track Users for Two Years

    EPIC: "The White House modified its privacy policy for WhiteHouse.gov on June 3, 2011. The new policy is more than twice as long as the old policy. The new policy states the White House web site now uses persistent Google Analytics cookies that track users for up to two years. Previously the site employed only single-session cookies, which were automatically deleted when users closed their browsers. The site does not provide a means for visitors to opt out of receiving cookies. The present policy reflects changes the administration made last year to allow for use of tracking cookies by federal websites. For more information, see EPIC: White House Adopts Weird Opt-Out Privacy Policy for Public Access to Government Web Sites."

    June 06, 2011
    * EPIC: House Passes Budget for TSA, Cuts Funding for Body Scanners

    Follow-up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The House has approved the 2012 budget for the Transportation Security Administration, cutting $270 million from the amount originally requested by the Agency. The cuts include $76 million that had been designated for the purchase of 275 airport body scanners. Leading lawmakers and activists have called attention to the health risks associated with the scanners, as well as their invasiveness. Representative Jason Chaffetz (R-UT) criticized the machines as “slow” and “ineffective.”"

    June 05, 2011
    * Survey Finds Nearly Half of 6- to 9-Year-Olds Talk to Friends Online and Use Social Networks

    News release: "AVG Technologies, Inc. announced it will make its leading Family Safety software available for free in exchange for a 99 cent donation to the American Red Cross family relief efforts in Joplin, Mo. The move comes in response to research the company conducted and has released over the course of the year on early childhood technology usage trends, “Digital Diaries,” and is complemented with the release of a first-of-its-kind e-book and mobile application for teaching very young children the basics of online safety, Little Bird’s Internet Security Adventure. AVG CEO JR Smith is making appearances across the country today urging parents to consider introducing their child to Little Bird to help them learn about online safety....Roughly half of today’s children (ages 6-9) are regularly talking to their friends online and using social networks, yet 58 percent of their parents admit they are not well-informed about their children’s online social networks. The “Digital Playground,” the third stage of AVG’s year-long “Digital Diaries” research program, further reveals the increasingly digitally-literate group of 6- to 9-year-olds and their parents in North America, Europe, Australia and New Zealand to find that:

    • More than half (51 percent) of 6- to 9-year-olds use some kind of children’s social network such as Club Penguin or WebKinz.
    • Roughly one in five use email, and despite being underage, 14 percent are on Facebook, according to their parents.
    • 47 percent of 6- to 9-year-olds talk to their friends on the Internet.
    • Almost one in six 6- to 9-year-olds and one in five 8- to 9-year-olds have experienced what their parents consider objectionable or aggressive behavior online.
    • American children average four hours online each week, slightly more than the worldwide average of 3.5 hours per week.
    • 58 percent of parents admit they are neither well-informed nor understand their children’s online social networks.
    • Only 56 percent of parents were certain their family computer has parental controls or safety programs in place."

    * Study - Privacy leakage vs. Protection measures: the growing disconnect

    Privacy leakage vs. Protection measures: the growing disconnect, Balachander Krishnamurthy - AT&T Labs Research; Konstantin Naryshkin - Worcester Polytechnic Institute; Craig E. Wills - Worcester Polytechnic Institute, May 2011.

  • "Numerous research papers have listed different vectors of personally identifiable information leaking via traditional and mobile Online Social Networks (OSNs) and highlighted the ongoing aggregation of data about users visiting popular Web sites. We argue that the landscape is worsening and existing proposals (including the recent U.S. Federal Trade Commission's report) do not address several key issues. We examined over 100 popular non-OSN Web sites across a number of categories where tens of millions of users representing diverse demographics have accounts, to see if these sites leak private information to prominent aggregators. Our results raise considerable concerns: we see leakage in sites for every category we examined; fully 56% of the sites directly leak pieces of private information with this result growing to 75% if we also include leakage of a site userid. Sensitive search strings sent to healthcare Web sites and travel itineraries on flight reservation sites are leaked in 9 of the top 10 sites studied for each category. The community needs a clear understanding of the shortcomings of existing privacy protection measures and the new proposals. The growing disconnect between the protection measures and increasing leakage and linkage suggests that we need to move beyond the losing battle with aggregators and examine what roles first-party sites can play in protecting privacy of their users."
    June 03, 2011
    * Tenth Study by the Digital Future Project Finds High Levels of Concern about Corporate Intrusion in Personal Lives

    Press Release and Highlights: "The annual study of the impact of the Internet on Americans conducted by the Center for the Digital Future found that almost half of Internet users age 16 and older -- 48 percent -- are worried about companies checking their actions on the Internet. By comparison, the new question for the Digital Future Study found that only 38 percent of Internet users age 16 and older are concerned about the government checking what they do online."

    June 01, 2011
    * Google Issues Advisory - Ensuring your information is safe online

    Official Google Blog: "...Through the strength of our cloud-based security and abuse detection systems, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.) Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities."

    May 30, 2011
    * G8 Declaration - Renewed Commitment For Freedom and Democracy

    G8 Summit of Deauville - May 26-27, 2011: "We discussed new issues such as the Internet which are essential to our societies, economies and growth. For citizens, the Internet is a unique information and education tool, and thus helps to promote freedom, democracy and human rights. The Internet facilitates new forms of business and promotes efficiency, competitiveness, and economic growth. Governments, the private sector, users, and other stakeholders all have a role to play in creating an environment in which the Internet can flourish in a balanced manner. In Deauville in 2011, for the first time at Leaders' level, we agreed, in the presence of some leaders of the Internet economy, on a number of key principles, including freedom, respect for privacy and intellectual property, multi-stakeholder governance, cyber-security, and protection from crime, that underpin a strong and flourishing Internet. The "e-G8" event held in Paris on 24 and 25 May was a useful contribution to these debates."

    May 29, 2011
    * Reauthorization of PATRIOT Act on Deadline

    RollCall: "After two days of wrangling and last-minute deal-making in the Senate, Congress cleared a reauthorization of the USA PATRIOT Act on Thursday, and the Obama administration announced that the president signed the bill into law before provisions of the anti-terrorism act expired at midnight. A standoff over amendments in the Senate ate into the time needed to fly the enrolled bill to President Barack Obama, who is traveling in Europe. Instead of physically signing the bill, Obama planned to direct the use of an autopen to sign it, White House spokesman Nick Shapiro said in an email shortly after the House cleared the bill. “Failure to sign this legislation poses a significant risk to U.S. national security,” Shapiro said in the email. Autopens generate a facsimile of an individual’s signature and are frequently used by Members of Congress for signing constituent correspondence and other letters. The Justice Department’s Office of Legal Counsel advised in 2005 that the president may sign a bill by autopen."

    May 27, 2011
    * Draft Agreement Would Allow DHS to Store EU Passenger Data for 15 Years

    EPIC: "A draft agreement between the United States and the European Union will allow the U.S. Department of Homeland Security to store passenger data for up to 15 years. The passenger data includes names, addresses, phone numbers, and credit card information, and even ethnic origin, political opinions, and details of health or sex life. The 15 year time period in the proposed agreement is three times that allowed under Europe's existing Passenger Name Record regime. See also EPIC: EU-US Airline Passenger Data Disclosure."

    May 24, 2011
    * CRS: Privacy Protections for Personal Information Online

    Privacy Protections for Personal Information Online, Gina Stevens, Legislative Attorney, April 6, 2011

  • "There is no comprehensive federal privacy statute that protects personal information. Instead, a patchwork of federal laws and regulations govern the collection and disclosure of personal information and has been addressed by Congress on a sector-by-sector basis. Federal laws and regulations extend protection to consumer credit reports, electronic communications, federal agency records, education records, bank records, cable subscriber information, video rental records, motor vehicle records, health information, telecommunications subscriber information, children's online information, and customer financial information. Some contend that this patchwork of laws and regulations is insufficient to meet the demands of today's technology. Congress, the Obama Administration, businesses, public interest groups, and citizens are all involved in the discussion of privacy solutions. This report examines some of those efforts with respect to the protection of personal information. This report provides a brief overview of selected recent developments in the area of federal privacy law. This report does not cover workplace privacy laws or state privacy laws."
  • May 18, 2011
    * Report: Push for Electronic Medical Records Overlooks Security Gaps

    PBS Newshour: 'As the Obama administration pushes ahead with plans to increase the use of electronic medical records, two internal reports released Tuesday by the Department of Health and Human Services revealed "significant concerns" about security gaps in the system. The Office of the Inspector General found "a lack of general [information technology] security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals." The investigation audited computer security at seven large hospitals in different states, and found 151 major vulnerabilities, including unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. The auditors classified 124 of the breaches as "high impact" - resulting in costly losses, injury or death. According to the report, "outsiders or employees at some hospitals could have accessed, and at one of the seven hospitals did access, systems and beneficiaries' personal data."'

    May 17, 2011
    * University Study: Google's Android OS ClientLogin Vulnerable to Hijacking

    Catching AuthTokens in the Wild - The Insecurity of Google's ClientLogin Protocol by Bastian Könings, Jens Nickels, and Florian Schaub, May 13, 2011

  • "In a recent blog post Dan Wallach outlined some of the risks of using Android smartphones in open Wifi networks. He found that some Android applications transmit data in the clear, allowing an attacker to eavesdrop on any transmitted information. Besides third-party apps, such as Twitter or Facebook, the Google Calendar app also transmitted unencrypted information. Wallach stated that "an eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar", a fact that also applies to Google Contacts, as another blog post revealed. We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs."
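    The mechanics behind that "quite easy" impersonation, as an added illustration that is not code from the paper, from Wallach, or from Google: a ClientLogin authToken is a bearer credential sent on every data-API request, so an eavesdropper who reads one request on an open network can reuse the header from any other machine. The header shape (`Authorization: GoogleLogin auth=<token>`) follows Google's ClientLogin documentation; the captured requests, the token, the host names and the toy service below are all constructed for the demonstration and assume nothing about any real account.

```python
"""Added example, not code from the paper or from Google: why a ClientLogin
authToken seen in the clear on open Wi-Fi is enough to impersonate its owner.

Assumed: the header shape documented for ClientLogin data-API requests,
'Authorization: GoogleLogin auth=<token>'. Every request, token and host
below is constructed for the demonstration; the service is a toy.
"""
import re
from typing import Dict, List, Optional, Tuple

# One header per line; a captured request may use \r\n or \n line endings.
_CLIENTLOGIN_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$",
                             re.IGNORECASE | re.MULTILINE)


def extract_clientlogin_token(raw_request: str) -> Optional[str]:
    """Return the ClientLogin authToken carried by a captured HTTP request, if any."""
    match = _CLIENTLOGIN_RE.search(raw_request)
    return match.group(1) if match else None


def request_target(raw_request: str) -> str:
    """Path component of the request line ('GET /path HTTP/1.1')."""
    return raw_request.splitlines()[0].split()[1]


def find_exposed_tokens(captures: List[Dict]) -> List[Dict]:
    """Flag captured requests that carried a ClientLogin token without TLS.

    Each capture is {"tls": bool, "src": str, "raw": str}. A passive
    eavesdropper on the same open Wi-Fi network reads the tls=False ones.
    """
    exposed = []
    for cap in captures:
        token = extract_clientlogin_token(cap["raw"])
        if token and not cap["tls"]:
            exposed.append({"src": cap["src"], "token": token,
                            "target": request_target(cap["raw"])})
    return exposed


class BearerTokenService:
    """Toy data API in which the authToken is the only credential checked.

    Nothing ties the token to the client that obtained it (no TLS channel,
    no signature over the request), so whoever presents it is the user.
    """

    def __init__(self, tokens_to_users: Dict[str, str]):
        self._tokens = tokens_to_users

    def handle(self, raw_request: str) -> Tuple[int, str]:
        token = extract_clientlogin_token(raw_request)
        user = self._tokens.get(token) if token else None
        if user is None:
            return 401, "Error=InvalidAuthToken"
        return 200, f"private calendar feed of {user}"


def replay(token: str, target: str) -> str:
    """Build the attacker's request: same header and target, different machine."""
    return (f"GET {target} HTTP/1.1\r\n"
            "Host: www.google.com\r\n"              # constructed; the API host is assumed
            f"Authorization: GoogleLogin auth={token}\r\n\r\n")


# Constructed capture: the victim's phone syncs Calendar over plain HTTP.
VICTIM_TOKEN = "DQAAAMkAAAC-constructed-token-not-real"
VICTIM_REQUEST = ("GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
                  "Host: www.google.com\r\n"
                  f"Authorization: GoogleLogin auth={VICTIM_TOKEN}\r\n"
                  "GData-Version: 2\r\n\r\n")


def demo() -> Dict[str, int]:
    """Sniff the token, replay it from another host, compare what the service does."""
    captures = [
        {"tls": False, "src": "10.0.0.23", "raw": VICTIM_REQUEST},  # visible to eavesdropper
        {"tls": True, "src": "10.0.0.23", "raw": VICTIM_REQUEST},   # same request inside TLS: opaque
        {"tls": False, "src": "10.0.0.41", "raw": "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"},
    ]
    exposed = find_exposed_tokens(captures)
    service = BearerTokenService({VICTIM_TOKEN: "victim@example.com"})
    attacker_request = replay(exposed[0]["token"], exposed[0]["target"])
    return {
        "exposed": len(exposed),
        "victim_status": service.handle(VICTIM_REQUEST)[0],
        "attacker_status": service.handle(attacker_request)[0],   # 200: indistinguishable
        "guess_status": service.handle(replay("bogus", "/"))[0],  # 401: the token is the secret
    }


if __name__ == "__main__":
    print(demo())
```

    The service cannot tell the replayed request from the victim's own, because the only thing it checks is the token string. The same capture logic, pointed at a mirror port, is also the quickest way to find apps on your own network that still send such tokens without TLS.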

  • May 15, 2011
    * Office of the Director of National Intelligence 2010 Data Mining Report

    Office of the Director of National Intelligence, 2010 Data Mining Report For the Period January 1, 2010 through December 31, 2010 [via FAS, May 10, 2011]

  • "The ODNI did not engage in any activities to use or develop data mining functionality in the reporting period."
  • May 12, 2011
    * Obama Administration Unveils its Cybersecurity Legislative Proposal

    "...the Administration has transmitted a cybersecurity legislative proposal to Capitol Hill in response to Congress’ call for assistance on how best to address the cybersecurity needs of our Nation. This is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government; fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity. Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy."

    May 11, 2011
    * Nothing to Hide: The False Tradeoff between Privacy and Security

    Daniel J. Solove, Nothing to Hide: The False Tradeoff between Privacy and Security, Chapter 1 (May 1, 2011), Yale University Press, 2011.

  • "If you've got nothing to hide," many people say, "you shouldn't worry about government surveillance." Others argue that we must sacrifice privacy for security. But as Daniel J. Solove argues in this book, these arguments and many others are flawed. They are based on mistaken views about what it means to protect privacy and the costs and benefits of doing so. In addition to attacking the "Nothing-to Hide Argument," Solove exposes the fallacies of pro-security arguments that have often been used to justify government surveillance and data mining. These arguments - such as the "Luddite Argument," the "War-Powers Argument," the "All-or-Nothing Argument," the "Suspicionless-Searches Argument," the "Deference Argument," and the "Pendulum Argument" - have skewed law and policy to favor security at the expense of privacy. The debate between privacy and security has been framed incorrectly as a zero-sum game in which we are forced to choose between one value and the other. But protecting privacy isn't fatal to security measures; it merely involves adequate oversight and regulation. The primary focus of the book is on common pro-security arguments, but Solove also discusses concrete issues of law and technology, such as the Fourth Amendment Third Party Doctrine, the First Amendment, electronic surveillance statutes, the USA-Patriot Act, the NSA surveillance program, and government data mining."
  • * UK Financial Regulator Consultation paper - 'Data Collection: Retail Mediation Activities Return and complaints data'

    "The FSA's Consultation paper CP11/08 is entitled 'Data Collection: Retail Mediation Activities Return and complaints data'. It was published in May 2011. Comments should reach us by July 8 2011.

  • The changes we are proposing to the Retail Mediation Activities Return (RMAR) and complaints data will be of interest to both advisers and providers active in the retail investment and corporate pensions markets. In addition, consumers and consumer bodies may be interested to know how we are proposing to use data to help us supervise and enforce the new Retail Distribution Review regime and ensure that the new rules are properly implemented. This is important because the data we propose to collect is intended to help us achieve our objective of establishing a resilient, effective and attractive retail investment and corporate pension market in which consumers can have confidence and trust."
  • May 10, 2011
    * FTC Testifies on Protecting Consumers' Privacy on Mobile Devices

    News release: "The Federal Trade Commission today told Congress that “the Commission is committed to protecting consumers’ privacy in the mobile sphere” by bringing enforcement actions where appropriate and “by working with industry and consumer groups to develop workable solutions that protect consumers while allowing innovation in this growing marketplace.” In Commission testimony before the Senate Judiciary Committee Subcommittee for Privacy, Technology and the Law, Jessica Rich, Deputy Director in the FTC’s Bureau of Consumer Protection said the FTC has been examining mobile and wireless issues since 2000, when the agency hosted a workshop on emerging wireless Internet and data technologies and the privacy, security, and consumer protection issues they raise. The FTC also hosted a technology forum in 2006 that featured mobile issues, two Town Halls to explore the use of radio frequency identification technology and its integration into mobile devices, and a forum in 2008 examining consumer protection issues in the mobile sphere. In addition, the FTC has taken law enforcement actions against companies that fail to protect the privacy and security of consumer information. The testimony highlighted four recent cases that illustrate how the FTC’s authority applies to the mobile arena. The FTC’s case against Google alleges that the company deceived consumers by using information collected from Gmail users to generate and populate a new social network, Google Buzz, without users’ consent. As part of the proposed settlement order, Google must protect the privacy of all of its customers – including mobile users."

    * Symantec: Facebook Applications Accidentally Leaking Access to Third Parties

    News release: "Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue. Facebook applications are Web applications that are integrated onto the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day. Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms. We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties. Access tokens are like ‘spare keys’ granted by you to the Facebook application. Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc."

    * Law Enforcement Use of Global Positioning (GPS) Devices to Monitor Motor Vehicles: Fourth Amendment Considerations

    CRS - Law Enforcement Use of Global Positioning (GPS) Devices to Monitor Motor Vehicles: Fourth Amendment Considerations, February 28, 2011

  • "As technology continues to advance, what was once thought novel, even a luxury, quickly becomes commonplace, even a necessity. Global Positioning System (GPS) technology is one such example. Generally, GPS is a satellite-based technology that discloses the location of a given object. This technology is used in automobiles and cell phones to provide individual drivers with directional assistance. Just as individuals are finding increasing applications for GPS technology, state and federal governments are as well. State and federal law enforcement use various forms of GPS technology to obtain evidence in criminal investigations. For example, federal prosecutors have used information from cellular phone service providers that allows real-time tracking of the locations of customers’ cellular phones. Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (P.L. 90-351) regulates the interception of wire, oral, and electronic communications. As such, it does not regulate the use of GPS technology affixed to vehicles and is beyond the scope of this report. The increased reliance on GPS technology raises important societal and legal considerations. Some contend that law enforcement’s use of such technology to track motor vehicles’ movements provides for a safer society. Conversely, others have voiced concerns that GPS technology could be used to reveal information inherently private. Defendants on both the state and federal levels are raising Fourth Amendment constitutional challenges, asking the courts to require law enforcement to first obtain a warrant before using GPS technology."
  • May 08, 2011
    * UK - Consumer empowerment strategy - Better Choices: Better Deals

    Better Choices: Better Deals - Consumers Powering Growth. UK Department for Business, Innovations and Skills, April 2011

  • "This document aims to show how consumers can become empowered to make better choices and get better deals. It is about helping consumers to get better value, better customer service and better support when making choices or seeking help. By empowering consumers, Better Choices: Better Deals can also contribute to long term growth. More active consumers mean that our best and most innovative businesses benefit most, helping to improve overall economic performance. Many of the changes set out in Better Choices: Better Deals would have been impossible a decade ago. The internet, smart phones and new data management methods have increased the information available to consumers. This has created new opportunities for consumers, which we want to support. These technological changes have also given businesses more information about their customers’ shopping habits. In some areas, businesses know more about customers’ spending habits than they do themselves – with detailed knowledge of how they use their phone, or how likely they are to go over their overdraft limit. Better Choices: Better Deals is about putting customers in charge: in charge of their own personal data which can be used to inform their purchasing decisions and lifestyle choices. However, our vision of consumer empowerment goes far beyond the hidden value in information. We want, for example, to foster renewed and widespread interest in collective purchasing, enabling consumers to be stronger by acting together. We want Government organisations to publish more of their data on consumer issues, especially on complaints. And above all, we want this strategy to stimulate feedback to Government about how we can support consumers to get better choices, better deals from business and Government. Please go to www.bis.gov.uk/betterchoices to let me know what you think."
  • * Article: The Path Dependence of European Copyright

    Larsson, Stefan, The Path Dependence of European Copyright (April 15, 2011). SCRIPT-ed, Vol. 8, No. 1, April 2011. Available at SSRN: http://ssrn.com/abstract=1824228

  • "This article analyses the path dependence of European copyright. It shows how copyright is legally constructed, is harmonised through international treaties and European regulatory efforts in terms of InfoSoc Directive and the IPRED, and is also affected by the Data Retention Directive and the Telecommunications Reform package. Furthermore, the “secretly” negotiated ACTA agreement is discussed as it may impose stronger copyright on Member States. This means that the formulations and metaphors of how copyright is constructed and conceptualised contribute towards various lock-in effects as the dependence on the given path increases. The strong path dependence of European copyright law results in regulation that suffers from legitimacy issues. Copyright construction is a legal complex that in general is based on ideas of the conditions of an analogue world for distribution and production of copies, but it is armed with increasingly protective measures when faced with human conduct in the context of digital networks. To some extent, this most probably involves the expansion of the concepts and metaphors that once described only non-digital practice. The trend in European copyright is therefore strongly protectionist, through the expanding and strengthening of rights and their enforcement, and in that it is self-reinforcing, being locked into certain standards. The path dependence of European copyright serves as a strong argument for those who benefit from its preservation, signalling that there are power structures supporting the colonisation by this specific legal path of other legal paths that protect other values, such as consumer privacy or versions of integrity. There is a clear tendency in targeting the ISPs and other intermediaries in attempts to keep the copyright path intact. The development of European copyright, in its broad sense, not only re-builds the Internet in terms of traceability, but also law enforcement in terms of mass-surveillance."
  • May 06, 2011
    * Applications Made to Foreign Intelligence Surveillance Court During 2010

    FISA Annual Reports to Congress 2010 [via FAS]

  • "During calendar year 2010, the Government made 1,579 applications to the Foreign Intelligence Surveillance Court (hereinafter "FISC") for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes. The 1,579 applications include applications made solely for electronic surveillance, applications made solely for physical search, and combined applications requesting authority for electronic surveillance and physical search. Of these, 1,511 applications included requests for authority to conduct electronic surveillance. Of these 1,511 applications, five were withdrawn by the Government. The FISC did not deny any applications in whole, or in part. The FISC made modifications to the proposed orders in fourteen applications. Thus, the FISC approved collection activity in a total of 1,506 of the applications that included requests for authority to conduct electronic surveillance."
  • * EPIC: Do Not Track Bills Introduced in Congress, Move Forward in California

    "Rep. Markey (D-MA) and Rep. Barton (R-TX) released a discussion draft of the "Do Not Track Kids Act of 2011." This Act establishes enhanced protections for the use and disclosure of the personal information of children and teens online. In February, Rep. Speier (D-CA) introduced the broader Do Not Track Me Online Act. And in California, the Senate Judiciary Committee voted to move their Do Not Track bill, SB 761, to the next stage in the Appropriations Committee. EPIC submitted a statement to Congress saying that an effective Do Not Track initiative must ensure that a consumer's decision to opt-out is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Advertising."

    May 05, 2011
    * The Deciders: Facebook, Google, and the Future of Privacy and Free Speech

    The Deciders: Facebook, Google, and the Future of Privacy and Free Speech, Jeffrey Rosen

  • "Open Planet [24/7 ubiquitous surveillance system] is not a technological fantasy. Most of the architecture for implementing it already exists, and it would be a simple enough task for Facebook or Google, if the companies chose, to get the system up and running: face recognition is already plausible, storage is increasing exponentially; and the only limitation is the coverage and scope of the existing cameras, which are growing by the day. Indeed, at a legal Futures Conference at Stanford in 2007, Andrew McLaughlin, then the head of public policy at Google, said he expected Google to get requests to put linked surveillance networks live and online within the decade. How, he asked the audience of scholars and technologists, should Google respond?"
  • May 04, 2011
    * Hearing on The Threat of Data Theft to American Consumers

    Via CDT - The Threat of Data Theft to American Consumers: "While two high-profile data breaches (Sony's PlayStation and Epsilon) have grabbed headlines lately because of their recency, data breach is a major longstanding problem for consumers, businesses and government. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached due to the roughly 2,460 data breaches made public since 2005. According to a 2010 Ponemon benchmark study, the cost of data breaches to businesses – in terms of preventing, detecting, and notifying individuals of breach, as well as legal defense and lost business opportunities – has risen considerably over the past several years. Consumers whose personal information is lost or stolen in data breaches face increased risks of identity theft, spam and phishing attacks, reduced trust toward services on which they depend, and sometimes humiliating loss of privacy over sensitive medical conditions."

    May 03, 2011
    * EPIC Proposes "Fair Information Practices" for Google

    "Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices ..." See also the EPIC complaint, In re Google Buzz.

    May 01, 2011
    * CDT: "Take Back Your Privacy's" Top 5 Privacy Tips

    Cyrus Nemati, CDT: "If you've been following our Take Back Your Privacy campaign, you've seen our weekly privacy tips. Each week, we offer readers a new way to protect their privacy online through plug-ins, browser tricks, programs, and general privacy best practices. While each tip has merit in its own right, there are a few tips that give you a great amount of control over your online privacy. Without further ado, here are Take Back Your Privacy's Top Five Privacy Tips."

    April 29, 2011
    * Four Major Communications Carriers Respond to Questions About Customer Data Collection

    The big four phone carriers spill on their location and customer data collection policies: "The recent uproar over location tracking in smartphones has gotten ugly and fingers are bound to be pointed. But in the spirit of transparency, the four major carriers have outlined and detailed their location tracking applications as well as what exactly that data is being used for. The honesty does come as a response to the revelation that iPhones, Android devices, and Windows Phone 7 units are tracking user location."

  • Markey, Barton Respond to Wireless Companies - Follows Inquires of Apple Collection of Personal Location Information by iPhones, iPads: "Congressmen Edward Markey (D-Mass.) and Joe Barton (R-Tex.) today released the responses from the four major U.S. wireless carriers – AT&T, Verizon, Sprint, and T-Mobile – after the lawmakers wrote to the companies inquiring about their data collection, storage and disclosure practices for customers’ personally identifiable information. Reps. Markey and Barton, co-Chairmen of the House Bi-Partisan Privacy Caucus, wrote to the wireless carriers in response to a New York Times report that a German mobile phone company tracked the locations and destinations of one of its customers, including latitude and longitude coordinates. “The responses of the wireless carriers provide important insights into how each company collects, uses and stores personal location data, including examples of how consumers can grant or withhold consent when location-based services are utilized,” said Rep. Markey. “Consumer consent and control are critical to ensure adequate privacy protections, and the responses shine a light on the various methods used to safeguard consumers’ sensitive information."
  • April 26, 2011
    * PC World: A trade group raises concerns about the FTC settlement with Google over Buzz

    A trade group raises concerns about the FTC settlement with Google over Buzz, by Grant Gross

  • "The U.S. Federal Trade Commission's proposed settlement with Google over its bungled launch of the Buzz social-networking service could have disastrous effects on the rest of the e-commerce industry, the head of a trade group said. Privacy groups and some FTC officials are pressing to set the Buzz settlement as an online privacy standard. And one provision of the proposed settlement would be a "real killer" for the rest of the e-commerce industry, said Steve DelBianco, executive director of trade group NetChoice. The proposed settlement, with public comments due next Monday, requires Google to get "express affirmative consent" from its users for "any new or additional sharing" of personal information with third parties if the new sharing is a change in Google's practices. This provision, if it becomes an industry standard enforced by the FTC, would require all online businesses to get opt-in permission from customers for minor changes in the way they share information with partners or other businesses, DelBianco said. Opt-in requirements would make it difficult for social-networking and online content sites to roll out new innovations and pay for their free services, he said. The calls for the settlement to become a privacy standard "can't be allowed to produce side effects for the rest of the industry for something Google did inappropriately," DelBianco said. "If the FTC gets its way and imposes the Google settlement on the entire industry, Google's competitors have to obtain express, affirmative consent before releasing any new features that would just share non-sensitive user data with third-party apps and advertisers."
  • * Commentary: Welcome to the age of data: Watch your back!

    Welcome to the age of data: Watch your back! by Molly Wood

  • "This week's iPhone location tracking scandal is just the latest glaring spotlight on how much of your personal information is gushing out the door, whether unprotected on your own devices and ripe for the picking, or into corporate and botnet servers worldwide. Personal information is the currency of the post-technological age, and the cost of "free" has never been higher. Your data, on an increasingly minute and personal level, powers every Web or network-based company, from start-up to monolith. Google maintains literally acres of servers dedicated to storing your communications--from e-mail to texts to the transcripts of your voice mail; your browsing and shopping habits; your blog posts; your photos; your calendar appointments; and of course, your intensely personal search histories. If you're logged in to a Google service, that information is all tied to your IP address. Only the thinnest of artificial technical barriers--a sort of loose privacy honor system--keeps Google from combining the data into a scarily accurate digital version of you (like the first digital Cylon, if you will). But pity poor Google, which must gather all this information by increasingly intrusive means, like the DoubleClick ad cookie that tracks your browsing all across the Web, surreptitious Wi-Fi sniffing, and sending location information about you back to its data centers even when you're not running location apps. On the other side of the aisle lies Facebook, which has cleverly cajoled 500 million users (and growing) into giving up virtually all the same information for free. Profiles, Places, Deals, and of course, the ever-present Like button, which lets you easily record your preferences for everything from opinions to shoes to celebrities and bands...you can almost imagine Facebook whispering a little "thank you" every time you click that little blue button."

  • April 24, 2011
    * 'HTTPS Now' Campaign Urges Users to Take an Active Role in Protecting Internet Security

    News release: "The Electronic Frontier Foundation (EFF) and Access have launched an international campaign for HTTPS Now, rallying consumers around the world to help us make web surfing safer. HTTPS (Hypertext Transfer Protocol Secure) protects web surfing by encrypting requests from a user's browser and the resulting pages that are displayed, but many websites default to using the unencrypted and vulnerable HTTP protocol. The HTTPS Now campaign takes a three-pronged approach to protecting web surfing, including distributing updated tools for people to use to protect their web browsing, taking an Internet-wide survey of the state of HTTPS deployment, and helping website operators implement HTTPS. As a first step, individuals using the web are encouraged to install HTTPS Everywhere, a security tool for the Firefox browser developed by EFF and the Tor Project. HTTPS Everywhere automatically encrypts a user's browsing, changing it from HTTP to HTTPS whenever possible."
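    What "changing it from HTTP to HTTPS whenever possible" looks like in practice, as an added example that is neither EFF's nor the Tor Project's code: HTTPS Everywhere ships per-site rulesets that name the hosts they cover, regular-expression rewrites from `http://` to `https://`, and exclusions for paths a site cannot yet serve over TLS. The XML shape below (`<target host>`, `<exclusion pattern>`, `<rule from to>`, `$1`-style groups in `to`) is assumed from that project's ruleset format; the hosts, patterns and URLs are made up for the demonstration. The extension only rewrites URLs a ruleset explicitly covers, which is why a lookalike host is left untouched.

```python
"""Added example, not EFF's or the Tor Project's code: the kind of rewrite
HTTPS Everywhere performs, run on a constructed ruleset.

Assumed: the ruleset XML shape used by HTTPS Everywhere (<target host>,
<exclusion pattern>, <rule from to>, with $1-style groups in 'to'). The
hosts, patterns and URLs below are made up for the demonstration.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

CONSTRUCTED_RULESET = """
<ruleset name="Example (constructed)">
  <target host="example.com" />
  <target host="*.example.com" />
  <!-- constructed exclusion: this host is deliberately left on HTTP -->
  <exclusion pattern="^http://legacy\\.example\\.com/" />
  <rule from="^http://(www\\.)?example\\.com/" to="https://www.example.com/" />
  <rule from="^http://([^/:@]+)\\.example\\.com/" to="https://$1.example.com/" />
</ruleset>
"""


def _js_backrefs(to: str) -> str:
    """Ruleset 'to' attributes use $1-style groups; Python's re wants backslash-1."""
    return re.sub(r"\$(\d+)", r"\\\1", to)


class Ruleset:
    def __init__(self, xml_text: str):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        self.targets = [t.get("host") for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
        self.rules = [(re.compile(r.get("from")), _js_backrefs(r.get("to")))
                      for r in root.findall("rule")]

    def covers(self, host: str) -> bool:
        """Target matching: exact host, or exactly one extra label for '*.' targets."""
        for target in self.targets:
            if target.startswith("*."):
                if host.endswith(target[1:]) and host.count(".") == target.count("."):
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url: str) -> Optional[str]:
        """HTTPS URL for `url`, or None when this ruleset leaves it untouched."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.covers(parts.hostname or ""):
            return None
        if any(p.search(url) for p in self.exclusions):
            return None                       # site cannot serve this over TLS (yet)
        for pattern, replacement in self.rules:
            new_url, n = pattern.subn(replacement, url, count=1)
            if n:
                return new_url                # first matching rule wins
        return None


def upgrade(url: str, rulesets: List[Ruleset]) -> str:
    """Apply the first ruleset that rewrites the URL; otherwise it goes out unchanged."""
    for rs in rulesets:
        rewritten = rs.rewrite(url)
        if rewritten:
            return rewritten
    return url


if __name__ == "__main__":
    rs = Ruleset(CONSTRUCTED_RULESET)
    for u in ["http://example.com/a?b=1", "http://cdn.example.com/x.js",
              "http://legacy.example.com/", "http://evil-example.com/"]:
        print(u, "->", upgrade(u, [rs]))
```

    The exclusion is the part operators most often forget: a ruleset that upgrades a path the server only answers over HTTP produces a redirect loop or a broken page, which is why the campaign's third prong (helping site operators deploy HTTPS properly) matters as much as the browser-side rewrite.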

    * Dutch Data Protection Authority issues several administrative orders against Google

    News release: "[April 19, 2011], the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) has issued several administrative orders against Google for incremental penalty payments. Investigations by the CBP show that Google has, for a period of two years, systematically, and without the data subjects’ knowledge, collected MAC addresses of more than 3.6 million WiFi routers, in combination with the calculated location of those routers. This was done by using the so called ‘Street View cars’. MAC addresses in combination with their calculated locations, qualify, in this context, as personal data, because the collected data provide information about the WiFi router’s owners. The Dutch DPA also concludes that Google, using the same Street View cars, collected so called payload data, the contents of internet communication. This information contains personal data such as e-mail addresses, medical data and information concerning financial transactions.
    Google has been ordered to, within three months, inform the data subjects – off line as well as on line – about the collection of data originating from WiFi routers by the Street View cars. Within the same period of three months, Google must also offer an on line possibility to opt-out from the database in order to enable people to object to the processing of the data concerning their WiFi routers. In case Google does not comply with the administrative order within the time period granted, the penalty amount can increase to a maximum of one million euros. Furthermore, Google is obliged to destroy the payload data it has collected in the Netherlands within four weeks. Read the Dutch press release and the relevant documents (only in Dutch)."

    April 23, 2011
    * Tracking Citizen Whereabouts Using SmartPhone Logs

    Declan McCullagh, Chief political correspondent, CNET: How police have obtained iPhone, iPad tracking logs

  • "Law enforcement agencies have known since at least last year that an iPhone or iPad surreptitiously records its owner's approximate location, and have used that geolocation data to aid criminal investigations. Apple has never publicized the undocumented feature buried deep within the software that operates iPhones and iPads, which became the topic of criticism this week after a researcher at a conference in Santa Clara, Calif., described in detail how it works. Apple had acknowledged to Congress last year only that “cell tower and Wi-Fi access point information” is “intermittently” collected and “transmitted to Apple” every 12 hours. At least some phones running Google's Android OS also store location information, Swedish programmer Magnus Eriksson told CNET today. And research by another security analyst suggests that “virtually all Android devices” send some of those coordinates back to Google."
  • WSJ.com: Apple, Google Collect User Data
  • 3 New Thoughts on Mobile Location – A Follow up to Apple Location Tracking
    April 22, 2011
    * Information Security Oversight Office released its Fiscal Year 2010 Annual Report to the President

    Information Security Oversight Office’s (ISOO) Report to the President for Fiscal Year (FY) 2010: "This report provides information on the status of the security classification program as required by Executive Order 13526, “Classified National Security Information” (the Order). It provides statistics and analysis concerning key components of the system, primarily classification and declassification, and coverage of ISOO’s reviews. It also contains information with respect to industrial security in the private sector as required by Executive Order 12829, as amended, “National Industrial Security Program.” FY 2010 was a notable year for the security classification program. The initial implementation of Executive Order 13526 began in earnest and remains ongoing. To comply with your direction that a government-wide implementing directive be issued within 180 days, we led an interagency working group that developed 32 C.F.R. Part 2001 which became effective and binding on all appropriate Executive branch agencies on June 25, 2010. However, we are concerned about delays in the issuance of agency regulations implementing the Order. Despite the preparation of agency drafts and the completion of our review last Fall, many agencies failed to issue their regulations in final form by December 2010 and many have yet to issue them as of the date of this letter [April 15, 2011]."

    April 20, 2011
    * CRS - Privacy Protections for Personal Information Online

    Privacy Protections for Personal Information Online, Gina Stevens, Legislative Attorney, April 6, 2011

  • "There is no comprehensive federal privacy statute that protects personal information. Instead, a patchwork of federal laws and regulations govern the collection and disclosure of personal information and has been addressed by Congress on a sector-by-sector basis. Federal laws and regulations extend protection to consumer credit reports, electronic communications, federal agency records, education records, bank records, cable subscriber information, video rental records, motor vehicle records, health information, telecommunications subscriber information, children’s online information, and customer financial information. Some contend that this patchwork of laws and regulations is insufficient to meet the demands of today’s technology. Congress, the Obama Administration, businesses, public interest groups, and citizens are all involved in the discussion of privacy solutions. This report examines some of those efforts with respect to the protection of personal information. This report provides a brief overview of selected recent developments in the area of federal privacy law. This report does not cover workplace privacy laws or state privacy laws."

    April 19, 2011
    * Verizon Risk Team: 2011 Data Breach Investigations Report

    News release: "Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the “Verizon 2011 Data Breach Investigations Report.” These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices. The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action. The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant."

  • 2011 Data Breach Investigations Report, A study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit.
    * EPIC - Solicitor General to Supreme Court: Review GPS Tracking Cases

    "The Solicitor General filed a petition with the Supreme Court about the growing dispute in the federal courts over warrantless locational tracking. There is a split among the appellate court about GPS tracking by police agencies. The petition appeals a decision from the DC Circuit which held that the warrantless tracking of a motor vehicle violates the Constitutional right against unlawful searches. Earlier, EPIC filed an amicus brief in the Massachusetts Supreme Judicial Court case that also held that a warrant is required for the use of a GPS tracking device. For more information, see EPIC - Commonwealth v. Connolly and EPIC - Locational Privacy."

    April 18, 2011
    * Digital Agenda: children using social networks at a younger age; many unaware of basic privacy risks, says survey

    EU: "77% of 13-16 year olds and 38% of 9-12 year olds in the EU have a profile on a social networking site, according to a pan-European survey carried out for the European Commission. Yet, a quarter of children who use social networking sites like Facebook, Hyves, Tuenti, Nasza-Klasa SchuelerVZ, Hi5, Iwiw or Myvip say their profile is set to "public" meaning that everyone can see it, and many of these display their address and/or phone number. The figures highlight the importance of the European Commission's upcoming review of the implementation of the Safer Social Networking Principles for the EU. This agreement was brokered by the Commission in 2009 (IP/09/232) when major social networking companies agreed to implement measures to ensure the online safety of their under 18s users. Children's safety online is an important part of the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200)."

    * EDPS opinion on EU Financial Regulation: EU budget needs clear rules on transparency, also to protect individuals' personal data

    "On 15 April 2011, the European Data Protection Supervisor (EDPS) adopted an opinion on the Commission's proposal aimed at revising the financial rules applicable to the annual budget of the European Union ("EU Financial Regulation"). The proposal covers several matters which involve the processing of personal data by the EU institutions and by entities at Member State level. One of the most significant new elements introduced by the proposal is the possibility to publish decisions on administrative and financial penalties. Such publication would entail the disclosure of information about the person concerned in an identifiable way. The EDPS believes that this provision does not meet the requirements of data protection law. To better comply with data protection rules, it should be improved by explicitly indicating the purpose for the disclosure and by ensuring the consistent application of the possibility of what is in fact naming and shaming of persons, with use of clear criteria to demonstrate the necessity of the disclosure."

    April 17, 2011
    * White House Releases National Strategy for Trusted Identities in Cyberspace

    National Strategy for Trusted Identities in Cyberspace, Enhancing Online Choice, Efficiency, Security, and Privacy - April 2011

  • "A secure cyberspace is critical to our prosperity. We use the Internet and other online environments to increase our productivity, as a platform for innovation, and as a venue in which to create new businesses. “Our digital infrastructure, therefore, is a strategic national asset, and protecting it—while safeguarding privacy and civil liberties—is a national security priority” and an economic necessity. By addressing threats in this environment, we will help individuals protect themselves in cyberspace and enable both the private sector and government to offer more services online. As a Nation, we are addressing many of the technical and policy shortcomings that have led to insecurity in cyberspace. Among these shortcomings is the online authentication of people and devices: the President’s Cyberspace Policy Review established trusted identities as a cornerstone of improved cybersecurity...The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy) charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions."
    April 16, 2011
    * SSA IG: Personally Identifiable Information Made Available to the Public Via the Death Master File

    Follow-up: Personally Identifiable Information Made Available to the Public Via the Death Master File (Limited Distribution), A-06-10-20173, 3/31/11

  • "SSA implemented procedures to report erroneous death entry-related personally identifiable information (PII) breaches to the United States Computer Emergency Readiness Team each week. SSA also hired a contractor to provide ongoing reviews of Death Master File (DMF) exposure related to 26,930 individuals whose PII SSA inadvertently exposed from July 2006 through January 2009. The contractor evaluated available data for anomalous patterns that could identify organized misuse. SSA stated that, to date, the contractor has identified no organized misuse. However, SSA did not implement a risk-based approach for distributing DMF information, attempt to limit the amount of information included on the DMF version sold to the public, or explore alternatives to inclusion of individuals’ full Social Security number (SSN). SSA continued to publish the DMF with the knowledge its contents included the PII of living numberholders."
    April 13, 2011
    * FTC Testifies on Protecting Social Security Numbers; Millions of Consumers are Victims of Identity Theft Each Year

    "The Federal Trade Commission today told a House subcommittee that millions of consumers are victims of identity theft each year at a cost of billions of dollars and countless hours of consumers’ time to repair the damage. In testimony before the House Ways and Means Committee’s Social Security Subcommittee, the agency said helping protect consumers from ID theft and deal with its consequences is a critical part of the FTC’s consumer protection mission. In the testimony, the FTC recommended legislation to help mitigate the identity theft problem by making Social Security numbers less useful to identity thieves and making the numbers harder to access."

    April 07, 2011
    * Epsilon Data Breach Threatens E-mail Privacy of Millions

    Via EPIC: "Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capital One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data."

    April 05, 2011
    * Symantec Internet Security Threat Report: Trends for 2010

    Symantec Internet Security Threat Report Trends for 2010, Volume 16, Published April 2011

  • "Spam and phishing data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; MessageLabs™ Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; as well as other Symantec technologies. Data is collected in more than 86 countries from around the globe. Over 8 billion email messages, as well as over 1 billion Web requests are processed per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future."
  • "Symantec recorded over 3 billion malware attacks in 2010 and yet one stands out more than the rest - Stuxnet. This attack captured the attention of many and led to wild speculation on the target of the attacks and who was behind them...."
    April 04, 2011
    * News reports that federal grand jury is investigating mobile apps privacy

    IDG News Service - "Pandora and possibly other makers of popular smartphone applications are being questioned by a federal grand jury about their privacy practices. In a filing with the U.S. Securities and Exchange Commission on Monday, Pandora said that early this year it was served with a subpoena to produce documents in connection with a federal grand jury "which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms," it said. The company also wrote that it believes similar subpoenas were issued to publishers of numerous other smartphone applications. Pandora was informed that it is not a specific target of the investigation, it said. Pandora has been the subject of class-action lawsuits charging it with violating computer privacy laws."

    March 31, 2011
    * FTC Chairman Issues Commission's 2011 Annual Report Highlights Agency Accomplishments to Protect Consumers and Competition

    "Federal Trade Commission Chairman Jon Leibowitz today issued the FTC’s 2011 Annual Report at the American Bar Association’s Section of Antitrust Law Spring Meeting in Washington, DC, highlighting the agency’s continued efforts to protect financially distressed consumers and promote competition during the economic downturn.

    “Over the past year, the FTC has challenged unscrupulous business practices and anticompetitive mergers, shut down shady operations and deceptive marketing campaigns, and protected consumers’ privacy and their pocketbooks,” Chairman Leibowitz said. “The agency’s actions in the past 12 months have had far-reaching effects in protecting consumers and competition in critical sectors of our economy – from high tech to health care, financial services to online commerce.”"
    March 30, 2011
    * FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network

    News release: "Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States."

    March 29, 2011
    * German study reports on mobile phone tracking of personal lives

    Via EFF: "Your cell phone company knows everywhere you go, twenty-four hours a day, every day. How concrete is this fact for you? It's very concrete for Malte Spitz, a German politician and privacy advocate. He used German privacy law — which, like the law of many European countries, gives individuals a right to see what private companies know about them — to force his cell phone carrier to reveal what it knew about him. The result? 35,831 different facts about his cell phone use over the course of six months. As the German newspaper website Zeit Online reports:

    “This profile reveals when Spitz walked down the street, when he took a train, when he was in an airplane. It shows where he was in the cities he visited. It shows when he worked and when he slept, when he could be reached by phone and when he was unavailable. It shows when he preferred to talk on his phone and when he preferred to send a text message. It shows which beer gardens he liked to visit in his free time. All in all, it reveals an entire life.”

    To show just how extensive this data is, Spitz chose to make it all available to the public; Zeit Online used it to prepare a remarkable interactive map, which animates Spitz's movements, moment by moment, over the course of half a year. It's correlated with information Spitz willingly posted on the web, and, according to him and the newspaper, is remarkably, eerily accurate. Try it out."
  • Tell-all telephone reveals politician’s life
    March 27, 2011
    * Privacy Impact Assessment for the Use of Unidirectional Social Media Applications Communications and Outreach

    Privacy Impact Assessment for the Use of Unidirectional Social Media Applications Communications and Outreach, March 8, 2011. Kathleen McShea
    Director of New Media and Web Communications, Office of Public Affairs, Department of Homeland Security

  • "Unidirectional social media applications encompass a range of applications, often referred to as applets or widgets, that allow users to view relevant, real-time content from predetermined sources. The Department of Homeland Security (DHS or Department) intends to use unidirectional social media tools including desktop widgets, mobile apps, podcasts, audio and video streams, Short Message Service (SMS) texting, and Really Simple Syndication (RSS) feeds, among others, for external relations (communications and outreach) and to disseminate timely content to the public about DHS initiatives, public safety, and other official activities and one-way notifications. These dynamic communication tools broaden the Department’s ability to disseminate content and provide the public multiple channels to receive and view content. The public will continue to have the option of obtaining comparable content and services through the Department’s official websites and other official means. This Privacy Impact Assessment (PIA) analyzes the Department’s use of unidirectional social media applications."
    March 25, 2011
    * EPIC Urges Court to Order Release of 2,000 Airport Body Scanner Images

    "EPIC asked a federal court in Washington, DC to reconsider its earlier decision allowing the Department of Homeland Security to keep secret 2,000 airport body scanner images in EPIC's Freedom of Information Act lawsuit. The Court relied on a legal theory in its decision, "Exemption High b(2)," that was recently struck down by the Supreme Court in Navy v. Milner. In Milner, the Court held that FOIA exemption 2 only applies to records concerning employee relations and human resources issues. Milner overturns previous lower court decisions that applied the exemption to broader categories of records, allowing federal agencies to block disclosure of documents to the public. EPIC argues in its motion that the Department of Homeland Security is unlawfully withholding information about the airport scanners from the public. For more information, see EPIC-Milner v. Dept. of Navy and EPIC v. DHS - Body Scanners."

    March 23, 2011
    * AVG Study Reveals Alarming Complacency Among Users of Mobile Devices on Security

    Smartphone Security - Survey of U.S. consumers, Ponemon Institute© Research Report, Sponsored by AVG Technologies, Independently conducted by Ponemon Institute LLC, Publication Date: March 2011

  • News release: "AVG Technologies, one of the leading providers of consumer security software, today revealed details of a sobering study uncovering new statistics about the data security risks involved in everyday smartphone use. Findings are the result of a recent study conducted by the Ponemon Institute in concert with AVG of 734 random US consumers over age 18 regarding their mobile communications behavior. The study confirmed AVG’s concerns focus on consumers’ indifference to the many serious security risks associated with the storage and transmission of sensitive personal data on iPhone, Blackberry and Android devices. Following are three of the most alarming:
    • 89 percent of respondents were unaware that smartphone applications can transmit confidential payment information such as credit card details without the user’s knowledge or consent.
    • 91 percent of respondents were unaware that financial applications for smartphones can be infected with specialized malware designed to steal credit card numbers and online banking credentials, yet nearly a third (29 percent) report already storing credit and debit card information on their devices and 35 percent report storing “confidential” work related documents as well.
    • 56 percent of respondents did not know that failing to properly log off from a social network app could allow an imposter to post malicious details or change personal settings without their knowledge. Of those aware, 37 percent were unsure whether or not their profiles had already been manipulated."
    March 22, 2011
    * EPIC: Courts Rejects Google Books Settlement as Unfair

    EPIC: "Judge Denny Chin struck down a proposed settlement between Google and copyright holders that would have imposed significant privacy risks on e-book consumers. Google's proposal would have entitled the company to collect each users' search queries as well as the titles and page numbers of the books they read. In a February 2010 hearing before the Court, EPIC President Marc Rotenberg explained EPIC Press Release: EPIC Urges Court To Reject Google Books Settlement; EPIC: Google Books Settlement and Privacy."

    March 16, 2011
    * FTC Testifies Before Senate Commerce Committee on Privacy; Industry Efforts to Implement "Do Not Track" System Already Underway

    News release: "In testimony before the Senate Committee on Commerce, Science and Transportation, the Federal Trade Commission discussed its efforts to protect consumer privacy through enforcement actions, consumer education, and policy initiatives like the FTC staff’s recent preliminary privacy report. The report proposes a framework to balance consumer privacy with industry innovation by: 1) building privacy protections into everyday business practices (“privacy-by-design”); 2) simplifying privacy choices for consumers; and 3) improving transparency with clearer, shorter privacy notices. The Commission told Congress that industry stakeholders have made important progress in implementing Do Not Track, a mechanism proposed in the staff's preliminary privacy report last December that would allow consumers to choose not to have their Internet browsing tracked by third parties. The testimony noted that two of the major Internet browsers – Microsoft and Mozilla – “have recently announced the development of new choice mechanisms for online behavioral advertising that seek to provide increased transparency, greater consumer control, and improved ease of use.”"

  • "...the ACLU's Chris Calabrese testified before the Senate Commerce, Science and Transportation Committee on the state of online consumer privacy. In his testimony, Chris describes the danger that looms if Congress does not enact some online protections. He says: “If this collection of data is allowed to continue unchecked, then capitalism will build what the government never could — a complete surveillance state online.”"
    * EPIC Urges Congress to Suspend Body Scanner Program, Require Public Comment Period

    EPIC: "In a hearing before the House Oversight Subcommittee on National Security, EPIC urged Congress to suspend the use of airport body scanners for primary screening. EPIC said the devices were not effective and were not minimally intrusive, as courts have required for airport searches. EPIC cited TSA documents obtained in EPIC's FOIA lawsuit which showed that the machines are designed to store and transfer images, and not designed to detect powdered explosives. EPIC was joined on the panel by radiation expert Dr. David Brenner, who has frequently pointed out the radiation risks created by these machines. The TSA, which is a federal agency funded by taxpayer dollars and responsible for the body scanner program, originally refused to testify at the hearing. Eventually they showed up. Chairman Jason Chaffetz, who had previously sponsored a bill regarding body scanners, grilled the TSA officials and said the hearing would continue with more questions. For more information see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS."

    * Report: 2010 U.S. Cost of a Data Breach

    News release: "The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors."

    March 11, 2011
    * FTC Accepts Final Settlement with Twitter for Failure to Safeguard Personal Information

    News release: "The Federal Trade Commission has finalized a proposed settlement that it announced in June 2010 with social networking site Twitter, which resolved charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information. The FTC alleged that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account. The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.” In addition, Twitter offered its users privacy settings that enabled them to designate their tweets as private."

    * EFF: Court Rules Against Privacy in Battle Over Twitter Records

    ACLU And EFF Plan To Appeal Ruling In Case Challenging Government Attempt To Obtain Private Data in WikiLeaks Investigation

  • "A federal magistrate judge in Virginia ruled today that the government can collect the private records of three Twitter users as part of its investigation related to WikiLeaks, and that those users and the public can be prevented from seeing some of the documents that the government submitted to the court to justify obtaining their records. The court denied the government's request to conduct last month's hearing about the records in secret, however, and the court made public all of the documents related to the users' legal challenge. The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union plan to appeal the decision on behalf of their client Birgitta Jonsdottir, an Icelandic parliamentarian. The secret government demands for information about the subscribers' communications came to light only because Twitter took steps to ensure their customers were notified and had the opportunity to respond. The ACLU and EFF also asked the court to make public any similar orders to any other companies."
    March 08, 2011
    * Civil Liberties and Industry Groups Release Cybersecurity White Paper

    News release: "For the first time, industry groups and civil liberties interests have come together to advocate a comprehensive, common approach to cybersecurity. That approach is reflected in today's release of a cybersecurity white paper that rejects government mandates and advocates for a stronger partnership between industry and government. The 20-page white paper is a joint release from CDT, U.S. Chamber of Commerce, Business Software Alliance, TechAmerica, and the Internet Security Alliance."

    * FTC Releases List of Top Consumer Complaints in 2010

    News release: "The Federal Trade Commission today released the list of top consumer complaints received by the agency in 2010. The list showed that for the 11th year in a row, identity theft was the number one consumer complaint category. Of 1,339,265 complaints received in 2010, 250,854 – or 19 percent – were related to identity theft. Debt collection complaints were in second place, with 144,159 complaints. The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted."

    March 02, 2011
    * Inspector General Finds Homeland Security's Contract Management Process Noncompetitive

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Inspector General of the Department of Homeland Security released a report finding that the agency's contract files did not "contain[] sufficient evidence of justification and approval, market research, and acquisition planning" for the $1.3 billion dollars in noncompetitive contracts the agency entered into in fiscal year 2010. The noncompetitive process raises doubts that the agency secured the "best possible value" for the goods and services and that the contracts were awarded to "eligible and qualified vendors." The IG recommended that the agency’s Chief Procurement Officer pursue corrective action plans. EPIC previously criticized the agency’s contracting practices regarding whole body scanners. For related information see EPIC: EPIC v. DHS: Body Scanners (Suspend the Program) and EPIC: EPIC v. DHS (FOIA)."

    February 28, 2011
    * "Nano hummingbird" like drones under development with Pentagon funding

    News release: AeroVironment Develops World’s First Fully Operational Life-Size Hummingbird-Like Unmanned Aircraft for DARPA

  • Nano Hummingbird [see accompanying video] - "AeroVironment (AV) is developing the Nano Air Vehicle (NAV) under a DARPA sponsored research contract to develop a new class of air vehicle systems capable of indoor and outdoor operation. Employing biological mimicry at an extremely small scale, this unconventional aircraft could someday provide new reconnaissance and surveillance capabilities in urban environments."

    February 27, 2011
    * Internet Crime Complaint Center - 2010 Internet Crime Report

    2010 Internet Crime Report, The Internet Crime Complaint Center (IC3), February 2011

  • "Now in its tenth year, the Internet Crime Complaint Center (IC3) has become a vital resource for victims of online crime and for law enforcement investigating and prosecuting offenders. In 2010, IC3 received the second-highest number of complaints since its inception. IC3 also reached a major milestone this year when it received its two-millionth complaint. On average, IC3 receives and processes 25,000 complaints per month. IC3 is more than a repository for victim complaints. It serves as a conduit for law enforcement to share information and pursue cases that often span jurisdictional boundaries. IC3 was founded in 2000 as a joint effort between the National White Collar Crime Center (NW3C)/Bureau of Justice Assistance (BJA) and the Federal Bureau of Investigation (FBI). That partnership leveraged the resources necessary to aid law enforcement in every aspect of an Internet fraud complaint.
    The most common victim complaints in 2010 were non-delivery of payment/merchandise, scams impersonating the FBI (hereafter “FBI-related scams”) and identity theft. Victims of these crimes reported losing hundreds of millions of dollars."
    February 23, 2011
    * Deloitte - Privacy and Security in Health Care: A Fresh Look

    Privacy and Security in Health Care: A Fresh Look

  • "Privacy and security is a significant challenge for every health care organization and a concern for every U.S. citizen. The move toward an entirely automated health care system featuring electronic and personal health records, clinical data warehousing, and increased transparency means more data is at risk and suggests an urgent review of industry privacy and security safeguards. The potential liability for data breaches is significant and increasing. Stakeholders must act now to prevent compromising sensitive patient data, preserve brand value, and avoid substantial financial penalties for violations. This Issue Brief from the Deloitte Center for Health Solutions (DCHS):
    • Provides an update about current and emergent privacy and security challenges in health care;
    • Examines notable hot spots where current policies, rules, and regulations are a focus of industry risk;
    • Reviews the state of preparedness for privacy and security risk throughout the industry;
    • Suggests an approach to assessing an organization's current preparedness."
    February 17, 2011
    * FOIA Request Yields FBI Documents on Expanding Federal Surveillance Laws

    "EFF just received documents in response to a 2-year old FOIA request for information on the FBI’s "Going Dark" program, an initiative to increase the FBI's authority in response to problems the FBI says it's having implementing wiretap and pen register/trap and trace orders on new communications technologies. The documents detail a fully-formed and well-coordinated plan to expand existing surveillance laws and develop new ones. And although they represent only a small fraction of the documents we expect to receive in response to this and a more recent FOIA request, they were released just in time to provide important background information for the House Judiciary Committee’s hearing [February 17, 2011] on the Going Dark program."

    February 15, 2011
    * FTC Offers Tips on Wise Use of Wi-Fi Networks

    News release: "The Federal Trade Commission, the nation’s consumer protection agency, released tips to help people protect their personal information while they use public wireless networks – Wi-Fi hotspots in coffee shops, libraries, airports, hotels, universities, and other public places. While convenient, public Wi-Fi networks often are not secure. When using wireless networks, it’s best to send only personal information that is encrypted – either by an encrypted website or a secure network. Encryption scrambles information sent over the internet into a code so that it’s not accessed by others. An encrypted website protects only the information sent to and from that site. A secure wireless network encrypts all the information sent over it. To determine if a website is encrypted, look for https at the beginning of the web address (the “s” is for secure), and a lock icon at the top or bottom of the browser window. Some websites use encryption only on the sign-in page, but if any part of the session isn’t encrypted, the entire account could be vulnerable. Look for https and the lock icon throughout the site, not just at sign in."

  • OnGuard Online: Tips for Using Public Wireless Networks
    February 13, 2011
    * Backgrounder - 10 Conservative Principles for Cybersecurity Policy

    10 Conservative Principles for Cybersecurity Policy, by Paul Rosenzweig, George Washington University School of Law; posted February 10, 2011

  • "In the age of the Internet, which now determines daily life for Americans, many threats to the U.S. now exist in the cyber domain. Cybersecurity is a near constant theme in Washington, as well as for private companies around the country. Congress and government agencies are clamoring to develop policies and strategies to protect national security and commercial interests. Internet attacks are already a standard feature of modern life, and the threats and their implications—from hacking into company sites to steal credit card numbers to hacking into government computers for espionage—are growing fast. Cybersecurity must be addressed—the right way. This Heritage Foundation paper outlines the basic facts of the Internet—and the policy principles to which they lead."
    February 12, 2011
    * Advanced sign-in security for your Google account

    Official Google Blog: "Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples...that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information...2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page."

    February 11, 2011
    * California Supreme Court Rules Zip Code is Personal Information

    EPIC: "In Pineda v. Williams-Sonoma, the California Supreme Court has determined that merchants may not require credit card customers to provide ZIP codes. In a unanimous decision, the Court found that ZIP codes are "personal identification information" under the state Credit Card Act of 1971. In the Pineda case, the customer believed that providing an SSN was necessary to complete a credit card transaction. The merchant subsequently used the SSN to determine the customer's home address. The California court said that the Credit Card Act "intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction." For more information, see EPIC - Social Security Numbers and EPIC - Reidentification."

    February 07, 2011
    * Digital Signage Federation Releases Digital Signage Privacy Standards

    "The Digital Signage Federation (DSF), a professional membership association, announced today the release of new industry standards for digital signage privacy. The “Digital Signage Privacy Standards” are a set of voluntary privacy guidelines recommended by DSF for digital signage companies, their partners and the venues that host these systems....The DSF Standards Committee is comprised of eight members from different sectors of the industry, and is chaired by Ken Goldberg, CEO of Real Digital Media. Harley Geiger, a committee member and Policy Counsel at the Center for Democracy & Technology, was instrumental in leading the effort to develop policies that safeguard consumer privacy and preserve the public’s trust in the digital signage industry. Subsequently, the Digital Signage Privacy Standard includes strong principles in the following categories:

    • Transparency
    • Individual Participation
    • Purpose Specification
    • Data Minimization
    • Use Limitation
    • Data Quality & Integrity
    • Security
    • Accountability"

    * Facebook Enables Full-Session Encryption

    EPIC: "Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication," rather than traditional CAPTCHA, to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy."

    * State Cyberbullying Laws

    State Cyberbullying Law - A Brief Review of State Cyberbullying Laws and Policies, Sameer Hinduja, Ph.D. and Justin W. Patchin, Ph.D., Cyberbullying Research Center, updated January 2011

    February 06, 2011
    * New on LLRX.com: Emerging Legal Issues in Social Media, Part I

    Emerging Legal Issues in Social Media: In Part 1 of his commentary, Ken Strutin discusses how the growth of social media and social networking applications has permeated and extended the range of legal investigation, discovery and litigation. The materials he highlights represent a current sampling of notable developments in law enforcement, law practice, civil and criminal litigation, and technology's influence on human behavior.

    January 31, 2011
    * CDT Releases Draft Definition of 'Do Not Track'

    News release: "The Center for Democracy & Technology today released a proposal that sketches the parameters of what Do Not Track (DNT) means. The document is intended to identify the types of behaviors that DNT should prohibit, and jumpstart a discussion aimed at developing a common understanding of the terms of this emerging technology. The concept of DNT technology is gaining momentum; however, definitions underlying technology—such as what "tracking" actually means—are still in flux...CDT suggests the following definition for "tracking" in the context of Do Not Track:

  • Tracking is the collection and correlation of data about the Internet activities of a particular user, computer, or device, over time and across non-commonly branded websites, for any purpose other than fraud prevention or compliance with law enforcement requests."
    January 30, 2011
    * New Report: European Privacy and Human Rights (EPHR) 2010

    "Privacy International, EPIC, and the Center for Media and Communications Studies (CMSC) released European Privacy and Human Rights (EPHR) 2010, a report investigating the scope of privacy and data protection laws in Europe. The study includes 33 individual reports covering issues from privacy enforcement to ID cards, biometrics, and data-sharing and video surveillance. The study ranks privacy protections across the European Union (EU). An interactive map is also available. The EPHR is based on EPIC's report Privacy & Human Rights: An International Survey of Privacy Laws and Developments."

    January 24, 2011
    * China: Student Informant System to Expand, Limiting School Autonomy, Free Expression

    Via FAS: China: Student Informant System to Expand, Limiting School Autonomy, Free Expression (U//FOUO - "Unclassified // For Official Use Only") - 23 November 2010, CIA-DI-10-05021 [This report was prepared by the Open Source Works, which was charged by the Director for Intelligence with drawing on language-trained analysts to mine open-source information for new or alternative insights on intelligence issues.]

  • "Chinese educators and Communist Party officials are expanding the student informant system (SIS) to a growing number of Chinese universities, colleges, vocational institutes, and lower level schools. Students designated as student-informants, who report to an academic affairs department, engage in political spying on both professors and fellow students and denounce professors and students for politically subversive or unconventional views. (U//FOUO) The principal objective of the SIS is to ensure campus stability and to control the debate and discussion of politically sensitive issues. Students have had their scholarships revoked and their academic records penalized because of information provided by student informants that is sometimes highly subjective, such as facial expressions. Since 2002, the SIS has added a separate, secret system of student informants who report to university security departments. (U//FOUO) Despite some teacher and student resistance, the government appears determined to continue to use the SIS as a tool to ensure political stability on Chinese campuses, as evidenced by government studies touting its utility and effectiveness for improving education. The limited public debate on the SIS focuses on its impact on freedom of speech, the risk of spreading a culture of denunciation, and the harm the system does to cultivating talented students. (U//FOUO)"
    * "Do-Not-Track" Option Now on IE, Firefox and Chrome

    National Journal: "Google and Mozilla both announced that they will be adding "do-not-track" options to their Internet browsers, allowing users to prevent websites from gathering personal information and selling it to advertisers. Mozilla announced its plan Sunday with Google following suit Monday. According to a company statement, Google's "Keep My Opt-Outs" feature will be available as an extension for download on its Chrome browser Monday. "We made available, for all major browsers, a downloadable browser plugin that enables you to permanently opt out of Google's advertising cookie, even if you deleted all your browser's cookies," according to the statement. Mozilla's Firefox version will be an HTTP header that will tell websites that a user wants to opt out of what's called "online behavioral advertising." "The advantages to the header technique are that it is less complex and simple to locate and use, it is more persistent than cookie-based solutions, and it doesn't rely on user's finding and loading lists of ad networks and advertisers to work," Mozilla technology and privacy officer Alex Fowler wrote in a blog post Sunday. Microsoft announced a similar feature for its Internet Explorer in December."

    * The UK National Identity Card and the Identification Card for EEA nationals ceased to be valid legal documents on 21 January 2011

    UK Home Office: "The Government began the process of scrapping identity cards by introducing the Identity Documents Bill to Parliament on 26 May 2010. The Bill made provision for the cancellation of the UK National Identity Card, the Identification Card for EEA nationals and the destruction of the National Identity Register. This Bill has completed the parliamentary process and the Identity Documents Act 2010 received Royal Assent on 21 December 2010. In line with the terms of the Act identity cards ceased to be valid legal documents for the purposes of confirming identity, age or for travel in Europe on 21 January 2011. Under the terms of the Act the National Identity Register will be destroyed within two months of the Act coming into force. This means all personal information supplied during the process of applying for an identity card, including photographs and fingerprints, will be destroyed by 21 February 2011. Refunds will not be provided and identity card holders are not required to return the card to IPS. As the card will cease to be a legal document, if you have an identity card you should consider securely destroying it. If you choose to retain your identity card, you should ensure that it is kept in a safe and secure place. The statutory post of Identity Commissioner, set up under the Identity Cards Act 2006 to provide independent oversight of the National Identity Service, is also terminated under the terms of the Act."

    January 23, 2011
    * New Report - Domestic Intelligence: New Powers, New Risks

    Domestic Intelligence: New Powers, New Risks [released 01/18/11], by Emily Berman - Counsel in the Liberty and National Security Program at the Brennan Center for Justice

  • "Successful domestic counterterrorism policy is vital to keep the homeland safe. In this effort, policymakers must resist the oft-exhibited tendency to overreact to the threats we face. This overreaction, time and again, takes a similar form: In the face of a perceived existential threat, we expand the scope of the government’s powers while simultaneously diminishing oversight of and accountability for the use of those powers. We fail to ensure that these powers will be employed in a manner consistent with our fundamental values. Civil liberties—such as privacy and freedom of expression, association, and religion—are often curtailed. In the wake of 9/11, government action exhibited this tendency across a wide range of counterterrorism policies."
    January 19, 2011
    * Supreme Court Affirms Right to Informational Privacy, But Says Privacy Act Safeguards Sufficient for NASA Records

    EPIC: "The Supreme Court has issued a decision in NASA v. Nelson, a case brought by NASA scientists who argued that the government's invasive background checks violated the Constitution. The Supreme Court found amicus brief, cosigned by 27 technical experts and legal scholars, which highlighted problems with the Privacy Act, including the "routine use" exception, security breaches, and the agency's authority to carve out its own exceptions. For more information, see EPIC: NASA v. Nelson."

    January 18, 2011
    * 2010 Year-End Electronic Discovery and Information Law Update

    Gibson Dunn 2010 Year-End Electronic Discovery and Information Law Update: "Calls for Reform Reach Crescendo. Sanctions Granted Less Frequently. Government's Duties Clarified. No Reasonable Expectation of Privacy In Social Media."

  • "There were also numerous interesting developments in e-discovery case law. This Update is based on our review of 323 decisions, which are listed in an appendix. The number of decisions in this area continues to grow at a brisk pace, as the 2010 total was 60% higher than the approximately 200 cases we reviewed in our 2009 Year-End Update (which, in turn, was double the number of cases we identified in 2008). Although we have reported the trends for the entire year, we have chosen to focus our discussion on decisions rendered in the second half of the year rather than to repeat what appeared in our 2010 Mid-Year Electronic Discovery and Information Law Update. Some highly significant decisions from the first half of the year -- for example, Pension Committee -- are discussed here through the prism of later developments and reactions from the bench and bar."
    January 16, 2011
    * Comment: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information

    McIntyre, Joshua J., The Number is Me: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011.

  • "Although computer logs typically correlate online activity only to Internet Protocol (IP) addresses, those addresses can be used to expose the individuals behind the computers. While various federal statutes protect similar data, such as telephone numbers and mailing addresses, as Personally Identifiable Information, federal privacy law does not sufficiently protect IP addresses. It has become commonplace for litigants to subpoena Internet Service Providers (ISPs) to unmask online speakers, and, because many ISPs have no reason to fight these subpoenas, they readily give up their subscribers’ names, addresses, telephone numbers, and other identifying data without demanding any court oversight or providing any notice to those identified. Left unchecked, such reporting could undermine free speech and the free exchange of ideas by encouraging users to censor their own online conduct. This Comment explores the possibility of protecting the IP address itself as Personally Identifiable Information (PII). It explores the various definitions of PII and the relevant technical aspects of IP addressing. It concludes that, despite some technical shortcomings, IP addresses are functionally similar to other types of PII and should be similarly protected in order to protect online privacy."

    January 13, 2011
    * EPIC Uses FOIA to Obtain TSA documents on Airport Screening Procurement Specifications

    Follow up to previous postings on government implementation of whole body scanning technology at airports, this News release: "A federal district court has granted the Department of Homeland Security's motion to conclude one of EPIC's Freedom of Information Act lawsuits. EPIC was seeking more than 2,000 images generated by airport body scanners held by the TSA. The DHS objected to the disclosure and the court sided with the government. The court relied on a legal theory, "Exemption High (b)(2)" that is currently under review by the Supreme Court in Milner v. Dept. of Navy. As a result of this lawsuit, EPIC obtained many documents concerning the airport screening program, including Procurement Specifications, Operational Requirements, traveler complaints, and vendor contracts with L3 and Rapiscan, that were subsequently made available to the public. EPIC may appeal the district court's decision as to the release of the body scanner images. For more information see EPIC: EPIC v. DHS and EPIC: Body Scanners."

    January 12, 2011
    * DHS Privacy Office 2010 Data Mining Report to Congress

    DHS Privacy Office 2010 Data Mining Report to Congress, December 2010

  • "This is the DHS Privacy Office’s fifth comprehensive report to Congress on DHS activities that involve data mining, and the third report pursuant to the Data Mining Reporting Act. The Homeland Security Act expressly authorizes the Department to use data mining, among other analytical tools, in furtherance of its mission. DHS exercises this authority to engage in data mining in the programs discussed in this report, all of which have been reviewed by the Chief Privacy Officer for potential impacts on privacy. The DHS Chief Privacy Officer’s authority for reviewing DHS data mining activities stems from three principal sources: the Privacy Act, the E-Government Act, and the Homeland Security Act, which states, in part, that the DHS Chief Privacy Officer is responsible for “assuring that the [Department’s] use of technologies sustains, and does not erode, privacy protections relating to the use, collection, and disclosure of personal information.” The DHS Privacy Office’s privacy compliance policies and procedures are based on the Fair Information Practice Principles (FIPPs), which are rooted in the tenets of the Privacy Act and memorialized in the December 2008 Privacy Policy Guidance Memorandum 2008-01, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security. The DHS Privacy Office compliance process discussed below is designed to identify and mitigate risks to privacy that may be posed by any DHS program, project, or information technology system."
    * Report: Protecting the Digital Economy

    "On January 10, 2011, the EastWest Institute released a report detailing the results of the First Worldwide Cybersecurity Summit: Protecting the Digital Economy, and outlining the cybersecurity initiative’s next steps as it prepares for the Second Worldwide Cybersecurity Summit in London on June 1-2. At the summit, held from May 3 to 5, 2010 in Dallas, Texas, EWI brought together over 400 technical experts, policy elites and national security officials from the Cyber40, an informal grouping of the world’s most digitally-advanced countries—among others, the United States, China, India, Russia and Estonia. Participants worked to identify problems facing crucial sectors of the Internet, such as financial services and essential government services, and forge concrete solutions to protect the world’s digital infrastructure."

    January 09, 2011
    * Next Steps to Enhance Online Security, Planned National Office for Identity Trust Strategy

    News release: "At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt announced plans to create a National Program Office to help foster an environment in which sensitive online transactions can be carried out with greater levels of trust. The National Program Office, to be established within the Department of Commerce, would coordinate federal activities needed to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for consumers. The national office would serve as the point of contact to bring the public and private sectors together to meet this challenge."

    January 05, 2011
    * National Taxpayer Advocate Delivers Annual Report to Congress; Focuses on Tax Reform, Collection Issues, and Implementation of Health Care Reform

    News release: "National Taxpayer Advocate Nina E. Olson today released her annual report to Congress, identifying the need for tax reform as the number one priority in tax administration. The Advocate expressed continuing concern that the IRS’s increasing use of hard-core enforcement actions, particularly tax liens, is inflicting unnecessary harm on financially struggling taxpayers. The report also examines challenges the IRS is facing in implementing the new health care law."

    * California Supreme Court Affirms Warrantless Search of Suspect's Cell Phone Text Messages

    PEOPLE v. DIAZ, Criminal Appeal, Start Date: 09/09/2008. Opinion issued - "Petition for review after the Court of Appeal affirmed a judgment of conviction of a criminal offense. This case presents the following issues: (1) Was defendant's cell phone an item "immediately associated with the person of the arrestee" within the meaning of United States v. Edwards (1974) 415 U.S. 800, and thus subject to search incident to his arrest? (2) Was the warrantless search of the cell phone an hour and a half after the arrest, while defendant was being interrogated, invalid under United States v. Chadwick (1977) 433 U.S. 1? The court ordered briefing deferred pending the decision of the United States Supreme Court in Arizona v. Gant, No. 07-542, cert. granted Feb. 25, 2008, __ U.S. __ [128 S.Ct. 1443, 170 L.Ed.2d 274], or further order of this court."

  • California Supreme Court opinion, The People v. Diaz, January 3, 2011: "We granted review in this case to decide whether the Fourth Amendment to the United States Constitution permits law enforcement officers, approximately 90 minutes after lawfully arresting a suspect and transporting him to a detention facility, to conduct a warrantless search of the text message folder of a cell phone they take from his person after the arrest. We hold that, under the United States Supreme Court's binding precedent, such a search is valid as being incident to a lawful custodial arrest. We affirm the Court of Appeal's judgment."
    * Top Issues Facing Social Security Administration Management - Fiscal Year 2011

    Top Issues Facing Social Security Administration Management - Fiscal Year 2011, December 2010

  • "The Reports Consolidation Act of 2000 requires that we summarize for inclusion in the Social Security Administration’s (SSA) Performance and Accountability Report, our perspective on the most serious management and performance challenges facing SSA. We have determined that the top management issues facing SSA in Fiscal Year 2011 are: Implement the American Recovery and Reinvestment Act Effectively and Efficiently, Improve Customer Service, Improve the Timeliness and Quality of the Disability Process, Improve Transparency and Accountability, Invest in Information Technology Infrastructure to Support Current and Future Workloads, Reduce Improper Payments and Increase Overpayment Recoveries, Reduce the Hearings Backlog and Prevent its Recurrence, and Strengthen the Integrity and Protection of the Social Security Number."
  • January 02, 2011
    * U.S. Airports Increasingly Looking at Private Airport Security Screening Options

    WaPo: As outrage over screenings rises, sites consider replacing TSA - "For airports, the change isn't about money. At issue, airport managers and security experts say, is the unwieldy size and bureaucracy of the federal aviation security system. Private firms may be able to do the job more efficiently and with a personal touch, they say. Airports that choose private screeners must submit the request to the TSA. There are no specific criteria for approval, but federal officials can decide whether to grant the request "based on the airport's record of compliance on security regulations and requirements." The TSA pays for the cost of the screening and has the final say on which company gets the contract. Rep. John L. Mica (R-Fla.), the incoming chairman of the House Transportation and Infrastructure Committee, has written to 200 of the nation's largest airports, urging them to consider switching to private companies. The TSA was "never intended to be an army of 67,000 employees," he said."

  • Related postings on government implementation of whole body scanning technology at airports
  • December 28, 2010
    * Forbes: WikiLeaks And The New Corporate Disclosure Crisis

    WikiLeaks And The New Corporate Disclosure Crisis - Stephanie Nora White and Rebecca Theim: "If the scandals that have plagued corporate America in the past two years haven't gotten you thinking about your own company's vulnerabilities, then the latest revelations out of WikiLeaks certainly should. In an interview with Forbes' Andy Greenberg, WikiLeaks founder Julian Assange declared that half the documents that have been fed to the organization are from corporations, and that sometime early next year his organization plans what presumably will be the first of many corporate disclosures. It will begin with information about one of the nation's leading banks. The target is rumored to be Bank of America, and the bank's stock tumbled 3% shortly after the rumors were publicized. Got your attention now? WikiLeaks is promising to give a voice to the disenfranchised, disgusted and disillusioned within Corporate America, those who have knowledge of company behavior ranging from distasteful to criminal. "Companies turn people into leakers by their failure to listen, look and respond," says business consultant and author Margaret Heffernan, whose forthcoming book, Willful Blindness: Why We Ignore the Obvious at Our Peril, will tackle the issue. In other words, it will no longer be a company's general counsel who will decide if and when something is disclosed to the public. Now, it's any insider with a flash drive who's troubled or disgruntled by an organization's conduct. And the types of information WikiLeaks is disclosing can be more damaging--and memorable--than a traditional corporate crisis."

    December 27, 2010
    * Washington Post: Auditors Question TSA Spending on Checkpoint Screening Technologies

    Washington Post: Auditors question TSA's use of and spending on technology: "The massive push to fix airport security in the United States after the attacks of Sept. 11, 2001, led to a gold rush in technology contracts for an industry that mushroomed almost overnight. Since it was founded in 2001, the TSA has spent roughly $14 billion in more than 20,900 transactions with dozens of contractors. In addition to beefing up the fleets of X-ray machines and traditional security systems at airports nationwide, about $8 billion also paid for ambitious new technologies. The agency has spent about $800 million on devices to screen bags and passenger items, including shoes, bottled liquids, casts and prostheses. For next year, it wants more than $1.3 billion for airport screening technologies. But lawmakers, auditors and national security experts question whether the government is too quick to embrace technology as a solution for basic security problems and whether the TSA has been too eager to write checks for unproven products."

    December 22, 2010
    * Gallup: U.S. Internet Users Ready to Limit Online Tracking for Ads

    Follow up to FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers, this news from Gallup: "U.S. Internet users would likely welcome a "Do Not Track" measure like the one the Federal Trade Commission is currently considering to keep advertisers from tracking their movements online. Gallup finds Internet users largely aware that advertisers use their online browsing history to target ads to their interests, but largely opposed to such tactics -- even if they help to keep websites free...The results, from a USA Today/Gallup poll conducted Dec. 10-12, 2010, come as the Federal Trade Commission considers a measure that would allow Internet users to essentially opt out of online tracking, as they do with the telemarketing "Do Not Call" list. AdWeek in a recent editorial said such a measure would amount to an "apocalypse" for online advertisers, particularly for the fast-growing $1.1 billion industry that relies on these tactics to target content to users."

    December 21, 2010
    * Oral Argument Set in EPIC Lawsuit to Suspend Airport Body Scanners

    "The United States Court of Appeals for the District of Columbia Circuit has scheduled oral argument in EPIC's case, No. 10-1157, against the Department of Homeland Security. The court set a March 10, 2011 date for the parties to present oral argument before the Court. EPIC filed suit against the Department of Homeland Security to suspend the body scanner program because it is "unlawful, invasive, and ineffective." In its opening brief, EPIC argued that the federal agency has violated the Administrative Procedures Act, the Privacy Act, the Religious Freedom Restoration Act, the Video Voyeurism Prevention Act, and the Fourth Amendment. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology."

  • Washington Post - Full-body scanners: Exposing issues of privacy, and body image
  • December 19, 2010
    * WSJ: Unique Phone ID Numbers Explained

    WSJ: "More than half the smartphone apps tested by The Wall Street Journal sent a serial-number-like identifier for the phone to tracking companies. Some tracking companies use these IDs to create profiles of cellphone users for marketing purposes. The use of these identifiers poses a greater risk than tracking technologies typically used on PC Web browsers, said Heng Xu, an assistant professor of information sciences and technology at Pennsylvania State University. This is because the numbers are difficult or impossible to delete and can be tied to other data, like a person’s location at a given moment, she said."

    December 18, 2010
    * WSJ: Your Apps Are Watching You

    "Few devices know more personal details about people than the smartphones in their pockets: phone numbers, current location, often the owner's real name—even a unique ID number that can never be changed or turned off. These phones don't keep secrets. They are sharing this personal data widely and regularly, a Wall Street Journal investigation has found. An examination of 101 popular smartphone "apps"—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders."

    December 16, 2010
    * Commerce Department Unveils Policy Framework for Protecting Consumer Privacy Online While Supporting Innovation

    News release: "The Department of Commerce today issued a report detailing initial policy recommendations aimed at promoting consumer privacy online while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth. The report outlines a dynamic framework to increase protection of consumers’ commercial data and support innovation and evolving technology. The Department is seeking additional public comment on the plan to further the policy discussion and ensure the framework benefits all stakeholders in the Internet economy."

  • Internet Policy Task Force Privacy Green Paper
  • * 11.7 Million Persons Reported Identity Theft Victimization in 2008

    News release: "An estimated 11.7 million persons, representing five percent of all persons age 16 or older in the United States, were victims of identity theft during the two years prior to being surveyed in 2008, the Bureau of Justice Statistics (BJS) announced today. The financial losses due to the identity theft totaled more than $17 billion. Identity theft was defined in the survey as the attempted or successful misuse of an existing account, such as a debit or credit account, misuse of personal information to open a new account, or misuse of personal information for other fraudulent purposes, such as obtaining government benefits. Approximately 6.2 million victims (three percent of all persons age 16 or older) experienced the unauthorized use or attempted use of an existing credit card account, the most prevalent type of identity theft. An estimated 4.4 million persons reported the misuse or attempted misuse of a banking account, such as a debit, checking or savings account. Another 1.7 million persons experienced the fraudulent misuse of their information to open a new account, and about 618,900 persons reported the misuse of their information to commit other crimes, such as fraudulently obtaining medical care or government benefits or providing false information to law enforcement during a crime or traffic stop. About 16 percent of all victims (1.8 million persons) experienced multiple types of identity theft during the two-year period."

  • The report, Victims of Identity Theft, 2008 (NCJ 231680), was written by BJS statisticians Lynn Langton and Michael Planty.
  • December 13, 2010
    * Judiciary Committee Plans Hearing on Wikileaks

    Follow up to postings on Wikileaks, news of a Hearing on the Espionage Act and the Legal and Constitutional Issues Raised by WikiLeaks, Thursday 12/16/2010.

  • Pew Research Center: Public Sees WikiLeaks as Harmful
  • December 10, 2010
    * United Nations Marks International Human Rights Day 2010

    EPIC: "December 10 marks the United Nations' annual International Human Rights Day, which celebrates the signing of the Universal Declaration of Human Rights. The Declaration sets forth universal privacy rights in Article 12 and rights to freedom of expression in Article 19. The Declaration's importance and influence is recognized in the U.S. State Department's annual Human Rights Reports. In 2009, the Public Voice published the Madrid Privacy Declaration, which affirmed these international rights to privacy and free and open expression. You can find more information and resources through the U.N. Dag Hammarskjöld Library's Human Rights Day page."

    December 07, 2010
    * CRS: Changes in Airport Passenger Screening Technologies and Procedures: Frequently Asked Questions

    Changes in Airport Passenger Screening Technologies and Procedures: Frequently Asked Questions, Bart Elias, Specialist in Aviation Policy, November 23, 2010

  • "During 2010, TSA introduced whole body imaging (WBI) systems at airport checkpoints around the United States. Previously, the systems were used only on a trial basis at a small number of airports. They are now in use as a primary screening method at most busy passenger airports. These systems, which the TSA refers to as advanced imaging technology (AIT) systems, capture an image of what lies underneath an individual’s clothing. Critics have referred to this as a “virtual strip search.” If an individual considers this screening method too invasive or revealing or prefers not to undergo AIT imaging for any other reason, TSA provides the option of submitting to a pat-down search instead. In response to aircraft bombing attempts and intelligence regarding terrorist explosives concealment methods, TSA also has changed pat-down procedures to more thoroughly inspect individuals for concealed items. The use of pat-down procedures has also become more frequent, including searches conducted at gates immediately prior to boarding."
    December 01, 2010
    * FTC Staff Issues Privacy Report Offers Framework for Consumers, Businesses, and Policymakers

    News release: "The Federal Trade Commission, the nation’s chief privacy policy and enforcement agency for 40 years, issued a preliminary staff report today that proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services. The proposed report also suggests implementation of a “Do Not Track” mechanism – likely a persistent setting on consumers’ browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities....The report states that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The framework outlined in the report is designed to reduce the burdens on consumers and businesses."

  • Federal Trade Commission (Bureau of Consumer Protection) A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (December 1, 2010)
  • November 28, 2010
    * Internet Crime Complaint Center - Holiday Shopping Tips

    Holiday Shopping Tips: "This holiday season the FBI reminds shoppers that cyber criminals aggressively create new ways to steal money and personal information. Scammers use many techniques to fool potential victims, including conducting fraudulent auction sales, reshipping merchandise purchased with stolen credit cards, and selling fraudulent or stolen gift cards through auction sites at discounted prices...If you have received a scam email, please notify the IC3 by filing a complaint at http://www.IC3.gov. For more information on e-scams, please visit the FBI's New E-Scams and Warnings webpage at http://www.fbi.gov/cyberinvest/escams.htm."

    November 25, 2010
    * Google - Promoting Free Trade for the Internet Economy

    Google: "..we’re releasing a white paper, Enabling Trade in the Era of Information Technologies: Breaking Down Barriers to the Free Flow of Information, that explores the ways that governments impose limits on the free flow of information online. It’s pretty wonky stuff, but the premise is simple: In addition to infringing human rights, governments that block the free flow of information on the Internet are also blocking trade and economic growth. Over the last two decades, the Internet has delivered tremendous economic and trade benefits. It has driven record increases in productivity, spurred innovation, created new economies, and fueled international trade. In part this is because the Internet makes geographically distant markets easy to reach. But this engine of economic growth is increasingly coming under attack. According to one study, more than forty governments now engage in broad-scale restriction of online information. Governments are blocking online services, imposing non-transparent regulation, and seeking to incorporate surveillance tools into their Internet infrastructure. These are the trade barriers of the 21st century economy...we urge policymakers in the United States, European Union and elsewhere to take steps to break down barriers to free trade and Internet commerce. These issues present challenges, but also an opportunity for governments to align 21st century trade policy with the 21st century economy."

    November 23, 2010
    * Majority of Americans Now Oppose Body Scanners and TSA Pat Downs

    EPIC: "A new poll by Zogby International finds that 61% of Americans polled between Nov. 19 and Nov. 22 oppose the use of full body scans and TSA pat downs. Of those polled, 52% believe the enhanced security measures will not prevent terrorist activity, almost half (48%) say it is a violation of privacy rights, 33% say they should not have to go through enhanced security methods to get on an airplane, and 32% believe the full body scans and TSA pat downs to be sexual harassment. The Zogby Poll is the most recent survey of American opinion on the new airport screening procedures. Combined with earlier polls by USA Today and the Washington Post-ABC News, the Zogby Poll reflects declining support for the TSA program."

    • News release: "U.S. Rep. Rush Holt, a scientist and the Chairman of the House Select Intelligence Oversight Panel, Friday wrote the Administrator of the Transportation Security Administration (TSA), reiterating his concerns about the use of body imaging technology, notably about potential health effects and the effectiveness of the screening to detect the full range of explosive threats known or anticipated to be used by potential terrorists...the majority of the radiation from X-ray backscatter machines strikes the top of the head, which is where 85 percent of the 800,000 cases of basal cell carcinoma diagnosed in the United States each year develop."
    • Airport body-scanner manufacturers armed for K Street battle: "...Companies like L-3 Communications, the defense contractor, are providing several of the scanners under a nearly $165 million TSA contract won earlier this year, are well-prepared for the fight."
    • WaPo: Protesters' body scanner opt-out day could bring nationwide delays at airports

    November 22, 2010
    * EFF Tool Offers New Protection Against Exploits of Webpage Security Flaws

    News release: "The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking... This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough...Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly."

    November 21, 2010
    * New TSA Screening Procedures for Pilots Rolling Out

    Follow up to previous postings on government implementation of whole body scanning technology at airports, this news release: "The Air Line Pilots Association, Int’l (ALPA), welcomed the Transportation Security Administration (TSA) announcement of expedited screening for airline pilots as important action to move the nation toward a threat-based strategy that focuses security resources where the risk is highest and away from a one-size-fits-all approach...ALPA proposed the creation of a highly secure and effective security screening system that would quickly and accurately verify the identity and employment status of active airline pilots. As a result, ALPA’s Crew Personnel Advanced Screening System (CrewPASS) program would identify individual pilots as trusted and, as a result, enhance the overall security of air travel and reduce passenger delays. In [the November 19, 2010] announcement, the TSA acknowledged ALPA for developing the CrewPASS concept and committed to phasing in CrewPASS nationally. The CrewPASS system is currently operating at Baltimore-Washington Thurgood Marshall International, Pittsburgh International, and Columbia Metropolitan airports."

  • TSA Statement from Administrator John S. Pistole: "In all such security programs, especially those that are applied nation-wide, there is a continual process of refinement and adjustment to ensure that best practices are applied and that feedback and comment from the traveling public is taken into account."
  • November 15, 2010
    * Frequent Flyer Backlash Heightens Over Full-body Scanners at Airports

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via National Journal, "The Transportation Security Administration is working to create an alternative screening process for pilots, the agency's chief said this morning, amid mounting protests by airline pilots over new airport scanners criticized as invasive and hazardous to health due to radiation exposure."

    * UK: Google Street View (GSV) collection of payload data

    "The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals." Snipped from November 3, 2010 letter from ICO to Global Privacy Counsel, Google France: "My office now understands that GSV (Google Street View) cars driving in the UK before May 2010 were equipped with the same equipment as the GSV cars in countries where regulators found some instances where entire emails and URLs were captured, as well as passwords. As such, my office believes that while most of the payload data gathered from the UK is fragmentary, in some instances it is possible that entire emails and URLs were captured, as well as passwords. It is my view that the collection of this information is a serious breach of the first data protection principle..."

    November 10, 2010
    * Intel - 2010 HIMSS Security Survey

    2010 HIMSS Security Survey Sponsored by Intel, Final Report, November 3, 2010

  • "Now in its third year, the 2010 HIMSS Security Survey [Healthcare Information and Management Systems Society], sponsored by Intel reports the opinions of information technology (IT) and security professionals from healthcare provider organizations across the U.S. regarding key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations. This year, the study was supported by Medical Group Management Association (MGMA) to encourage additional representation in the medical group and ambulatory space. The study was designed to collect information on a multitude of security-related items, including organizations’ general security environment, access to patient data, access tracking and audit logs, security in a networked environment and technology tools in place. This year, we’ve added a series of questions to evaluate how healthcare organizations are handling patient identity issues."

  • November 07, 2010
    * FTC Names Edward W. Felten as Agency's Chief Technologist

    News release: "Federal Trade Commission Chairman Jon Leibowitz [November 4, 2010] announced the appointment of Edward W. Felten as the agency’s first Chief Technologist. In his new position, Dr. Felten will advise the agency on evolving technology and policy issues. Dr. Felten is a professor of computer science and public affairs and founding director of the Center for Information Technology Policy at Princeton University. He has served as a consultant to federal agencies, including the FTC, and departments of Justice and Defense, and has testified before Congress on a range of technology, computer security, and privacy issues. He is a fellow of the Association of Computing Machinery and recipient of the Scientific American 50 Award. Felten holds a Ph.D. in computer science and engineering from the University of Washington. Dr. Felten’s research has focused on areas including computer security and privacy, especially relating to consumer products; technology law and policy; Internet software; intellectual property policy; and using technology to improve government."

    * OMB Memo - Sharing Data While Protecting Privacy

    Sharing Data While Protecting Privacy, November 3, 2010 - "The judicious use of accurate and reliable data plays a critical role in initiatives designed to increase the transparency and efficiency of Federal programs and to enhance our capacity to gauge program effectiveness. Sharing data among agencies also allows us to achieve better outcomes for the American public through more accurate evaluation of policy options, improved stewardship of taxpayer dollars, reduced paperwork burdens, and more coordinated delivery of public services. As advances in technology enhance tools for data sharing, Federal agencies can and should seek new approaches for identifying and sharing high-value data responsibly and appropriately. This Memorandum strongly encourages Federal agencies to engage in coordinated efforts to share high-value data for purposes of supporting important Administration initiatives, informing public policy decisions, and improving program implementation while simultaneously embracing responsible stewardship."

    * New Business Center Can Help Boost Compliance with FTC Law

    News release: "The Federal Trade Commission has a new Business Center at Business.ftc.gov that gives business owners, attorneys, and marketing professionals the tools they need to understand and comply with the consumer protection laws, rules, and guides the FTC enforces. The Business Center provides practical, plain-language guidance about advertising, credit, telemarketing, privacy, and a host of other topics. A series of short videos explain the bottom line about what businesses need to know to comply, and the Business Center blog gives readers the latest compliance tips and information."

    November 02, 2010
    * Google Buzz Class Action Settlement

    Email I received Tuesday evening, 9:49pm ET: "Google rarely contacts Gmail users via email, but we are making an exception to let you know that we've reached a settlement in a lawsuit regarding Google Buzz, a service we launched within Gmail in February of this year. Shortly after its launch, we heard from a number of people who were concerned about privacy. In addition, we were sued by a group of Buzz users and recently reached a settlement in this case. The settlement acknowledges that we quickly changed the service to address users' concerns. In addition, Google has committed $8.5 million to an independent fund, most of which will support organizations promoting privacy education and policy on the web. We will also do more to educate people about privacy controls specific to Buzz. The more people know about privacy online, the better their online experience will be. Just to be clear, this is not a settlement in which people who use Gmail can file to receive compensation. Everyone in the U.S. who uses Gmail is included in the settlement, unless you personally decide to opt out before December 6, 2010. The Court will consider final approval of the agreement on January 31, 2011. This email is a summary of the settlement, and more detailed information and instructions approved by the court, including instructions about how to opt out, object, or comment, are available at http://www.BuzzClassAction.com."

    October 28, 2010
    * EFF: Government Withholds Records on Need for Expanded Surveillance Law

    News release: "The Electronic Frontier Foundation (EFF) filed suit against three agencies of the Department of Justice (DOJ) today, demanding records about problems or limitations that hamper electronic surveillance and potentially justify or undermine the Administration's new calls for expanded surveillance powers. The issue has been in the headlines for more than a month, kicked off by a New York Times report that the government was seeking to require "back doors" in all communications systems -- from email and webmail to Skype, Facebook and even Xboxes -- to ease its ability to spy on Americans. The head of the FBI publicly claimed that these "back doors" are needed because advances in technology are eroding agents' ability to intercept information. EFF filed a Freedom of Information Act (FOIA) request with the Federal Bureau of Investigation (FBI), the Drug Enforcement Agency (DEA), and the DOJ Criminal Division to see if that claim is backed up by specific incidents where these agencies encountered obstacles in conducting electronic surveillance."

    * Report - You're It! What Your Smartphone Might Be Saying Behind Your Back

    Geotag, You're It! What Your Smartphone Might Be Saying Behind Your Back, Privacy Rights Clearinghouse, October 18, 2010

  • "Snap a photo of a sunset with your iPhone and you can upload it to Twitter with a few clicks. But your smartphone might be transmitting more than a pretty photograph. It could be collecting and storing data about your real-time location – and then broadcasting that information when you upload photos onto the Internet...In Cybercasing the Joint: On the Privacy Implications of Geotagging, two researchers from the University of California Berkeley investigated how different websites incorporate geotagged media. By examining photos and videos on Flickr, Craigslist and Youtube, they found 1.3% to 4.3% of uploaded media included embedded location data. Not surprisingly, they found geotagged photos and videos were most often captured through high-end cameras and smartphones (rather than basic cell phones)."
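    An added example, not code from the Privacy Rights Clearinghouse report or the Berkeley paper, of the check a user or an upload service can run before a photo leaves the device: it walks the JPEG's marker segments, reports whether the Exif block carries a GPS IFD (tag 0x8825 in IFD0), and strips the Exif segment. The sample JPEG bytes are constructed inline for the demonstration and are not a decodable image; `make_sample_jpeg` is a helper written here, not part of any library.

```python
import struct

# Exif/TIFF tag that points from IFD0 to the GPS sub-IFD (Exif specification)
GPS_IFD_POINTER = 0x8825


def _find_exif_app1(jpeg: bytes):
    """Walk the JPEG marker segments before the image data and return
    (start, end) of the Exif APP1 segment, or None if there is none."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("malformed marker segment")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: metadata segments are over
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        if seg_len < 2:
            raise ValueError("malformed segment length")
        seg_end = pos + 2 + seg_len
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos, seg_end
        pos = seg_end
    return None


def has_gps_data(jpeg: bytes) -> bool:
    """True if IFD0 of the embedded TIFF structure contains a GPS IFD pointer."""
    span = _find_exif_app1(jpeg)
    if span is None:
        return False
    tiff = jpeg[span[0] + 10:span[1]]  # skip marker, length and "Exif\0\0"
    if tiff[:2] == b"II":
        endian = "<"
    elif tiff[:2] == b"MM":
        endian = ">"
    else:
        return False  # not a TIFF header; treat as no usable Exif
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes
        tag = struct.unpack(endian + "H", tiff[entry:entry + 2])[0]
        if tag == GPS_IFD_POINTER:
            return True
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with the whole Exif APP1 segment removed,
    which takes the GPS IFD (and every other Exif field) with it."""
    span = _find_exif_app1(jpeg)
    if span is None:
        return jpeg
    return jpeg[:span[0]] + jpeg[span[1]:]


def make_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed sample: SOI, one big-endian Exif APP1 segment, EOI.
    Only the metadata structure is real; there is no image data."""
    entries = [struct.pack(">HHI4s", 0x010E, 2, 4, b"abc\x00")]  # ImageDescription, ASCII
    n = len(entries) + (1 if with_gps else 0)
    gps_ifd_offset = 8 + 2 + 12 * n + 4  # GPS IFD sits right after IFD0
    if with_gps:
        entries.append(struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_offset))
    ifd0 = struct.pack(">H", n) + b"".join(entries) + struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0
    if with_gps:
        # GPS IFD with a single GPSVersionID entry (tag 0x0000, BYTE x4, value 2.3.0.0)
        tiff += (struct.pack(">H", 1)
                 + struct.pack(">HHI4s", 0x0000, 1, 4, b"\x02\x03\x00\x00")
                 + struct.pack(">I", 0))
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xFF\xD8" + app1 + b"\xFF\xD9"


if __name__ == "__main__":
    tagged = make_sample_jpeg(with_gps=True)
    print("geotagged:", has_gps_data(tagged))                # True
    print("after strip:", has_gps_data(strip_exif(tagged)))  # False
```

On a real photo, read the file bytes and pass them to `has_gps_data`; a camera or phone that embeds location will show the GPS IFD pointer exactly where this parser looks.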
  • October 24, 2010
    * FinCEN Study Examines Rise in Identity Theft SARs; Awareness Helps Deter Greater Loss

    Identity Theft Trends, Patterns, and Typologies Reported in Suspicious Activity Reports Filed by Depository Institutions January 1, 2003 – December 31, 2009, released October 2010 by the Financial Crimes Enforcement Network

  • "Reports of identity theft have been increasing for more than a decade...Identity theft was the sixth most frequently reported characterization of suspicious activity within the period of the study, behind structuring/money laundering, check fraud, mortgage loan fraud, credit card fraud, and counterfeit check fraud. Based upon analysis of the study sample, the number of identity theft related depository institution SAR [Suspicious Activity Report] filings submitted during calendar year (CY) 2009 was 123 percent higher than the number reported in CY 2004. This compares with an 89 percent increase in the numbers of all depository institution SAR filings made in CY 2004 versus CY 2009."

  • October 22, 2010
    * EPIC: Google Ends Secret Wifi Data Gathering

    EPIC: "Following numerous protests around the world, Google has ended its illegal collection of wifi data transmissions. The company, which originally claimed it was not even collecting wifi data, was forced to admit that the practice has been ongoing for three years in more than thirty countries, following an independent investigation initiated by European privacy officials. Investigations are still underway to determine the extent of Google's liability. EPIC wrote to the FCC earlier this year, pointing out that the practice violated US wiretap laws."

    • EPIC - Investigations of Google Street View
    • Official Google Blog, "Creating stronger privacy controls inside Google": "In May we announced that we had mistakenly collected unencrypted WiFi payload data (information sent over networks) using our Street View cars. We work hard at Google to earn your trust, and we’re acutely aware that we failed badly here. So we’ve spent the past several months looking at how to strengthen our internal privacy and security practices, as well as talking to external regulators globally about possible improvements to our policies."

    October 20, 2010
    * FTC Testifies on the Rights of Employees Under the Fair Credit Reporting Act

    News release: "The Federal Trade Commission today told the Equal Employment Opportunity Commission that the Fair Credit Reporting Act (FCRA) imposes requirements on Consumer Reporting Agencies (CRAs) - which include the three major credit bureaus - and on employers that use the information “to ensure that sensitive consumer report information is used with fairness, impartiality, and respect for consumers’ privacy.” Commission testimony given by Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, states that FCRA requirements placed on CRAs and employers are designed to promote privacy, accuracy, and fairness in the use of consumer reports. For example, before giving a consumer report to an employer, the CRA must take reasonable steps to ensure that the employer has a legitimate basis to obtain the report; must inform the employer of his or her obligation to provide certain notices to consumers; and must obtain the employer’s certification that he or she is complying with the FCRA and will not use consumer report information in violation of equal opportunity laws."

    October 18, 2010
    * National Protect Your Identity Week - Learn How to Deter, Detect and Defend Against ID Theft

    News release: "This is National Protect Your Identity Week, and the Federal Trade Commission, the nation’s consumer protection agency, has information to help consumers, businesses, and law enforcement officials safeguard personal information and take action if an identity thief strikes.

    • www.ftc.gov/idtheft is a one-stop national resource to learn about the crime of identity theft. Consumers can learn how to avoid identity theft – and what to do if their identity is stolen. Businesses can learn to help their customers deal with identity theft and prevent problems in the first place. Law enforcement officials will find resources that help victims of identity theft.
    • www.YouTube.com/FTCVideos has short educational videos that help consumers learn more about identity theft, phishing, reducing spam, and protecting their computers against unwanted intrusions.
    • www.onguardonline.gov/games lets consumers test their cyber smarts with interactive games on everything from phishing and computer security to social networking and e-mail scams.
    • www.ftc.gov/freereports offers details about a consumer’s right to get a free copy of his or her credit report from each of the three national credit reporting companies, upon request, once every 12 months. Reviewing one’s credit report regularly is an effective way to deter and detect identity theft."

    * State of the Internet 2010: A Report on the Ever-Changing Threat Landscape

    State of the Internet 2010: A Report on the Ever-Changing Threat Landscape, CA Technologies Internet Security Business Unit
    Internet Security Intelligence Report, October 2010

  • "Today approximately 1.8 billion people use the Internet to do everything from conduct business, communicate with friends and family, keep up with current events or simply entertain themselves playing games or watching videos. Each individual and each Internet connected device presents a certain footprint that is exposed and often manipulated for criminal or political gain. Malware, or malicious software, is often the catalyst for this manipulation, while targets span the gamut from corporate and national secrets to personal information that can be used to directly steal money or perpetuate another crime. Technology and the Internet provide the means and opportunity, while global socioeconomic trends provide the motive to perpetuate these crimes. Supporting this criminal activity and adding to the challenges of protection and law enforcement is the growth of a criminal ecosystem. This network of criminals and services introduces multiple layers of anonymity while providing modular functionality for perpetuating cybercrime. In this paper we have defined this ecosystem as “Crimeware-as-a-Service,” and we share examples of how this ecosystem is exploiting the latest technology trends of cloud computing and social media. The ability to perpetuate these crimes across the Internet without swift and severe repercussions further fuels this Crimeware, challenging security professionals and governments alike to find new ways to protect valuable information."

  • October 17, 2010
    * WSJ: Facebook in Privacy Breach: Top-Ranked Applications Transmit Personal IDs

    WSJ: "Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found. The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure. The problem has ties to the growing field of companies that build detailed databases on people in order to track them online—a practice the Journal has been examining in its What They Know series. It's unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information."

    October 14, 2010
    * New FOIA Documents Reveal DHS Social Media Monitoring During Obama Inauguration

    EFF: "As noted in our first post, EFF recently received new documents via our FOIA lawsuit on social network surveillance, filed with the help of UC Berkeley’s Samuelson Clinic, that reveal two ways the government has been tracking people online: Citizenship and Immigration’s surveillance of social networks to investigate citizenship petitions and the DHS’s use of a “Social Networking Monitoring Center” to collect and analyze online public communication during President Obama’s inauguration. This is the second of two posts describing these documents and some of their implications. In addition to learning about surveillance of citizenship petitioners, EFF also learned that leading up to President Obama’s January 2009 inauguration, DHS established a Social Networking Monitoring Center (SNMC) to monitor social networking sites for “items of interest.” In a set of slides [PDF] outlining the effort, DHS discusses both the massive collection and use of social network information as well as the privacy principles it sought to employ when doing so."

    October 12, 2010
    * Reps. Markey, Barton Release Responses From Websites on Tracking of Consumer Behavior

    Follow-up to the posting WSJ Tracks how marketers are spying on Internet users, this news release: "Representatives Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), Co-Chairmen of the House Bi-Partisan Privacy Caucus, released responses to the letters they had sent to companies identified in a Wall Street Journal investigation as reportedly installing intrusive consumer-tracking technologies to track and/or target consumers visiting these company Web sites. “The responses [links to which are included in this news release] raise a number of concerns, including whether consumers are able to effectively shield their personal Internet habits and private information from the prying eyes of online data gatherers,” Rep. Markey said. “Consumers may be unaware that the sites they visit, coordinating with a cadre of analytics firms, advertising networks and offline data companies, may be tracking their activities around the Internet. While the responses that Rep. Barton and I received cite privacy policies and opt-out choices to enable consumers to preserve their privacy, these policies can be complicated and laborious to navigate. For example, a single website may have business relationships with a dozen or more third-party data firms that display advertisements on its site. A consumer may have to visit each of these sites, consulting its privacy policy and clicking through to opt-out, if such an option is provided. In some cases, a list of all third party affiliates is not readily accessible, keeping consumers in the dark.”"

    October 11, 2010
    * WSJ spotlights people-search sites and commercial data brokers

    Escaping the ‘Scrapers’: "The Internet has given rise to a dizzying array of people-search sites and data brokers that gather and compile public information and social-networking profiles. The sites gather information from public sources such as property records and telephone listings, and other information is harvested by “scraping” — or copying — websites where people post information about themselves. The fact that the information is from public records or posted on the Internet generally means that the companies have a right to use it. And many of the firms emphasize that the data will still be available in public records or elsewhere online, even if the information is removed from specific sites. As long as the source of the information remains available, it can simply be scraped again. But determined consumers willing to navigate the maze of companies have some options for requesting that their data be removed from certain sites."

    * WSJ Tracks how marketers are spying on Internet users

    What They Know - interactive graphic: "Marketers are spying on Internet users -- observing and remembering people's clicks, and building and selling detailed dossiers of their activities and interests. The Wall Street Journal's What They Know series documents the new, cutting-edge uses of this Internet-tracking technology. The Journal analyzed the tracking files installed on people's computers by the 50 most popular U.S. websites, plus WSJ.com. The Journal also built an "exposure index" -- to determine the degree to which each site exposes visitors to monitoring -- by studying the tracking technologies they install and the privacy policies that guide their use."

    October 10, 2010
    * WSJ: Former FTC Employee Files Complaint Over Google Privacy

    WSJ: "A former Federal Trade Commission employee has filed a complaint with the agency accusing Google Inc. of not adequately protecting the privacy of consumers’ search queries. The complaint was filed September 6 by Christopher Soghoian, who worked until August as a technologist with the FTC’s Division of Privacy and Identity Protection. It calls on the agency to investigate Google and to “compel Google to take proactive steps to protect the privacy of individual users’ search terms.” The complaint alleges Google shares with third parties users’ search queries, including those that contain personal information. In an emailed statement, Google said its passing of search-query data to third parties “is a standard practice across all search engines” and that “webmasters use this to see what searches bring visitors to their websites.” The statement added, “Google does not pass any personal information about the source of the query to the destination website.”"

  • Via Christopher Soghoian's blog posting: "The complaint centers around an obscure feature in web browsers, known as the HTTP referrer header. Danny Sullivan, a widely respected search engine industry analyst has written that the HTTP referrer header is "effectively the Caller ID of the internet. It allows web site owners and marketers to know where visitors came from." However, while practically everyone with a telephone knows about the existence of caller ID, as Danny also notes, the existence of the referrer header is "little known to most web surfers." This header reveals to the websites you visit the URL of the page you were viewing before you visited that site. When you visit a site after clicking on a link in a search engine results page, that site learns the terms you searched for (because Google and the other search engines include your search terms in the URL)."
  • October 08, 2010
    * FTC Chairman Leibowitz Announces New Resources Communities Can Use to Promote Online Child Safety

    News release: "The Federal Trade Commission today unveiled a community outreach kit with new resources to help parents and communities keep kids safe online and on their mobile phones. With more than five million copies of the Net Cetera: Chatting with Kids About Being Online guide already in the hands of families across the country, FTC Chairman Jon Leibowitz announced the expanded campaign."

    October 06, 2010
    * Privacy Groups Object to Google's "Simplified" Privacy Policy

    "EPIC and 14 other privacy and consumer protection groups (including the American Library Association) sent a letter to Google CEO Eric Schmidt about Google's revised privacy policy. Under this new policy, twelve specific Google privacy policies will be replaced by a single policy that will enable greater data sharing within the corporation. EPIC previously raised similar concerns about Google Buzz in a complaint to the Federal Trade Commission. In the complaint, EPIC argued that Google's Gmail-specific privacy policy was more protective of users than their general privacy policy. For more information, see EPIC: In re Google Buzz."

    September 27, 2010
    * Biometric Recognition: Challenges and Opportunities

    "Biometric recognition--the automated recognition of individuals based on their behavioral and biological characteristics--is promoted as a way to help identify terrorists, provide better control of access to physical facilities and financial accounts, and increase the efficiency of access to services and their utilization. Biometric recognition has been applied to identification of criminals, patient tracking in medical informatics, and the personalization of social services, among other things. In spite of substantial effort, however, there remain unresolved questions about the effectiveness and management of systems for biometric recognition, as well as the appropriateness and societal impact of their use. Moreover, the general public has been exposed to biometrics largely as high-technology gadgets in spy thrillers or as fear-instilling instruments of state or corporate surveillance in speculative fiction. Now, as biometric technologies appear poised for broader use, increased concerns about national security and the tracking of individuals as they cross borders have caused passports, visas, and border-crossing records to be linked to biometric data. A focus on fighting insurgencies and terrorism has led to the military deployment of biometric tools to enable recognition of individuals as friend or foe. Commercially, finger-imaging sensors, whose cost and physical size have been reduced, now appear on many laptop personal computers, handheld devices, mobile phones, and other consumer devices. Biometric Recognition: Challenges and Opportunities addresses the issues surrounding broader implementation of this technology, making two main points: first, biometric recognition systems are incredibly complex, and need to be addressed as such. Second, biometric recognition is an inherently probabilistic endeavor. Consequently, even when the technology and the system in which it is embedded are behaving as designed, there is inevitable uncertainty and risk of error. This book elaborates on these themes in detail to provide policy makers, developers, and researchers a comprehensive assessment of biometric recognition that examines current capabilities, future possibilities, and the role of government in technology and system development."

    September 24, 2010
    * FTC Testifies on Data Security Legislation

    News release: "[On September 22, 2010] the Federal Trade Commission told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach. In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations.
    The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted."

    September 23, 2010
    * Google Transparency Report - Interactive map of Government Requests

    Transparency Report: "Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual. We’ve created an interactive map of Government Requests that shows the number of government inquiries for information about users and requests for Google to take down or censor content. We hope this step toward greater transparency will help in ongoing discussions about the appropriate scope and authority of government requests. Our interactive Traffic graphs provide information about traffic to Google services around the world. Each graph shows historic traffic patterns for a given country/region and service. By illustrating outages, this tool visualizes disruptions in the free flow of information, whether it's a government blocking information or a cable being cut. We hope this raw data will help facilitate studies about service outages and disruptions."

    September 21, 2010
    * EU Passenger Name Record (PNR) External Strategy; FAQs

    EU Passenger Name Record (PNR) External Strategy (9/21/10): "The European Commission adopted today a package of proposals on the exchange of Passenger Name Record (PNR) data with third countries (countries outside the EU), consisting of an EU external PNR strategy and recommendations for negotiating directives for new PNR agreements with the United States, Australia and Canada."

  • The Passenger Name Record (PNR) - Frequently Asked Questions

  • September 20, 2010
    * A Review of the FBI's Investigations of Certain Domestic Advocacy Groups

    A Review of the FBI's Investigations of Certain Domestic Advocacy Groups, September 2010

  • The Atlantic: "FBI agents misled officials and the public, violated their own policy manual, used poor judgment, and engaged in sloppy police work when they investigated certain left-leaning, high-profile, domestic advocacy groups in the years immediately following 9/11, the Justice Department announced today following a four-year-long internal investigation by the Office of the Inspector General. The official review of FBI conduct toward groups like PETA and Greenpeace and the Catholic Worker arose from revelations made public in 2005 that federal agents had used the threat of terrorism as a justification for tracking the legal, associative conduct of members of certain left-leaning groups. Concerned about the chilling impact of no-warrant domestic surveillance upon political advocacy groups whose members were exercising their constitutionally-protected free speech rights, Congressional Democrats and First Amendment activists had sought the probe. It began in 2006 and covered the years 2001-2006 during the administration of President George W. Bush. The 209-page report, signed by Inspector General Glenn A. Fine, concluded that while none of the groups were targeted by the FBI for their views alone--one of the key allegations made by critics of the surveillance--the Bureau nevertheless engaged in tactics and strategies toward those groups and their members that were inappropriate, misleading, and in some cases counterproductive. Moreover, the OIG accused FBI witnesses of continuing to the present day to thwart a full and complete investigation into the matter by offering "incomplete and inconsistent accounts of events." An FBI spokesman said the Bureau "regrets that inaccurate information was provided."
    * Guidelines for Smart Grid Cyber Security: Privacy and the Smart Grid

    Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid. The Smart Grid Interoperability Panel – Cyber Security Working Group, August 2010

  • "The Smart Grid brings with it many new data collection, communication, and information sharing capabilities related to energy usage, and these technologies in turn introduce concerns about privacy. Privacy relates to individuals. Four dimensions of privacy are considered: (1) personal information—any information relating to an individual, who can be identified, directly or indirectly, by that information and in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, locational or social identity; (2) personal privacy—the right to control the integrity of one’s own body; (3) behavioral privacy—the right of individuals to make their own choices about what they do and to keep certain personal behaviors from being shared with others; and (4) personal communications privacy—the right to communicate without undue surveillance, monitoring, or censorship."
  • September 17, 2010
    * WSJ Investigates Extensive Web Tracking of Children Online

    "A Wall Street Journal investigation into online privacy has found that popular children's websites install more tracking technologies on personal computers than do the top websites aimed at adults."

  • "Marketers are spying more on young Internet users than on their parents, building detailed profiles of their activities and interests. The Wall Street Journal’s What They Know series documents the new, cutting-edge uses of this Internet-tracking technology. The Journal analyzed the tracking files installed on people’s computers by 50 of the most popular U.S. websites for children and teenagers. The Journal also built an “exposure index” — to determine the degree to which each site exposes visitors to monitoring — by studying the tracking technologies they install and the privacy policies that guide their use."
  • September 12, 2010
    * EPIC: Surveillance Court Seeks Public Comments on Proposed Rules

    "The Foreign Intelligence Surveillance Act (FISA) authorizes a special court, the Foreign Intelligence Surveillance Court (FISC), to undertake electronic surveillance in the United States for foreign intelligence information. The FISC is now seeking public comments concerning its procedures. Comments must be received by Monday, October 4, 2010. EPIC previously submitted an amicus brief regarding FISA authority and national security. EPIC will be submitting comments to the FISC and endorse changes that improve accountability and transparency for FISA orders."

    September 05, 2010
    * Views on Genetic Testing: An AARP Bulletin Survey

    Views on Genetic Testing: An AARP Bulletin Survey, by Helen W. Brown, Ph.D., Research & Strategic Analysis: "A large majority of Americans have never been tested for their genetic makeup, according to a recent AARP Bulletin survey. Moreover, most would not consider undergoing genetic testing to find out if they are susceptible to a disease such as Alzheimer’s, cancer, or diabetes. The top reasons why respondents have not had genetic testing include never having given it any thought (63%), the cost (32%), not wanting to know the results (21%), concerned someone else may get the results (20%), and being skeptical of science (12%)."

    September 03, 2010
    * Google says it is simplifying and updating privacy policies

    Official Google Blog: "Long, complicated and lawyerly — that's what most people think about privacy policies, and for good reason. Even taking into account that they’re legal documents, most privacy policies are still too hard to understand. So we’re simplifying and updating Google’s privacy policies. To be clear, we aren’t changing any of our privacy practices; we want to make our policies more transparent and understandable. As a first step, we’re making two types of improvements:

    1. Most of our products and services are covered by our main Google Privacy Policy. Some, however, also have their own supplementary individual policies. Since there is a lot of repetition, we are deleting 12 of these product-specific policies. These changes are also in line with the way information is used between certain products—for example, since contacts are shared between services like Gmail, Talk, Calendar and Docs, it makes sense for those services to be governed by one privacy policy as well.
    2. We’re also simplifying our main Google Privacy Policy to make it more user-friendly by cutting down the parts that are redundant and rewriting the more legalistic bits so people can understand them more easily. For example, we’re deleting a sentence that reads, “The affiliated sites through which our services are offered may have different privacy practices and we encourage you to read their privacy policies,” since it seems obvious that sites not owned by Google might have their own privacy policies..."

    September 02, 2010
    * EPIC Challenge to Airport Body Scanner Program Moves Forward in Federal Court

    Follow-up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The United States Court of Appeals for the District of Columbia Circuit has set a briefing schedule for EPIC v. DHS, No. 10-1157, EPIC's challenge to the airport body scanner program. EPIC has alleged that the Department of Homeland Security has violated three federal laws (the Administrative Procedures Act, the Privacy Act, and the Religious Freedom Restoration Act) and that the body scanner search itself is unconstitutional, given what the courts have said about the permissible scope of airport screening procedures. EPIC's initial brief will be due November 1, 2010. Subsequent briefs from DHS and EPIC will be due by December 15, 2010. In earlier open government litigation against DHS, EPIC obtained evidence that the devices are designed to store and record images."

    August 30, 2010
    * EPIC Presses for Release of Government Documents on Health Risks of Airport Body Scanners

    Follow-up to previous postings on government implementation of whole body scanning technology at airports: "EPIC has filed an appeal with the Transportation Security Administration, challenging the agency's denial of expedited processing and fee waivers for an EPIC Freedom of Information Act request. EPIC is seeking documents from the TSA concerning full body scanner radiation risks and testing. EPIC challenged the TSA's denial of expedited processing, arguing that by delaying the release of the records, the agency was risking the health of travelers and its own employees. EPIC also argued that the record request was particularly timely, as three US Senators recently wrote to the Department of Homeland Security about the safety of the airport body scanners and the risk to air travelers. Separately, EPIC has urged a federal court to suspend the program, pending an independent review of the health risks and privacy impact."

    August 24, 2010
    * U.S. and Foreign Gov'ts buy backscatter x-ray scanners mounted in vans

    Follow-up to previous postings on government implementation of whole body scanning technology at airports: Forbes reports that "American Science & Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents...While the biggest buyer of AS&E’s machines over the last seven years has been the Department of Defense operations in Afghanistan and Iraq...law enforcement agencies have also deployed the vans to search for vehicle-based bombs in the U.S."

    August 22, 2010
    * High-tech trash carts will monitor recycling by Cleveland residents

    Cleveland.com: "...the city will roll out next year with new trash and recycling carts embedded with radio frequency identification chips and bar codes. The chips will allow city workers to monitor how often residents roll carts to the curb for collection. If a chip shows a recyclable cart hasn't been brought to the curb in weeks, a trash supervisor will sort through the trash for recyclables. Trash carts containing more than 10 percent recyclable material could lead to a $100 fine, according to Waste Collection Commissioner Ronnie Owens. Recyclables include glass, metal cans, plastic bottles, paper and cardboard."

    August 21, 2010
    * FOIA Lawsuit Raises Questions for Senator About Retention of Body Scanner Images

    Follow-up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Chairman and Ranking Member of the Homeland Security Committee, along with four other Senators, have sent a letter to the head of the US Marshal Service to ask why the federal agency stored more than 35,000 images from whole body imaging scans taken at the Orlando federal courthouse. The letter follows a Freedom of Information Act lawsuit, filed by EPIC, in which the Marshal Service was forced to disclose the fact that it had stored body scanner images. EPIC has also filed an emergency motion in federal court to suspend the program, pending a thorough review of the airport body scanner program. For more information, see EPIC: Whole Body Imaging Technology and EPIC v. DHS (Suspension of Body Scanner Program)."

    August 11, 2010
    * An Analysis of Private Browsing Modes in Modern Browsers

    An Analysis of Private Browsing Modes in Modern Browsers, by Gaurav Aggarwal and Elie Bursztein, Stanford University; Collin Jackson, CMU; Dan Boneh, Stanford University

  • "We study the security and privacy of private browsing modes recently added to all major browsers. We first propose a clean definition of the goals of private browsing and survey its implementation in different browsers. We conduct a measurement study to determine how often it is used and on what categories of sites. Our results suggest that private browsing is used differently from how it is marketed. We then describe an automated technique for testing the security of private browsing modes and report on a few weaknesses found in the Firefox browser. Finally, we show that many popular browser extensions and plugins undermine the security of private browsing. We propose and experiment with a workable policy that lets users safely run extensions in private browsing mode."
  • August 10, 2010
    * National Security Letter Recipient Can Speak Out For First Time Since FBI Demanded Customer Records From Him

    Follow up to previous postings on National Security Letters, this news release: "The FBI has partially lifted a gag it imposed on American Civil Liberties Union client Nicholas Merrill in 2004 that prevented him from disclosing to anyone that he received a national security letter (NSL) demanding private customer records. Merrill, who received the NSL as the president of an Internet service provider (ISP), can now reveal his identity and speak about his experience for the first time since receiving the NSL. The ACLU and New York Civil Liberties Union filed a lawsuit challenging the NSL statute and the gag order on behalf of Merrill (then called John Doe) in April 2004, which resulted in numerous court rulings finding the NSL statute unconstitutional. Merrill was the first person ever to challenge an NSL in court...NSLs are secret record demands the FBI issues to obtain access to personal customer records from ISPs, libraries, financial institutions and credit reporting agencies without court approval or even suspicion of wrongdoing. Because the FBI can gag NSL recipients to prohibit them from disclosing anything about the record demands they receive, the FBI's use and potential abuse of the NSL power has been shrouded in excessive secrecy. While the NSL served on Merrill stated that he was prohibited from telling anyone about it, he decided to challenge the demand in court because he believed that the FBI was ordering him to turn over constitutionally protected information about one of his clients. Because of the FBI-imposed gag, Merrill was prohibited from talking about the NSL or revealing his identity and role in the lawsuit until today, even though the FBI abandoned its demand for records from Merrill more than three years ago."

    * WSJ Graphic Examines Google's Widening Reach

    "Google, a company with vast pools of data about us, is moving into the world of highly targeted ads." See this graphic for details covering 1998 to present.

    August 09, 2010
    * Google and Verizon offer joint policy proposal for an open Internet

    Official Google Blog: "The original architects of the Internet got the big things right. By making the network open, they enabled the greatest exchange of ideas in history. By making the Internet scalable, they enabled explosive innovation in the infrastructure. It is imperative that we find ways to protect the future openness of the Internet and encourage the rapid deployment of broadband. Verizon and Google are pleased to discuss the principled compromise, Verizon-Google Legislative Framework Proposal, our companies have developed over the last year concerning the thorny issue of “network neutrality.”"

  • New York Times: Web Plan From Google and Verizon Is Criticized
  • August 07, 2010
    * CDT Comparison Chart on Current Privacy Bills

    "CDT submits the following chart as an addendum to the written testimony of Leslie Harris, President and Chief Executive Officer of the Center for Democracy and Technology before the House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection on The BEST PRACTICES Act of 2010 and Other Federal Privacy Legislation on July 22, 2010. The chart compares some of the key provisions in both bills, and issues CDT’s recommendations about the approach we believe privacy legislation should take."

  • Text of H.R. 5777, the BEST PRACTICES Act
  • Text of H.R. ___, a bill to require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.

    August 04, 2010
    * EPIC FOIA - Feds Save Thousands of Body Scan Images

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of individuals stripped naked. The 100 images are a small sample of more than 35,000 at issue in the EPIC lawsuit. EPIC has pursued a but the DHS refuses to release the images it has obtained. EPIC has also filed suit to stop the deployment of the machines in US airports. For more information, see EPIC Body Scanners and EPIC - EPIC v. DOJ (Marshall Service FOIA)."

    * Verizon 2010 Data Breach Investigations Report

    2010 Data Breach Investigations Report, A study conducted by the Verizon RISK Team in cooperation with the United States Secret Service

  • "In some ways, data breaches have a lot in common with fingerprints. Each is unique and we learn a great deal by analyzing the various patterns, lines, and contours that comprise each one. The main value of fingerprints, however, lies in their ability to identify a particular individual in particular circumstances. In this sense, studying them in bulk offers little additional benefit. On the other hand, the analysis of breaches in aggregate can be of great benefit; the more we study, the more prepared we are to stop them. Not surprisingly, the United States Secret Service (USSS) is also interested in studying and stopping data breaches. This was a driving force in their decision to join us in this 2010 Data Breach Investigations Report. They’ve increased the scope of what we’re able to study dramatically by including a few hundred of their own cases in the mix. Also included are two appendices from the USSS. One delves into online criminal communities and the other focuses on prosecuting cybercrime. We’re grateful for their contributions and believe organizations and individuals around the world will benefit from their efforts. With the addition of Verizon’s 2009 caseload and data contributed from the USSS, the DBIR series now spans six years, 900+ breaches, and over 900 million compromised records."
  • August 01, 2010
    * WSJ Investigation - The Web's New Gold Mine: Your Secrets

    The Web's New Gold Mine: Your Secrets - A Journal investigation finds that one of the fastest-growing businesses on the Internet is the business of spying on consumers. First in a series, by Julia Angwin: "The Journal conducted a comprehensive study that assesses and analyzes the broad array of cookies and other surveillance technology that companies are deploying on Internet users. It reveals that the tracking of consumers has grown both far more pervasive and far more intrusive than is realized by all but a handful of people in the vanguard of the industry.

    • The study found that the nation's 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning. A dozen sites each installed more than a hundred. The nonprofit Wikipedia installed none.
    • Tracking technology is getting smarter and more intrusive. Monitoring used to be limited mainly to "cookie" files that record websites people visit. But the Journal found new tools that scan in real time what people are doing on a Web page, then instantly assess location, income, shopping interests and even medical conditions. Some tools surreptitiously re-spawn themselves even after users try to delete them.
    • These profiles of individuals, constantly refreshed, are bought and sold on stock-market-like exchanges that have sprung up in the past 18 months."

    * Pew Research: Reputation Management and Social Media

    Pew Internet: Reputation Management and Social Media - How people monitor their identity and search for others online, by Mary Madden, Aaron Smith, May 26, 2010

  • "More than half (57%) of adult internet users say they have used a search engine to look up their name and see what information was available about them online, up from 47% who did so in 2006. Young adults, far from being indifferent about their digital footprints, are the most active online reputation managers in several dimensions. For example, more than two-thirds (71%) of social networking users ages 18-29 have changed the privacy settings on their profile to limit what they share with others online."
  • July 29, 2010
    * National Cyber Security Alliance launches Web portal for 2010 National Cyber Security Awareness Month

    News release: "The National Cyber Security Alliance (NCSA), a public-private partnership focused on educating a digital citizenry to stay safe and secure online, today launched its National Cyber Security Awareness Month Web portal with information on events, activities, promotions and educational materials to be used in preparation for the online safety month to be held in October. Anyone – family, employers, consumers, teachers, and students – interested in online safety is encouraged to access the portal, and all materials are free to use."

    * Commerce Dept. launches major inquiry into cyber challenges to the Internet economy

    [Federal Register: July 28, 2010 (Volume 75, Number 144)] [Notices][Page 44216-44223]: "The Department of Commerce's Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy. The Department seeks comments from all stakeholders, including the commercial, academic and civil society sectors, on measures to improve cybersecurity while sustaining innovation. Preserving innovation, as well as private sector and consumer confidence in the security of the Internet economy, are important for promoting economic prosperity and social well-being overall. In particular, the Department seeks to develop an up-to-date understanding of the current public policy and operational challenges affecting cybersecurity, as those challenges may shape the future direction of the Internet and its commercial use, both domestically and globally. After analyzing comments on this Notice, the Department intends to issue a report that will contribute to the Administration's domestic and international policies and activities in advancing both cybersecurity and the Internet economy."

  • "The Internet has become vitally important to U.S. innovation, prosperity, education, civic activity and cultural life as well as aspects of our national security. A top priority of the Department of Commerce is to ensure that the Internet remains an open and trusted infrastructure, both for commercial entities and individuals. In pursuit of this priority, the Department has created an Internet Policy Task Force whose mission is to identify leading policy challenges and to recommend possible solutions. The Task Force leverages expertise across many bureaus at the Department, including those responsible for cybersecurity standards and best practices, information and communications policy, international trade, intellectual property, business advocacy and export control. This Notice of Inquiry is one in a series of inquiries from the Task Force. Other reviews examine information privacy, global free flow of information on the Internet, and online copyright protection issues. The Task Force may explore additional areas in the future."
  • July 28, 2010
    * Wired Exclusive: Google, CIA Invest in ‘Future’ of Web Monitoring

    Exclusive - Google, CIA Invest in ‘Future’ of Web Monitoring, By Noah Shachtman, July 28, 2010: "The investment arms of the CIA and Google are both backing a company that monitors the web in real time — and says it uses that information to predict the future. The company is called Recorded Future, and it scours tens of thousands of websites, blogs and Twitter accounts to find the relationships between people, organizations, actions and incidents — both present and still-to-come. In a white paper, the company says its temporal analytics engine “goes beyond search” by “looking at the ‘invisible links’ between documents that talk about the same, or related, entities and events.” The idea is to figure out for each incident who was involved, where it happened and when it might go down. Recorded Future then plots that chatter, showing online “momentum” for any given event."

    July 24, 2010
    * FTC Testifies on Efforts to Protect Consumer Privacy

    News release: "The Federal Trade Commission testified [July 22, 2010] about FTC efforts to protect consumer privacy and commented on legislative proposals to improve privacy protections before the U.S. House Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce. The testimony presented by David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the FTC’s law enforcement actions to hold companies accountable for protecting consumer privacy, focusing on data security, identity theft, children’s privacy, and protecting consumers from intrusive spam, spyware, and telemarketing. The testimony noted that the FTC has brought 28 actions charging businesses with failing to protect consumers’ personal information and 15 actions charging website operators with collecting information from children without parents’ consent. The FTC also has brought 15 spyware cases and dozens of actions challenging illegal spam, including an action against a rogue Internet Service Provider that resulted in a temporary 30 percent drop in spam worldwide. Finally, the FTC has brought 64 actions alleging violations of the Do Not Call Rule, resulting in violators paying almost $40 million in civil penalties and giving up nearly $18 million, including consumer redress."

    July 23, 2010
    * 38 State AGs Now Investigating Google Street View

    Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, this news release: "Attorney General Richard Blumenthal today on behalf of the executive committee of a 38-state coalition asked Google whether it tested its Street View software before use -- which should have revealed that the program collected data transmitted over wireless computer networks. Google has acknowledged unauthorized collection of data -- possibly including emails, passwords, web browsing and other confidential information – but called it a mistake. In a letter to Google, Blumenthal also asks whether the company’s program was designed to collect random bits of information broadcast over wireless networks or download specific types of data and whether it has sold or otherwise used technical network information also collected."

    July 21, 2010
    * DHS Announces Dramatic Expansion of Airport Body Scanner Program

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "On July 20, 2010, the Department of Homeland Security announced a substantial change in the deployment of body scanners in US airports. According to the DHS Secretary, the devices, which had once been part of a pilot program for secondary screening, will now be deployed in 28 additional airports. The devices are designed to capture and store photographic images of naked air travelers. EPIC has filed an emergency motion in federal court, urging the suspension of the program and citing violations of several federal statutes and the Fourth Amendment. Public opposition to the program is also growing."

    July 20, 2010
    * EPIC Pursues Lawsuit Against Homeland Security, Urges Court to Suspend Body Scanner Program

    Follow up to previous postings on government implementation of whole body scanning technology at airports: "Today, EPIC filed a reply in its case against the Department of Homeland Security, EPIC v. DHS, 10-1157. EPIC had previously filed a petition and motion for emergency stay, asking the court to suspend the use of the machines. EPIC argued that the use of body scanners for primary screening in U.S. airports violates several federal laws and the Fourth Amendment. In its reply to the government's motion, EPIC also cited the growing public opposition to the program, the decision of major airports not to use body scanners, as well as the agency's failure to adequately address Constitutional concerns."

    July 19, 2010
    * Users can now track Metro SmarTrip travel online - just as their employers and law enforcement can do

    "Metro today announced an enhanced Web site on which customers can check the balance of their SmarTrip card, monitor any SmartBenefits activity through their employers, and review their usage over time, including on their iPhones and Blackberrys. Users can also report cards online as stolen, lost, cracked or malfunctioning, though they can't add to their balance from a credit card. The immediate reaction from normally-skeptical Metro riders seemed positive for the long-anticipated move. In April, Metro's board approved changes to its privacy policy to allow card owners to monitor activity on their cards - pieces of plastic that hold up to $300 in fares at a time, with many employers, including the federal government, reloading the cards with money each month. It's clear why privacy considerations were important: When I registered my own card with the site and logged on, it became apparent that the timestamped information linked to my SmarTrip was enough to reconstruct nearly all my movements around the region, since I rely almost entirely on Metrobus and Metrorail to get around, and even illustrate habits and routines."

    July 17, 2010
    * Hearing: Planning for the Future of Cyber Attack Attribution

    "EPIC Executive Director Marc Rotenberg testified [July 15, 2010] before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies."

    July 10, 2010
    * Pew Research: Millennials' Likely Lifelong Online Sharing Habit

    Millennials will make online sharing in networks a lifelong habit

  • "Tech experts generally believe that today’s tech-savvy young people – the ‘digital natives’ who are known for enthusiastically embracing social networking – will retain their willingness to share personal information online even as they get older and take on more responsibilities. Experts surveyed say that the advantages Millennials see in personal disclosure will outweigh their concerns about their privacy."
  • June 29, 2010
    * Presidential Memorandum: Unleashing the Wireless Broadband Revolution

    Unleashing the Wireless Broadband Revolution: "Expanded wireless broadband access will trigger the creation of innovative new businesses, provide cost-effective connections in rural areas, increase productivity, improve public safety, and allow for the development of mobile telemedicine, telework, distance learning, and other new applications that will transform Americans' lives. Spectrum and the new technologies it enables also are essential to the Federal Government, which relies on spectrum for important activities, such as emergency communications, national security, law enforcement, aviation, maritime, space communications, and numerous other Federal functions. Spectrum is also critical for many State, local, and tribal government functions. As the wireless broadband revolution unfolds, innovation can enable efficient and imaginative uses of spectrum to maintain and enhance the Government's capabilities. In order to achieve mobile wireless broadband's full potential, we need an environment where innovation thrives, and where new capabilities also are secure, trustworthy, and provide appropriate safeguards for users' privacy. These characteristics will continue to be important to the adoption of mobile wireless broadband."

  • White House Fact Sheet: Doubling the Amount of Commercial Spectrum to Unleash the Innovative Potential of Wireless Broadband
  • June 28, 2010
    * White House Launches Opt-Out Privacy Policy for Public Access to Government Web Sites

    EPIC: "The White House has announced a new "Clear Notice and Personal Choice" policy for the use of Web Measurement and Customization Technologies for government web sites. The policy is remarkable in that there does not appear to be any legal basis to allow federal agencies to routinely disclose personal information of citizens to private companies. The policy is accompanied by new Guidance for Agency Use of Third-Party Websites and Applications. The White House also announced a National Strategy for Trusted Identities in Cyberspace. EPIC had urged the White House to uphold Privacy Act obligations in use of web 2.0 services. For more information, see EPIC - Privacy and Government Contracts with Social Media Companies."

    June 27, 2010
    * Google Announces Encrypted Search URL Has Changed

    Follow up to Google Launches Encrypted Search in Beta, via the Official Google Enterprise Blog, the announcement that the company moved encrypted search from https://www.google.com to https://encrypted.google.com. "The site functions in the same way. However, if school network administrators decide to block encrypted searches on https://encrypted.google.com, the blocking will no longer affect Google authenticated services like Google Apps for Education."

    * Legislating Consumer Privacy Online & Off

    Legislating Consumer Privacy Online & Off: "Last month, Congressmen Rick Boucher and Cliff Stearns, respectively Chairman and Ranking Member of the House Subcommittee on Communications, Technology and the Internet, released a discussion draft of legislation "to assure the privacy of information about individuals both on the Internet and offline." This is the most significant movement in over half a decade to craft privacy rules for consumers in the digital age."

    June 26, 2010
    * OMB: New Guidance for Online Use of Web Measurement and Customization Technologies

    OMB Guidance for Online Use of Web Measurement and Customization Technologies, June 25, 2010, M-10-22

  • "As the Internet continues to evolve, the Federal Government has new opportunities to promote these commitments by engaging with citizens, explaining what Federal agencies are doing, seeking public comments, and improving the delivery of services. In the private sector, it has become standard for commercial websites to use web measurement and customization technologies to engage with members of the public. For government agencies, the potential benefits of web measurement and customization technologies are clear. With the help of such technologies, agencies will be able to allow users to customize their settings, avoid filling out duplicative information, and navigate websites more quickly and in a way that serves their interests and needs. These technologies will also allow agencies to see what is useful to the public and respond accordingly. Services to customers and users can be significantly improved as a result...This Memorandum establishes new procedures and provides updated guidance and requirements for agency use of web measurement and customization technologies. The central goal is to respect and safeguard the privacy of the American public while also increasing the Federal Government’s ability to serve the public by improving and modernizing its activities online. Any use of such technologies must be respectful of privacy, open, and transparent, and solely for the purposes of improving the Federal Government’s services and activities online."
    * The National Strategy for Trusted Identities in Cyberspace

    The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure."

  • National Strategy for Trusted Identities in Cyberspace - Creating Options for Enhanced Online Security and Privacy, June 25, 2010
  • June 24, 2010
    * FTC Takes Action Against Twitter, Social Network Service Settles Charges It Deceived Consumers

    Twitter Settles Charges that it Failed to Protect Consumers’ Personal Information; Company Will Establish Independently Audited Information Security Program: "Social networking service Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the agency’s first such case against a social networking service. The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others."

    * Privacy International: UK Police begin investigation into Google Wi-Fi grab

    Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, via Privacy International, "Crime reference number 2318672/10 was today issued by London's Metropolitan Police, marking the commencement of investigations into Google for alleged criminal interception of Wireless communications content. Privacy International, which brought the complaint, has been briefed by police on the likely path the investigation will take. In the first instance police will conduct initial inquiries into the essential facts of the case before deciding which (if any) law may have been breached. In this case PI has brought the action under two laws - the Regulation of Investigatory Powers Act and the Wireless Telegraphy Act. The police will need to seek advice on which legislation to focus on, as each involves a different prosecution process."

    June 19, 2010
    * French National Commission on Computing and Liberty: Google WiFi Snooping Captured Emails and Passwords

    Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, via EPIC: "The French National Commission on Computing and Liberty (CNIL) has released preliminary results (French) (English) of the Google Street View investigation in France. According to the CNIL, Google "saved passwords for access to mailboxes" and obtained content of electronic messages. The CNIL is pursuing the investigation to determine whether Google engaged in "unfair and unlawful collection of data" as well as "invasion of privacy and individual liberties." Investigations are now underway in at least 18 countries and five states in the US. EPIC has prepared a preliminary survey of Investigations of Google Street View."

    * More State AGs Launch Investigations into Google Street View

    Follow up to Several State Attorneys General Announce Probes of Google Wireless Data Collection, an update via EPIC: "Several state attorneys general have opened investigations of Google, following disclosures that the company captured and stored Wi-Fi data in addition to digital images. These states include Connecticut, Illinois, Massachusetts, Michigan, and Missouri. Maryland and New York are also reported to be pursuing investigations. Connecticut AG Richard Blumenthal described the "driveby data sweeps" of WiFi networks as "deeply disturbing, a potentially impermissible, pernicious invasion of privacy." In a subsequent statement, the Connecticut Attorney General said he will determine the legality of Google's WiFi collection practices. Earlier, EPIC sent a letter to the Federal Communications Commission urging the FCC to determine whether Google may have violated the Wiretap Act and the Communications Act. Google has since grounded its entire Street View fleet and ceased all WiFi data collection. For more information, see EPIC - Investigations of Google Street View."

    June 17, 2010
    * Supreme Court Rules Against Text Message Privacy, Permits Search of Public Employee's Pager

    EPIC: "The Supreme Court has issued a ruling in City of Ontario v. Quon, a case concerning the reasonableness of a search of a public employee's pager. EPIC filed a "friend of the court" brief in the case, arguing that data minimization practices should be followed for electronic searches, and that the search, which uncovered personal texts unrelated to the purpose of the search, was therefore unreasonable. EPIC urged the Supreme Court to apply the approach set out in Comprehensive Drug Testing v. United States, which allows a government agency to undertake appropriate searches without unnecessarily violating privacy interests. The Court ruled that the search was reasonable, reversing the Ninth Circuit's decision that such a search be conducted through the least intrusive means possible. For more information, see EPIC: City of Ontario v. Quon."

    June 16, 2010
    * Privacy International Launches System to Shed Light on Controversial Technologies

    EPIC: "International watchdog Privacy International has announced the launch of a new website for bringing transparency to "technical mysteries" behind controversial systems. Cracking the Black Box identifies key questions regarding mysterious technologies and asks experts, whistleblowers, and other concerned parties to "help crack the box" by anonymously contributing ideas and input. The organization responsible for the technology in question is then invited to provide an official response. The first two issues addressed on the PI site are the Google Wi-Fi controversy and the EU proposal to retain search data."

    June 15, 2010
    * Several State Attorneys General Announce Probes of Google Wireless Data Collection

  • News release: "Attorney General Richard Blumenthal is asking Google whether its “street view” cars collected personal information transmitted over wireless networks without permission while photographing Connecticut streets and homes. Google has acknowledged that “street view” cars in some locations have intercepted information from unsecured personal WIFI networks. In Europe, notably Ireland, Google admitted intercepting packets of data from unsecured WIFI networks. Private litigation alleges that Google also did so in the United States. Published reports say the captured, private online information may include general web browsing, passwords, personal emails and other data. Blumenthal wrote Google asking the company whether it gathered such data in Connecticut. If it did, the attorney general is demanding that the company tell his office how much and what kind of information it collected, when and where it did so, why, where the data is stored and other information."
  • News release: "Attorney General Chris Koster sent a letter to Google, asking the company to provide details on personal information it may have collected from Missourians in connection with Google's Street View Service. Recent media reports and admissions by the company indicate that as part of Google's effort to collect data for its mapping service Street View, the company may have gained access to residents' communications sent over public Wi-Fi networks."
  • New York Times: States Discuss Joint Probe of Google’s Data Collection
    June 14, 2010
    * EPIC Recommends Consumer Privacy Protections for California Smart Grid

    "In formal comments to the California Public Utility Commission, EPIC said that utility customers should control the use of personal information generated by Smart Grid services. EPIC warned that companies will otherwise use the data for purposes not related to electricity delivery, consumption management, or payment. EPIC urged the California Commission to include a requirement that limits the use of personal data by third party providers offering energy management services. The Commission acknowledged EPIC's March 2010 comments and EPIC's April 2010 comments in the proposed California Smart Grid plan. For more information, see EPIC Smart Grid."

    June 09, 2010
    * Google Posts Audit of WiFi Code Used to Collect Data in Europe

    Official Google Blog: "When we announced three weeks ago that we had mistakenly included code in our software that collected samples of payload data from WiFi networks, we said we would ask a third party to review the software at issue, how it worked, and what data it gathered. That report, by the security consulting firm Stroz Friedberg, is now complete and was sent to the interested data protection authorities today. In short, it confirms that Google did indeed collect and store payload data from unencrypted WiFi networks, but not from networks that were encrypted. You can read the report here. We are continuing to work with the relevant authorities to respond to their questions and concerns."

  • Privacy International: "Google today published an audit on its blog of the code used to collect Wi-Fi data as part of the company's global Street View operation. The report asserts that the system had intent to identify and store all unencrypted Wi-Fi content. This analysis establishes that Google did, beyond reasonable doubt, have intent to systematically intercept and record the content of communications and thus places the company at risk of criminal prosecution in almost all the 30 jurisdictions in which the system was used. The independent audit of the Google system shows that the system used for the Wi-Fi collection intentionally separated out unencrypted content (payload data) of communications and systematically wrote this data to hard drives. This is equivalent to placing a hard tap and a digital recorder onto a phone wire without consent or authorisation. The report states: "While running in memory, gslite permanently drops the bodies of all data traffic transmitted over encrypted wireless networks. The gslite program does write to a hard drive the bodies of wireless data packets from unencrypted networks." This means the code was written in such a way that encrypted data was separated out and dumped, leaving vulnerable unencrypted data to be stored on the Google hard drives. This action goes well beyond the "mistake" promoted by Google. It is a criminal act commissioned with intent to breach the privacy of communications. The communications law of nearly all countries permits the interception and recording of content of communications only if a police or judicial warrant is issued. All other interception is deemed unlawful."
    June 06, 2010
    * New Yorker: Julian Assange and WikiLeaks' mission for total transparency

    No Secrets, by Raffi Khatchadourian: "[Julian Paul] Assange is an international trafficker, of sorts. He and his colleagues collect documents and imagery that governments and other institutions regard as confidential and publish them on a Web site called WikiLeaks.org. Since it went online, three and a half years ago, the site has published an extensive catalogue of secret material, ranging from the Standard Operating Procedures at Camp Delta, in Guantánamo Bay, and the “Climategate” e-mails from the University of East Anglia, in England, to the contents of Sarah Palin’s private Yahoo account. The catalogue is especially remarkable because WikiLeaks is not quite an organization; it is better described as a media insurgency. It has no paid staff, no copiers, no desks, no office. Assange does not even have a home. He travels from country to country, staying with supporters, or friends of friends—as he once put it to me, “I’m living in airports these days.” He is the operation’s prime mover, and it is fair to say that WikiLeaks exists wherever he does. At the same time, hundreds of volunteers from around the world help maintain the Web site’s complicated infrastructure; many participate in small ways, and between three and five people dedicate themselves to it full time. Key members are known only by initials—M, for instance—even deep within WikiLeaks, where communications are conducted by encrypted online chat services. The secretiveness stems from the belief that a populist intelligence operation with virtually no resources, designed to publicize information that powerful institutions do not want public, will have serious adversaries."

  • Wired: U.S. Intelligence Analyst Arrested in Wikileaks Video Probe
    May 30, 2010
    * EU data protection group says Google, Microsoft and Yahoo! do not comply with data protection rules

    Article 29 Data Protection Working Party Press Release, Brussels, 26 May 2010: EU data protection group says Google, Microsoft and Yahoo! do not comply with data protection rules

  • "The Article 29 Data Protection Working Party, a group of European data protection authorities, today told the three major search engine operators – Google, Yahoo! and Microsoft – that their methods of making users’ search data anonymous still do not comply with the European Union’s Data Protection Directive 95/46/EC. The Article 29 Working Party recognises the search engines’ efforts to bring their policies in line with European data protection legislation. However, in letters sent to the companies, the Working Party urges them to use an outside auditor to verify their commitments to make users’ internet search data truly anonymous."
    May 26, 2010
    * House Energy and Commerce Committee Sends Letter to Google About Gathering Data Sent over Private Wi-Fi Networks

    News release: "Today, Chairman Henry A. Waxman, Subcommittee Chairman Ed Markey, and Ranking Member Joe Barton sent a letter to Eric Schmidt, Chairman & CEO of Google, regarding recent reports of data collection over private Wi-Fi networks in conjunction with Google's Street View product. The Committee is concerned about the accuracy and completeness of Google's public explanations and requests information regarding the nature and use of the private data collected, the underlying technology of the Street View vehicle fleet, and the impact on consumer privacy."

    May 23, 2010
    * Google Launches Encrypted Search in Beta

    "With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience. To use search over SSL, visit https://www.google.com each time you perform a search. Note that only Google web search is available over SSL, so other search products like Google Images and Google Maps are not currently available over SSL. When you're searching over SSL, these properties may not appear in the left panel."

    * CBS News: Digital Photocopiers Loaded With Secrets

    Your Office Copy Machine Might Digitally Store Thousands of Documents That Get Passed on at Resale

  • "At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports almost every one of them holds a secret. Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine. In the process, it's turned an office staple into a digital time-bomb packed with highly-personal or sensitive data. If you're in the identity theft business it seems this would be a pot of gold. "The type of information we see on these machines with the social security numbers, birth certificates, bank records, income tax forms," John Juntunen said, "that information would be very valuable." Juntunen's Sacramento-based company Digital Copier Security developed software called "INFOSWEEP" that can scrub all the data on hard drives. He's been trying to warn people about the potential risk - with no luck."
    May 09, 2010
    * Senate Unanimously Passes Faster FOIA Act

    EPIC: "The Senate unanimously passed the Faster FOIA Act of 2010, introduced by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), that will establish a 16-member commission to determine methods for reducing delays in processing FOIA requests. Government reports reveal substantial delays in disclosing records subject to the open government law. The legislation seeks to improve the processing of FOIA requests. EPIC frequently uses the FOIA to obtain information about government programs that impact privacy rights."

    May 03, 2010
    * Study: Economic Impact of Privacy on Online Behavioral Advertising

    BusinessWire: "A new study of 90 organizations actively engaged in online marketing concludes that in spite of an acknowledged return on investment, hundreds of millions of dollars are being held back from online behavioral advertising (OBA) over concerns that a lack of consumer trust in the practice could damage brand reputation. The study, Economic Impact of Privacy on Online Behavioral Advertising, conducted independently by the Ponemon Institute, found that although 70 percent of companies agreed that behaviorally targeted advertising substantially increases marketing and sales performance, and in spite of an overall favorable return, most companies surveyed have limited their online advertising budgets over privacy concerns. In fact, extrapolated results suggest that budgets would be as much as four times higher if not for these concerns. Among the study’s noteworthy results:
  • 98 percent of companies surveyed said they have restricted OBA because of privacy concerns;
  • 63 percent of companies surveyed rated OBA as their most effective form of marketing; and,
  • Overall, companies surveyed reported under-spending on OBA budgets by 75 percent due to privacy concerns.
  • For the 90 companies benchmarked, the total amount not spent on OBA was $604.9 million."
    * U.S. Courts: More States Report Wiretap Activity

    News release: "A total of 2,376 federal and state applications for orders authorizing the interception of wire, oral or electronic communications, known as wiretaps, was reported in 2009. The number of applications for orders by federal authorities was 663; the number of applications reported by state prosecuting officials was 1,713. No applications were denied. The Omnibus Crime Control and Safe Streets Act of 1968 requires the Administrative Office of the U.S. Courts to report to Congress the number and nature of federal and state applications for wiretap orders. The 2009 Wiretap Report covers intercepts concluded between January 1, 2009 and December 31, 2009."

    April 26, 2010
    * FY 2010 Reporting Instructions for Federal Information Security Management Act and Agency Privacy Management

    EPIC: "A new White House memo sets out the Federal Information Security Management Act of 2002 (FISMA) standards for federal agencies. All agencies must comply with the FISMA standard and report security practices for information under agency control. The standard also extends obligations to agency contractors. By November 15, 2010, all agencies must be capable of monitoring all information traffic on their networks; and make reports to CyberScope, a platform launched last year to provide a single government-wide security management tool for FISMA reports. The Memorandum included requirements to respond to breaches of personal information. Agency Inspectors General will provide oversight of agency FISMA compliance."

    * Report highlights commonalities between airport baggage screening and medical image searches

    Generalized ‘satisfaction of search’: Adverse influences on dual-target search accuracy - Mathias S. Fleck, Ehsan Samei, and Stephen R. Mitroff, Department of Psychology & Neuroscience, Center for Cognitive Neuroscience, Duke University, Carl E. Ravin Advanced Imaging Laboratories, Department of Radiology, Duke University Medical Center

  • "The successful detection of a target in a radiological search can reduce the detectability of a second target, a phenomenon termed “satisfaction of search” (SOS). Given the potential consequences, here we investigate the generality of SOS with the goal of simultaneously informing radiology, cognitive psychology, and non-medical searches such as airport luggage screening. Ten experiments utilizing non-medical searches and untrained searchers suggest SOS is affected by a diverse array of factors, including: (1) the relative frequency of different target types, (2) external pressures (reward and time), and (3) expectations about the number of targets present. Collectively, these experiments indicate that SOS arises when searchers have a biased expectation about the low likelihood of specific targets or events, and when they are under pressure to perform efficiently. This first demonstration of SOS outside of radiology implicates a general heuristic applicable to many kinds of searches. In an example like airport luggage screening, the current data suggest that the detection of an easy-to-spot target (e.g., a water bottle) might reduce detection of a hard-to-spot target (e.g., a box cutter)."
  • Related postings on government implementation of whole body scanning technology at airports
    April 25, 2010
    * Commerce Internet Policy Task Force Nexus Between Privacy Policy and Innovation in Internet Economy

    "The Department of Commerce’s Internet Policy Task Force is conducting a comprehensive review of the nexus between privacy policy and innovation in the Internet economy. The Department seeks public comment from all Internet stakeholders, including the commercial, academic and civil society sectors, on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy... The Department has launched the Privacy and Innovation Initiative to identify policies that will enhance: (1) The clarity, transparency, scalability and flexibility needed to foster innovation in the information economy; (2) the public confidence necessary for full citizen participation with the Internet; and (3) uphold fundamental democratic values essential to the functioning of a free market and a free society."

    April 21, 2010
    * Coalition Petitions Homeland Security to Suspend Airport Body Scanners

    Follow up to previous postings on government implementation of whole body scanning technology at airports, this news release: "EPIC and a broad coalition of organizations sent a formal petition to the Department of Homeland Security to demand that the agency suspend the airport body scanner program. The petition states that the "uniquely intrusive search" is unreasonable and violates the Constitution. The petition further states the program fails to comply with several federal laws, including the Religious Freedom Restoration Act, the Privacy Act of 1974, and the Administrative Procedures Act. The petitioners also argue that the machines are ineffective and that there are better, less costly security technologies. The petitioners contend that the TSA has routinely misled the public about the ability of the devices to store and transmit detailed images of travelers' naked bodies. In a Freedom of Information Act lawsuit, EPIC has already obtained technical documents, vendor contracts, and hundreds of traveler complaints."

    April 20, 2010
    * Pew Internet Study: Teens and Mobile Phones

    Teens and Mobile Phones - Text messaging explodes as teens embrace it as the centerpiece of their communication strategies with friends, April 20, 2010

  • "Daily text messaging among American teens has shot up in the past 18 months, from 38% of teens texting friends daily in February of 2008 to 54% of teens texting daily in September 2009. And it's not just frequency – teens are sending enormous quantities of text messages a day. Half of teens send 50 or more text messages a day, or 1,500 texts a month, and one in three send more than 100 texts a day, or more than 3,000 texts a month. Older teen girls ages 14-17 lead the charge on text messaging, averaging 100 messages a day for the entire cohort. The youngest teen boys are the most resistant to texting – averaging 20 messages per day. Text messaging has become the primary way that teens reach their friends, surpassing face-to-face contact, email, instant messaging and voice calling as the go-to daily communication tool for this age group. However, voice calling is still the preferred mode for reaching parents for most teens."
  • See also via EPIC: "The U.S. Supreme Court held arguments in City of Ontario v. Quon. The Court will determine whether a government employer can review the contents of private text messages sent from an employee's pager through a private communications company. EPIC filed a "friend of the court" brief arguing that data minimization practices should be applied to public sector searches and that the search was therefore unreasonable."
    April 19, 2010
    * NYT: Cyberattack on Google Said to Hit Password System

    Follow up to Google Announces "A new approach to China", from the New York Times: "Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s web services, including e-mail and business applications."

    * Federal Regulators Release Model Consumer Privacy Notice Online Form Builder

    News release: "Eight federal regulators released an Online Form Builder today that financial institutions can download and use to develop and print customized versions of a model consumer privacy notice. The Online Form Builder, based on the model form regulation published in the Federal Register on December 1, 2009, under the Gramm-Leach-Bliley Act, is available with several options. Easy-to-follow instructions for the form builder will guide an institution to select the version of the model form that fits its practices, such as whether the institution provides an opt-out for consumers. To obtain a legal "safe harbor" and so satisfy the law's disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder."

    April 18, 2010
    * How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?

    Hoofnagle, Chris Jay, King, Jennifer, Li, Su and Turow, Joseph, How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies? (April 14, 2010). Available at SSRN: http://ssrn.com/abstract=1589864

  • "Media reports teem with stories of young people posting salacious photos online, writing about alcohol-fueled misdeeds on social networking sites, and publicizing other ill-considered escapades that may haunt them in the future. These anecdotes are interpreted as representing a generation-wide shift in attitude toward information privacy. Many commentators therefore claim that young people “are less concerned with maintaining privacy than older people are.” Surprisingly, though, few empirical investigations have explored the privacy attitudes of young adults. This report is among the first quantitative studies evaluating young adults’ attitudes. It demonstrates that the picture is more nuanced than portrayed in the popular media. In this telephonic (wireline and wireless) survey of internet using Americans (N=1000), we found that large percentages of young adults (those 18-24 years) are in harmony with older Americans regarding concerns about online privacy, norms, and policy suggestions. In several cases, there are no statistically significant differences between young adults and older age categories on these topics. Where there were differences, over half of the young adult-respondents did answer in the direction of older adults. There clearly is social significance in that large numbers of young adults agree with older Americans on issues of information privacy. A gap in privacy knowledge provides one explanation for the apparent license with which the young behave online. 42 percent of young Americans answered all of our five online privacy questions incorrectly. 88 percent answered only two or fewer correctly. The problem is even more pronounced when presented with offline privacy issues – post hoc analysis showed that young Americans were more likely to answer no questions correctly than any other age group. We conclude then that young-adult Americans have an aspiration for increased privacy even while they participate in an online reality that is optimized to increase their revelation of personal data."
    April 14, 2010
    * EFF, Yahoo and Google Argue for Fourth Amendment Protection of Email

    News release: "The Electronic Frontier Foundation (EFF) along with Google and numerous other public interest organizations and Internet industry associations joined with Yahoo! in asking a federal court Tuesday to block a government attempt to access the contents of a Yahoo! email account without a search warrant based on probable cause. The Department of Justice is seeking the emails as part of a case that is under seal, and the account holder has apparently not been notified of the request. Government investigators maintain that because the Yahoo! email has been accessed by the user, it is no longer in "electronic storage" under the Stored Communications Act (SCA) and therefore does not require a warrant, even though that same legal theory has been flatly rejected by the one Circuit Court to address it. Yahoo! is challenging the government request before a federal magistrate judge in Denver, arguing that the SCA and Fourth Amendment require the government to get a search warrant before compelling Yahoo! to disclose the email. In an amicus brief filed in support of Yahoo! Tuesday, EFF says that the company is simply following the law and protecting the constitutional privacy rights of its customers."

    April 13, 2010
    * Most Americans Willing to Sacrifice Some Privacy to Enhance Safe Air Travel, According to Latest Unisys Security Index

    Follow up to previous postings on government implementation of whole body scanning technology at airports, this news release: "Ninety-three percent of Americans said they are willing to sacrifice some level of privacy to increase safety when traveling by air, according to research conducted in January and February by Unisys Corporation (NYSE: UIS). Nearly two-thirds of Americans (65%) said they are willing to cooperate with full electronic body scans at the airport, and more than half (57%) would be willing to submit to identity checks using biometric data such as iris scans or fingerprints. Nearly three quarters of Americans (72%) said they are willing to provide personal data in advance of air travel to increase security. The findings, part of the latest bi-annual Unisys Security Index, illustrate that recent events such as the attempted Christmas Day airline bombing may have made security a priority for air travelers. A clear majority of citizens in nearly every country surveyed said they would be willing to forgo privacy to increase air travel security. For example, 90% of citizens in the United Kingdom and 70% of Australians said they would submit to electronic body scans."

    April 12, 2010
    * NIST: Guide to Protecting the Confidentiality of Personally Identifiable Information

    NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, Erika McCallister, Tim Grance, Karen Scarfone, April 2010.

  • "The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization's legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII. To effectively protect PII, organizations should implement the following recommendations."
    April 11, 2010
    * No EU-US Agreement on Transfer of EU Financial Data to US or Deployment of Airport Body Scanners

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "A meeting between top United States counter-terrorism officials and European counterparts ended in Madrid today with no agreement to restart a program that gave the US access to European financial data. The Terrorist Finance Tracking Program operated in secret from 2001 to 2006. European legislators objected to the program as a violation of EU privacy law. There also appeared to be no EU support for the further deployment of body scanners in European airports. EPIC has raised several objections to the body scanner program, including a letter with Ralph Nader to the administration, Congressional Testimony, and open government litigation, which revealed that the devices store and record images."

    * Utilities Telecom Council Smart Grid Conference

    "Smart Grid policies that maximize the benefits to consumers need to encompass more than just the electric or telecom sectors policies. The purpose of the Summit is to create a forum to align policies for energy, telecommunication, the environment and the economy, and fulfill the promises of smart grid deployments. The Summit brings together dozens of representatives from a wide variety of policy communities including: state and federal legislative, regulatory and administrative agencies, labor, consumers, and representatives from the major energy and smart grid associations. In this first of its kind multiple-policy, multiple-community Summit, the UTC intends to provide a forum for this next level of policy development..."

  • Smart Grid Summit, Privacy Perspective on Protecting the Grid and Consumer Data, Lillie Coney, Associate Director Electronic Privacy Information Center (EPIC)
    April 08, 2010
    * Three Groups Urge FTC to Investigate “Wild West” of Online Data Collection

    News release: "Three consumer protection organizations on Thursday filed a complaint with the Federal Trade Commission (FTC), demanding the commission investigate growing privacy threats in the “Wild West” online. The U.S. Public Interest Research Group, the Center for Digital Democracy and the World Privacy Forum challenged the commission to investigate the growing privacy threats to consumers from the practices conducted by the real-time data-targeting auction and exchange online marketplace. Increasingly and largely unknown to the public, technologies enabling the real-time profiling, targeting, and auctioning of consumers is becoming commonplace. Adding to the privacy threat, explains the new complaint, is the incorporation and expanding role of an array of outside data sources for sale online that provide detailed information on a consumer."

    April 04, 2010
    * Gizmodo: How to Completely Erase Your Hard Drives, SSDs and Thumb Drives

    Follow up to postings on security issues and erasing hard drives, from Gizmodo, a detailed article with accompanying screen shots and product references: "With stories abounding of identity theft aided by information lifted from discarded storage devices, you want devices you no longer plan to use to have no usable information when they head out the door. Here's how to wipe them clean...When you erase/delete a file from your computer, it's not really gone until the areas of the disk it used are overwritten by new information. If you use the normal Windows delete function, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files. If you use Shift-Delete to bypass the Recycle Bin, the space occupied by the file is marked as available for other files. However, the file could be recovered days or even weeks later with third-party data recovery software. As long as the operating system does not reuse the space occupied by a file with another file, the "deleted" file can be recovered."

    April 02, 2010
    * DHS Announces New Measures to Strengthen Aviation Security

    News release: "Department of Homeland Security (DHS) Secretary Janet Napolitano today announced that the Transportation Security Administration (TSA) will begin implementing new enhanced security measures for all air carriers with international flights to the United States to strengthen the safety and security of all passengers—superseding the emergency measures put in place immediately following the attempted terrorist attack on Dec. 25, 2009...Secretary Napolitano also commended today’s release of the Surface Transportation Security Priority Assessment as another important step in efforts to protect the nation’s traveling public from acts of terrorism—conducted by the Obama administration in its first year as a thorough review of the nation’s surface transportation security efforts, which cover mass transit, commuter and long-distance passenger rail, freight rail, commercial vehicles and pipelines."

    April 01, 2010
    * EPIC: TSA Concedes Body Scanners Store and Record Images

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "In response to a Congressional inquiry, led by Congressman Bennie Thompson, the Transportation Security Agency acknowledged that images on body scanner machines would be recorded for "testing, training, and evaluation purposes." The TSA also did not dispute that test mode could be activated in airports, but said this "would" not happen. As part of an ongoing lawsuit, EPIC had previously obtained TSA documents describing the machines' capabilities to store and transmit detailed images of travelers' naked bodies."

  • Homeland Security Blog: "TSA's deployment of new screening technology known as AIT. Public discussion and debate is good, and we at TSA have worked hard to inform, educate and adjust our screening protocols in the interests of security, efficiency, safety and privacy. Our FY 2011 budget request includes $573 million to purchase 500 Advanced Imaging Technology (AIT) units and to operationally staff, operate and maintain 1,000 units, which includes the 500 units we are deploying now. This is indeed an important investment decision and not something we take lightly. We don't take the threats we're facing lightly either."

    * OnGuardOnline.gov Off to a Fast Start with Online Child Safety Campaign

    News release: "The Federal Trade Commission today reported to Congress that it is getting the word out about Internet safety for children by aggressively promoting a new booklet, Net Cetera: Chatting with Kids About Being Online, to schools, police and sheriff’s departments, and PTAs nationwide. Net Cetera explains to parents and their children how to deal with issues such as social networking, cyberbullying, using mobile phones safely, and protecting the family computer from badware. The booklet is practical, plain-language, and value-neutral, so all parents – regardless of whether they are technologically savvy – can use it to help their kids make better decisions about online behavior. It is the most recent addition to the OnGuardOnline.gov consumer education campaign, which helps people guard against Internet fraud, secure their computers, and protect their privacy."

    March 31, 2010
    * Court Rejects Government's Executive Power Claims and Rules That Warrantless Wiretapping Violated Law

    Follow up to previous postings on the Domestic Surveillance Program, via EFF, Kevin Bankston: "Today, Chief Judge Vaughn Walker of the federal district court in San Francisco found that the government illegally wiretapped an Islamic charity's phone calls in 2004, granting summary judgment for the plaintiffs in Al-Haramain Islamic Foundation v. Obama. The court held the government liable for violating the Foreign Intelligence Surveillance Act (FISA). Today's order is the first decision since ACLU v. NSA to hold that warrantless wiretapping by the National Security Agency was illegal. The decision in ACLU v. NSA was overturned on other grounds in 2007, and the focus of the government's litigation strategy since then has been to avoid having any court rule on the merits of the issue. The court's thorough decision is a strong rebuke to the government's argument that only the Executive Branch may determine if a case against the government can proceed in the courts, by invoking state secrets. The Obama Administration adopted this "state secrets privilege" theory from the Bush Administration's legal positions in this and other warrantless wiretapping cases."

    * Report - The One-Way-Mirror Society: Privacy Implications of the New Digital Signage Networks

    World Privacy Forum: "New forms of sophisticated digital signage networks are being deployed widely by retailers and others in both public and private spaces. From simple people-counting sensors mounted on doorways to sophisticated facial recognition cameras mounted in flat video screens and end-cap displays, digital signage technologies are gathering increasing amounts of detailed information about consumers, their behaviors, and their characteristics, like age, gender, and ethnicity. These technologies are quickly becoming ubiquitous in the offline world, and there is little if any disclosure to consumers that information about behavioral and personal characteristics is being collected and analyzed to create highly targeted advertisements, among other things. Few if any consumers expect that the video screen they are watching, the kiosk they are typing on, or the game billboard they are interacting with is watching them back while gathering images of them and behavioral information. This is creating a one-way-mirror society with no notice or opportunity for consumers to consent to being monitored in retail, public, and other spaces or to consent to having their behavior analyzed for marketing and profit. The privacy problems inherent in digital networks are profound, and to date these issues have not been adequately addressed by anyone. This report by the World Privacy Forum seeks to shed light in a dark area and to start a more robust public debate. In addition to the report, the WPF has released with a group of the nation's leading consumer groups a set of privacy principles to be used in digital signage networks."

  • The One-Way-Mirror Society, Privacy Implications of the new Digital Signage Networks, by Pam Dixon, January 27, 2010

    March 30, 2010
    * Advocacy Groups, Companies Call for an Update of the Privacy Framework for Law Enforcement Access to Digital Information

    News release: "A broad coalition of privacy groups, think tanks, technology companies and academics today issued principles for updating the key federal law that defines the rules for government access to email and private files stored in the Internet “cloud.” The coalition cited the need to preserve traditional privacy rights in the face of technological change while also ensuring that law enforcement agents can carry out investigations and that industry has the clarity needed to innovate. To set a consistent standard in line with the traditional rules for law enforcement access in the offline world, the group’s recommendations focus on the Electronic Communications Privacy Act (ECPA). Passed in 1986 and not significantly updated since, it establishes standards for government access to email and other electronic communications in criminal investigations."

  • The group’s principles are detailed here: "... Customers are, at best, confused about the security of their data in response to an access request from law enforcement. Companies are uncertain of their responsibilities and unable to assure their customers that subscriber data will be uniformly protected. The current state of the law does not well serve law enforcement interests either as resources are wasted on litigation over applicable standards, and prosecutions are in jeopardy should the courts ultimately rule on the Constitutional questions. The solution is a clear set of rules for law enforcement access that will safeguard end-user privacy, provide clarity for service providers, and enable law enforcement officials to conduct effective and efficient investigations."

    * New Jersey Supreme Court Rules in Favor of Employee Email Privacy

    EPIC: "The New Jersey Supreme Court ruled in favor of a female employee whose employer read emails that she sent while using Yahoo Mail on a company-owned laptop. The employee, Marina Stengart, had exchanged emails with her attorney regarding a possible discrimination lawsuit against the employer. The employer then pulled the emails off of the laptop's hard drive and used them to prepare a defense to the discrimination suit. The New Jersey Supreme Court found that "Under the circumstances, Stengart could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them." The Supreme Court of the United States is set to consider employee privacy in City of Ontario v. Quon, in which EPIC submitted a "friend of the court" brief."

    March 29, 2010
    * Identity Theft Resource Center - 2010 Breaches Occurring at Record Level

    Although many organizations do not report breaches on a timely basis, or, in many instances, at all, the most recent Identity Theft Resource Center report shows that data protection remains a critical issue for organizations, especially in financial services.

    March 26, 2010
    * Leader of Hacking Ring Sentenced for Massive Identity Thefts from Payment Processor and U.S. Retail Networks

    Follow up to Major International Hacker Pleads Guilty For Massive Attack On U.S. Retail And Banking Networks, this DOJ news release: "The leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government has been sentenced to 20 years and one day in prison for his role in a series of hacks into a major payment processor and several retail networks, announced Assistant Attorney General for the Criminal Division Lanny A. Breuer; U.S. Attorney for the District of Massachusetts Carmen Milagros Ortiz; U.S. Attorney for the Eastern District of New York Benton J. Campbell; U.S. Attorney for the District of New Jersey Paul J. Fishman; and Director of the U.S. Secret Service Mark Sullivan."

    * New Application Can Monitor Employee Use of Social Networks

    News release: "Social Sentry provides corporations the ability to monitor the social networking communications of their employees. Delivered as an easy to deploy SaaS offering, Social Sentry enables businesses to monitor employee activity on all major social networks such as Facebook and Twitter. It provides granular and real-time tracking to eliminate significant corporate risks related to: Compliance issues; Leakage of sensitive information; HR issues; Legal exposure; Brand damage; Financial impact."

    March 24, 2010
    * Opposition to Proposed Worker Biometric ID Under Consideration in US

    EPIC: "Senators Charles Schumer and Lindsey Graham have proposed a new national identity card. The Senators would require that "all U.S. citizens and legal immigrants who want jobs" obtain a "high-tech, fraud-proof Social Security card" with a unique biometric identifier. The card, they say, would not contain private information, medical information, or tracking techniques, and the biometric identifiers would not be stored in a government database. EPIC has testified in Congress and commented to federal agencies on the privacy and security risks associated with national identification systems and biometric identifiers."

    March 18, 2010
    * EPIC Recommends That Congress Suspend Body Scanning Program

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "In testimony before the House Committee on Homeland Security, EPIC President Marc Rotenberg urged Congress to halt the plan to deploy body scanners in the nation's airports. "Based on the documents we've obtained, the views of experts, the concerns of Americans, and the extraordinary cost, Congress should suspend the program," said Mr. Rotenberg. In a recent letter to President Obama, EPIC and Ralph Nader recommended an independent review to assess health impacts, privacy safeguards, and the actual effectiveness of the devices. Through FOIA litigation, EPIC has obtained technical specifications, vendor contracts, and hundreds of complaints from US air travelers about the body scanners. A recent report from the GAO has also raised questions about the effectiveness and cost of the devices."

    March 09, 2010
    * CRS — Satellite Surveillance: Domestic Issues

    Satellite Surveillance: Domestic Issues, Richard A. Best Jr., Specialist in National Defense, and Jennifer K. Elsea, Legislative Attorney, February 1, 2010

  • "This report provides background on the development of intelligence satellites and identifies the roles various agencies play in their management and use. Issues surrounding the current policy and proposed changes are discussed, including the findings of an Independent Study Group (ISG) with respect to the increased sharing of satellite intelligence data. There follows a discussion of legal considerations, including whether satellite reconnaissance might constitute a “search” within the meaning of the Fourth Amendment; an overview of statutory authorities, as well as restrictions that might apply; and a brief description of executive branch authorities and Department of Defense directives that might apply. The report concludes by discussing policy issues Congress may consider as it deliberates the potential advantages and pitfalls that may be encountered in expanding the role of satellite intelligence for homeland security purposes."

    * FinCEN Provides Anti-Fraud Information for 12th Annual National Consumer Protection Week

    News release: "FinCEN joins with other Federal, State and Local government agencies and consumer protection organizations to recognize the 12th Annual National Consumer Protection Week (NCPW), March 7-13. This coordinated consumer education campaign encourages individuals across the country to take full advantage of their consumer rights. FinCEN provides a number of special resources to educate consumers, and the financial institutions that serve them, of potential fraud and scam attempts. FinCEN's rules help consumers by requiring financial institutions to be on the alert for illicit activity. Requirements that a financial institution know its customers can help both to provide better customer service and to prevent that customer from becoming a victim of fraud."

  • Information and "Red Flags" on Mortgage Fraud, Foreclosure Rescue Scams, and Insurance Products: http://www.fincen.gov/foreclosurerescue.html, and http://www.fincen.gov/mortgagefraud.html

    March 08, 2010
    * EPIC v. DHS: EPIC Obtains Complaints About Airport Body Scanners

    Follow up to previous postings on government implementation of whole body scanning technology at airports - "In response to an EPIC Freedom of Information Act lawsuit, the Department of Homeland Security and the Transportation Security Administration (TSA) released more documents about body scanners in US airports. The documents include many complaints from travelers who went through the devices. Travelers reported that they were not told about the pat down alternative or that they were going to be subject to a body scan by TSA officials. Travelers also expressed concern about radiation risks to pregnant women and the image capture of young children without clothes. EPIC has previously obtained whole body imaging vendor contracts, operational requirements, and procurement specifications from TSA. EPIC and Ralph Nader have urged President Obama to suspend the program until an independent review is completed."

    March 04, 2010
    * Declassified Version of U.S. Cybersecurity Plan Released by White House

    The Comprehensive National Cybersecurity Initiative: "President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure. In May 2009, the President accepted the recommendations of the resulting Cyberspace Policy Review, including the selection of an Executive Branch Cybersecurity Coordinator who will have regular access to the President. The Executive Branch was also directed to work closely with all key players in U.S. cybersecurity, including state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents; strengthen public/private partnerships to find technology solutions that ensure U.S. security and prosperity; invest in the cutting-edge research and development necessary for the innovation and discovery to meet the digital challenges of our time; and begin a campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms and begin to build the digital workforce of the 21st century. Finally, the President directed that these activities be conducted in a way that is consistent with ensuring the privacy rights and civil liberties guaranteed in the Constitution and cherished by all Americans."

    March 03, 2010
    * FTC, Partners Launch 12th National Consumer Protection Week

    News release: "The Federal Trade Commission and other government agencies and national consumer groups are sponsoring the 12th annual National Consumer Protection Week from March 7-13, 2010. The event is a coordinated consumer education campaign that encourages individuals across the country to take full advantage of their consumer rights. This year’s theme, Dollars & Sense: Rated “A” for All Ages, highlights the importance of using good consumer sense at every stage of life, from grade school to retirement. In keeping with the theme, the consumer education campaign features a Web site with a page for kids and parents, as well as games, videos, and links to other Web sites that teach practical lessons about the role of business and government in everyday life. The site, www.consumer.gov/ncpw, provides information that encourages people to take full advantage of their consumer rights, and promotes free resources to help people protect their privacy, manage money and debt, avoid identity theft, understand credit and mortgages, and steer clear of frauds and scams."

    March 01, 2010
    * GAO Calls for Further Analysis Before Deploying Whole Body Imaging Machines

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Government Accountability Office (GAO) recently released a report regarding the deployment of body scanners. The GAO cited its 2009 recommendations to the Transportation Security Administration (TSA): that the TSA conduct operational tests to ensure that the whole body imaging machines are reliable, and that TSA conduct an assessment of the whole body imaging machines' vulnerabilities. In its latest report, the GAO warned TSA of the importance of full operational tests, citing the puffer machine debacle as an example of the government waste that results from insufficient operational testing. The GAO also expressed concern over TSA's lack of complete risk assessments and inability to "provide documentation to show how they have addressed the concerns raised in the 2009 GAO report regarding the susceptibility of the technology to terrorist tactics." Because of this, the GAO concluded that it is unclear whether the body scanners or other technologies would have detected the weapon used in the December 25 attempted attack."

    February 28, 2010
    * Study Ranks Top 20 Companies for Privacy in 2010, Facebook Drops Off List

    EPIC: "Ponemon Institute released its annual study identifying the top twenty companies that are most trusted for privacy. American Express was ranked first, earning the Most Trusted for Privacy distinction for the fifth year in a row. Facebook suffered several privacy missteps over the last year, including a recent change in privacy settings at the end of 2009, and as a result, failed to make the 2010 list. Google, however, returned to the Top 20, ranked at 13. The survey also produced significant findings regarding consumer attitudes towards privacy, including the finding that consumers feel they are losing control over their personal information. Further, the responses revealed that consumers’ fear of identity theft is the main factor for brand trust diminishment, while a company’s implementation of privacy features contribute to brand trust. Other significant positive factors were limits on the collection of personal information and online anonymity."

    February 24, 2010
    * Hearing: The Collection and Use of Location Information for Commercial Purposes

    "The Subcommittee on Commerce, Trade, and Consumer Protection and the Subcommittee on Communications, Technology, and the Internet held a joint hearing titled, The Collection and Use of Location Information for Commercial Purposes, on Wednesday, February 24, 2010, in 2141 Rayburn House Office Building. The hearing examined privacy and other issues related to the commercial collection, use, and sharing of location-based information."

    February 18, 2010
    * NetWitness Discovers Massive ZeuS Compromise

    News release: "NetWitness, the world leader in advanced persistent threat detection and real-time network forensics, announced today that its analysts have discovered a dangerous new ZeuS botnet affecting 75,000 systems in 2,500 organizations around the world. The newly-discovered infestation, dubbed the "Kneber botnet" after the username linking the infected systems worldwide, gathers login credentials to online financial systems, social networking sites and email systems from infested computers and reports the information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities. NetWitness first discovered the Kneber botnet in January during a routine deployment of the NetWitness advanced monitoring solutions. Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines."

  • The “Kneber” BotNet - A ZeuS Discovery and Analysis: At its core, ZeuS is a botnet system designed to steal information from an infected host. Unlike a traditional keylogger system, which records every keystroke, ZeuS can specifically target information desired by the criminal miscreant."

    February 17, 2010
    * EPIC Files Complaint With FTC Alleging Google Buzz Privacy Violations

    Follow up to Google Buzz Social Media Integrated into Gmail, news that "EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Google Buzz. Last week, Google tried to transform its popular email service into an untested social networking service. As a consequence, Google displayed social networking lists based on a user's most frequent address book contacts. The change was widely criticized. EPIC's complaint cites clear harms to service subscribers, and alleges that the change in business practices "violated user expectations, diminished user privacy, contradicted Google's privacy policy, and may have violated federal wiretap laws."

    February 13, 2010
    * 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise

    2010 Identity Fraud Survey Report: Consumer Version

  • "More than 11 million adult consumers became victims of identity fraud in 2009, up from nearly 10 million in 2008. The number of fraud victims rose for the second year in a row. On the other hand, victims’ out-of-pocket costs and the time required to resolve fraud have decreased. Out-of-pocket costs can include unreimbursed losses, lost wages due to time taken off work, and possible legal fees for those victims attempting to prosecute. Banks have stepped up their efforts in counteracting fraud and minimizing the cost and inconvenience suffered by consumers. Most victims don’t experience any out-of-pocket costs, but those who did suffered an average cost of $373. The average time to resolve the fraud for these victims was 21 hours. Due to the zero-liability fraud protection offered by most banks and credit card companies, most victims will only have to pay out-of-pocket expenses to cover their time in resolving fraud, not for reimbursing fraudulent charges...This report provides easy to follow guidelines and recommendations for consumers to protect themselves against this $54 billion crime."


    February 09, 2010
    * Google Buzz Social Media Integrated into Gmail

    Official Google Blog: "Google Buzz is a new way to start conversations about the things you find interesting. It's built right into Gmail, so you don't have to peck out an entirely new set of friends from scratch — it just works. If you think about it, there's always been a big social network underlying Gmail. Buzz brings this network to the surface by automatically setting you up to follow the people you email and chat with the most. We focused on building an easy-to-use sharing experience that richly integrates photos, videos and links, and makes it easy to share publicly or privately (so you don't have to use different tools to share with different audiences). Plus, Buzz integrates tightly with your existing Gmail inbox, so you're sure to see the stuff that matters most as it happens in real time."

  • Update: See the following critiques of the privacy issues with the new Buzz: Foreign Policy, Wrong kind of buzz around Google Buzz; CNET, Google Buzz: Privacy nightmare; and PCWorld, Google Buzz: A Privacy Checklist.

    February 07, 2010
    * Third Circuit to Hear Crucial 4th Amendment Cell Phone Privacy Case

    3rd Circuit to Mull Privacy of Cell Phone Data, Shannon P. Duffy: "In a case that could prove to be one of the most important privacy rights battles of the modern era, the 3rd U.S. Circuit Court of Appeals will hear argument this week on the proper legal standard to apply when prosecutors demand cell phone location data. The data, which are recorded about once every seven seconds whenever a cell phone is turned on, effectively track the whereabouts and the comings and goings of every cell phone user. Justice Department lawyers argue that, by statute, they need only show "reasonable grounds" to believe that such records are "relevant and material to an ongoing criminal investigation." But a federal magistrate judge in Pittsburgh strongly disagreed in February 2008, issuing a 52-page opinion that said the prosecutors must meet the "probable cause" standard."

    February 03, 2010
    * Federal Budget Announced for Fiscal Year 2011, Surveillance Projects Scrutinized

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The Office of Management and Budget has released the federal budget for fiscal year 2011. The budget proposes funding for several new surveillance initiatives, including over $700 million to the Department of Homeland Security for "Passenger Aviation Security". The Department would like to purchase 500 body scanner machines for U.S. airports, bringing the projected total number of machines to 1,000 at a cost of over $200 million by the end of 2011. The new budget also includes several hundred million dollars for the Department of Justice's national security programs, which were recently the subject of a critical Inspector-General's report for improper use of authority."

  • See also Bloomberg: Airport Body Scanning Raises Radiation Exposure, Committee Says

    February 02, 2010
    * Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence

    Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010

  • "The national security of the United States, our economic prosperity, and the daily functioning of our government are dependent on a dynamic public and private information infrastructure, which includes telecommunications, computer networks and systems, and the information residing within. This critical infrastructure is severely threatened. This cyber domain is exponentially expanding our ability to create and share knowledge, but it is also enabling those who would steal, corrupt, harm or destroy the public and private assets vital to our national interests. The recent intrusions reported by Google are a stark reminder of the importance of these cyber assets, and a wake-up call to those who have not taken this problem seriously. Companies who promptly report cyber intrusions to government authorities greatly help us to understand and address the range of cyber threats that face us all. I am here today to stress that, acting independently, neither the US Government nor the private sector can fully control or protect the country’s information infrastructure. Yet, with increased national attention and investment in cyber security initiatives, I am confident the United States can implement measures to mitigate this negative situation."

    January 30, 2010
    * EPIC Urges FTC to Protect Users' Privacy On Cloud Computing and Social Networking Services

    "EPIC submitted comments to the FTC prior to the agency’s second privacy roundtable. EPIC warned of the ongoing privacy risks associated with cloud computing and social networking privacy, highlighting the Google cloud computing complaint and Facebook privacy complaint filed by EPIC in 2009. The comments note that the FTC has failed to take any meaningful action with respect to either complaint, demonstrating the Commission's “lack of leadership and technical expertise.” EPIC's comments also draw attention to the success of international privacy initiatives, in hopes of encouraging the FTC to take meaningful action to protect American consumers."

    January 29, 2010
    * Navy Establishes U.S. Fleet Cyber Command at Fort Meade, MD

    OPNAV NOTICE 5400, January 11, 2010: "Action will establish U. S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet will be re-commissioned to control operations supporting U. S. Fleet Cyber Command.

  • Mission: To direct Navy cyberspace operations globally to deter and defeat aggression and to ensure freedom of action to achieve military objectives in and through cyberspace; to organize and direct Navy cryptologic operations worldwide and support information operations (IO) and space planning and operations, as directed; to execute cyber missions as directed by USCYBERCOM; to direct, operate, maintain, secure and defend the Navy's portion of the Global Information Grid (GIG); to deliver integrated cyber, IO, cryptologic and space capabilities; to deliver global Navy cyber network common operational picture; and to develop, coordinate and assess Navy cyber operational requirements."

    January 26, 2010
    * Ponemon 2009 Annual Study: Cost of a Data Breach

    "This Ponemon Institute 2009 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of this issue. Breaches included in the survey ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors."

    January 25, 2010
    * FTC Releases Agenda for Second Roundtable on Consumer Privacy and More Information for Third Roundtable

    News release: "The Federal Trade Commission today released the agenda for its second roundtable on consumer privacy issues scheduled for January 28, 2010. The second roundtable, hosted by the Berkeley Center for Law and Technology, will take place at the University of California, Berkeley, School of Law Booth Auditorium. The roundtable is the second of three public events designed to explore the privacy challenges that are posed by technology and business practices that collect and use consumer data. The agenda continues the public dialogue by focusing on how technology affects consumer privacy, including its potential to weaken and/or strengthen privacy protections. The roundtable will also explore privacy implications of several evolving technologies, including social networking and other platform services, cloud computing, and mobile computing."

    January 11, 2010
    * EPIC Posts TSA Documents on Body Scanners

    Follow up to previous postings on government implementation of whole body scanning technology at airports, news that EPIC has posted more than 250 pages of documents it obtained in a Freedom of Information Act lawsuit concerning body scanners. The documents, released by the Department of Homeland Security, reveal that Whole Body Imaging machines can record, store, and transmit digital strip search images of Americans. This contradicts assurances made by the TSA. The documents include TSA Procurement Specifications, TSA Operational Requirements, TSA contract with L3, TSA contract with Rapiscan (1), and TSA contract with Rapiscan (2). The DHS has withheld other documents that EPIC is seeking.

    * Panda Security Publishes Virus Yearbook 2009

    Annual Report PandaLabs 2009

  • "The last 12 months really have marked a turning point in the history of IT security. This has been for several reasons, yet without doubt the main one has been the way in which criminal organizations have consolidated underground business models. In 2009, hackers have made more money than in any previous year, underlined not least by the total number of new and different malware samples received by PandaLabs throughout the year, exceeding by far the forecasts we made in 2008. At time of writing, there are over 40 million malware samples in our Collective Intelligence system, and we are still receiving an average of 55,000 new samples every day. This trend, which began in 2008 and has been consolidated in 2009, will continue to determine the day-to-day activity of anti-malware laboratories during 2010... In this report we will take a look at how malware is evolving worldwide and we will try to analyze the main trends of 2010. Without revealing too much, let’s just say the future doesn’t look too bright."
  • January 09, 2010
    * Book Review - The Secret Sentry: The Untold History of the National Security Agency

    The New York Review of Books - Who's in Big Brother's Database? By James Bamford - The Secret Sentry: The Untold History of the National Security Agency, by Matthew M. Aid, Bloomsbury.

  • "...this library expects few visitors. It's being built by the ultra-secret National Security Agency — which is primarily responsible for "signals intelligence," the collection and analysis of various forms of communication—to house trillions of phone calls, e-mail messages, and data trails: Web searches, parking receipts, bookstore visits, and other digital "pocket litter." Lacking adequate space and power at its city-sized Fort Meade, Maryland, headquarters, the NSA is also completing work on another data archive, this one in San Antonio, Texas, which will be nearly the size of the Alamodome. Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report prepared by the MITRE Corporation, a Pentagon think tank. "As the sensors associated with the various surveillance missions improve," says the report, referring to a variety of technical collection methods, "the data volumes are increasing with a projection that sensor data volume could potentially increase to the level of Yottabytes (10^24 Bytes) by 2015." ["Data Analysis Challenges" (December 2008), p. 13.] Roughly equal to about a septillion (1,000,000,000,000,000,000,000,000) pages of text, numbers beyond Yottabytes haven't yet been named. Once vacuumed up and stored in these near-infinite "libraries," the data are then analyzed by powerful infoweapons, supercomputers running complex algorithmic programs, to determine who among us may be—or may one day become—a terrorist. In the NSA's world of automated surveillance on steroids, every bit has a history and every keystroke tells a story."

  • January 05, 2010
    * FTC Approves Two Reports to Congress on the National Do Not Call Registry

    News release: "The Federal Trade Commission, as required by The Do-Not-Call Registry Fee Extension Act of 2007, has approved two reports to Congress: a biennial report focusing on the use of the Do Not Call Registry by both consumers and businesses, as well as the impact that new technologies have had on the Registry, and a one-time report on enforcement efforts and consumers’ perceptions of the Registry’s effectiveness. As detailed in the first report, the Do Not Call Registry now has more than 191 million active registrations, and more than 18 million new phone numbers were registered in Fiscal Year (FY) 2009. During that time, approximately 45,000 sellers, telemarketers, and exempt organizations such as charities subscribed to access the Registry, paying fees totaling more than $15.5 million. In addition, during FY 2009, the FTC implemented a new procedure for tracking disconnected and reassigned phone numbers, which addresses problems that may arise as a result of new telecommunications technologies and the ease of transporting numbers from one telephone service provider to another. According to the second report, since 2003 when the Do Not Call Registry was put in place, research has consistently shown widespread public awareness of the program and a steady increase in the number of phone numbers registered. Together, the FTC and the Federal Communications Commission have collected penalties totaling over $22 million from Registry violators, and due to these enforcement actions and the agencies’ consumer education campaigns, consumers who have joined the Registry have reported dramatic reductions in the number of unwanted calls they receive."

    * Presidential Report on Radiation Protection Advice: Screening of Humans for Security Purposes Using Ionizing Radiation Scanning Systems

    Follow up to previous postings on government implementation of whole body scanning technology at airports, see Presidential Report on Radiation Protection Advice: Screening of Humans for Security Purposes Using Ionizing Radiation Scanning Systems - A Report Prepared by the National Council on Radiation Protection and Measurements: "This Presidential Report from the National Council on Radiation Protection and Measurements (NCRP) presents radiation protection advice concerning ionizing radiation-producing devices that are being evaluated for various uses in screening of humans for the purpose of security. Chief among the devices being evaluated at the present time are scanning systems that utilize x rays. This report addresses systems utilizing ionizing radiation, but also describes briefly some systems under consideration that utilize nonionizing radiation sources."

  • New York Times Op-Ed: How 12/25 Was Like 9/11: "Government agencies are most likely to succeed when structure matches mission. With its many jurisdictional boundaries and its persistent bureaucratic fault lines, our current system, although greatly improved since 9/11, affords too many opportunities to let information slip, too many occasions for human frailty to assert itself."
  • December 31, 2009
    * FTC Issues Staff Report on Agency's Fraud Forum

    News release: "The Federal Trade Commission today issued a Fraud Forum staff report that examines more effective ways to protect consumers from fraudulent schemes and focus the collective knowledge and experience of forum participants to fight fraud. The February 2009 Forum was attended by academics, consumer advocates, industry representatives, and state and federal law enforcers. The Fraud Forum Report summarizes information presented at the event during panel and small group discussions on a range of issues including: the psychology of scammers and their victims, fraud statistics, under-reported fraud, and the role of private industry in detecting and preventing fraud."

  • A Staff Report On The Federal Trade Commission’s Fraud Forum By The Commission’s Division of Marketing Practices (December 2009)
  • December 29, 2009
    * CRS Report - Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping

    Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, December 3, 2009: "Depending on one’s perspective, wiretapping and electronic eavesdropping are either “dirty business,” essential law enforcement tools, or both. This is a very general overview of the federal statutes that proscribe wiretapping and electronic eavesdropping and of the procedures they establish for law enforcement and foreign intelligence gathering purposes. Although the specifics of state law are beyond the scope of this report, citations to related state statutory provisions have been appended. The text of pertinent federal statutes and a selected bibliography of legal materials appear as appendices as well."

    December 22, 2009
    * EFF: An E-Book Buyer's Guide to Privacy

    "...e-reader technology also presents significant new threats to reader privacy. E-readers possess the ability to report back substantial information about their users' reading habits and locations to the corporations that sell them. And yet none of the major e-reader manufacturers have explained to consumers in clear unequivocal language what data is being collected about them and why. As a first step towards addressing these problems, EFF has created a first draft of our Buyer's Guide to E-Book Privacy. We've examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share."

    December 19, 2009
    * EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission

    News release: "EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Facebook’s revised privacy settings. The EPIC complaint, signed by nine other privacy and consumer organizations, states that the "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." EPIC cites widespread opposition from Facebook users, security experts, bloggers, and news organizations. A previous EPIC complaint to the FTC, concerning the data broker industry, produced the largest settlement in the FTC's history. For more information, see EPIC: In re Facebook and EPIC Facebook Privacy."

    December 18, 2009
    * EPIC Files Lawsuit for Information about "Digital Strip Search" Devices

    Follow up to previous postings on government implementation of whole body scanning technology at airports, this news: "On December 17, 2009, EPIC filed a lawsuit against the Department of Justice concerning the use of devices that capture images of individuals stripped naked. The Transportation Security Administration has confirmed the Whole Body Imaging machines are being used in at least one Virginia federal court by the US Marshals Service. EPIC submitted a FOIA request for information about these devices including the contracts with the manufacturer of the machines, and information about technical specifications and training materials. The Marshals Service failed to respond adequately to the request. EPIC filed suit, saying that the agency had not performed a sufficient search and should disclose the documents requested."

    * Cybersafety Booklet for Parents and Kids Now Available

    News release: "A new booklet released today by the Federal Trade Commission and other government agencies helps parents and teachers steer kids safely through the online and mobile phone worlds. Net Cetera: Chatting with Kids About Being Online was unveiled...by FTC Chairman Jon Leibowitz, U.S. Secretary of Education Arne Duncan, and Federal Communications Commission Chairman Julius Genachowski."

    December 09, 2009
    * FTC Exploring Privacy Roundtable Series

    "The Federal Trade Commission [is hosting] a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Via EPIC: the second privacy roundtable will be held on Data Privacy Day - January 28, 2010 - at the University of California, Berkeley School of Law.

  • FTC Privacy Initiatives Website
  • November 21, 2009
    * Federal Regulators Issue Final Model Privacy Notice Form

    News release: "Eight federal regulatory agencies today released a final model privacy notice form that will make it easier for consumers to understand how financial institutions collect and share information about consumers. Under the Gramm-Leach-Bliley Act (GLB Act), institutions must notify consumers of their information-sharing practices and inform consumers of their right to opt out of certain sharing practices. The model form issued today can be used by financial institutions to comply with these requirements. The Financial Services Regulatory Relief Act of 2006 amended the GLB Act to require the agencies to propose a succinct and comprehensible model form that allows consumers to easily compare the privacy practices of different financial institutions, and has an easy-to-read font...The final rule provides that a financial institution that chooses to use the model form obtains a "safe harbor" and will satisfy the disclosure requirements for notices. The rule also removes, after a transition period, the sample clauses now included in the appendices of the agencies’ privacy rules. The final model privacy form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission."

    November 15, 2009
    * ACLU Report - Building American Institutions to Protect Privacy in the Face of New Technology and Government Powers

    "The American Civil Liberties Union today released a new report, Enforcing Privacy: Building American Institutions to Protect Privacy in the Face of New Technology and Government Powers, November 2009, written by Jay Stanley, recommending steps Congress should take to create the vigorous privacy oversight institutions that are desperately needed in the United States to counterbalance the rush of new technologies and expanding government powers, and called for the Obama administration to move quickly to fill the seats on the Privacy and Civil Liberties Oversight Board (PCLOB)."

    November 09, 2009
    * EPIC Sues Homeland Security for Information About Digital Strip Search Devices

    Follow up to previous postings on airport whole body imaging technology, "EPIC filed a Freedom of Information Act lawsuit challenging the Department of Homeland Security's failure to make public details about the agency's Whole Body Imaging program. The devices capture detailed naked images of air travelers in the United States. After the agency announced that the body scanners would become the primary screening device in US airports, EPIC demanded that the agency disclose records that describe the scanners' capacity to save and transmit images. In June, EPIC sent a letter to the Secretary of Homeland Security Janet Napolitano urging her to suspend the digital strip searches."

    November 08, 2009
    * CDT Highlights Policy Issues Related to New Identity Management Systems

    "CDT released a whitepaper highlighting policy issues related to responsible user-centric identification systems. The paper comes as the U.S. Government begins launching a series of pilot programs that will use third party user credentials to authenticate users to federal Web sites and discusses possible challenges to be considered as these activities are expanded in order to provide a better user experience."

  • Whitepaper on User-Centric Identity - November 02, 2009
  • November 06, 2009
    * ACS Panel: Living Online - Privacy and Security Issues in a Digital Age

    "The American Constitution Society for Law and Policy (ACS) hosted an event exploring challenges to privacy in a growing digital age. The event featured a keynote address by Christopher N. Olsen, the Assistant Director in the Division of Privacy and Identity Protection at the Federal Trade Commission, which was followed by a diverse panel of experts who discussed the myriad issues surrounding the availability of information in cyberspace, including privacy concerns such as potential government dissemination of financial and health records."

    November 05, 2009
    * Civil Society Groups and Privacy Experts Release Madrid Declaration, Reaffirm International Privacy Laws, Identify New Challenges and Call for Concrete Action to Safeguard Privacy

    EPIC: "In a crisply worded declaration, over 100 civil society organizations and privacy experts from more than 40 countries have set out an expansive statement on the future of privacy. The Madrid Declaration affirms that privacy is a fundamental human right and reminds "all countries of their obligations to safeguard the civil rights of their citizens and residents." The Madrid Declaration warns that "privacy law and privacy institutions have failed to take full account of new surveillance practices." The Declaration urges countries "that have not yet established a comprehensive framework for privacy protection and an independent data protection authority to do so as expeditiously as possible." The civil society groups and experts recommend a "moratorium on the development or implementation of new systems of mass surveillance." Finally, the Declaration calls for the "establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions." The Madrid Declaration was released at the Public Voice conference in Madrid on Global Privacy Standards."

    November 04, 2009
    * Google Launches Privacy Dashboard for Users Signed Into Accounts

    Official Google Blog: "In an effort to provide you with greater transparency and control over your own data, we've built the Google Dashboard. Designed to be simple and useful, the Dashboard summarizes data for each product that you use (when signed in to your account) and provides you direct links to control your personal settings. Today, the Dashboard covers more than 20 products and services, including Gmail, Calendar, Docs, Web History, Orkut, YouTube, Picasa, Talk, Reader, Alerts, Latitude and many more. The scale and level of detail of the Dashboard is unprecedented, and we're delighted to be the first Internet company to offer this — and we hope it will become the standard. [Includes a quick video] to learn more and then try it out for yourself at www.google.com/dashboard."

    October 28, 2009
    * FOIA Lawsuit Yields Unclassified FBI Domestic Investigations and Operations Guide

    New York Times: "In September 2008, the Bush administration changed domestic intelligence-gathering rules. The Federal Bureau of Investigation's interpretation of those rules was recently made public when the bureau released a redacted copy of its "Domestic Investigations and Operation Guide" in response to a Freedom of Information lawsuit. The new rules have given F.B.I. agents the most power in national security matters that they have had since the post-Watergate era."

    October 24, 2009
    * Privacy Coalition Seeks Investigation of DHS Chief Privacy Office

    "EPIC joined the Privacy Coalition letter sent to the House Committee on Homeland Security urging them to investigate the Department of Homeland Security's (DHS) Chief Privacy Office. DHS is unrivaled in its authority to develop and deploy new systems of surveillance. The letter cited DHS use of Fusion Center, Whole Body Imaging, funding of CCTV Surveillance, and Suspicionless Electronic Border Searches as examples of where the agency is eroding privacy protections."

    October 23, 2009
    * FCC Seeks Input on Empowering Parents and Protecting Children in an Evolving Media Landscape

    News release: "The Federal Communications Commission (FCC) today released a Notice of Inquiry (NOI) asking how children can be served and protected and parents can be further empowered in the new digital media landscape. The NOI comes almost 20 years after enactment of the Children’s Television Act and follows the Commission’s recently issued Child Safe Viewing Act Report, which examined parental control technologies for video and audio programming. Children live in a dramatically different media environment from the one their parents and grandparents grew up in decades ago. From television to mobile devices to the Internet, electronic media today offer an array of opportunities to, among other things, access educational content, communicate with family and peers, and acquire the skills and technological literacy necessary to compete in a global economy. However, digital media can also pose risks of harm to children, including exposing them to exploitative advertising, inappropriate content, and cyberbullying, as well as potentially contributing to childhood obesity and other negative health impacts. The NOI asks to what extent children are using electronic media today, the benefits and risks this presents, and the ways in which parents, teachers, and children can help reap the benefits while minimizing the risks of using these technologies."

    October 22, 2009
    * DOE OIG - The Agency's Unclassified Cyber Security Program 2009

    Evaluation Report, The Department's Unclassified Cyber Security Program - 2009. DOE/IG-0828, October 2009

  • "Industry experts report that security challenges and threats are continually evolving as malicious activity has become more web-based and attackers are able to rapidly adapt their attack methods. In addition, the number of data breaches continues to rise. In an effort to mitigate and address threats and protect valuable information, the Department of Energy anticipated spending about $275 million in Fiscal Year (FY) 2009 to implement cyber security measures necessary to protect its information technology resources. These systems and data are designed to support the Department's mission and business lines of energy security, nuclear security, scientific discovery and innovation, and environmental responsibility."
  • October 20, 2009
    * HHS OIG: Medicare Part D Plan Sponsor Electronic Prescribing Initiatives

    Medicare Part D Plan Sponsor Electronic Prescribing Initiatives (OEI-05-08-00322), October 16, 2009

  • "E-prescribing occurs when a prescriber uses a computer or an electronic hand-held device, such as a personal digital assistant, to write and send a prescription directly to a dispenser. Before a prescriber sends a prescription to a dispenser, he or she can request electronic data regarding patient eligibility, formulary and benefits, and medication history from the patient’s health insurance plan."
    * Whole-body scanners activated in airports around the world

    Follow up to previous postings on airport whole body imaging technology, this article from the Economist.com: "Much excitement in Manchester where trials have started of Britain’s first whole-body scanner. The machine takes X-ray photographs of passengers, and can reveal concealed threats without requiring the removal of clothing."

  • BBC news: "Action on Rights for Children (Arch) claim the Rapiscan equipment could break the Protection of Children Act 1978, under which it is illegal to create an indecent image of a child."
  • October 19, 2009
    * Consumer Data Broker ChoicePoint Failed to Protect Consumers' Personal Data

    News release: "ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identity theft. ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and requires the company to pay $275,000. In April 2008, ChoicePoint (now a subsidiary of Reed Elsevier, Inc.) turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention."

    October 18, 2009
    * New on LLRX: Legal Implications of Cloud Computing - Part Two (Privacy and the Cloud)

    Legal Implications of Cloud Computing - Part Two (Privacy and the Cloud): As a follow-up to last month's article that provided an overview of cloud computing in the context of significant legal issues, this article by Tanya Forsheit reviews the issues of privacy and cross-border data transfers.

    October 17, 2009
    * Book Review: Who's in Big Brother's Database?

    Who's in Big Brother's Database? By James Bamford - A review of The Secret Sentry: The Untold History of the National Security Agency by Matthew M. Aid.

  • "On a remote edge of Utah's dry and arid high desert, where temperatures often zoom past 100 degrees, hard-hatted construction workers with top-secret clearances are preparing to build what may become America's equivalent of Jorge Luis Borges's "Library of Babel," a place where the collection of information is both infinite and at the same time monstrous, where the entire world's knowledge is stored, but not a single word is understood. At a million square feet, the mammoth $2 billion structure will be one-third larger than the US Capitol and will use the same amount of energy as every house in Salt Lake City combined."
  • October 16, 2009
    * SF AG Shepherds Witness ID Protection Bill to Signature by Governor

    Kate Mosher in The Recorder: "Under a bill signed into law by the governor this week and sponsored by San Francisco District Attorney Kamala Harris, prosecutors hope witnesses in the state's relocation program will be harder to find through Internet searching. Gang members have targeted witnesses through Internet search engines even when witnesses weren't aware their personal information was online, said Sen. Mark Leno, who authored SB 748, which was signed Sunday. The new law goes after people or agencies that disclose phone numbers, addresses or other identifying information of protected witnesses."

    October 13, 2009
    * Report: Abortion and Unintended Pregnancy Decline Worldwide as Contraceptive Use Increases

    News release: "Increases in global contraceptive use have contributed to a decrease in the number of unintended pregnancies and, in turn, a decline in the number of abortions, which fell from an estimated 45.5 million procedures in 1995 to 41.6 million in 2003. While both the developed and the developing world experienced these positive trends, developed regions saw the greatest progress. Within the developing world, improvement varied widely, with Africa lagging behind other regions, according to Abortion Worldwide: A Decade of Uneven Progress, a major new Guttmacher Institute report released today."

    October 10, 2009
    * Government Reminds Us About Safeguards to Protect Privacy, Personal Information Online

    News release: "To promote cyber safety outreach and education, the FCC recently partnered with OnGuardOnline.gov, a joint effort of 12 federal agencies and 18 non-government organizations, developed and managed by the FTC. OnGuardOnline.gov provides practical and timely tips to help consumers be on guard against Internet fraud, secure their computers, and protect their personal information. Among the recommendations that consumers should follow:

      1. Use security software that updates automatically;
      2. Keep operating systems and Web browsers up-to-date;
      3. Keep passwords private and secure; and
      4. Always back up important files."

    October 07, 2009
    * FBI - Major Cyber Fraud Takedown

    FBI news release: "The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks. [October 7, 2009], authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme. The United States government is extremely grateful for the extraordinary assistance provided by the Egyptian government in this matter."

  • Citing Cybercrime, FBI Director Doesn't Bank Online: "The head of the U.S. Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt."
    * European Commission: The Future of the Internet and Europe's Digital Agenda

    Viviane Reding, Member of the European Commission in charge of Information Society and Media, The Future of the Internet and Europe's Digital Agenda - Brussels, 6 October 2009

  • "In less than 10 years, the internet has grown from being a novel technical gadget application into becoming central to the economic systems of the developed world. This is because of its horizontal nature: it is everywhere, used throughout industry, economy and society whether for business or for leisure. It has driven more than half of the productivity gains in both the EU and the USA. It is the medium through which Information and Communication technologies can be exploited leading to innovation in business and a wide range of economic and societal benefits to citizens and consumers... One issue that is getting my full attention is the protection of privacy and of personal data in the online environment."
  • October 06, 2009
    * Study Says Employers Increasingly Monitoring Outbound Emails

    National Law Journal: "The economy has employers extra jittery about company secrets getting out, so nervous that they're hiring staff just to monitor outbound e-mails. That's the conclusion of a recent study by Proofpoint, an Internet security and data loss prevention company, which found that 38 percent of large U.S. employers are monitoring outbound e-mail to prevent data leaks, up from 29 percent in 2008."

  • Outbound Email and Data Loss Prevention in Today’s Enterprise, 2009

  • October 02, 2009
    * UK Cybercrime Report 2009

    UK Cybercrime Report 2009

  • "UK cybercrime has rebounded to worrying levels, not seen since 2006, as a result of the recession and consumer complacency, according to Garlik’s annual UK Cybercrime report, now in its third year. The report, which analyses publicly available data to build a comprehensive view of cybercrime in the UK, revealed that during 2008 cybercriminals adapted to the social and economic changes in the UK to exploit victims in new ways and commit over 3.6 million criminal acts online (that’s over one every 10 seconds). In addition, the researchers believe that there is a growing complacency amongst consumers, demonstrating poor understanding of their responsibility to protect their personal information against fraud. One of the most significant changes in cybercrime has been the 207% increase in account takeover fraud indicating that criminals have now shifted their efforts from opening new accounts with stolen identities to accessing existing accounts. Savvy criminals have got round the drying up of available credit in the current economic climate to maintain their illegal activities. The report also highlights that online banking fraud has increased by a staggering 132%, with losses totalling £52.5 million, compared to £22.6 million in the previous year. This sharp rise can be mostly attributed to nearly 44,000 phishing websites specifically targeting banks and building societies in the UK. The total number of cybercrimes has increased annually between 2006 and 2008, however, the good news is that sexual offences have decreased as a category each year. All other categories dipped in 2007 but then in 2008 bounced back above their 2006 figure."
  • October 01, 2009
    * New Rules Protect Patients' Genetic Information

    News release: "Individuals’ genetic information will have greater protections through new regulations issued today by the U.S. Departments of Health and Human Services (HHS), Labor, and the Treasury. The interim final rule will help ensure that genetic information is not used adversely in determining health care coverage and will encourage more individuals to participate in genetic testing, which can help better identify and prevent certain illnesses."

    September 29, 2009
    * Survey: Two-Thirds of Americans Object to Online Tracking

    New York Times: "About two-thirds of Americans object to online tracking by advertisers — and that number rises once they learn the different ways marketers are following their online movements, according to a new survey from professors at the University of Pennsylvania and the University of California, Berkeley."

  • Contrary to what marketers say, Americans Reject Tailored Advertising and the activities that enable it. Joseph Turow, Annenberg School for Communication, University of Pennsylvania, et al., September 2009.
  • September 28, 2009
    * DOJ OIG Testimony on Reauthorizing the USA Patriot Act

    Statement of Glenn A. Fine, Inspector General, U.S. Department of Justice before the Senate Committee on the Judiciary concerning Reauthorizing the USA Patriot Act, September 23, 2009

  • "Our reports recognized the significant challenges the FBI faced and the major organizational changes it was undergoing during our review period. Nevertheless, we concluded that the FBI engaged in serious misuse of NSL [national security letters] authorities. For example, from 2003 to 2005 the FBI identified 26 possible intelligence violations involving its use of NSLs. The possible violations included issuing NSLs without proper authorization and making improper requests under the statutes cited in the NSLs. However, in addition to the possible violations reported by the FBI, we conducted an independent review of FBI case files in four field offices to determine if there were unreported violations of NSL authorities, Attorney General Guidelines, or internal FBI policies governing the approval and use of NSLs. Our review of 293 national security letters in 77 files found 22 possible violations that had not been identified or reported by the FBI. The violations we found fell into three categories: improper authorization for the NSL, improper requests under the pertinent national security letter statutes, and unauthorized collections."
  • September 24, 2009
    * EFF: Government Must Provide More Info on Campaign to Give Telecoms Retroactive Immunity

    News release: "A judge ordered the government Thursday to release more records about the lobbying campaign to provide immunity to the telecommunications giants that participated in the NSA's warrantless surveillance program. U.S. District Judge Jeffrey S. White ordered the records be provided to the Electronic Frontier Foundation (EFF) by October 9, 2009. The decision is part of EFF's long-running battle to gather information about telecommunications lobbying conducted as Congress considered granting immunity to companies that participated in illegal government electronic surveillance. Telecom immunity was eventually passed as part of the FISA Amendments Act (FAA) of 2008, but a bill that would repeal the immunity -- called the JUSTICE Act -- was introduced in the Senate last week."

    September 23, 2009
    * DOD OIG Audit - Sanitization and Disposal of Excess Information Technology Equipment

    Sanitization and Disposal of Excess Information Technology Equipment (Report No. D-2009-104)

  • "We determined whether DOD Components sanitized and disposed of excess unclassified information technology (IT) equipment in accordance with Federal and DOD requirements. We also determined whether the Defense Reutilization and Marketing Service (DRMS) disposed of excess IT equipment in accordance with security requirements; and whether the Army, Navy, and Air Force properly safeguarded sensitive information on excess unclassified IT equipment. We visited 6 DOD Components, 9 DRMS processing centers, and 2 contractors and selected a nonstatistical sample 543 of 4,105 pieces of excess unclassified IT equipment. What We Found: DOD Components’ internal controls were not adequate. Specifically, DOD Components did not properly sanitize, document, or fully account for excess unclassified IT equipment before releasing the equipment to other organizations. Furthermore, DRMS processing centers processed excess unclassified IT equipment for disposal or redistribution without proof that equipment had been properly sanitized."
  • Related on postings on recovering data from discarded or resold computers and their hard drives
  • * Wired: Threat Level Privacy, Crime and Security Online Newly Declassified Files Detail Massive FBI Data-Mining Project

    "A fast-growing FBI data-mining system billed as a tool for hunting terrorists is being used in hacker and domestic criminal investigations, and now contains tens of thousands of records from private corporate databases, including car-rental companies, large hotel chains and at least one national department store, declassified documents obtained by Wired.com show. Headquartered in Crystal City, Virginia, just outside Washington, the FBI’s National Security Branch Analysis Center (NSAC) maintains a hodgepodge of data sets packed with more than 1.5 billion government and private-sector records about citizens and foreigners, the documents show, bringing the government closer than ever to implementing the “Total Information Awareness” system first dreamed up by the Pentagon in the days following the Sept. 11 attacks."

    September 20, 2009
    * EU: intelligent information system supporting observation, searching and detection for security of citizens in urban environment

    EU Project INDECT - "The main objectives of the INDECT project are: to develop a platform for: the registration and exchange of operational data, acquisition of multimedia content, intelligent processing of all information and automatic detection of threats and recognition of abnormal behaviour or violence, to develop the prototype of an integrated, network-centric system supporting the operational activities of police officers, providing techniques and tools for observation of various mobile objects, to develop a new type of search engine combining direct search of images and video based on watermarked contents, and the storage of metadata in the form of digital watermarks, to develop a set of techniques supporting surveillance of internet resources, analysis of the acquired information, and detection of criminal activities and threats."

    * DHS OIG Audit of TSA Privacy Stewardship

    OIG-09-97 - Transportation Security Administration Privacy Stewardship (PDF, 36 pages), August 28, 2009

  • "We performed an audit of the Transportation Security Administration’s (TSA) privacy stewardship. Our audit objective was to determine whether TSA’s plans and activities instill and promote a privacy culture and comply with federal privacy laws and regulations. As part of this audit, we surveyed 2,285 TSA employees on their knowledge of the Privacy Act, the proper handling of personally identifiable information, privacy incident response, and privacy stewardship. The results of this survey are discussed throughout the report."
  • September 19, 2009
    * Legality of Intrusion-Detection System To Protect Unclassified Computer Networks In Executive Branch

    Following the January 9, 2009 memo, Legal Issues Relating to the Testing, Use and Deployment of an Intrusion-Detection System (EINSTEIN 2.0) to Protect Unclassified Computer Networks in the Executive Branch, DOJ released this memo on September 18, 2009: Legality of Intrusion-Detection System To Protect Unclassified Computer Networks In Executive Branch - "Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws."

  • Department of Homeland Security Privacy Impact Assessment EINSTEIN 2, May 19, 2008. United States Computer Emergency Readiness Team (US-CERT): "EINSTEIN 2 will incorporate network intrusion detection technology capable of alerting the United States Computer Emergency Readiness Team (US‐CERT) to the presence of malicious or potentially harmful computer network activity in federal executive agencies’ network traffic. EINSTEIN 2 principally relies on commercially available intrusion detection capabilities to increase the situational awareness of the US‐CERT. This network intrusion detection technology uses a set of pre‐defined signatures based upon known malicious network traffic."
  • September 17, 2009
    * JUSTICE Act Would Fix Long Standing Problems with PATRIOT Act and Other Surveillance Laws

    News release and Fact Sheet: "U.S. Senators Russ Feingold (D-WI), Dick Durbin (D-IL), Jon Tester (D-MT), Tom Udall (D-NM), Jeff Bingaman (D-NM), Bernie Sanders (I-VT), Daniel Akaka (D-HI) and Ron Wyden (D-OR) have introduced legislation to fix problems with surveillance laws that threaten the rights and liberties of American citizens. The Judicious Use of Surveillance Tools In Counterterrorism Efforts (JUSTICE) Act would reform the USA PATRIOT Act, the FISA Amendments Act and other surveillance authorities to protect Americans’ constitutional rights, while preserving the powers of our government to fight terrorism. The JUSTICE Act reforms include more effective checks on government searches of Americans’ personal records, the “sneak and peek” search provision of the PATRIOT Act, “John Doe” roving wiretaps and other overbroad authorities. The bill will also reform the FISA Amendments Act, passed last year, by repealing the retroactive immunity provision, preventing “bulk collection” of the contents of Americans’ international communications, and prohibiting “reverse targeting” of innocent Americans. And the bill enables better oversight of the use of National Security Letters (NSLs) after the Department of Justice Inspector General issued reports detailing the misuse and abuse of the NSLs. The Senate Judiciary Committee will hold a hearing on Wednesday, September 23rd, on reauthorization of the USA PATRIOT Act."

    * CDT: Technology Can Provide Needed Transparency for Government Programs

    "CDT told a congressional panel today that providing the public with direct, online access to complex government programs, such as TARP, would strengthen oversight. Media, watchdog groups, researchers and citizens could then better analyze the data for a wide variety of purposes. CDT asked the House Oversight and Investigations Subcommittee to ensure that legislation explicitly require that TARP resources be made available to the public on the Web. CDT also noted that more sophisticated data--such as location and mapping data--are being collected today by government agencies; however, aging federal privacy law needs to be updated to ensure these new types of information are protected as well."

  • CDT Testimony Before House Oversight and Investigations Subcommittee, Utilizing Technology to Improve TARP and Financial Oversight - September 17, 2009

  • Related postings on financial system
  • September 13, 2009
    * Senators Lieberman, Collins Point to Cybercrime Epidemic

    News release: "Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Sunday said the latest trend in cybercrime is directed at small to medium sized companies that have been robbed of both data and dollars...The thieves steal in amounts under $10,000 to avoid triggering a bank report required by anti-money laundering law. The malware is so well written that the traffic seems to be coming from an authorized computer – and possibly is a legitimate computer that has been commandeered. The money is then transferred to “money mules” who may have been recruited over internet job boards or who have posted resumes on a job listing serviceThe Committee will hold a hearing September 14, 2009, Cyber Attacks: Protecting Industry Against Growing Threats, to examine this new trend, and the Senators plan to introduce broad cyber security legislation later this fall that will improve cyber security in the private sector."

    September 11, 2009
    * International Hacker Pleads Guilty for Massive Hacks of U.S. Retail Networks

    Follow up to August 1, 2009 posting - Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks - today's news release: "An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of Massachusetts Michael Loucks, U.S. Attorney for the Eastern District of New York Benton J. Campbell and Director of the U.S. Secret Service Mark Sullivan. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. Albert Gonzalez, 28, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. Gonzalez was indicted in August 2008 in the District of Massachusetts on charges related to these hacks."

    September 09, 2009
    * EPIC Gives Obama Administration Mixed Grades for Privacy

    "EPIC released the Privacy Report Card for the Obama Administration at a morning briefing held at the National Press Club. EPIC gave the Administration an “Incomplete” for Consumer Privacy, A- for Medical Privacy, C+ for Civil Liberties, and a B for Cyber Security. Privacy Coalition members participating in the event included US PIRG, Consumer Federation of America, the Liberty Coalition, Association of American Physicians and, Surgeons, and the Bill of Rights Defense Committee. In December 2008, the Privacy Coalition urged the new Administration to address growing public concerns about privacy protection."

    September 07, 2009
    * CDT Urges Privacy Requirements Be Included in Google Books Settlement

    "CDT filed a "friend of the court" brief in the Southern District of New York [September 4, 2009] requesting that key privacy requirements be included in the Court's approval of the class-action settlement that would dramatically expand Google Book Search. CDT previously released a report in July analyzing the privacy implications of this settlement and is urging the judge to guarantee strong privacy safeguards for the exciting new services Google will be able to offer. The brief asks that the court approve the proposed settlement of the copyright infringement lawsuit between Google and authors and publishers, but to retain oversight in order to monitor implementation of a privacy plan."

    September 04, 2009
    * Google Publishes Books Privacy Policy

    Google Books Privacy Policy, September 3, 2009

  • "The main Google Privacy Policy describes how we treat personal information when you use Google's products and services, including Google Books. This additional Policy for Google Books does three things: (1) it highlights key provisions of the main Google Privacy Policy in the context of the Google Books service, (2) it describes privacy practices specific to the Google Books service, and (3) it describes planned privacy practices for services proposed in the Google Books legal settlement, which is currently awaiting court approval...All of the provisions of the Google Privacy Policy apply to the Google Books service..."

  • September 01, 2009
    * Online Behavioral Tracking and Targeting, Legislative Primer September 2009

    Online Behavioral Tracking and Targeting Concerns and Solutions, Legislative Primer September 2009 - from the Perspective of: Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, The World Privacy Forum.

  • News release: "EFF and a coalition of other consumer and privacy groups called on Congress today to protect Americans' privacy from invasive online behavioral tracking and targeting. In letters sent to the House Energy and Commerce Committee and two subcommittees, the groups delivered a legislative primer:
    "Tracking people’s every move online is an invasion of privacy. It’s like being followed by an invisible stalker – individuals aren’t aware that it’s happening, who is tracking them, and how the information will be used. They’re not asked for their consent and have no meaningful control over the collection and use of their information, often by third-parties with which they have no relationships."
  • August 30, 2009
    * New Rule Prohibiting Unwanted "Robocalls" to Take Effect on September 1

    News release: "Beginning September 1, 2009, prerecorded commercial telemarketing calls to consumers – commonly known as robocalls – will be prohibited, unless the telemarketer has obtained permission in writing from consumers who want to receive such calls, the Federal Trade Commission announced today...The new requirement is part of amendments to the agency’s Telemarketing Sales Rule (TSR) that were announced a year ago. After September 1, sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages will face penalties of up to $16,000 per call."

    August 26, 2009
    * DHS OIG: Role of the No Fly and Selectee Lists in Securing Commercial Aviation

    OIG-09-64 - Role of the No Fly and Selectee Lists in Securing Commercial Aviation (PDF, 63 pages), Redacted, July 2009.

  • "Although the use of the No Fly and Selectee lists is largely successful in identifying potential terrorists who could threaten commercial aviation, some individuals not included on the lists may also present vulnerabilities to aviation security. However, passenger prescreening against terrorist watch lists proposed by the Secure Flight program is only one component of a larger security cycle that protects the nation’s commercial aviation system. International and domestic security activities within and outside of the Department of Homeland Security, such as intelligence gathering, law enforcement investigations, visa issuance, and border protection, mitigate potential vulnerabilities not addressed by the Secure Flight program and enhance commercial aviation security overall."
  • August 25, 2009
    * NIST Guidelines recommend best practices for next generation of portable biometric acquisition devices

    "A new publication that recommends best practices for the next generation of portable biometric acquisition devices—Mobile ID—has been published by Commerce’s National Institute of Standards and Technology (NIST). Devices that gather, process and transmit an individual’s biometric data—fingerprints, facial and iris images—for identification are proliferating. Previous work on standards for these biometric devices has focused primarily on getting different stationary and desktop systems with hard-wired processing pathways to work together in an interoperable manner. But a new generation of small, portable and versatile biometric devices are raising new issues for interoperability."

  • Mobile ID Device Best Practice Recommendation, Version 1.0. August 2009, National Institute of Standards and Technology
  • August 18, 2009
    * FTC Issues Final Breach Notification Rule for Electronic Health Information

    News release: " The Federal Trade Commission has issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached. Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009. The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential."

    August 17, 2009
    * DOE IG: Protection of the Department of Energy's Unclassified Sensitive Electronic Information

    Audit Report, Protection of the Department of Energy's Unclassified Sensitive Electronic Information - DOE/IG-0818 August 2009:

  • "The Department of Energy and its contractors store and process massive quantities of sensitive information to accomplish national security, energy, science, and environmental missions. Sensitive unclassified data, such as personally identifiable information (PII), official use only, and unclassified controlled nuclear information require special handling and protection to prevent misuse of the information for inappropriate purposes. Industry experts have reported that more than 203 million personal privacy records have been lost or stolen over the past three years, including information maintained by corporations, educational institutions, and Federal agencies. The loss of personal and other sensitive information can result in substantial financial harm, embarrassment, and inconvenience to individuals and organizations. Therefore, strong protective measures, including data encryption, help protect against the unauthorized disclosure of sensitive information."
    * Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks

    News release: "Albert Gonzalez, 28, of Miami, Fla., was indicted today for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards, announced Assistant Attorney General of the Criminal Division Lanny A. Breuer, Acting U.S. Attorney for the District of New Jersey Ralph J. Marra Jr. and U.S. Secret Service Assistant Director for Investigations Michael Merritt...The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."

    August 14, 2009
    * Federal Websites: Cookie Policy

    Federal Websites: Cookie Policy - Posted by Michael Fitzpatrick, Associate Administrator, OMB Office of Information and Regulatory Affairs, and Vivek Kundra, Federal CIO: "During the Open Government Initiative outreach, Federal employees and the public have asked us questions about the federal government’s policy on cookies. As part of our effort to create a more open and innovative government, we’re working on a new cookie policy that we’ll want your input on."

    August 12, 2009
    * EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing

    "In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes."

    * US and Switzerland Reach Settlement Over Secret Bank Accounts

    News release: "The out-of-court settlement sought in the US civil proceedings against UBS has been reached. The details of the arrangement were worked out between Switzerland and the USA over the last few days. The judge was informed during a telephone conference on Wednesday. The settlement now has to be signed by both states."

  • Washington Post: "The U.S. government had sought a federal court ruling compelling Switzerland's largest bank, UBS, to turn over the names of Americans suspected of dodging taxes through the use of 52,000 secret accounts."
  • August 09, 2009
    * Personal Prescription and Medical Data Widely Sold and Distributed

    New York Times, And You Thought a Prescription Was Private: "...in fact, prescriptions, and all the information on them — including not only the name and dosage of the drug and the name and address of the doctor, but also the patient’s address and Social Security number — are a commodity bought and sold in a murky marketplace, often without the patients’ knowledge or permission..."

  • See also CDT's Health Privacy Project which states that the organization "will take on key policy questions, including: the proper role of notice and consent, the right of patients to access their own health records in electronic formats, identification and authentication, secondary uses, and enforcement mechanisms. It will address both the traditional exchange of records among providers and payers, as well as new consumer access services and Personal Health Records."
    * Senators Consider PATRIOT Act Reforms

    EPIC: "Senators Russ Feingold (D-WI) and Dick Durbin (D-IL) are drafting legislative reforms to revise the USA PATRIOT Act. The USA PATRIOT Act allows authorities to conduct surveillance without judicial review through the use of National Security Letters. The Senators asked the Attorney General and the Chairmen of the Senate Judiciary and Intelligence Committee to consider two previous bills that add protections to the PATRIOT Act. Pursuant to an EPIC lawsuit, a federal judge had ordered the Justice Department to provide for independent judicial inspection of documents relating to warrantless wiretapping. For more information, see EPIC USA PATRIOT Act, EPIC FISA, EPIC Wiretapping, and EPIC National Security Letters."

    August 08, 2009
    * Social Networking Sites and the Surveillance Society

    Fuchs, Christian. 2009. Social Networking Sites and the Surveillance Society. A Critical Case Study of the Usage of studiVZ, Facebook, and MySpace by Students in Salzburg in the Context of Electronic Surveillance. Salzburg/Vienna: Research Group UTI. ISBN 978-3-200-01428-2.

  • "674 students from Salzburg participated in the study that was conducted by the eTheory Research Group (University of Salzburg, ICT&S Center). 88.3% of the respondents use studiVZ, 39.5% Facebook, 15.9% MySpace, 9.0% Xing, 7.4% Lokalisten. Each of 61 other social networking sites (SNS) is used by less than 1%. Study author associate professor Christian Fuchs: "There are indications for a strong economic concentration in the area of social networking sites. On the one hand concerning usage, but as a consequence on the other hand also in relation to profits that are made by advertising".
    59.1% of the respondents see the maintenance of social contacts as the biggest advantage of SNS, 55.7% say that economic and political surveillance is the greatest risk. Fuchs: "Students are very aware of the massive collection of personal data on these platforms, they use them nonetheless because of the expected communicative advantages. This does not mean that they are incautious, but that there is a structural lack of alternative platforms. Non-commercial, non-profit SNS do not have to evaluate data for personalized advertisements, therefore the probability of surveillance and data abuse decreases. But such platforms are currently hardly existent or completely unknown, therefore young people − the main usage group of social networking sites − have to rely on commercial service providers that collect, store, and evaluate personal data in order to accumulate profits by targeted advertising"."
  • August 05, 2009
    * Report: On Locational Privacy, and How to Avoid Losing it Forever

    On Locational Privacy, and How to Avoid Losing it Forever, By Andrew J. Blumberg and Peter Eckersley, August 2009: "Over the next decade, systems which create and store digital records of people's movements through public space will be woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future...Locational privacy (also known as “location privacy”) is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use. The systems discussed [in this report] have the potential to strip away locational privacy from individuals..."

    August 02, 2009
    * TSA testing full body scanners at Cleveland Hopkins Airport

    wkyc.com: "TSA has revealed it is testing scanning technology at Cleveland Hopkins Airport that allows screeners to see through clothing. Despite public concern over what's viewed by some as invasive imagery, TSA is moving ahead with the advanced imagery technology it claims will improve security by allowing screeners to quickly scan passengers for weapons without a need for physical contact. Once testing and training are complete, the new scanners will go into full-time use at Hopkins."

  • See also EPIC's extensive topical resource: Whole Body Imaging Technology ("Backscatter" X-Ray and Millimeter Wave Screening)
  • July 22, 2009
    * Privacy Opposition to Google Books Settlement Grows

  • "The ACLU of Northern California, the Electronic Frontier Foundation, and the Samuelson Law, Technology & Public Policy Clinic at Berkeley Law School sent a letter to Google CEO Eric Schmidt (PDF) today. It was about books. Why books? Google is planning to dramatically expand its book service, Google Book Search. The good news is that millions of books will be available for browsing, reading, and purchasing online. But the bad news is that Google is leaving reader privacy behind. What you choose to read says a lot about who you are, what you value, and what you believe. You should be able to read about politics, health, or anything else without worrying that someone is looking over your shoulder. That’s why the ACLU has fought alongside libraries and bookstores time and again to defend the privacy of readers. Now we need your help to protect reader privacy into the digital era. Currently, Google Book Service can monitor the books you browse and search for, the pages you read, and even the notes you write in the “margins.” Without strong privacy protections, all of your browsing and reading history may be collected, tracked, and turned over to the government or third parties without your knowledge or consent."

  • July 19, 2009
    * New on LLRX - Seeking Bypass: What Will Ultimately End Confidence in the Necessity of Parental Involvement Laws?

    Seeking Bypass: What Will Ultimately End Confidence in the Necessity of Parental Involvement Laws? - Public interest law advocate Diana Philip's commentary focuses specifically on the multifaceted, complex and challenging issues that encompass the dichotomy between reproductive health care and rights available to adult pregnant women and pregnant minors. Diana's position includes references to seminal legal cases as well as to selected scholarly literature in the field of juvenile reproductive health.

    * Reevaluating REAL ID Act

    PASS ID Act Addresses Major Privacy Concerns in REAL ID: "CDT testified [July 15, 2009] before the Senate Committee on Homeland Security and Governmental Affairs hearing on reevaluating the REAL ID Act. CDT testified in support of the PASS ID Act, noting that it mitigates or corrects critical privacy and security flaws introduced by REAL ID, while still establishing minimum federal standards for the issuance of driver's licenses and ID cards. While the PASS ID Act does not address all flaws in the REAL ID program, merely repealing REAL ID does not address all of the underlying privacy and security risks posed by government identification programs, CDT said. PASS ID provides the opportunity to start building privacy guidance and protections into all state identification programs, addressing trends and issues that will exist regardless of REAL ID implementation."

  • July 18, 2009
    * Javelin: U.S. Credit Card Issuers Dramatically Improve Customer Fraud Detection

    News release: "Javelin Strategy & Research released its Fifth Annual Card Issuers’ Identity Safety Scorecard, which analyzes the top 25 U.S. card issuers’ capabilities for protecting customers from identity fraud. To compile the report, Javelin incorporated data from annual household, consumer, and issuer surveys using Javelin’s Prevention, Detection and Resolution™ criteria to accurately reflect customer demands and trends in how issuers protect against fraud. The Javelin scorecard is a structured assessment of each issuer’s fraud protection services. The scorecard ranks features that best empower two major victims of the nation’s $48B identity fraud problem—cardholders and issuers—showing how to turn the tables on a worrying method of crime."

  • July 13, 2009