The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, March 31, 2005

List of Schiavo Donors To Be Sold to Marketing Company 

This is a little weird. The parents of Terri Schiavo are going to sell the list of their supporters to a direct marketing firm, according to WKMG:

Yahoo! News - List of Schiavo Donors To Be Sold:

"If you expressed your support to Terri Schiavo and her parents fight to keep her alive, you may begin to receive a steady stream of solicitations, according to a Local 6 News report.

Terri Schiavo's parents have agreed to sell their list of supporters to a direct-mailing firm, Local 6 News reported...."

See also The New York Times > Washington > List of Schiavo Donors Will Be Sold by Direct-Marketing Firm. Thanks to Boing Boing for the links.


ChoicePoint to allow people access to personal records 

According to the Associated Press, ChoicePoint is planning to open up its records, allowing individuals to have access to information about them:

AP Wire | 03/31/2005 | ChoicePoint to allow people access to personal records:

"LOS ANGELES - An executive of embattled data broker ChoicePoint Inc. said the company is developing a system that would allow people to review their personal information that is sold to law enforcement agencies, employers, landlords and businesses.

'You will receive the reports that we have on you,' Don McGuffey, the firm's vice president for data acquisition, told the state's Senate's Banking, Finance and Insurance Committee on Wednesday.

ChoicePoint's announcement comes a month after it disclosed that thieves used previously stolen identities to create what appeared to be legitimate businesses seeking personal records. The bandits, who operated undetected for more than a year, opened up 50 accounts and received vast amounts of data on consumers, including their credit reports..."

The only thing I have to add is that they had better make sure that people are who they say they are before handing over records ....


Japan privacy law comes into force this week 

Japan's new privacy law is coming into force this week. PC World has a nice summary of the new law: Japan Tightens Personal Data Protection:

"TOKYO -- Starting April 1, businesses throughout Japan, including foreign companies, must comply with legislation that sets out new rules for handling personal data.

The Personal Information Protection Law, effective April 1, applies to any company with offices in Japan that holds personal data on 5000 or more individuals, according to Kazuhito Masui, an attorney at Shiba International Law Offices, a major international law firm based in Tokyo.

Personal data as defined by the law includes a person's name, address, date of birth, sex, home and mobile phone numbers, and also a person's e-mail address if that address is recognizably the person's name. The 5000 minimum includes company employees, Masui said in an interview last week...."


Wednesday, March 30, 2005

Yes Virginia, there is a free-standing non-statutory right to employee privacy in Ontario. Maybe. This month. 

In December of '04, I blogged about a case in which an arbitrator ruled that employees in the provincially regulated private sector in Ontario have no right to privacy. (See PIPEDA and Canadian Privacy Law: Employees in Ontario (and perhaps other Canadian provinces) have no right to privacy.) Since this area is consistently inconsistent, here is a recent decision of an Ontario arbitrator who has decided, yes Virginia, there is a free-standing non-statutory right to employee privacy in Ontario, at least under "arbitral law": LIUNA, Loc. 625 v. Prestressed Systems Inc.

Employees expect their privacy to be protected. Sometimes a tribunal will side with the employee. Sometimes it will side with the employer. The easiest thing to do is assume that there is a right to privacy, adopt the reasonableness standards adopted by the pro-privacy adjudicators and privacy commissioners, and fight it out only if you need to.


Incident: Encrypted tapes containing health information on hundreds of thousands of Albertans missing or tampered with 

It appears a bit coincidental that I posted this morning that organizations should encrypt data to prevent privacy breaches (PIPEDA and Canadian Privacy Law: Managing privacy risks using basic technology) and I've just discovered the Calgary Herald is reporting that encrypted mainframe tapes containing health records of "hundreds of thousands" of Albertans have gone missing. I hope this is a "non-incident", but in any event the Information and Privacy Commissioner of Alberta is on the case:

Alberta health records go astray: 'Hundreds of thousands' of files feared breached:

"Confidential health records of 'hundreds of thousands' of Albertans disappeared or were tampered with while in the hands of a courier earlier this month, prompting an investigation by the province's Information and Privacy Commissioner.

Details were scarce, but government sources told the legislature bureau on Tuesday that Privacy Commissioner Frank Work has been called in to investigate after data -- digitized, encrypted, and stored on large reel-to-reel tapes -- went missing or was otherwise tampered with while in transit between two government facilities.

It appears the tapes were backups, mainly for archival purposes. The information is considered confidential and could include medical records, prescriptions and billing history.

Sources would not confirm if the tapes were recovered or the police were investigating.

The sources said Health and Wellness Minister Iris Evans was assured by an expert with IBM Canada that a mainframe computer system and the proper encryption code would be needed to read the data.

Nonetheless, there is some concern that organized criminal gangs could have the ability to crack the code and use the highly private information...."


CBC Calgary - Privacy commissioner looking into missing health info:

"...'There are names, health care and payroll numbers, payroll rates and the family status of the names on it,' Deere said. 'So there's no real personal health information on it, per se.

'But we take any potential breach of privacy quite seriously, and that's what this is, a potential breach. So we've reported it to the privacy commissioner and he's investigating.'

Deere said birth dates weren't part of the information on the tapes...."


ATM Fraud and Security Whitepaper 

Thanks to Cryptome for linking to a very interesting whitepaper produced by Diebold, one of the leading makers of banking machines. Entitled ATM Fraud and Security, the whitepaper provides an overview of the state of the art in ATM Fraud, including skimming, shoulder surfing, overlays, and PIN interception. Scary stuff, but good to know about.


Managing privacy risks using basic technology 

Over the last year and a bit, I've noticed dozens of privacy incidents (PIPEDA and Canadian Privacy Law: Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law). So often, the incidents are too similar. When I read about a new incident, I often think that nobody must have been paying attention to any of the earlier ones, since the same mistakes are repeated over and over again.

One thing that is painfully obvious is that too few organizations are encrypting their data. Encryption is easy and you have probably already paid for the function (if you run Windows XP). If any of the organizations involved in the following incidents had encrypted their data, they likely would have avoided much of the damage chronicled below:

Computers, even servers, are highly portable and very easily stolen. Encryption of data on the hard drive (or backup tape) is the last line of defence. It is amazing to see that too few organizations do it. To state what should be obvious: encrypt your data.


Privacy fears over UK medical database 

A number of folks, including physicians, are concerned about the possible privacy impact of a central electronic health records system being implemented in the UK: BBC NEWS | Health | Privacy fears over NHS database

It sounds a lot like the system being rolled out in Nova Scotia, which has encountered some privacy-related turbulence. Physicians, who are responsible for patient information under PIPEDA, are not keen to trust the government with this information. The provincial government, on the other hand, isn't subject to PIPEDA and doesn't really see it as its problem. It is the province's problem if it wants a provincial electronic medical record....


PEI Privacy commissioner resigns 

According to the CBC - Charlottetown, Karen Rose has resigned as the island's Information and Privacy Commissioner: CBC Prince Edward Island - Privacy commissioner resigns. I saw her speak a few times and she was always impressive. No news or speculation on who her replacement will be.


Tuesday, March 29, 2005

Putting together the pieces 

I teach Internet and Media Law at Dalhousie Law School. Last night we had a guest speaker, Lisa Taylor, a CBC journalist and law school grad. One of the topics discussed was publication bans and how they are inadvertently compromised when different media outlets choose to disclose limited -- but different -- information. This got me thinking about other ways of piecing together information.

A while ago, I blogged about an article in the Halifax paper related to stores leaving card numbers unobscured on receipts (PIPEDA and Canadian Privacy Law: Article: Who has your number?). I've noticed that more and more stores are omitting many of the digits on debit card and credit card receipts.

While emptying the loads of junk from my pockets at the end of the day, I glanced at the pile of papers I had accumulated in the previous twenty four hours. I was happy to see that all of the stores I had visited had blocked out digits of my card numbers, presumably to protect their customers. When I took a closer look, I noticed that they are completely inconsistent in how they do it. Some leave only the first four and last four digits. Some omit the last digits. So if you took my little pile of papers, you could completely recreate my debit card number. Hm... Perhaps we need a little consistency in how we protect identities. If I had emptied my pockets into the garbage, anybody trolling through my trash for personal information would be able to get the card numbers. And expiry dates for credit cards. Perhaps the debit terminal manufacturers and distributors could get together and figure this out.
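To make the receipt problem concrete, here is an added example (not part of the original post) that audits a pile of masked receipts for what they reveal together. The card number and the receipt strings are constructed sample values, and the function names are hypothetical.

```python
"""Audit how much of a card number a set of masked receipts exposes together."""

# Constructed sample data: one made-up 16-digit number printed by two
# terminals that truncate differently, as described in the post.
INCONSISTENT = [
    "4000 **** **** 9010",   # leaves only the first four and last four digits
    "4000 1234 5678 ****",   # omits only the last digits
]

# The same made-up number when every terminal applies one rule (last four only).
CONSISTENT = [
    "**** **** **** 9010",
    "XXXX-XXXX-XXXX-9010",
]


def normalise(masked):
    """Drop separators and map every non-digit mask character to '*'."""
    return [c if c.isdigit() else "*" for c in masked if c not in " -"]


def combine(receipts):
    """Overlay the receipts position by position.

    A position stays hidden only if every receipt hides it. Receipts that
    disagree on a visible digit belong to different cards, so that is an error.
    """
    rows = [normalise(r) for r in receipts]
    if not rows:
        raise ValueError("no receipts supplied")
    if len({len(r) for r in rows}) != 1:
        raise ValueError("receipts are for numbers of different lengths")
    combined = []
    for column in zip(*rows):
        digits = {c for c in column if c != "*"}
        if len(digits) > 1:
            raise ValueError("receipts disagree on a digit; not the same card")
        combined.append(digits.pop() if digits else "*")
    return "".join(combined)


def audit(receipts):
    """Compare what the best single receipt hides with what the pile hides."""
    combined = combine(receipts)
    hidden_per_receipt = [normalise(r).count("*") for r in receipts]
    return {
        "combined": combined,
        "hidden_in_best_single_receipt": min(hidden_per_receipt),
        "hidden_after_combining": combined.count("*"),
        "fully_exposed": "*" not in combined,
    }


if __name__ == "__main__":
    for name, pile in (("inconsistent", INCONSISTENT), ("consistent", CONSISTENT)):
        print(name, audit(pile))
```

With one truncation rule applied everywhere, combining receipts reveals nothing beyond what a single receipt already shows; with mixed rules, the hidden digits shrink to whatever all of the terminals happen to agree on hiding.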


DHS spins RFID ... presto! Contactless integrated circuits! 

The Department of Homeland Security is learning that RFID has negative connotations. According to Wired News, they're trying to rename them, at least in their cards:

Wired News: RFID Cards Get Spin Treatment:

"... The distinction is part of an effort by the Department of Homeland Security and one of its RFID suppliers, Philips Semiconductors, to brand RFID tags in identification documents as 'proximity chips,' 'contactless chips' or 'contactless integrated circuits' -- anything but 'RFID.' ..."

I suppose they didn't want to call them "auto id chips" or "spy chips".


Incident: Stolen Berkeley Laptop Exposes Data of 100,000 

Yet another university to add to the incident file. Someone walked off with a University of California Berkeley laptop containing personal information related to almost 100K students, alumni, applicants, etc. Thanks to the California privacy law, the University is required to inform each affected individual.

Stolen Laptop Exposes Data of 100,000:

"A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.

University officials waited until Monday to announce the March 11 crime, hoping that police would be able to catch the thief and reclaim the computer. When that didn't happen, the school publicized the theft to comply with a state law requiring consumers be notified whenever their Social Security numbers or other sensitive information have been breached...."

See also Yahoo! News - Stolen Laptop Exposes Data of 100,000, ABC News: Stolen Laptop Exposes Data of 100,000 and The New York Times > National > Thief Takes Laptop With Berkeley Data.


Monday, March 28, 2005

Your data, for all the world to see 

The Daily Pennsylvanian has an article/opinion piece about Abika, an internet-based data aggregator and background check service. (See previous mentions: PIPEDA and Canadian Privacy Law: CIPPIC complaint raises a number of novel and interesting issues, PIPEDA and Canadian Privacy Law: Jurisdictional limits on Canadian privacy law, and PIPEDA and Canadian Privacy Law: CIPPIC v Part deux.)

I am sure the author is not alone in his opinions: Your data, for all the world to see:

"Tucked away in the rodeo-ridden town of Cheyenne, Wyo., is a small, seven-person company that is quietly blurring the conventional boundaries between public and private life. Founded by India-born Jay Patel, is a self-proclaimed "worldwide leader in people information, verifications and profiling" in the emerging field of person-to-person search technology. The firm utilizes proprietary person-based data query/extraction systems (akin to old-fashioned intelligence gathering) in addition to online algorithmic searches to deliver "All Best Information Known Accurately."

The company has its roots in the most precarious of human endeavors -- dating (coincidentally, Abika was also the name of the man responsible for compiling the ancient knowledge found in the Kamasutra). In a recent interview with The Times of India, Patel described meeting an intriguing woman at a local Sam's Club and thereafter rushing home to his computer to dredge up every piece of her personal history he could find on the Internet. On the next date he surprised her with intimate details of her life and, fortunately for Patel, wasn't immediately branded as a stalker. Three weeks later, they were married.


Abika's overwhelming success -- the company processed more than three million personal information requests just last year -- combined with its relative ease of use has slowly attracted the attention of both domestic and foreign privacy watchdogs. The Electronic Privacy Information Center in Washington, for example, has warned of the perils of unregulated data mining, lax enforcement of the Fair Credit Reporting Act (a federal law enacted to prevent improper disclosure of personal financial history) and the overarching potential for identity theft.


The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has expressed similar concerns, particularly over the inaccuracies of Abika's psychological profiling methods and their potential for unfair discrimination and commercial abuse, and has filed complaints against Abika with the privacy commissioner of Canada and the U.S. Federal Trade Commission. To date, however, neither EPIC nor CIPPIC has made any progress toward curtailing this nascent industry.

Critics of these privacy groups note that most of the information in question is technically "public," albeit fragmented, and hence companies like Abika cannot be faulted for the mere acts of aggregation and inference. In an increasingly connected world, the rise of Abika and its brethren seem almost inevitable -- natural by-products of globalization and the growing culture of communication. Early warnings by parents and grade-school teachers ("don't say or do anything you might later regret") come to mind, with substantially more bite.

A potential error in this line of reasoning, however, lies in equating "public" with "equally publicly accessible." As EPIC has often noted, much of the information gleaned by data-mining companies comes from the expensive purchase of consumer records from other companies, an endeavor far from the reach of the average citizen. Accordingly, an immediate institutional and monetary bias in access is realized, forging an intrinsic difference in the meaning of "publicly accessible" for the individual and "publicly accessible" for the corporation, the latter being more comprehensive and inclusive.

As a result, individuals are inherently disadvantaged not only in knowing what information is known about them but also, importantly, who knows such information and whether it is indeed correct. This becomes acutely germane when faulty conclusions are drawn upon incorrect information (say, when a firm rejects a job applicant based upon erroneous data concerning past criminal/social history) or when extrapolated statistical conclusions are used to predict future behaviors (say, when law enforcement personnel, who are becoming quite fond of Abika's services, are identifying suspects)...."


Sunday, March 27, 2005

US Privacy Law: Not 'if' but 'when' 

Today's Toledo Blade has a lengthy article on the current privacy/security incidents and the push toward new legislation:

"ID theft: Not 'if,' but 'when'
Computer breaches spur calls for new laws

Many people learned a lesson the hard way recently: Big Brother barely has his eyes open when it comes to the data brokers that gather personal information on millions of Americans.

Which means, security and consumer experts warn, that unless states and Congress institute tough laws, all the paper-shredding in the world will not protect an increasing number of people from falling victim to identity theft...."


Saturday, March 26, 2005

Did TSA mislead the public on passengers' private data? DHS thinks so. 

According to an investigation by the Department of Homeland Security, and reported on by Yahoo news (Report: TSA Misled Public on Personal Data), the Transportation Security Administration misled the public about its role in getting passenger information from airlines while testing its passenger profiling software.

CBS News has a strongly-worded headline for its coverage of the story: CBS News | Airline Passenger Privacy Betrayed


Friday, March 25, 2005

Incident: Purdue warns hackers hit some computers 

Once again, a university computer system containing personal information has been compromised by hackers. There is no confirmation that sensitive personal information has been compromised, but Purdue University officials are notifying students and employees that their information may have been disclosed:

Purdue warns hackers hit some computers:

"WEST LAFAYETTE, Ind. -- Purdue University officials have sent letters to more than 1,200 employees, students, graduates and business affiliates, alerting them that their personal information might have been illegally obtained through computers on campus.

Officials discovered Jan. 27 that someone hacked into the computers in the College of Liberal Arts' Theatre Division.

The hacking probably started in November when someone used special software to access the theater computers and two other campus systems, school officials said. 'While this information was vulnerable, we cannot say with certainty whether it actually was accessed,' Joseph Bennett, vice president for university relations, said Thursday. 'We take this very seriously because files on these computers contained information that could be used to commit identity theft.'"


Incident: NWU's Kellogg School of Management systems hacked 

Another one for the incident file (Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law). The Kellogg School of Management is reporting that their computer systems have been hacked. All that is suspected to have been lost are userids and passwords, but other personal information may have been compromised. From WBBM 780:


" - EVANSTON, IL -- Computer hackers apparently went to work at Northwestern University's Kellogg School of Management. WBBM's Bob Conway reports...

A security breach has been detected in the computer server system at Northwestern University's Kellogg School of Management.


Thus far, no one at Kellogg has reported any unauthorized use of their information.

When the server problem was discovered on March 20, the affected systems were immediately taken off-line and rebuilt. On Wednesday, Kellogg Information Systems determined that Kellogg user IDs and passwords, which provide access to various information sources on the Northwestern system, were potentially obtained by the hackers.

While the university said it has no evidence that personal identification was accessed, Northwestern has taken the precautionary measure of disabling all passwords and user IDs for Kellogg School faculty and staff (approximately 500) and students (approximately 3,000) affected. Kellogg Information Systems is also working to create new passwords for approximately 18,000 of the school's alumni whose passwords were also potentially obtained.

An investigation is ongoing and it appears that the servers were not targeted to obtain personal information. Stay tuned to WBBM Newsradio 780 for the latest developments "


Who is dumber, the phisher or the phished? 

Getting personal information by "phishing" isn't new, but I've only recently received my first phishing e-mail. It actually is a bit funny since whoever wrote it is pretty stupid. It's also a bit scary because I'm sure it has snagged more than a few folks. Here's the message, with some of my favorite bits highlighted:


Dear Bank of Oklahoma customer. Please read this message and follow it's [sic] instructions.

Unauthorized Account Access

We recently reviewed your account, and we suspect an unauthorized ATM based transaction on your account. Therefore as a preventive measure we have temporary limited your access to sensitive Bank of Oklahoma features.

To ensure that your account is not compromised please login to Bank of Oklahoma Internet Banking and Investing by clicking this link, verify your identify and your online accounts will be reactivated by our system.

To get started, please click the link below:

[link removed]

Important information from Bank of Oklahoma.

This e-mail contains information directly related to your account with us, other services to witch you have subscribed, and/or any application you may have submitted. Bank of Oklahoma and its service providers are committed to protecting your privacy and ask you to send sensitive account information through e-mail.

If your bank demonstrates its "commitment to protecting your privacy" by asking you to send sensitive account information via e-mail, you are being scammed or you are with the wrong bank.

While looking into this particular scam, I happened upon the Anti-Phishing Working Group, which has more info on the Bank of Oklahoma e-mail and many, many more.


Survey Reveals That People Will Give Away Their Identity For A Chance To Win Theatre Tickets 

Infosecurity Europe did a little research on the streets of London, showing that most people will trade away sensitive personal information for a chance to win something. I'd like to see some followup research to find out how people actually felt about giving up that information. I bet more than a few felt a little squeamish, but gave it up anyway:

HNS - Survey Reveals That People Will Give Away Their Identity For A Chance To Win Theatre Tickets:

"... The first question researchers asked was, "What is your name?", which seems reasonable enough if someone is potentially going to send you some vouchers, 100% of those surveyed gave their names. They were then asked a series of questions about their views on the theatre in London. People were then asked if they knew how actors came up with their stage name. They were then told it was a combination of their pets name and mothers maiden name and were asked what they thought their stage name would be. Ninety four percent (94%) of respondees then went on to give their mothers maiden name and pet's name. To obtain the address and post code, researchers asked for their address details in order to post them the vouchers if they won, 98% gave their address and post code. To find out the name of their first school the question was asked, "Did you get involved in acting in plays at school?" and then "What was the name of your first school?". Ninety six percent (96%) gave the name of their first school, this answer along with mother's maiden name are key pieces of identity information used by banks.

In order to find out date of birth researchers said that in order to prove they had carried out the survey they needed their date of birth, 92% gave their date of birth and 92% also gave their home phone number in case there was a problem delivering the vouchers. At the end of a 3 minute survey, the researchers were armed with sufficient information to open bank accounts, credit cards, or even to start stealing their victim's identity. The researchers did not give any verification of their identity, their only tool was a clipboard and the offer of the chance to win a voucher for theatre tickets...."

Their techniques were sneaky and misleading, but someone trying to steal identities will be sneaky and misleading.


The Fed now requires customer notification of security breaches under GLBA 

The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of Thrift Supervision yesterday released a guidance document under the Gramm-Leach-Bliley Act requiring banks to notify customers of security breaches involving their sensitive personal information:
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

"III. Overview of Final Guidance

The final Guidance states that every financial institution should develop and implement a response program designed to address incidents of unauthorized access to customer information maintained by the institution or its service provider. The final Guidance provides each financial institution with greater flexibility to design a risk-based response program tailored to the size, complexity and nature of its operations. The final Guidance continues to highlight customer notice as a key feature of an institution’s response program. However, in response to the comments received, the final Guidance modifies the standard describing when notice should be given and provides for a delay at the request of law enforcement. It also modifies which customers should be given notice, what a notice should contain, and how it should be delivered. A more detailed discussion of the final Guidance and the manner..."


Thursday, March 24, 2005

And the month isn't even over yet ... 

The Register ran a story yesterday (that I would have otherwise missed - Thanks, PrivacySpot) about the litany of privacy stories that have appeared in the spotlight this March. The title is "ID theft is inescapable", but the story also has other lessons...

ID-theft and privacy are real issues for consumers. The media are now much more likely to run with the stories. Though I have no hard facts to back this up, I do not think this March madness is a symptom of increased hacking and criminality. Rather, it is a reflection of how ordinary consumers are concerned, how the media report on the issue and how legislators are stepping in to address this concern. Much of this activity would have been unreported had it not been for the California law that requires notification for security lapses. But that law was a response to consumer fears.

The lesson is that how organizations manage and protect consumer information is under the spotlight and bright light is pretty unforgiving. I have seen, first hand, that a growing group of consumers are making decisions based on how companies respect their privacy. You can call them "privacy concerned." A large portion can be called neutral, and they'll walk if a company doesn't respect their privacy. This is now a simple reality for companies that deal with personal information.

ID theft is inescapable The Register:

"March 2005 might make history as the apex of identity theft disclosures. Privacy invasion outfit ChoicePoint, payroll handler PayMaxx, Bank of America, Lexis Nexis, several universities, and a large shoe retailer called DSW all lost control of sensitive data concerning millions of people.

Credit card and other banking details, names, addresses, phone numbers, Social Security numbers, and dates of birth have fallen into the hands of potential identity thieves. The news could not be worse...."


It's ten o'clock in Alberta. Do you know where your medical records are? 

The Red Deer Advocate is reporting that a sudden medical clinic closure has left the town's residents wondering where their medical records are:

Medical records being sought:

"Mar 22 2005

By andrea miller

A women's health clinic that suddenly closed last week is being questioned about missing medical records.

The Alberta College of Physicians and Surgeons is trying to find out what happened to the medical files of hundreds of patients of the clinic, said spokeswoman Kelly Eby.

The province's privacy commissioner is also looking for answers to ensure compliance with the Freedom of Information and Protection of Privacy Act.

The Healthporte Medical Clinic in Red Deer closed last week after struggling to find enough doctors since opening last July.

Patients and the clinic's two doctors arrived last Tuesday to find a closure notice on the building in Cronquist Business Park...."


ChoicePoint still under fire, from all sides 

(Sorry for the light blogging in the last day or so. I was in Newfoundland for a commercialization seminar.)

ChoicePoint is continuing to come under fire for a number of reasons ...

Wired news is running a story on alleged problems with their background checks:

Wired News: ChoicePoint's Checks Under Fire:

"As data broker ChoicePoint wrestles with the fallout from the sale of personal data to identity thieves and an investigation into two executives' sale of company stock, it faces questions on another front: its background-checking services.

Several lawsuits and consumer complaints in the last few years have accused ChoicePoint of providing inaccurate and out-of-date information in its criminal background reports, resulting in unfair job losses for applicants...."

Thanks to Privacy Digest for the link.

I expect there'll be some fuss about the company raising the CEO's bonus from $1.5M to $1.8M:

News from The Associated Press:

"WASHINGTON (AP) -- ChoicePoint Inc., which sells consumer data and recently acknowledged a major security breach, raised its top executive's 2004 bonus to $1.8 million from $1.5 million a year before, according to a regulatory filing Wednesday...."

And execs are being investigated for stock sales before the privacy incident was made public:

SEC investigating ChoicePoint stock sales:

"MAR. 4 8:13 A.M. ET Data collector ChoicePoint Inc. announced the Securities and Exchange Commission is investigating stock sales by its top two executives. The company also said it will also stop selling personal information about consumers to small businesses...."


Tuesday, March 22, 2005

How RSS can reduce privacy risks 

Here's an interesting comment on The Information Security News blog from Clearwater Associates on using RSS instead of mailing lists to reduce your privacy risks. In short, if you don't have a mailing list that can be compromised, you effectively reduce the risk of having your mailing list compromised. And it gives complete control to your readers. Check it out here:

The Information Security News - Blog Archive - Editorial: How RSS can reduce privacy risks:

"Offering web site content updates via an RSS feed rather than by opt-in email can reduce the risk of privacy exposures. Because subscribing to an RSS feed is a 'pull' technology, it avoids the collection of personal information (email address, name, etc.) that would normally get collected in order to maintain a subscription to a site update alert, newsletter or digest..."


Media coverage of UC-Chico hacker incident. 

A few days ago, I blogged about a hacking incident at the University of California, Chico (see PIPEDA and Canadian Privacy Law: Incident: Hacker Accesses Thousands of Personal Data Files at CSU Chico). In the meantime, the mainstream media have really picked up on the story, as evidenced by Google News. This is just one in a series of university hacking incidents, but in this post-ChoicePoint age, the media is taking notice in a serious way. Just google it here.


beSpacific: Another Antispyware Bill Introduced Today 

Sabrina I. Pacifici's fantastic blog, beSpacific, is reporting that yet another anti-spyware bill has been introduced in the US Congress:

beSpacific: Another Antispyware Bill Introduced Today

Press release: "U.S. Senator Ron Wyden (D-Ore.) today announced the introduction of legislation to prohibit a variety of surreptitious practices that result in spyware, adware and other unwanted software being placed on consumers’ computers. The bipartisan SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) Act, introduced with Senator Conrad Burns (R-Mont.), would prohibit the installation of software on a computer without the owner’s notice and consent. The legislation also requires reasonable “uninstall” procedures for all downloadable software. Spyware, adware and other hidden programs often secretly piggyback on downloaded Internet software without the user’s knowledge, transmitting information about computer usage and generating pop-up advertisements. Frequently such software is designed to be virtually impossible to uninstall."

  • Related legislation: H.R. 29, the Spy Act.


    Taking "googling yourself" to the next level 

    Rob Hyndman sent me a link yesterday to an article in the Globe and Mail about a service called Zoominfo:
    Globetechnology: Startup helps control personal info on Web:

    "...The practice of typing your name into an Internet search engine and seeing what pops up is now common, but the results can be unpredictable. The Internet holds surprising amounts of personal information between its ever-expanding corners, and some of it may be outdated, inaccurate or embarrassing.

    ZoomInfo's computers have compiled individual Web profiles of 25 million people, summarizing what the Web publicly says about each person. The service, launched Monday, allows Web surfers to search for their profile, then change it for free...."

    It looks like it scrapes the internet for information about people and compiles it into one handy-dandy place. I put in my name and was surprised about what it had to say about me. Thankfully, most of it was positive, but it was also a bit scary. I put in my wife's name and it knew all about her too, based on a media interview she had done at the beginning of the year. It says you can control what is in it, but I doubt too many people will use that feature. I also wonder how they authenticate people. Can they tell the two hundred David Frasers apart?

    You can even look up by "company". The Central Intelligence Agency may have some concerns about this ... ZoomInfo Search: central intelligence agency. Or the National Security Agency ... ZoomInfo Search: national security agency.


    Debate over Solove and Hoofnagle's privacy proposal 

    I blogged a little while ago about a new proposed privacy regime put forward by Daniel Solove and Chris Hoofnagle (see PIPEDA and Canadian Privacy Law: Daniel Solove, Chris Hoofnagle propose a new model privacy regime for the United States) and I've been waiting for Dennis Bailey of the Open Society Paradox to comment on it. He's posted a summary of his thoughts on his blog, which provides food for thought: The Open Society Paradox: The Whole Kit and Caboodle - Solove and Hoofnagle Go For Regime Change.


    Monday, March 21, 2005

    Tune in today ... ROB TV at 5:00 eastern 

    I've been invited to be on Squeeze Play on Report on Business TV this afternoon. They are looking for a discussion on PIPEDA's first full year of implementation, commentary on the most recent privacy fiascoes in the United States and where we are headed in Canada. I'll be on ROBTV this afternoon around 5:15 (EST), or you can catch it on their internet archive. I think ROBTV's on basic cable from coast to coast.

    Update: The direct link to the video is here.


    Addressing privacy when moving medical records online 

    From today's Contra Costa Times (registration required), an article on the promise and perils of online medical records: | 03/21/2005 | Online health records arrive, with privacy concerns:

    ".... Recently, feeling curious about whether she needed more tests several years after a benign biopsy for breast cancer, she reread her detailed biopsy report online and felt reassured.

    'It was very comforting,' said Perlman, a 51-year-old former CEO who lives in Menlo Park and now consults for high-tech companies. 'I feel like I've been able to be much more proactive with things like figuring out for myself what's the right schedule for a physical.'

    Perlman's online ventures in medical care are just the beginning. Not far in the future, your entire medical record could be online, available to your doctors, the local emergency room, even the Lake Tahoe hospital that treats you when you break your leg skiing.

    The idea is to move those bulging paper patient charts into the digital age, creating a record that travels with you rather than gathering dust in your doctor's office or a hospital's storage warehouse.

    Electronic medical records, say health experts, can help cut health care costs and improve patient safety. For example, they can help doctors avoid prescribing a drug that might interact badly with one you're already taking or eliminate duplicative -- and expensive -- lab tests...."


    How-to: Erase Old Hard Disks 

    Engadget - a must-bookmark for the gadget obsessed - ran a piece last week on how to completely erase the contents of a hard-drive: How-to: Erase Old Hard Disks - Engadget -


    Scrutinizing online privacy statements for transparency and disclosure 

    Rusty Weston and Keith Dawson, in Optimize Magazine (a part of the TechWeb Business Technology Network), scrutinize the online privacy statements of a number of companies to look at how transparent they really are. The article focuses on whether the companies disclose offshore processing of customer information, but it is also a useful lesson on how to be transparent to gain customer trust.

    Optimize Magazine > Global Issues << Shining Light On Privacy Policies >> March 2005:

    "If you read a few dozen corporate privacy policies, you may be excused for believing that the same guy who drafts the fine print in rental-car contracts wrote these while moonlighting. There is some truth to that notion: It's easy to find boilerplate privacy forms on the BBB OnLine site. These policies generally are so vague--and cookie-cutter in style--it appears that they exist to give attorneys wiggle room if the disclosure is ever challenged in court.

    The premise of our review of privacy statements by companies engaged in outsourcing of various kinds (they don't in all cases offshore customer data to third parties) is to determine how these firms handle the concept of customer disclosure. What policy language is the state of the art? Which statements need a serious policy review?...."


    Investigators Argue for Access to Private Data 

    The New York Times, which has had great coverage of the latest privacy debate, is running an article in today's edition giving the private investigator's perspective on data aggregators:

    The New York Times > Technology > Investigators Argue for Access to Private Data:

    "Diany Castillo, a 54-year-old home health care aide who lives in Brooklyn, says she is grateful that the fragmented bits of her past - her moves from one state to another, her marriages and her name changes - can be found in the vast commercial databases that contain personal information on tens of millions of Americans.

    Last October, a private investigator in Los Angeles used those digital bread crumbs to track down Ms. Castillo and send her a letter. Her estranged daughter, Diani Ramos, adrift for nearly a decade on the streets of southern California, was looking for her, the letter said.

    The two were reunited in November.

    In the heated debate over privacy rights and the sale of personal information by the data-mining industry, the story of Ms. Castillo and Ms. Ramos may represent a contrarian's view. "


    Sunday, March 20, 2005

    What your photocopier knows about you ... 

    The Alberta Information and Privacy Commissioner's office is raising the alert about security and privacy issues related to newer photocopiers and fax machines. Their hard-drives may store information without the user's knowledge:

    Yahoo! News - Alta privacy office says hi-tech fax machines an overlooked security risk:

    "CALGARY (CP) - In the realm of high-tech dangers, few would consider the lowly fax machine or photocopier a security risk.

    That would be naive, says Tim Chander, research manager of Alberta's Office of Information and Privacy.

    'It's not your grandfather's printer anymore - these things are computers with hard drives that can be connected to the Internet,' said Chander.

    'Anything you're photocopying (is) copied and stored on the hard drives unless they are overwritten.'

    Chander said most businesses, government offices and health authorities lease their office equipment without considering the security ramifications.

    'We haven't had a complaint come to our office. We just want organizations to be aware that anyone photocopying personal, business or health information to realize that when your lease is up, your information is going out the door,' he said...."


    Surveillance cameras coming to Halifax's public places 

    In the wake of a number of "swarmings" on Spring Garden Road, Halifax's main shopping street, the local merchants' association is proposing to subsidise video surveillance of the entire area:

    The Daily News

    Crime watch

    By Richard Dooley

    EYES ON THE ROAD: Spring Garden Road Area Business Association manager Bernard Smith says the group has offered to subsidize outdoor night-vision surveillance cameras for merchants, to scan the streets for trouble, after a series of downtown swarmings. (Photo: DARRELL OAKE)

    A series of swarming-style robberies in downtown Halifax over the last two weeks — the latest early yesterday — has convinced businesses in the area to ask for more police feet in the street and eyes in the sky. The Spring Garden Road Area Business Association is quietly telling downtown businesses it will subsidize exterior night vision surveillance cameras set up to scan the street for potential trouble.

    The association is also asking for the return of beat cops to Spring Garden Road...."

    So far, I haven't heard of a privacy backlash, but I expect there may be one forthcoming.


    Saturday, March 19, 2005

    Time Warner Ordered to Identify Sender of Offensive Email 

    InternetCases is running a summary of a recent Maine decision in which the Court ordered cable provider Time Warner to disclose the identity of an individual who allegedly impersonated the plaintiff in the case, sending an offensive cartoon. The US legislation requires that the cable company give the John Doe notice of the request; in this case, the unnamed individual was represented at the hearing: Time Warner Ordered to Identify Sender of Offensive Email:

    "In the case of Fitch v. Doe, the Supreme Court of Maine has held that while the Cable Communications Policy Act of 1984 generally prohibits a cable operator's disclosure of subscriber information, an exception provided in the Act allows disclosure to nongovernmental entities pursuant to court order, so long as the subscriber has received notification thereof.

    On Christmas Eve 2003, an anonymous person sent an email under Plaintiff Fitch's name with a derogatory cartoon attached. Fitch filed suit in Maine state court against the unknown sender of the email (John or Jane Doe). Fitch then sought an order directing Time Warner (the ISP of the account from which the message was sent) to disclose Doe's identity. Doe's counsel objected to the disclosure, arguing that the disclosure was forbidden by the Cable Communications Policy Act of 1984, 47 U.S.C.A. s 551 (the 'Act'), and that Doe did not consent to allow Time Warner to disclose his identity. The trial court ordered disclosure, finding that Doe's agreement with Time Warner provided such consent.

    Doe appealed to the Maine Supreme Court, but the lower court's decision to order disclosure was affirmed. Although the court concluded that the lower court erred in determining Doe had consented to disclosure, such disclosure was authorized under an exception found in the Act...."


    Canton: Non-secure ID database scary prospect 

    David Canton's regular column in the London Free Press is about the insecurity of databases that are used to establish identity and government initiatives to make ID more secure:

    London Free Press: Business Section - Non-secure ID database scary prospect:

    "After the terrorist attacks of Sept. 11, 2001, governments began looking for solutions to identification problems that had plagued them for decades. The United Kingdom and the United States suggested introducing national identification cards and driver's licences respectively with 'smart card' radio frequency identification (RFID) technologies. Canada has also considered the idea...."


    LexisNexis Tightens Data Security 

    LexisNexis is following Westlaw's lead in restricting access to social security numbers and drivers license numbers:

    Yahoo! News - LexisNexis Tightens Data Security:

    "NEW YORK - LexisNexis, which last week said intruders had accessed dossiers on about 32,000 people in one of its database products, has restricted access to individuals' Social Security (news - web sites) and drivers license numbers...."


    Friday, March 18, 2005

    BC outsourcing fight not over yet 

    The BC union that kicked off the Canadian debate over privacy, outsourcing and the USA Patriot Act has taken its arguments to court, according to ITBusiness. The article doesn't really say what the legal basis of their attempt to derail the government's outsourcing plans is, particularly after the government amended the public sector privacy law:

    "The British Columbia Government and Service Employees' Union on Wednesday ended the third and final day of a Supreme Court case to block the outsourcing of its Medical Services Plan database management to a U.S. firm.

    Union lawyers told the court that privatization of the Medical Services Plan (MSP) would violate the Canada Health Act and potentially jeopardize the privacy of patient data. The province has already signed a $324-million with Reston, Virginia-based Maximus Inc., which will deliver its services through two new Canadian subsidiaries, Maximus BC Health Inc. and Maximus BC Health Benefit Operations Inc. The BCGEU has asked for an injunction that would prevent the partnership from moving ahead until the broader issues in the case can be resolved. The Supreme Court had not made a decision at press time...."


    AOL's EULA: Fear, confusion and a fanatical devotion to legalese ... 

    The editorial staff of the Harvard Crimson have produced an opinion piece related to the AOL Instant Messenger privacy fuss. Though the focus is on jargon-laden EULAs (end-user license agreements), privacy notices have many of the same characteristics:

    The Harvard Crimson Online :: Opinion:

    "You've Got Jargon: AOL’s two main weapons are fear, confusion, and a fanatical devotion to legalese


    We do it without a moment’s thought. We click the box and accept the “terms” without pause. What are the actual terms? No one really knows—and, more often than not, no one really cares. But perhaps we should pay more attention to the content of these curious provisos—these End-User License Agreements (EULAs) that accompany most any piece of software. If the new changes to the terms of service of one of America Online (AOL) Inc.’s most popular applications are any indication, it’s easy to pull a fast one on unassuming customers without any real accountability. In their current, indecipherable form, however, it’s safe to assume that people will continue to “agree” to these terms without thinking. It is essential that EULAs be more up-front and comprehensible; they should be written in “plain English” to avoid any underhanded policies that might require signing away one’s soul—inadvertently.

    The changes in question affect something very dear to almost any Harvard student, and increasingly almost any person who owns a personal computer, cell phone, or other trendy technological device that allows for epistolary e-interaction. And it stirs paranoia in anyone who generally enjoys the world of impersonal, anti-social online banter. That is, it affects the users of the ubiquitous AOL Instant Messenger (AIM).

    AOL’s new terms, affecting anyone who downloaded AIM after Feb. 4, 2004 as well as anyone planning to update the program in the future, explain that, “by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium. You waive any right to privacy.” Frightening words, indeed....."


    Daniel Solove, Chris Hoofnagle propose a new model privacy regime for the United States 

    Daniel Solove of GWU Law School and Chris Hoofnagle of EPIC have jointly produced a model of privacy regulation as a basis for discussion for privacy law reform in the United States. Reading it from a Canadian perspective, it looks a lot like the Canadian Standards Association Model Code for the Protection of Personal Information that is now the law, via the Personal Information Protection and Electronic Documents Act.

    SSRN-A Model Regime of Privacy Protection by Daniel Solove, Chris Hoofnagle:

    VERSION 1.1

    Privacy protection in the United States has often been criticized, but critics have too infrequently suggested specific proposals for reform. Recently, there has been significant legislative interest at both the federal and state levels in addressing the privacy of personal information. This was sparked when ChoicePoint, one of the largest data brokers in the United States with records on almost every adult American citizen, sold data on about 145,000 people to fraudulent businesses set up by identity thieves.

    In the aftermath of the ChoicePoint debacle, both of us have been asked by Congressional legislative staffers, state legislative policymakers, journalists, academics, and others about what specifically should be done to better regulate information privacy. In response to these questions, we believe that it is imperative to have a discussion of concrete legislative solutions to privacy problems.

    What appears below is our attempt at such an endeavor. Privacy experts have long suggested that information collection be consistent with Fair Information Practices. This Model Regime incorporates many of those practices and applies them specifically to the context of commercial data brokers such as Choicepoint. We hope that this will provide useful guidance to legislators and policymakers in crafting laws and regulations. We also intend this to be a work-in-progress in which we collaborate with others. We welcome input from other academics, policymakers, journalists, and experts as well as from the industries and businesses that will be subject to the regulations we propose. We invite criticisms and constructive suggestions, and we will update this Model Regime to incorporate the comments we find most helpful and illuminating. We also aim to discuss some of the comments we receive in a commentary section. To the extent to which we incorporate suggestions and commentary, and if those making suggestions want to be identified, we will graciously acknowledge those assisting in our endeavor.

    Notice, Consent, Control, and Access
    1. Universal Notice
    2. Meaningful Informed Consent
    3. One-Step Exercise of Rights
    4. Individual Credit Management
    5. Access to and Accuracy of Personal Information

    Security of Personal Information
    6. Secure Identification
    7. Disclosure of Security Breaches

    Business Access to and Use of Personal Information
    8. Social Security Number Use Limitation
    9. Access and Use Restrictions for Public Records
    10. Curbing Excessive Uses of Background Checks
    11. Private Investigators

    Government Access to and Use of Personal Data
    12. Limiting Government Access to Business and Financial Records
    13. Government Data Mining
    14. Control of Government Maintenance of Personal Information

    Privacy Innovation and Enforcement
    15. Preserving the Innovative Role of the States
    16. Effective Enforcement of Privacy Rights "

    Thanks to PrivacySpot for the pointer: Draft of a Model Privacy Regime (Part One) | - Privacy Law and Data Protection.


    Incident: Hacker Accesses Thousands of Personal Data Files at CSU Chico 

    Yet another university security incident involving personal information, this time from CSU Chico:

    Hacker Accesses Thousands of Personal Data Files at CSU Chico:

    "Officials at CSU Chico are notifying thousands of current, former and prospective students, faculty and staff that a computer hacker accessed their names and Social Security numbers.

    The letters detailing the personal information breach are going out now. The university's computer monitoring system caught some unauthorized software on the network in early February and determined that someone had broken into a computer server at the university's housing and food service center last July. The hacker had installed software to store files on the server. The individual also attempted to break into other computers.

    In the eight months since the breach, university officials said it doesn't appear the hacker actually accessed personal data. 'Even though we didn't find proof that the data had been compromised, because the person had access to the system we wanted to send out the notification as a precaution,' said CSUC Information Security Officer Brooke Banks...."


    Thursday, March 17, 2005

    Westlaw Agrees to Stop Selling Social Security Numbers, Schumer Urges Other Companies to Follow Suit 

    Thanks to Sabrina at beSpacific (beSpacific: Westlaw Announces Restricted Access to Personal Data) for pointing me to the following press release by Senator Schumer, who is announcing that Westlaw has agreed to limit access to social security numbers in its databases:

    Westlaw Agrees to Stop Selling Social Security Numbers, Schumer Urges Other Companies to Follow Suit:

    "FOR IMMEDIATE RELEASE: March 17, 2005

    Westlaw Ends SSN Sales to Private Companies, Greatly Limits Sale to Law Enforcement, Other Public Agencies

    Senator Introducing Comprehensive Privacy Legislation Soon, Westlaw Supports Provisions in Schumer ID Theft Prevention Bill

    After meeting with top executives last night, Sen. Charles Schumer (NY) announced today that Westlaw would be taking major steps to close large loopholes in its data search systems which previously allowed access to millions of Social Security numbers and other personal information. Peter Warwick, the head of Westlaw, thanked Sen. Schumer for raising important questions about privacy, and he has directed his company to take decisive action to close the privacy loopholes Schumer highlighted in letters and conversations. Westlaw undertook a complete review of its systems and made significant changes in its dealings with its clients.

    Schumer said, “The steps that Westlaw has taken to close privacy loopholes and protect consumers from identity theft are a model for the rest of the data broker industry. This is a victory for consumers and big loss for criminals who want to steal your Social Security number and your identity. Identity theft costs consumers and businesses an estimated $5 billion per year and I’m happy that we’re making progress to reduce that financial burden on American families.”

    In their meeting on Wednesday night, Westlaw informed Sen. Schumer that:

    • 85% of those who had access to Social Security numbers on Westlaw’s database do not anymore.
    • No corporate clients have access to Social Security numbers anymore.
    • Eliminated government clients’ access for full Soc. Sec. numbers, including the U.S. Senate, and are working to restrict access to non-law enforcement personnel at other government agencies.
    • Will not sign new contracts that would allow full access to Soc. Sec. numbers.
    • Individuals who still have access will be screened by Westlaw, and are working towards individualized password access for those who have been screened.

    Westlaw also expressed its support for Schumer’s efforts to enact legislation addressing ID theft, including the distribution and sale of Social Security numbers except to law enforcement; support regulation of data brokering."


    Incident: Boston College alumni database breached 

    Not only another one to add to the incident list (PIPEDA and Canadian Privacy Law: Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law), but yet another university incident:

    Boston College reveals alumni data breach | Tech News on ZDNet: "Boston College is fighting against an attack on its fund-raising databases, which may have exposed the personal data of more than 100,000 alumni.

    College representatives said Thursday that the school was the target of a virus attack on a computer housed in a campus calling center used by students to solicit donations from alumni. According to Boston College spokesman Jack Dunn, the machine in question is managed by a third-party IT service, which the school has chosen not to publicly identify.

    Dunn said the company noticed a spike in the computer's activity during a routine maintenance operation and discovered a virus on the device that was attempting to use the database to launch attacks on other systems. The machine was then taken offline and examined in order to determine the extent of the attack.

    No other computers were found to be affected by the virus, he said...."


    Wednesday, March 16, 2005

    Letters to HIV positive Palm Beach County residents come as a surprise following e-mail gaffe 

    A little while ago, I blogged about the accidental e-mailing of a list of HIV positive residents of Palm Beach County in Florida (see PIPEDA and Canadian Privacy Law: E-mail gaffe reveals HIV, AIDS names). Now, a number of HIV patients in the same county have received anonymous letters indicating their names had appeared on a list of HIV/AIDS patients in the county. County officials say the incidents are unrelated, but the coincidence is puzzling:

    Letters a shock to HIV positive:

    "Palm Beach County's health chief says an anonymous mailing is separate from the e-mail leak.

    By Jane Daugherty
    Palm Beach Post Staff Writer

    Wednesday, March 16, 2005

    WEST PALM BEACH — Three law enforcement agencies have launched a criminal investigation to find out who is sending letters threatening the privacy of the 4,500 AIDS patients and 2,000 people who are HIV-positive in Palm Beach County.

    One of the recipients of a letter postmarked March 8 told The Palm Beach Post Tuesday, "I'm very upset about this. I've been HIV-positive for a long time and, thankfully, I'm OK, but I'm looking for a job. Who is going to hire me if someone reveals my HIV status? This is a terrible thing."

    He gave his name and phone number but asked that he not be identified in print because of the stigma associated with AIDS.

    The otherwise innocuous letter with no return address that he and others received at their homes last week said, "Your name appeared on a list of HIV/AIDS patients for Palm Beach County."

    A list of patients was inadvertently e-mailed last month to 800 Palm Beach County Health Department employees, but health officials do not believe the recent mailing used the same list because it did not include addresses.

    "This is a separate incident, and I regard this as terrorism," department Director Dr. Jean Malecki said Tuesday. She confirmed that she turned two of the letters over to law enforcement investigators Tuesday and asked for a criminal investigation...."


    NYT: How Billions of Pieces of Information Are Bought and Sold 

    The New York Times is continuing their coverage of the Senate hearings on the ChoicePoint/BofA/Lexis incidents with an article on what information is bought and sold, and where it comes from:

    The New York Times > Business > How Billions of Pieces of Information Are Bought and Sold (reg'n req'd):

    "How much data on how many Americans are they dealing with?' Sen. Richard C. Shelby, the Alabama Republican, asked the head of the Federal Trade Commission last Thursday, during a hearing on identity theft and the data broker industry.

    The F.T.C.'s chairwoman, Deborah Platt Majoras, explained that the industry's scope was difficult to gauge. But individual data brokers 'can have billions of pieces of data regarding consumers,' she said.

    'A treasure trove of all the financial privacy information, in a sense, isn't it?' Mr. Shelby asked.

    'Yes, indeed,' said Ms. Platt Majoras, who delivered similar testimony before a House subcommittee on Tuesday of this week..."

    Conference: The PIPEDA Project 

    On Friday, the University of Toronto is hosting a conference entitled Implementing PIPEDA: A review of Internet privacy statements and on-line practices. It looks like a good program. I'm particularly looking forward to the session about the meaning of the Englander v Telus decision, which includes Mathew Englander himself and Telus' privacy officer.

    I am also informed that it will be available to the world at large via webcast. Go to Conference Webcast Information for info on how to hook up via Real Player and how to post questions for the panelists via the public forum.

    The root causes of identity theft 

    Dennis Bailey in the Open Society Paradox raises a very interesting question about the root causes of identity theft. In his view, it is not the fault of the organization that leaks personal information to identity thieves. Rather, he says, it is the credit grantors who provide credit facilities to the impostors.

    The Open Society Paradox: Tonight's Reflection on ChoicePoint:

    "ChoicePoint is being crucified for not having done due diligence to verify the identity of the individuals who stole data. Why aren't financial institutions being held to the same standard when it is their giving of accounts to identity thieves which is at the core of the problem. Don't they also have a responsibility to verify the identity of their customers? Fix that part of the equation with improved identification and biometrics and ChoicePoint's data becomes a non-issue. Can't anyone see the waterfall for the river that Congress is heading down? If I've said it once, I've said it a million times, you can't lock down data in the information age. You can only prevent its misuse."

    It does take two to tango ...

    Tuesday, March 15, 2005

    ChoicePoint CEO on the hot seat in Senate Committee Hearings 

    As reported last week, the US Senate Banking Committee is holding hearings to investigate the recent rash of incidents involving personal information (See: PIPEDA and Canadian Privacy Law: Senate Banking Committee to hold hearings on security of sensitive consumer information and PIPEDA and Canadian Privacy Law: Senate Banking Committee hearings on recent privacy incidents).

    The CEO of ChoicePoint was scheduled to appear last week, but the committee ran out of time. Well, he appeared today and, according to MSNBC, he was put on the hot seat by the members of the committee:

    MSNBC - ChoicePoint CEO grilled by Congress:

    "Members of Congress grilled ChoicePoint CEO Derek Smith on Tuesday, demanding the company do more to protect customers in the wake of the massive information leak at the database giant.

    'The incident has caused us to go through some serious soul searching,' Smith said, testifying at a hearing held by the House Subcommittee on Commerce, Trade, and Consumer Protection."

    I expect that the prepared statements and transcripts will soon be available from the Committee's website: U.S. Senate Committee on Banking, Housing, and Urban Affairs.

    Update: The New York Times has coverage of the hearing here: The New York Times > Business > Data Broker Executives Agree Security Laws May Be Needed

    New PIPEDA finding: Collection of health information by employer 

    The first summary finding of 2005 has been released by the Canadian Privacy Commissioner. In it, the Commissioner concludes that the complainant's employer did not violate PIPEDA by seeking medical information about the employee who occupies a "safety sensitive" position. The complainant also alleged that the employer collected information directly from his/her physician without consent, a complaint that was well-founded.

    Commissioner's Findings - PIPEDA Case Summary #287: Request for medical information deemed reasonable, but consent procedures not properly followed - January 5, 2005 - Privacy Commissioner of Canada:

    "...An employee of a transportation company made two allegations against his employer: (1) that his employer was requiring him to provide more medical information than necessary and would not allow him to return to his position until he supplied the information; and (2) that the company obtained medical information about him from his doctor without his consent...."

    I am informed by a colleague who made an inquiry of the Office of the Privacy Commissioner that finding summaries are going to be published less frequently than in the past. This is unfortunate. Despite their serious shortcomings, these findings provide the only insight into the Commissioner's thought process and also make good case studies to teach companies how to deal with PIPEDA.

    Monday, March 14, 2005

    AOL goes back to the drafting board on its AIM Privacy Policy 

    CNET News is reporting that AOL is planning to redraft its "inartfully drafted" privacy statement to clarify that they do not require users to waive their rights to privacy. Or, depending upon whom you believe, to back off from their original plan to have users waive their rights to privacy.

    AOL clarifies IM privacy guarantee | CNET

    "America Online said late Monday that it plans to revise its user agreement in response to concerns that instant messages sent through the company's service could be monitored.

    The new policy for AOL Instant Messenger, or AIM, will stress that the company does not eavesdrop on customer's conversations except in unusual circumstances such as a court order, an AOL spokesman said..."

    I bet there's a room full of lawyers busily redrafting the policy while I write this.

    As a more than casual observer of privacy incidents and damage control, it will be interesting to see what the blogosphere will have to say about this. Many, I am sure, will be waiting for the final re-draft before cutting AOL any slack. My next prediction: The mainstream media will pick up on the original story for tomorrow's papers. To AOL's distress, I predict that many will not cover the proposed re-draft, resulting in more adverse publicity and greater damage control efforts.

    Rob Hyndman wades into the AOL debate 

    Fellow Canadian blogger and technology lawyer, Rob Hyndman, is quoted in eWeek discussing the AOL Terms of Service that have caused such a stir recently. I have to say that I agree with his observations about how easy it is to draft something heavily in favour of your client which may not be entirely appropriate given the circumstances. Read his contributions here:

    AOL: AIM Conversations Are Safe:

    "....Rob Hyndman, a technology lawyer based in Ontario, pointed out that the terms of service covers the entire AIM product and does not explicitly exclude instant messaging.

    'I think the AOLs of the world don't take the impact their TOS [terms of service] have on users seriously enough, generally because they have market power and the customer doesn't,' Hyndman told, arguing that the AIM terms of service appears all-encompassing."

    eLegal Canton: RFID in schools 

    David Canton's most recent technology law column for the London Free Press focuses on RFID in schools and a controversial pilot project that took place in California: Program a privacy concern (subtitle: RFID - A New Type of Tag at School).

    Experiment: Tracking an anticipated privacy backlash 

    This is just an experiment. I predicted in an earlier post that the mainstream media will likely pick up on the AOL Instant Messenger Terms of Use controversy that is ripping through the geek scene and the blogosphere (See: PIPEDA and Canadian Privacy Law: AOL makes users waive privacy and purports to own users' instant messages). I may be wrong, but I'm going to do an experiment. I'll try to stay on top of the story to see if the ordinary media pick up on it, if there is a backlash and to see how AOL handles it.

    At the moment, the story is mostly confined to the Slashdot, FARK and blog scene. Google News search is showing at least nine stories on the sites it regularly spiders:

    AOL Instant messenger users `waive right to privacy
    PC Pro, UK - 25 minutes ago
    AOL has raised some eyebrows - to say the least - over licence changes to its AIM instant messaging service. Under the revised terms ...

    AOL's Terms of Service Update for AIM Raises Eyebrows
    eWeek - Mar 12, 2005
    America Online, Inc. has quietly updated the terms of service for its AIM instant messaging application, making several changes ...

    N0 privacy 4 u, LOL!!!!!
    Houston Chronicle - Mar 12, 2005
    By DWIGHT SILVERMAN. . . . .by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents ...

    America Online updated TOS raises Privacy Issues
    TechWhack, India - 9 hours ago
    America Online quietly updated their terms of usage of the AOL Instant Messenger which included many changes big enough to upset privacy advocates. ...

    AOL's TOS Change Sparks PR Crisis
    WebProNews, KY - 21 hours ago
    The blogosphere is buzzing this morning over a major privacy change to AOL Instant Messenger's ... The change is sparking outrage because of this quote... ...

    No More Privacy For AOL Instant Messenger Users
    Gear Live, WA - Mar 12, 2005
    At a time when privacy on the Internet is of the utmost importance to many people, AOL has added a new provision to their AIM Terms of Service contract. ...

    AIM's New Terms Of Service
    Slashdot - Mar 11, 2005
    acaben writes "AOL has posted new terms of service for AIM, that include the right for AOL to use anything and everything you send through AIM in any way they ...

    AOL kills AIM privacy
    Canada - 12 hours ago
    News:- You no longer have any right to privacy if you use America Online's AIM software downloaded on or after February 5 last year. ...

    AOL's TOS Update for AIM hackles privacy advocates
    GameSHOUT - Mar 12, 2005
    The revamped terms of service, which apply only to users who downloaded the free AIM software on or after Feb. 5, 2004, gives AOL ...

    AOL is already feeling the heat. The author of the Houston Chronicle Techblog, Dwight Silverman, had a bit of a back and forth with AOL over the topic: - AOL explains its privacy policy:

    "America Online spokesman Andrew Weinstein responded to a request for more information about AOL Instant Messenger's terms of service, which I wrote about Saturday after spotting it on Slashdot.

    The terms would appear to indicate that anything generated using AIM is fair game for AOL to use, which would mean private IM communications are not so private.

    But Weinstein said that's not the case.

    The clause in question specifically refers to something an AIM user might post in a public forum, Weinstein says. He writes:

    The related section of the Terms of Service is called "Content You Post" and, as such, logically and legally it relates only to content a user posts in a public area of the service.

    If a user posts content in a public area of the service, like a chat room, message board, or other public forum, that information may be used by AOL for other purposes. One example of this might be a user who posts a "Rate a Buddy" photo and thus allows AIM to post it for other AIM users to vote on it. Another might be AOL taking an excerpt from a message board posting on a current news issue and highlighting it in a different area of the service.


    Update: Looks like Weinstein spent his Sunday afternoon hittin' the phones & e-mail, trying to put out this fire. His comments have shown up in several other places, including Steve Rubel's MicroPersuasion blog. Note that a Rubel reader responds there, and remains dubious:

    Andrew I'm glad you posted here but what you are saying makes no sense. By using AIM it is implied I agree to the TOS. The TOS specifically state:
    1) I waive my rights to privacy.
    2) AOL can make money off of the content.

    Content is defined as: Content - Information, software, games, communications, photos, video, graphics, music, sound and other materials provided by or through the AOL Services.

    Communications includes email, does it not?"

    This issue is already causing some problems for AOL. I'll keep you posted on where it goes next ...

    Sunday, March 13, 2005

    Identity Theft / Privacy / ChoicePoint Cartoons 

    Cagle's professional cartoon index on Slate is highlighting a series of editorial cartoons on Identity Theft. Worth checking out ...

    Communities Adjust to Medical Privacy Laws 

    The Associated Press, via Yahoo! news, is running a story about how health privacy laws mark the end of an era in small town America:

    Yahoo! News - Communities Adjust to Medical Privacy Laws:

    "NELIGH, Neb. - Practices which helped neighbors stay connected in this community of 1,200 and others like it across the country are largely gone - partly because of the nation's new medical privacy laws under the Health Insurance and Portability and Accountability Act.

    It used to be easy for Hope Weaver to comfort friends when they were in the hospital. If she didn't hear that someone needed a visit by word-of-mouth, she'd simply pick up the newspaper, tune in her radio or look at the patient list posted in the hospital's front lobby. 'You like to send people a card or keep in touch with them,' the 79-year-old resident notes...."

    If the communities are so keen on broadcasting the names of those in hospital, why don't they just ask everyone, upon admission, if they want their information spread "the old fashioned way"?

    Debate about MATRIX and its creator 

    I've started following The Open Society Paradox, a blog by Dennis Bailey, which offers an alternative to much of the debate on privacy that one sees around the 'net. In one of his latest postings, Dennis discusses an article in Vanity Fair profiling Hank Asher and the very controversial MATRIX system. MATRIX stands for "Multi-State Anti-Terrorism Information Exchange", a system designed to mine vast databases to pick out potential terrorists.

    In The Open Society Paradox: A Balanced Article on Privacy, Bailey praises the article for its balance and engages in some blog-to-blog combat with Adam Shostack of Emergent Chaos. I'm not going to wade into the debate but suggest you check out the Vanity Fair article, Dennis' post and Adam's post.


    Saturday, March 12, 2005

    AOL makes users waive privacy and purports to own users' instant messages  

    It pays to read the fine print. AOL's Instant Messenger software (AIM) is one of the more popular IM platforms. Privacy Digest just pointed to AIM's new Terms of Service, which purport to give AOL a blanket right to do whatever they want with users' private messages and require the user to waive all rights to privacy with respect to those messages.

    AIM Terms of Service:

    "...Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy. You waive any right to inspect or approve uses of the Content or to be compensated for any such uses...."

    This is exactly the sort of thing that will backfire on a company. It was posted to Slashdot early yesterday (Slashdot | AIM's New Terms Of Service) and it is getting pretty wide coverage. The above terms will make people think that AOL is a proxy for "big brother" or that it is heavy handed or both. I don't think it'll be long before it gets to the conventional media (it's already referred to in the Houston Chronicle Techblog: - N0 privacy 4 u, LOL!!!!!), which will threaten AOL's proposed move into VOIP services. "If they eavesdrop on my instant messages, can I trust them with my phone calls?"

    It'll be interesting to see how this plays out.

    What's in a name? When it's "Spamalot" perhaps you should expect alottaspam 

    Today's New York Times has an interesting and slightly amusing article about a computer glitch on the Spamalot (the Broadway musical) website that may have exposed more than 31,000 to alottaspam.

    The New York Times > Theater > News & Features > What to Expect of 'Spamalot'? A Lot of Spam:

    "'Spamalot' fans who signed up for a newsletter on the Broadway musical's official Web site may end up getting, well, spammed a lot. 'Movin' Out' devotees may have the same problem. A security glitch - now fixed - exposed the names and postal and e-mail addresses of more than 31,000 people to savvy computer users.

    Up until Thursday evening, when a reporter from The New York Times pointed out the problem to the Web sites' developer, visiting a specific address on the shows' sites produced a long page with mailing-list data. The security hole was not obvious to casual Web surfers because the address was buried in the site's code. But it could have been discovered by someone deliberately seeking the list data, or by a kind of program used by spammers to scour the Web for new e-mail addresses to bombard.

    Both, where 19,000 people had signed up for a newsletter, and, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y...."

    I'm not sure if this qualifies as an incident as the article only refers to the glitch's potential to expose addresses. I suppose the site maintainer would be able to look at their logs to find out if the page with all the names was ever viewed.

    So many privacy incidents are caused by simple human error, which I expect is the cause of this one. I'm on the board of an industry association that recently allowed the local economic development agency to send an e-mail to its members announcing a very specific event. Unfortunately, someone thought that using a "distribution list" in Outlook would shield all the addresses. Not quite. Every single address was in the "To:" field. So far nobody has complained, but I expect we'll hear more of it. One minor misunderstanding of the technology and it had the potential to upset quite a few people.

    Thanks to Rob Hyndman for reminding me about the article. I saw it very early this morning but forgot to bookmark it for later blogging.

    MSN implements shortened, layered privacy notices on its sites 

    According to CNet News, Microsoft has just moved to a shortened privacy statement on all the MSN sites. These provide a high-level overview of the information collected from a specific site and allow you to click for more detail. The window below contains the general MSN Summary Privacy Statement:

    MSN sites get easy-to-read privacy label | CNET

    "... A standard notice contains six sections covering the scope, information collected, use of the information, consumer choices and company contact information. It also includes a section for important notices to the consumer.

    While their appearance is much simpler, the notices are difficult to write in plain language, McDade said.

    'It was a very hard challenge to summarize (our practices) into a short snapshot and to write it in such a way that people thought it was a fair representation,' she said.

    Microsoft has not yet implemented the shorter form on its main Web site. "

    I usually recommend that my clients use privacy notices that are as reader-friendly as possible. One of the key elements is to make sure the reader does not have to wade through a bunch of stuff to get their questions answered. Once you figure out what most customers who read the notices want to know, put it in a summary at the beginning or somehow highlight those sections in the text. Customers read privacy notices because they are suspicious or have a question. You want to answer the question and alleviate their suspicions. Notices like those implemented by MSN look like they'll do a good job at communicating their policies and practices.


    Incident: Personal information taken in Nevada DMV office break-in 

    Thieves made off with a computer from a Nevada DMV office that contained sensitive personal information of 8,900 individuals who had applied for drivers' licenses between November 25 and March 4. The DMV originally said that the drives were encrypted (which would render the information inaccessible to the thieves), but this was not the case. From the Las Vegas Sun:

    Las Vegas SUN: Personal information taken in Nevada DMV office break-in:

    "NORTH LAS VEGAS, Nev. (AP) - Personal information from more than 8,900 people was stolen when thieves broke into a Nevada Department of Motor Vehicles office, officials said Friday.

    A computer taken during the break-in contained names, ages, dates of birth, Social Security numbers, photographs and signatures of southern Nevada residents who obtained driver's licenses between Nov. 25 and March 4 at the North Las Vegas office, state DMV chief Ginny Lewis said...."

    Thanks to PrivacySpot for the pointer: Nevada DMV Thieves Get Personal Information | - Privacy Law and Data Protection.


    Friday, March 11, 2005

    What to do if patient information is stolen 

    Doctors Nova Scotia (formerly the Medical Society of Nova Scotia) this week asked me to write a brief article for their website and magazine about what physicians should do if the security of patient information is compromised. The question arises most often in the form of "what if my computer [or PDA] is stolen?"

    I was happy to help since DoctorsNS has been extremely proactive in helping its members to address PIPEDA. In fact, it was for DoctorsNS that I originally wrote the Physician's Privacy Manual (e-mail me - david.fraser at - if you are interested in purchasing a copy).

    Q. With the new privacy law now in force, what measures do physicians have to take to prevent the theft of computers and the like containing confidential patient information and what should physicians do if something like this were to happen?

    A. Since January 1, 2004, the collection, use and disclosure of personal information by private practice physicians in Nova Scotia has been regulated by the Personal Information Protection and Electronic Documents Act, commonly known by its acronym “PIPEDA”. The law covers all aspects of physicians’ responsibilities with respect to patient information and specifically includes an obligation to safeguard personal information against a wide range of risks. Among those risks are loss, theft and inappropriate access. The law does not dictate what specific technological or security measures physicians must employ but it does say that the safeguards must be proportional to the sensitivity of the information in question. Because medical records are among the most sensitive, a physician’s responsibilities in this area are proportionately high.

    While PIPEDA is a new law, it does not replace the obligations that physicians have always had to exercise due care to protect their patients from harm caused by the physician’s actions or omissions. The inappropriate disclosure of personal information can undoubtedly cause harm, particularly in this age of identity theft. In addition, individuals entrust their physicians with very sensitive information that may have significant consequences if it is disclosed to others. For example, a patient’s record may contain information about a particular condition that, if disclosed to the individual’s employer, could result in the individual being fired. The inappropriate disclosure of information about a battered spouse may have severe safety repercussions for that patient.

    These rules apply to all patient information, regardless of whether it is written on paper or stored in a computer. Use of electronic systems poses additional risks, simply because large amounts of information may be stored in an easily stolen form. Also, external hackers might access an under-protected system, leaving very little sign that the information has been compromised. Physicians should take all reasonable measures to protect this information against the sorts of threats that may exist, depending upon the circumstances. Locks on doors, virus scanners and computer firewalls immediately come to mind. The encryption of electronic data may also be the last line of defence, meaning that data stored on a stolen hard drive still cannot be accessed by a thief who does not have the password.

    So what should a physician do if he or she believes that patient information may have been compromised? PIPEDA does not specifically say, unlike Ontario’s new Personal Health Information Protection Act which requires all health information custodians to inform an individual at the first reasonable opportunity if that individual’s personal information is stolen, lost, or accessed by unauthorized persons. While physicians likely should contact all affected patients to inform them of a breach or possible breach, whether they are under a legal obligation to do so is unclear. Because the unauthorized access to personal information may put individual patients at risk, the only way that this risk may be mitigated is to inform the patients so that steps can be taken to minimize the harm. The following checklist may be helpful to assist a physician who believes that patient information may have been lost, stolen or inappropriately accessed:

    • If the incident relates to a theft or malicious intrusion attempt, the police should be notified as soon as possible.
    • The College of Physicians and Surgeons should be notified.
    • Your liability insurer and/or the Canadian Medical Protective Association should be notified.
    • Immediate steps should be taken to prevent the recurrence of the loss; for example, computer servers should be immediately disconnected from potential avenues for intrusion, such as external networks and modems; locks should be changed on the doors if the incident relates to a physical break-in.
    • Carefully consider whether patients should be contacted to allow them to mitigate the effects of the incident.

    Physicians should not attempt to cover up or gloss over any of these incidents, as such actions tend to compound the problem and undermine patient confidence in physicians generally.

    If you have any concerns about the way that personal information is safeguarded in your practice, Doctors Nova Scotia is able to help by referring you to information and specialists that can help minimize the risk to the security of your patient information.

    I note that this article is not legal advice and only pertains to provinces where private practice physicians are governed solely by the Personal Information Protection and Electronic Documents Act (NS, NL, PE, NB and not BC, AB, SK, MB, QC, ON).

    Incident: "Disgruntled" employee said to have posted confidential personal health information of insureds online 

    The San Jose Mercury News is reporting on an interesting development. HMO Kaiser Permanente is informing 140 of their insureds that a former employee posted confidential medical information on her blog. She says that it is Kaiser Permanente's fault, but that's beside the point to the 140 people involved. See the Mercury News (registration req'd): | 03/11/2005 | Patients' private data put online:

    "In a troubling episode involving medical privacy in the digital age, Kaiser Permanente is notifying 140 patients that a disgruntled former employee posted confidential information about them on her Weblog.

    The woman, who calls herself the ``Diva of Disgruntled,'' claims it was Kaiser Permanente that included private patient information on systems diagrams posted on the Web, and that she pointed it out.

    The health care giant learned of the breach from the federal Office of Civil Rights in January, said Kaiser spokesman Matthew Schiffgens. Kaiser has been investigating ever since, Schiffgens said, but it wasn't until Wednesday that it asked the Internet service provider hosting the blog to remove the information...."

    Jeff Drummond at HIPAA Blog has some interesting things to say about the incident:

    HIPAA Blog:

    "...The article indicates that the blogger could be subject to HIPAA penalties for the disclosure. One of my fellow HIPAAcrats on the AHLA HIT list noted that the article is wrong in this regard, since Kaiser will be the one subject to the penalties. Rightly or wrongly, in light of the Gibson case, I disagree. The blogger would certainly be subject to a HIPAA enforcement action if the Department of Justice were so inclined to take that route. Kaiser would also be subject to an enforcement action for the original posting on the technical Web site, but their defense would be one of inadvertence. It would be hard for the blogger to make that claim for her intentional posting."

    Update: The former employee at issue has her blog still up and running. Not only that, but she's posted a comment on the publicity surrounding this incident:

    corphq: Kaiser Trying to Rile Up Patients?:

    "Kaiser Trying to Rile Up Patients?

    Just read the Mercury News story:

    It looks like Kaiser is now informing patients of the 'unlawful disclosure'. The only reason why I can think they would do this now is that Kaiser hopes to whip up people against me. If Kaiser really thought people should know about the patient information, they would have informed people months ago when they quietly took the Systems Diagrams *they* posted offline.

    Kaiser had the patient information posted online since *2002* at Here is my blog post from July 2004 where I first pointed it out:

    Kaiser did not respond to my complaints or inform the patients at that time, and they did not take the Systems Diagrams down until September. Still not a word to the patients.

    I also find it interesting that I couldn't get the press to cover it when I contacted everybody and their grandmothers to show what Kaiser had done. Now that Kaiser wants to hound me, however, the press is interested...."

    Thanks to Health Care Blog Law for the above link: Health Care Blog Law : Private Patient Data Posted Online Blog by Disgruntled Former Kaiser Employee


    EPIC: Industry Self-Regulation of Privacy Protection Has Failed 

    The Electronic Privacy Information Center has released a report that claims that self-regulation has failed in the information industry. I was going to post a summary here, but PrivacySpot beat me to it:

    EPIC: Industry Self-Regulation of Privacy Protection Has Failed | - Privacy Law and Data Protection:

    "EPIC has published a scathing report, Privacy Self Regulation: A Decade of Disappointment, on the failure of businesses to effectively self-regulate their privacy protection practices. The report challenges the Federal Trade Commission's conclusion that self-regulation is 'the least intrusive and most efficient means to ensure fair information practices online, given the rapidly evolving nature of the Internet and computer technology.'

    The report begins by noting that 'notice is not enough.' Although many websites now post their privacy policies online, EPIC contends that this should provide cold comfort to anyone surveying the current state of electronic privacy. The real problems range will be much more difficult to solve...."

    The EPIC report is available here: Privacy Self-regulation: A Decade of Disappointment.


    ChoicePoint, BofA and Lexis fallout hits Canada 

    This is likely only the beginning of the effects in Canada of the recent privacy-related problems in the United States. A private member's bill (the kind that usually dies a silent death) has been introduced in the Ontario legislature to require credit-reporting agencies to advise individuals immediately of any theft of their data. From the Toronto Star: Changes proposed for credit agencies:

    "In the wake of massive privacy breaches involving two U.S. information brokers, a Liberal MPP from Toronto wants Queen's Park to crack down on identity theft by holding credit bureaus more accountable.

    Tony Ruprecht (L-Davenport) has introduced a private member's bill that would require credit-reporting agencies such as Equifax Canada Inc. and TransUnion of Canada Inc. to 'immediately' inform consumers who are linked to a theft of credit data.

    Bill 174, which will be debated in the Legislature on April 7, includes a number of amendments to the Credit Reporting Act that would help consumers better protect their credit rating and minimize their risk of becoming a victim of identity theft.

    'This issue is hotter now than ever,' said Ruprecht, pointing to recent privacy mishaps south of the border.

    On Wednesday, Seisint Inc., a unit of Ohio-based information giant LexisNexis, revealed that hackers had broken into its database and gained access to personal information of more than 32,000 U.S. consumers...."


    Thursday, March 10, 2005

    Senate Banking Committee hearings on recent privacy incidents 

    The most interesting part (I expect) of the Senate Banking Committee hearings on recent privacy incidents (see PIPEDA and Canadian Privacy Law: Senate Banking Committee to hold hearings on security of sensitive consumer information) had to be held over until next week because they ran out of time. The following folks should be back in the hearing room sometime next week:

    • Mr. Don McGuffey , Vice President, ChoicePoint Services, Inc.
    • Mr. Evan Hendricks , Editor, Privacy Times
    • Ms. Barbara J. Desoer , Executive Vice President, Global Technology, Service and Fulfillment Executive, Bank of America Corporate Center

    The Committee heard today from a few Senators, government and law-enforcement folks, whose prepared statements are available on the Committee's website:

    Panel 1

    Panel 2

    Panel 3

    • Mr. Larry Johnson, Special Agent in Charge - Criminal Investigative Division, United States Secret Service
    • Ms. Amy S. Friend, Assistant Chief Counsel, Office of the Comptroller of the Currency

    Check out the Committee's web page on this hearing for updates.

    Update: See Wired News' coverage of the hearing and testimony of the FTC Chair, suggesting that stronger regulation is required: Wired News: Data Brokers Face Regulation.


    Schneier on Security: ChoicePoint Says "Please Regulate Me" 

    Schneier on Security has posted an extract from ChoicePoint's most recent 8K filing with the SEC and suggests that the company is just crying out to be regulated. The post itself is worth reading, and there is also a wide range of comments posted that are worth a look: Schneier on Security: ChoicePoint Says "Please Regulate Me".


    Wednesday, March 09, 2005

    Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law 

    Senate Banking Committee to hold hearings on security of sensitive consumer information 

    Tomorrow, 10 March 2005, the Banking Committee of the United States Senate is holding hearings on "recent developments" related to the security of consumer information. By recent developments, they are referring to the ChoicePoint, Bank of America and LexisNexis incidents. Here is the notice of hearing, with the list of who is testifying (including the VP of ChoicePoint):

    U.S. Senate Committee on Banking, Housing, and Urban Affairs:

    "US Senator Richard Shelby

    US Senator Paul Sarbanes
    Ranking Member

    Committee: US Senate Committee on Banking, Housing, and Urban Affairs
    Title: Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information
    Date: 3/10/05
    Time: 2:30 PM
    Place: 538 Dirksen Senate Office Building
    Agenda: The Committee will meet in OPEN SESSION to conduct a hearing on "Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information."

    Publication: Printable Hearing not available at this time


    Panel 1

    • Honorable Patrick J. Leahy (D-VT) , United States Senator

    Panel 2

    • Honorable Deborah Platt Majoras , Chairman, Federal Trade Commission

    Panel 3

    • Mr. Larry Johnson , Special Agent in Charge - Criminal Investigative Division, United States Secret Service
    • Ms. Amy S. Friend , Assistant Chief Counsel, Office of the Comptroller of the Currency
    • Mr. Don McGuffey , Vice President, ChoicePoint Services, Inc.
    • Mr. Evan Hendricks , Editor, Privacy Times
    • Ms. Barbara J. Desoer , Executive Vice President, Global Technology, Service and Fulfillment Executive, Bank of America Corporate Center


    Consumers Union: "LEXISNEXIS Security Breach Underscores Need To Rein In Loosely Regulated Information Broker Industry..." 

    Consumers Union is calling for legislative action to regulate the information industry in the wake of the LexisNexis breach (and the ChoicePoint breach and the Bank of America lapse):

    U.S. Newswire : Releases : "LEXISNEXIS Security Breach Underscores Need To Rein In Loosely Regulated Information Broker Industry...":

    "WASHINGTON, March 9 /U.S. Newswire/ -- Today's announcement by LEXIS-NEXIS that a database recently purchased by the company with sensitive personal data has been compromised, underscores the need to enact new rules to impose strict security practices on the information broker industry. Consumers Union, the nonprofit publisher of Consumer Reports®, is calling on Congress to pass the Information Practices & Security Act so that consumer data maintained by information brokers doesn't fall into the hands of identity thieves...."


    Incident: Shoe chain says customer data stolen 

    A shoe store chain in the US is reporting that their systems were compromised, resulting in the theft of customer credit card information, according to MSNBC:

    MSNBC - Shoe chain says customer data stolen:

    "COLUMBUS, Ohio - Credit card information from customers of more than 100 DSW Shoe Warehouse stores was stolen from a company computer's database over the last three months, a lawyer for the national chain said Tuesday.

    The company discovered the theft of credit card and personal shopping information on Friday and reported it to federal authorities, said Julie Davis, general counsel for the chain's parent, Retail Ventures Inc. The Secret Service is investigating, she said...."


    It never rains, it pours: ChoicePoint files found riddled with errors 

    Nobody seems to be cutting ChoicePoint any slack these days. MSNBC is reporting on supposed problems with data quality in the information amassed by ChoicePoint:

    MSNBC - ChoicePoint files found riddled with errors:

    "Deborah Pierce held a rare and precious document in her hands. It was the story of her life, as told by ChoicePoint Inc. She wasn't supposed to see it; an anonymous source had smuggled the report to her. But there it was, her 'National Comprehensive Report,' 20 pages long, a complete dossier of all the digital breadcrumbs she's left behind during her adult life.

    At least, that's what it was supposed to be.

    Pierce said she felt an uneasy twinge in her stomach as she began to flip the pages. A dozen former addresses were listed, along with neighbors and their phone numbers. Almost 20 people were listed as relatives -- and their neighbors were listed, too. There were cars she supposedly owned, businesses she supposedly worked for.

    But the more closely she looked, the more alarmed she became: The report was littered with mistakes...."


    Resource: CDT releases handy tables of US privacy laws 

    The Center for Democracy and Technology has released two handy tables that illustrate the privacy law patchwork that exists in the United States. The first covers Commercial Access and Use while the second deals with Government Access and Use.

    Privacy Rules For Access To Personal Data:

    "....CDT has been researching the federal privacy laws and how they might affect data access and analysis by government agencies for counter-terrorism purposes. We have compiled this resource to present these laws in a way that will be readily accessible to non-lawyers but also have depth, reflecting the complexities and nuances of the existing 'patchwork' approach to privacy...."


    Incident: Personal information of 32,000 stolen from LexisNexis 

    Hot on the heels of the huge fraudulent theft of personal information from ChoicePoint, LexisNexis is reporting that a stolen ID and password has resulted in the theft of personal information of 32,000 people. From Reuters, via Yahoo! News:

    Yahoo! News - Consumer Data Stolen from Reed Elsevier U.S. Unit:

    "By Jeffrey Goldfarb

    LONDON (Reuters) - Hackers illegally gained access to sensitive personal information of about 32,000 people stored on databases owned by Reed Elsevier, the second company to reveal a major breach in the past month.

    The U.S. Federal Bureau of Investigation and the Secret Service arm of the U.S. Treasury Department are investigating, a company spokeswoman said on Wednesday.

    Anglo-Dutch publisher Reed Elsevier said the breach at its Seisint unit was found after a customer's billing complaint some time in the last week led to the discovery that an ID and password had been misappropriated.

    The information accessed included names, addresses, social security and drivers' license numbers, but not credit history, medical records or financial information.

    Reed Elsevier said it is in the process of contacting the 32,000 people affected and offering them ongoing credit monitoring and other support to detect any identity theft.

    'Law enforcement officials have asked us to keep all this information close because they're hoping to catch up with some of these people,' the spokeswoman said...."


    Tuesday, March 08, 2005

    Hospitals may put patients at risk for identity theft 

    WISTV of South Carolina is reporting that hospitals that use social security numbers as patient ID numbers are putting patients at risk of identity theft: Columbia, SC: Consumer Alert: Hospitals may put patients at risk for identity theft:

    "...While identity theft is nothing new, thieves are finding new ways of getting your private information. And with social security numbers displayed on ID bracelets and medical charts, hospitals have become a breeding ground for id theft...."


    The top 10 states for privacy protection 

    MSN Money is running an article listing the top ten states with legislation to protect consumer privacy:

    MSN Money - The top 10 states for privacy protection:

    "Many states are way ahead of Uncle Sam, putting the power to say yes or no back in your hands and forcing businesses to guard your personal information."


    ChoicePoint appoints first privacy officer 

    ChoicePoint has appointed a big name former TSA official to be its new privacy officer, according to Forbes: Smith: ChoicePoint Names TSA Big As Chief Privacy Officer:

    "Faces In The News

    Smith: ChoicePoint Names TSA Big As Chief Privacy Officer

    Greg Levine, 03.08.05, 5:13 PM ET

    NEW YORK - Doers and doings in business, entertainment and technology:

    It's a start. Data dealer ChoicePoint (nyse: CPS) on Tuesday announced it hired a U.S. Transportation Security Administration big to batten its info hatches. Helmed by Chief Executive Derek Smith, the firm has recently suffered an incursion by identity thieves. (Related note: On Feb. 25, Bank of America (nyse: BAC) too suffered a security compromise.)

    ChoicePoint said its new employee, TSA Deputy Administrator Carol A. DiBattiste, has been named chief credentialing, compliance and privacy officer. She will lead an independent office to oversee improvements to ChoicePoint's screening process, and its enacting of procedures to streamline how incidents are reported. The TSA oversees airport screening in the U.S.

    Any such moves to regain the public's trust are vital at this juncture: After the CEO stated that the recent incident was the only such major security compromise of which he was aware, Assistant U.S. Attorney Mark Krause in Los Angeles claimed he'd dug up evidence of to the contrary, viz.: A sizable identity theft in 2002. Then, on March 4, the firm said the U.S. Securities and Exchange Commission is investigating stock sales by Smith and by Chief Operating Officer Douglas Curling.

    So it couldn't hurt ChoicePoint's image--not to mention its operations--to bring in "untouchables" like DiBattiste. More..."

    It is somewhat surprising that a company that deals in personal information never had an officer responsible for privacy. Perhaps that's why the original breaches never came to the attention of the executives.


    HIPAA faces court challenge 

    According to KYW News Radio, the Health Insurance Portability and Accountability Act is being challenged by a Delaware psychiatrist:

    KYW Newsradio 1060 - News:

    "Judges on the Third Curcuit [sic] Court of Appeals in Philadelphia today hear a challenge to HIPPA [sic], which among other things is supposed to safeguard patient privacy. But the petitioners say it does just the opposite.

    Most of us have filled out forms saying we have been apprised of health care provider privacy policies, but Delaware psychiatrist Janis Chester says there's really no privacy at all. Your information goes from doctor to insuror [sic] to who knows where in the blink of an eye. She hopes the appeals judges are more sympathetic than the district judge who dismissed the case, but she recognizes success would be a big deal:

    'Can you imagine if all of a sudden they go, you know what, we have to go backk [sic] from the way the Bush Administration ammended [sic] it to the way the Clinton Administration wrote it and every hospital and pharmacy has to redo all their paperwork and their policies.' ..."


    ChoicePoint fraudster sentenced on Monday 

    Adadayo Benson, convicted of committing the fraud on ChoicePoint, was sentenced on Monday to 66 months in prison:

    Los Angeles Business Journal Online:

    "A federal judge sentenced an Encino man on Monday to 66 months in prison for stealing the identities of thousands of customers in the earlier of two cases involving ChoicePoint Inc., a public records database firm...."


    Monday, March 07, 2005

    Geist: What do you want the internet to be? 

    Michael Geist's regular column comments upon various trends that he finds worrying, including the Lawful Access Initiative, which will require telcos to make the Canadian Internet wiretap-friendly.

    What do you want the Internet to be?

    ".... Notwithstanding the Internet’s remarkable potential, there are dark clouds on the horizon. There are some who see a very differing Internet. Theirs is an Internet with ubiquitous surveillance featuring real-time capabilities to monitor online activities. It is an Internet that views third party applications such as Vonage’s Voice-over-IP service as parasitic. It is an Internet in which virtually all content should come at a price, even when that content has been made freely available. It is an Internet that would seek to cut off subscriber access based on mere allegations of wrongdoing, without due process or oversight from a judge or jury. This disturbing vision of the Internet is not fantasy. It is based on real policy proposals being considered by the Canadian government today.

    Leading the way is the federal government’s “lawful access” initiative. While the term lawful access sounds innocuous, the program, which dates back to 2002, represents law enforcement’s desire to re-make Canada’s networks to allow for lawful interception of private communications. If lawful access becomes reality, Canada’s telecommunications service providers (TSPs) will be required to refit their networks to allow for real-time interception of communications, to have the capability of simultaneously intercepting multiple transmissions, and to provide detailed subscriber information to law enforcement authorities without a court order within 72 hours.

    Moreover, Canada’s TSPs will be subject to inspections and required to provide the government with reports on the technical capabilities of their networks. All of these activities will be shrouded in secrecy with TSPs facing fines of up to $500,000 or sentences of up to five years in jail for failing to keep the data collection confidential. All of these changes come at an enormous cost – both financially (hundreds of millions of dollars in new technology) and to our personal privacy. While some changes may be needed for security purposes, the government has yet to make the case for why the current set of powers, which include cybercrime and wiretapping provisions, are insufficient. Moreover, there has been no evidence provided that this approach is the least privacy invasive alternative...."


    US Federal ID requirements relaxed 

    The National Institute of Standards and Technology has relaxed some of its previous requirements in implementing the new federal ID standards for US government employees and contractors. The amount of information to be collected and stored on the RFID card has been scaled back. RFID tracking has been addressed by requiring that cards be stored in an "electronically opaque sleeve" when not in use.

    Common ID standards relax some requirements:

    "Bush administration officials in charge of beefing up security for government-issued identification cards relaxed some technical requirements and enhanced some privacy measures to address critics of the draft standards...."

    The new standards are at


    Sunday, March 06, 2005

    Bailey: Confirm identity, don't legislate privacy 

    Dennis Bailey, author of the Open Society Paradox, has an op-ed piece in today's Washington Times (Rethinking personal data woes - The Washington Times: Commentary - March 06, 2005). In this essay and a complementary blog posting (quoted and cited below), he argues forcefully that the answer to recent privacy scandals is not privacy laws but a system that would provide clear identification of individuals:

    The Open Society Paradox: Time for A Paradigm Shift in Personal Data:

    "... For a second, let's imagine what would happen in a world with 100% perfect identification. First ChoicePoint wouldn't be scammed through social engineering techniques into giving over personal data because they would instantly realize the false identities of the individuals posing as real businesses. Secondly, if these individuals obtained personal data through another route, such as hacking ChoicePoint's databases, they wouldn't be able to use it fraudulently to obtain credit or to commit crimes in another person's name because institutions on the receiving end, be it a bank or a police officer would know their true identity..."

    Privacy activists are not keen on this idea, fearing that it would lead to the end of the right to be anonymous in many of our daily interactions. Both sides have good points to make and I hope to see an informed debate develop on this idea.


    Personal information is a powder keg -- or an underground storage tank 

    When giving presentations to companies on managing privacy risks, I often describe customer databases as akin to underground storage tanks. If something goes wrong with them, the results can be absolutely disastrous. If you really need the data and its value outweighs the risks, you can keep it in the ground but make sure it is taken care of. If you don't need the information, get rid of it. Customer data is either an asset or a liability. If it ain't an asset, at best it is a potential liability. If something goes wrong, it is a huge liability. A couple of drips from your underground tank will taint your property. One leak of customer data can taint your company.

    Until PIPEDA came along, there was no law in Canada that restricted what information a company could collect and how long it could be maintained. (PIPEDA says you can only retain information as long as is reasonably necessary for the purposes for which it was collected, which also assumes that it was collected with the knowledge and consent of the individual.) Many businesses routinely keep customer data they don't use, thinking that it may be useful some day. Some businesses keep it because it is cheaper to buy bigger hard drives than to think about how long to keep it. My local video store, I am sure, could tell you what I rented years ago. Why did they keep it? No idea. I never got a call saying "we noticed that you rented Terminator I in 1989 and Terminator II in 1994, and thought you'd like to know that we now have Terminator III." They had no reason to keep the info, but probably did in any event. Keeping that info lying around can put customers at risk and can ruin your customers' chances of becoming a member of the Supreme Court (see EPIC Video Privacy Protection Act Page).

    A headline writer at the Washington Post, via Yahoo! News, refers to ChoicePoint's databases as having become a "powder keg" (Yahoo! News - ChoicePoint Data Cache Became a Powder Keg). I'd say that it didn't become a powder keg, it always was one. Blasting powder is obviously useful, but it needs to be protected and maintained. Handle with extreme care. And you shouldn't be keeping it in the shed unless you need it. ChoicePoint obviously thought they needed it (after all, their business was built on that database), but hindsight says it wasn't adequately protected and it ultimately blew up.


    Conference blogger from Concealed I: Anonymity, Identity and the Prospect of Identity 

    Last week, the University of Ottawa hosted a conference entitled "Concealed I: Anonymity, Identity and the Prospect of Identity". I had hoped to get out there for it, but wasn't able to manage the trip. For those who also missed it, Alex Cameron blogged the proceedings, which are available from blog*on*nymity - bloggin On the Identity Trail.


    ID required to log in at Indian cybercafes 

    According to an article circulated by the Associated Press, a new "rule" (its legal basis is unclear from the article) has been put in place requiring that the identity of individuals be confirmed before they are allowed to log on at Internet cafes in India.

    CANOE -- CNEWS - Tech News: Internet Cybercafe privacy in India questioned:

    "... Police in Bangalore sent hundreds of letters in the past month asking cybercafes to keep records of visitors in case police want to investigate virus attacks, online fraud and terrorism. Under the rule, a visitor must produce a photo identity card before beginning to browse. Login and log-out times will also be noted..."

    I have dealt with this issue in advising libraries here in Canada. Because the public internet terminals are in high demand, most libraries use a sign up sheet so that people can book time on the computers. I don't know of any that ask for government-issued ID in this process, though some do use patrons' library cards for this purpose. Often, police ask to look at the sign up sheets, presumably to investigate offences like those listed above. Public libraries in many Canadian provinces fall outside the purview of privacy laws, but librarians as a group are generally sensitive to privacy issues and are hesitant to be proxies for law enforcement.

    Like any sort of log, if you retain it, it can be compelled under a subpoena or using a warrant. As a result, some libraries have opted to not keep their logs, some shred them at the end of the day and others have limited what information they ask for on these sheets.


    Basic steps to protect your customers from identity theft 

    The Tennessean has a somewhat misleadingly titled article in today's edition, Technology can make identity theft more difficult. It is about what some companies are doing to protect personal information to make customers less vulnerable to identity theft. In reality, it outlines some very basic protection measures that have been implemented by these companies, like shielding social insurance numbers from accidental disclosure, vetting employees, using technological safeguards to protect premises and securely disposing of personal information.


    Studies at UVic funded under the OPC's contribution program 

    The Ring, the University of Victoria community paper, has an article describing two of the projects being funded there by the Office of the Privacy Commissioner under its contribution program. The first relates to privacy and mobile services and the second is about medical records privacy. See Grants Fund Studies of Privacy Issues.


    Saturday, March 05, 2005

    What your cellular phone can tell the police and how it can be tricked 

    A short while ago, I blogged about how a cell phone reveals its location, even if no calls are made (see PIPEDA and Canadian Privacy Law: Interesting: How Do Cell Phones Reveal Your Location?). Today, blog*on*nymity - bloggin On the Identity Trail pointed me to a brief posting about the use of cell phone records by law enforcement and how cell phones are being used to create fake alibis. Interesting stuff.

    TheFeature :: Phoning For Forensics: What Your Mobile Phone Company Tells The Police:

    "It's not new, but these days, one of the first places the police call for evidence in criminal cases is the mobile phone company to find out where the suspect was at the time of the crime.

    If you're planning on committing a crime, you might want to leave your phone at home -- or, maybe, give it to someone else for the day. While it's been used before, police increasingly know that one of the first places to go in checking up on criminal suspects is to their mobile phone records. While many are worried about giving up information in exchange for location-based services, the police are making use of phone records in quite detailed ways, whether or not subscribers have agreed to provide information. The operators are somewhat secretive about it, but appear to have teams who handle forensics requests from law enforcement agencies...."


    Your security (and your company's reputation) rests in the hands of your employees 

    I've blogged on this topic before (Better develop a "culture of privacy", Edmonton cops investigated for misusing law enforcement databases and Sorry, but implementing privacy laws may upset some customers.), but it bears repeating again and again and again.

    You can have the right privacy policies. You can harden your network and your systems to ward off hackers. All this effort will be lost if your employees are not sensitized to think about privacy and security all the time. Train them to think about how they hold business and customer information in trust ... and to trust their instincts if anything feels weird.

    CNet is reporting on a presentation given by Kevin Mitnick, who knows first hand how easily employees can be exploited.

    Mitnick: Security depends on workers' habits CNET

    "Famed ex-hacker Kevin Mitnick is warning against security strategies that focus on technology. Rather, teaching your staff to say no will help keep your network secure, he says.


    Many companies invest heavily in technologies to protect their networks, but Mitnick was quick to point out that even the tightest technological barriers never stopped him. Rather, some carefully planned social engineering--or even a bit of dumpster diving in one's spare time--can often be far more effective at penetrating the weakest security link at most companies: their people.

    "What you can find in the trash is simply amazing," Mitnick said. "People throw out notes, drafts of letters, printouts of source code, printouts of project documentation they're working on. In some cases, they even write down passwords and access information, or calendars that list every person that person has talked to or met with."

    This information provides invaluable assistance to hackers keen to worming their way into a company by, say, impersonating an employee and calling the internal help desk, or dropping in and pretending to be a business associate. Because people hate to say no, even when they're suspicious of a well-presented stranger, Mitnick says, smooth talking has gotten many a hacker far closer to a target company's network than brute-force technological attacks.


    The solution to such security vulnerabilities is easy to understand but often hard to implement: Develop clear security policies for issues such as treatment of strangers, handling of information and access to physical facilities by visitors. Teach employees to fall back on those policies when they're in suspicious circumstances rather than trying to ad-lib their response or give in to their natural inclination to accommodate the hacker's requests.

    Even a simple request for contact details, so that a company employee might call back the person requesting assistance, can be enough to make many hackers turn tail and run.

    "We can't expect our employees to be human lie detectors," Mitnick said. "One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.

    "Social psychology has found that people should generally pay attention to their own discomfort. If something doesn't feel right, or it's nagging at their gut, they'd better check it out. They're not always going to remember a security policy, but what you want is to come up with some very simple protocols that will trigger employees to refer to security policy. The only people who are going to object to this are the bad guys."

    David Braue reports for ZDNet Australia."

    Shredding your documents protects your privacy ... shredding your washing machine is just cool 

    Shredding is a good and economical way of securely disposing of personal information. Everyone knows that. Thanks to Boing Boing (via Engadget) for posting a link to SSI, a shredding company that can shred just about anything. The company has posted videos on their site of their industrial grade equipment in action. From electronic media and documents (good for privacy) to washing machines and fridges (cool to watch), there appears to be nothing that can't be shredded.

    A gallery of all their demos is here: SSI Shredding Demonstrations


    The Need for ChoicePoint 

    I've recently started following the Open Society Paradox, written by Dennis Bailey. Compared to most discussions of privacy on the internet, he's a contrarian advocating more openness and greater access to personal information. While this position may not be very prevalent in the blogosphere, his is a perspective that must be listened to. In one of his most recent postings (The Open Society Paradox: The Need for ChoicePoint) he argues that the recent decision made by ChoicePoint to cut off their criminal records check service may place people in danger, particularly those who hire people to work in their homes.

    UC Researcher finds out how to uniquely identify a PC on the net 

    A University of California researcher has developed a technique to uniquely identify a PC anywhere on the internet, even if it is hidden behind a firewall or shares its IP address with other computers:

    How to track a PC anywhere it connects to the Net: ZDNet Australia: News: Security:

    "Anonymous Internet access is now a thing of the past. A doctoral student at the University of California has conclusively fingerprinted computer hardware remotely, allowing it to be tracked wherever it is on the Internet.

    In a paper on his research, primary author and Ph.D. student Tadayoshi Kohno said: 'There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting ... without the fingerprinted device's known cooperation.' "

    Thanks to Privacy Digest for the pointer to this story.

    Friday, March 04, 2005

    ChoicePoint exits small business sales; CEO says he wasn't aware of breach 

    The CEO of ChoicePoint has spoken out in response to the recent incident involving the personal information of 145,000 Americans. He says that the company should have done things differently and that they are no longer providing services to small business because of "the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them." (I wonder if consumers see a direct benefit by their selling information to large business.)

    Interestingly, he says he did not become aware of the incident until months after it occurred. This highlights a problem I blogged about a while ago (PIPEDA and Canadian Privacy Law: Handling customer complaints under PIPEDA). Too often, when incidents occur, they are dealt with by lower level employees. Senior management and the directors, who are ultimately responsible for safeguarding personal information, are kept in the dark. What might start as a minor, one-off incident snowballs as further incidents are able to pile up. As we have seen, incidents such as this can have severe repercussions for a company, undermining shareholder value (see the chart on the right, showing CPS share price) and destroying confidence of consumers. Companies that handle personal information need to make sure that all incidents are appropriately escalated to someone who has overall responsibility for the big picture. From Canadian Business magazine:

    Canadian Business | News | ChoicePoint exits small business sales; CEO says he wasn't aware of breach: "

    March 4, 2005 - 15:53

    ATLANTA (AP) - The embattled data broker ChoicePoint Inc. said Friday that it was suspending sales of consumer information to small businesses, and the company's chief executive said he did not learn of a major breach until several months after it was discovered.


    CEO Smith told The Associated Press in an interview Friday that he did not personally learn of the breach until late January, though Los Angeles County detectives made their first arrest in the case in October.

    "There is no way that a CEO can know everything that is going on as it relates to an operation," Smith said. "I am not involved in the day-to-day operations of the business."

    Smith claimed ChoicePoint didn't grasp the magnitude of the breach until this year.

    Asked if he would resign over the matter, Smith said, "I have no intention of leaving the company."


    In an AP interview last week, Smith said "we voluntarily found the breach (in October) and notified law enforcement." He said Friday that he didn't mean to include himself in that reference.

    Smith said the decision to halt sales to small businesses follows "the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them."

    ChoicePoint's 17,000 small business customers accounted for about five per cent of annual revenue of $900 million. As a result of suspending sales to them, ChoicePoint said it expects a decline in core revenue this year of $15 million to $20 million.

    "Clearly what we did over the last week was take a very hard look at our business," Smith said. "To the extent you could rewrite history, we wish we had would have done things differently."


    A similar breach involving 7,000 to 10,000 ChoicePoint records occurred in 2002 but did not become public until reported by the Los Angeles Times earlier this week.


    Domain Owners Lose Privacy 

    According to Wired News, owners of domain names under the ".us" TLD will no longer be able to shield their identities:

    Wired News: Domain Owners Lose Privacy:

    "The U.S. Commerce Department has ordered companies that administer internet addresses to stop allowing customers to register .us domain names anonymously using proxy services.

    The move does not affect owners of .com and .net domains. But it means website owners with .us domains will no longer be able to shield their name and contact information from public eyes.

    The Electronic Privacy Information Center said the move violates First Amendment rights to anonymous free speech. And the representative of one of the largest domain-registration companies is concerned that customers who have been victims of stalkers won't be able to protect their privacy without changing their web address to a domain that offers anonymity...."


    Be cautious when changing your online privacy policy 

    Thanks to Rob Hyndman for pointing me to the following article on Findlaw.

    A recent FTC consent order may have significant repercussions for those in the United States who may want to change their online privacy policies to allow them to use information in new ways.

    Modern Practice - Privacy Policies: Beware of Changes:

    "By Justine Young Gotshall
    March 2005

    If you operate a web site, you should take note of a recent Federal Trade Commission ("FTC") consent order, In re Gateway Learning Corp., which is the first FTC case to challenge deceptive and unfair practices in connection with material changes to an online privacy policy.

    Specifically, the FTC's complaint charged Gateway Learning Corporation ("Gateway Learning") deceived consumers by materially changing its already established privacy practices, revising its privacy policy to reflect these revisions, and retroactively applying the materially different privacy terms to personal information that was collected from consumers under the original privacy policy.


    In the settlement agreement, Gateway Learning is barred from: (1) making misrepresentations about how it will use consumer data, (2) sharing any personal information it collected under the earlier privacy policy without express consent from consumers, and (3) applying future material changes to its privacy policy retroactively without consumer consent. Gateway Learning was also required to give up the money earned from the rental of consumers' information.

    The lessons learned are that a web site must take steps to ensure that it fully complies with each promise set forth in its posted policy privacy and elsewhere on the web site, and that a web site cannot change its privacy practices without consumer consent. A mere statement in a privacy policy that the web site may change its policies and post those changes on the web site does not give the web site the right to retroactively apply the changes to data previously collected. Web sites should also evaluate how they notify consumers when a privacy policy is revised.


    © 2004 Wildman, Harrold, Allen & Dixon LLP"

    Canadians will want to take a look at Kanitz v. Rogers Cable Inc. (2002), 58 O.R. (3d) 299 (S.C.J.), which gives more latitude when changing online contracts, as long as you have given notice that you may do so from time to time.


    Judge dismisses spam conviction 

    The first felony conviction for spamming in the United States has been overturned, CNN is reporting: Judge dismisses spam conviction - Mar 2, 2005:

    "LEESBURG, Virginia (AP) -- A judge dismissed a felony spamming conviction that had been called one of the first of its kind, saying he found no 'rational basis' for the verdict and wondering if jurors were confused by technical evidence...."

    Conference: Privacy: Are people ready to fight back? 

    The Centre for Information Security and Cryptography is holding a privacy conference in Calgary on April 21. Mathew Englander and David Loukidelis, among others, are panelists.

    Conference - Privacy: Are People Ready to Fight Back? :

    "Focusing on the Western Canadian experience and practical knowledge for privacy practitioners.
    April 21, 2005
    Location: IBM Building, 227 11th Avenue SW, Calgary, Alberta"

    Thursday, March 03, 2005

    Can We Get Some Privacy, Please? :: Internet World 

    I'm having a tough time keeping up with all the commentary related to privacy that has accompanied the ChoicePoint and Bank of America incidents. I may just post pointers and snippets until I clear up the backlog:

    Can We Get Some Privacy, Please? :: Internet World:

    "...But wait a second - just what is a 'data broker,' anyway? It's a company that makes money by compiling, storing and selling information about you and me - which carries with it some grave responsibilities. I have to admit that the whole industry makes me a little uncomfortable. Sure, companies like ChoicePoint and Westlaw may find our 'personal information' in a quasi-legitimate manner, but when that data is stolen, already pre-wrapped in nice convenient little data packets, it is potentially very dangerous. The work is already done for the identity thief, and leaks the size of the ChoicePoint breach have the potential to efficiently fuel a seedy industry of 'identity brokers.' Some Oregon politico called the incident the 'Exxon Valdez of privacy,' which I thought was apropos. The problem is, we've had other oil spills, and you can bet that we'll see more data leaks - and they're just as difficult to clean up.

    One final thought: Although new laws are obviously necessary, making things TOO difficult for private data aggregators may not be the answer, because then the burden of maintaining and protecting personal information might logically be placed on THE GOVERNMENT, and that's a road I'd rather not go down...."

    Police may have cracked the BTK case by covertly acquiring tissue sample from healthcare provider 

    Declan McCullagh's politechbot has a posting suggesting that the BTK serial killer case may have been cracked by covertly acquiring a tissue sample for DNA testing:

    Cops covertly acquired tissue of BTK suspect's relative -- from medical lab [Politech]:

    "In developments straight out of GATTACA's handshake scene, A Kansas City Star report indicates that the suspected 'BTK' killer was tentatively linked to crime scene evidence by acquiring genetic material from the suspect's daughter's medical records - the tissue samples being taken without her knowledge.

    The article goes on to give a brief but factually accurate explanation of how a request for 'medical records' is entirely within the framework of the federal medical privacy laws (HIPAA), and also gives a likely source of the tissue - a routine pap smear. The article suggests that a judge issued a secret order for the records, though the article does not state if it was a formal 4th Amendment 'probable cause' warrant, or some lesser standard subpoena, or even go into whether the police were required to acquire an order under HIPAA (there are circumstances where agents can just the recordholder.)..."

    Thanks to Rob Hyndman for the pointer.


    Underground market for stolen IDs thrives 

    USA Today is running a feature length story on ID theft and recent privacy/security incidents. Worth reading:

    Yahoo! News - Underground market for stolen IDs thrives:

    "...The incident underscores the trove of personal digital data floating in cyberspace and the thriving underground market for stolen IDs, law-enforcement officials and security experts say. It also highlights the conundrum of data brokers, who collect and sell personal information about virtually every U.S. resident but are not federally regulated.

    'Crooks are getting better at hacking, scamming and breaking down doors,' says privacy expert Linda Goldman-Foley. 'And one of their biggest targets are data brokers.'

    That has complicated the jobs of privacy advocates and security experts, who already face a rise in profit-motivated hackers and sophisticated computer viruses designed to filch personal information. Now, they must increasingly cope with paper records stolen from offices and dumpsters that are quickly spread over the Internet...."


    How to build trust among a cynical customer base (and how not to...) 

    Rob Hyndman has a good post in his blog about how simple things can do a lot to build trust. He received an e-mail from a hotel chain where he had stayed. They asked, in a one-time only e-mail, if he wanted to opt-in to receive any special offers by e-mail. A very simple thing, but Presto! Instant trust: Starwood Hotels and Privacy.

    Companies can easily destroy trust by doing things that they think are "good for the customer." Case in point: I regularly travel to Ottawa. I regularly stay at a particular hotel. One time, I had to go to Ottawa and my first choice was full. So I called a second hotel where I had stayed two years before and had pretty good service. When I called to make a reservation, I asked if they wanted a credit card to hold my room. "No thanks," said the reservation clerk, "we still have your card on file from the last time you stayed here." Two years ago. I immediately wondered where that had been stored. How did they know it was me and my card? There are at least 42 David Frasers listed in the Ontario phone books. Did every teenaged reservation clerk have access to my credit card for two years? Was it on the same computer that houses their online reservation system? I am not paranoid, but I now avoid that hotel.

    One additional thing to highlight the quirkiness of customers: I am a member of the loyalty program for the hotel where I usually stay in Ottawa. They have my credit card number, know what size bed I like and that I prefer a view of Parliament Hill. Why did I give that info to them? Because they told me what they do with it and they promised to keep it safe. Is that 100% fool-proof? No, but I have never seen them treat my information casually. So I trust them.

    Rob and I may be more privacy aware than most customers, but there is a growing minority of customers who notice things like this and it makes a difference. Companies need to cater to the "privacy demographic" as much as the 24-35 year olds.

    Privacy in the Stanford Encyclopedia of Philosophy 

    I just happened upon the essay entitled "Privacy" in the Stanford Encyclopedia of Philosophy. I have always said that the definition of privacy is elusive, as it means many different things to different people, primarily based upon their background. For physicians, privacy equals confidentiality in which there is a trusted group within which information can be freely shared and used. For IT-types, privacy equals security: making sure that the bad guys don't get access to personal information. Privacy is all that and then some. In the context of more recent privacy laws (particularly Canadian ones), privacy is about confidentiality, security and -- as importantly -- giving people control over their personal information.

    For a more philosophical and historical view, take a look at the Stanford essay:


    "The term "privacy" is used frequently in ordinary language as well as in philosophical, political and legal discussions, yet there is no single definition or analysis or meaning of the term. The concept of privacy has broad historical roots in sociological and anthropological discussions about how extensively it is valued and preserved in various cultures. Moreover, the concept has historical origins in well known philosophical discussions, most notably Aristotle's distinction between the public sphere of political activity and the private sphere associated with family and domestic life. Yet historical use of the term is not uniform, and there remains confusion over the meaning, value and scope of the concept of privacy...."


    Wednesday, March 02, 2005

    The hidden costs of security (and privacy) incidents 

    A Forrester Research report considers the costs often associated with security and privacy breaches:

    Analyst: Hidden costs in security breaches:

    "As consumers lose confidence in the security of online transactions, companies are missing the mark in understanding how customers' concerns will come back to haunt them, a Forrester Research analyst said Tuesday.

    Businesses often fail to realize that security breaches to their Web sites, disclosure of sensitive customer information or identity theft can result in secondary costs such as spikes in customer support calls and additional marketing costs to repair damaged reputations, Jonathan Penn, a Forrester security analyst, said at a presentation in San Mateo, Calif. The event was sponsored by online-enterprise risk management company Watchfire...."

    I didn't find the report on either the Forrester or Watchfire sites, so we'll have to take CNet News' word on it.

    Data aggregators pose a terrorism risk? 

    On one hand, some say that data aggregators can help in the fight against terrorism by "leveraging the power of information". On the other hand, they may help terrorists. Or at least some Democrat congressmen think they may and the Congress should investigate:

    Democrats lambaste ChoicePoint data leak | CNET

    "ChoicePoint's recent privacy snafu has raised the hackles of some Democrats in Congress, who are demanding an investigation into the 'terrorism risk' posed by information brokers. On Thursday, Sen. Bill Nelson of Florida and Rep. Bennie Thompson of Mississippi said they are planning to ask the Department of Homeland Security and the Government Accounting Office to look into how terrorists could use ChoicePoint and similar companies to sneak into the United States and maintain their cover...."

    The other side of ChoicePoint 

    A blog I hadn't seen before (but which I'll likely blogroll), the Open Society Paradox, considers the benefits of organizations like ChoicePoint:
    The Open Society Paradox: The Stampede Continues:
    • "Employment verification to help with child support collection. Their web site claims that they have helped agencies collect millions of dollars for children.
    • Screening of vendors that companies may choose to conduct business with.
    • Background screening for employers so that former criminals aren't hired into jobs where they might put people at risk.
    • Identity verification to help with the issuing of driver's licenses, something that can help reduce identity theft.
    • Information to help the government prevent fraud in publicly funded programs such as food stamps, welfare, taxation, low-income housing, government loans.
    • Information to help the government determine eligibility levels for benefits.
    • Information to help investigators locate potential criminal or terrorist suspects.
    • I'd like to know the savings that accrue because of the availability of ChoicePoint's information and its ability to reduce friction in various types of economic transactions."

    Privacy: we must do better 

    David Canton, in his blog eLegal Canton, urges custodians of personal information to do a better job protecting it ...

    eLegal Canton: March 2005 Archives:

    "... We - and by that I mean any person, business, or government that touches personal information in any way - must do a better job of keeping information secured, allow access only to those who rightfully need it, and keep only the bare minimum information necessary..."


    Dear Abby: Hospitals must follow wishes of patients who want privacy 

    Monterey County Herald | 03/02/2005 | Hospitals must follow wishes of patients who want privacy:

    "Dear Abby: I am a nursing supervisor in a large hospital. There is a policy in hospitals that the public does not understand, and it has caused more than a few problems.

    Because of privacy laws, all patients admitted to the hospital must be asked if they want to be a 'privacy patient' or a 'no publicity patient.' If they answer yes to that question, it means that if anyone calls, or comes to the hospital, we cannot even acknowledge that the patient is here. We must say, 'I don't have a patient listed by that name.'

    Not surprisingly, this often upsets friends and family members. So please, Abby, remind your readers about the privacy laws. We are not purposely lying to anyone; we are just following the patient's instructions and obeying the rules. Thank you. -- Frustrated Nurse in Ironton, Ohio

    Dear Frustrated: Thank YOU for injecting an important dose of reality. While some patients may welcome visitors, many more do not. One solution is to assign a particular relative or friend to be the 'minister of information.' That way, there is less emotional wear and tear on all concerned."


    LA Times reports that ChoicePoint Had Earlier Data Leak 

    The LA Times, via Yahoo! News, is reporting that ChoicePoint's data was compromised before 2002 in a very similar way, with virtually no publicity:

    Yahoo! News - ChoicePoint Had Earlier Data Leak:

    "Scammers penetrated ChoicePoint Inc.'s vast online database of personal records five years ago in an operation similar to a more recent case that has triggered a national furor over privacy, court records show.

    Two Nigerian-born fraud artists were arrested in Los Angeles in 2002 by federal officials who charged that the pair used ChoicePoint to gain access to confidential information about at least 7,000 people and possibly many more, resulting in at least $1 million in losses...."

    Tuesday, March 01, 2005

    Public records search tables are turned on ChoicePoint 

    Intrepid reporters from MSNBC have scanned the public records to reveal a number of lawsuits involving ChoicePoint. Interesting reading ...

    MSNBC - Not the first time for ChoicePoint:

    "A review of public records across the country reveals the Alpharetta-based company has been involved in at least 11 lawsuits since 2000 involving possible misappropriation of information. "

    No such thing as bad publicity 

    Interestingly, the T-Mobile incident involving Paris Hilton appears to have increased sales of the company's Sidekick II phone/pda/camera:

    Technology News: Technology: Hacked Hilton a Boon for Telco:

    "A socialite's nightmare is a cell phone company's dream.

    T-Mobile stores in New York are selling out of Sidekicks (a handheld device that stores information online) despite or, more likely, because of the fact that celebrity phone numbers and naughty pictures were stolen off one belonging to bad-girl heiress Paris Hilton.

    'We had an unusually high demand this week,' said one Manhattan store employee...."


    Time Magazine on the ChoicePoint incident 

    Time Magazine is running a good story on the ChoicePoint incident, delving into the details of the recent security incident and exploring the background of this hitherto unknown company: Are Your Secrets Safe? -- Mar. 07, 2005

    Schneier on Security: Choicepoint's CISO Speaks 

    Bruce Schneier has some interesting comments flowing from an interview with the CISO of ChoicePoint that appeared in

    Schneier on Security: Choicepoint's CISO Speaks: "Choicepoint's CISO Speaks Richard Baich, Choicepoint's CISO, is interviewed on
    This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren't. This type of fraud happens every day.

    Nice spin job, but it just doesn't make sense. This isn't a computer hack in the traditional sense, but it's a social engineering hack of their system. Information security controls were compromised, and confidential information was leaked.

    It's created a media frenzy; this has been mislabeled a hack and a security breach. That's such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don't.

    So, Choicepoint believes that providing adequate protection doesn't include preventing this kind of attack. I'm sure he's exaggerating when he says that 'this type of fraud happens every day' and 'frauds happens every day,' but if it's true then Choicepoint has a huge information security problem."

    The article and interview are worth reading on their own, as well.

    The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.