education new york online education new york online education new york online
NYS & NATIONAL Education Data Management & Information Policy
Today's Info Policy News
Weekly Archive
Information Policy
FERPA
Protecting your children's privacy: The Facts
Parents 4 Privacy
WHO'S WATCHING YOUR CHILDREN?
about
contact us
site map

Tweet This!:

Search

Privacy

compiled by education new york online

Scroll down to read entries organized by topic alphabetically OR use the topic links at the right to jump to categories of interest.

Updated Saturday October 06, 2012 01:30 PM

Biometrics

Upgraded Biometric Technology Facilitates Visitors' Entry to the United States
Date CapturedThursday January 15, 2009 07:41 PM
For nearly five years, U.S. Department of State (State) consular officers and U.S. Customs and Border Protection (CBP) officers have collected biometric information—digital fingerprints and a photograph—from all non-U.S. citizens between the ages of 14 and 79, with some exceptions, when they apply for visas or arrive at major U.S. ports of entry. State consular officers began collecting 10 fingerprints from visa applicants in 2007. Collecting 10 fingerprints increases fingerprint matching accuracy and reduces the possibility that the system will misidentify an international visitor. It also strengthens DHS's capability to check visitors' fingerprints against the Federal Bureau of Investigation's (FBI) criminal data and enables DHS to check visitors' fingerprints against latent fingerprints collected by Department of Defense (DOD) and the FBI from known and unknown terrorists around the world.

Blogs

Privacy Lives
Date CapturedFriday December 12, 2008 06:15 PM
Melissa Ngo -- more than a blog -- lots of policy and topic specific archives.

Breaches

A Facebook ‘Bug’ Revealed Personal E-mail Addresses
Date CapturedThursday May 07, 2009 07:12 PM
NY Times -- Gadget -- Riva Richmond [“In the course of one day I had Facebook go through over 10,000 e-mail addresses; ranging from reporters of prominent newspapers and CNN, to board of directors of Microsoft, Google, and Gates Foundation, and even the entire staff directories of government organizations and the World Bank,” Mr. Sheppard said in an e-mail message to a New York Times editor. “Of those it did find on Facebook, over 30% had their personal email addresses listed, which Facebook gladly gave me, without any of [the Facebook users] knowing.”]
Data Breaches: Ignorance Is Dangerous
Date CapturedMonday December 15, 2008 06:41 PM
Pam Greenberg State Legislatures writes [As states continue to work on improving data breach laws, Congress also has been considering legislation. Some bills have made it out of committee, but none have had a floor vote. Federal legislation is a mixed blessing," says Simitian. "If we end up with a weaker set of provisions that also preempts the more rigorous state laws, that's not going to benefit consumers." Cate thinks Congress will act, and he's surprised it hasn't already. "It's probably because they found it a lot more complicated than they thought." The way data are collected, used and transferred across states, it's likely many companies will opt to comply with the most stringent provisions in state laws, Cate says. "One way or another, we'll have national preemption -- either from the state that adopts the toughest law or from Congress. But it's a classic case of states leading the way." ]

CDT

Browser Privacy Features: A Work In Progress
Date CapturedSunday August 09, 2009 03:39 PM
CDT Releases Updated Report on Privacy Controls for Web Browsers. The report compares browser offerings in three key areas: privacy mode, cookie controls and object controls. Each of those, when used correctly, can greatly reduce the amount of personal information users transmit online. August 05, 2009
Response to the 2008 NAI Principles: The Network Advertising Initiative’s Self-Regulatory Code of Conduct for Online Behavioral Advertising
Date CapturedThursday February 12, 2009 06:43 PM
[CDT believes the 2008 NAI Principles, while late in addressing new trends in the industry, demonstrate clear progress over the original code of conduct adopted in 2000. The transparency of the NAI’s revision and compliance process, the approach to sensitive information, and the coverage of advertising practices beyond behavioral advertising all represent important steps forward. While robust self-regulation in the behavioral advertising space does not obviate the need for a baseline federal privacy law covering data collection and usage of all kinds, the NAI has made advances in several areas, yielding what we hope will be better protections for consumer privacy. However, the 2008 NAI Principles still come up short in crucial respects including the opt-out choice requirement, the notice standard, the NAI member accountability model, the failure to address ISP behavioral advertising, the lack of a choice requirement for multi-site advertising, and the data retention principle. Some of these are outstanding issues that have existed within the NAI framework since its inception, while others are new concerns raised by the updates to the principles.]

Cloud Computing

Cloud Standards Effort Could Turn into a Dustup
Date CapturedMonday May 04, 2009 04:32 PM
Digits - Technology News and Insights -- By Ben Worthen - [The Open Cloud Standards Incubator is part of an organization called Distributed Management Task Force. The DMTF was founded in 1992 and has developed standards for managing computers and sharing information on the Web in the past. Its members are a who’s who of the tech industry’s old guard—in addition to IBM and Microsoft they include EMC, H-P, Intel and many others. It’s too early to call the absence of Internet companies a rift, but it’s a split reminiscent of the one that occurred when IBM tried to get companies to sign up for its “Open Cloud Manifesto” a few weeks ago. At the time companies that didn’t participate in IBM’s effort were quick to dismiss the manifesto as meaningless marketing.]

Consumer Privacy

Predatory Marketing Law Opposed By AOL, News Corp., Yahoo, Others
Date CapturedSunday August 30, 2009 08:59 PM
A new privacy law in Maine is facing a court challenge from media organizations as well as a coalition of online companies including AOL, News Corp. and Yahoo. [The new law, officially titled "An Act To Prevent Predatory Marketing Practices against Minors," prohibits companies from knowingly collecting personal information or health-related information from minors under 18 without their parents' consent. The measure also bans companies from selling or transferring health information about minors that identifies them, regardless of how the data was collected. ] [Privacy advocate Jeff Chester said the law's basic premise is valid, but that it "likely needs to be revised to accommodate concerns about its impact on educational and other non-profit uses." ]

COPPA

Children's Online Privacy Protection Act of 1998
Date CapturedTuesday March 03, 2009 03:14 PM
TITLE XIII-CHILDREN'S ONLINE PRIVACY PROTECTION ***NOTE INCONSISTENCY BETWEEN DEFINITIONS OF PERSONAL INFORMATION AND PARENTAL CONSENT BETWEEN COPPA AND FERPA COPPA DEFINITION (LINK HAS FULL COPPA TEXT) (8) PERSONAL INFORMATION.—The term "personal information" means individually identifiable information about an individual collected online, including— (A) a first and last name; (B) a home or other physical address including street name and name of a city or town; (C) an e-mail address; (D) a telephone number; (E) a Social Security number; (F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or (G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph. (9) VERIFIABLE PARENTAL CONSENT.—The term "verifiable parental consent" means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.

Cyber Security

When Hackers Attack: Practicing Cybersecurity at Home
Date CapturedFriday December 12, 2008 02:01 PM
Brian Krebs writes [While Barack Obama has selected key members of his national security team—Defense Secretary, National Security Adviser and Secretary of State—there are calls for the president-elect to make another security appointment. The bipartisan Commission on Cybersecurity for the 44th Presidency suggests that there is a dire need to create a National Office for Cyberspace to protect our nation’s most sensitive computer networks. The need for national cyberspace security is a no-brainer, but who is going to protect us from the digital devices that organize our lives and leaves personal information vulnerable to theft? Here, a behind-the-scenes look at how hackers are unearthing the private details of our lives by attacking our web browsers, cell phones, and personal electronics.]

Data Mining

Google Becomes Default Location Provider For Firefox
Date CapturedThursday April 30, 2009 06:47 PM
TechCrunch.com -- Jason Kincaid -- [Google says that the data isn't currently being used for advertising purposes (at least for now), and that this is really about getting location-based functionality deployed to the web. But even without the advertising dollars, there is one very major upside: Google is going to be able to perfect its location database, with millions of users tapping into it on a daily basis. And that database is going to be extremely valuable going forward. ]
Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment
Date CapturedWednesday December 03, 2008 04:02 PM
National Academies Press - [All U.S. agencies with counterterrorism programs that collect or "mine" personal data -- such as phone records or Web sites visited -- should be required to evaluate the programs' effectiveness, lawfulness, and impacts on privacy. A framework is offered that agencies can use to evaluate such information-based programs, both classified and unclassified. The book urges Congress to re-examine existing privacy law to assess how privacy can be protected in current and future programs and recommends that any individuals harmed by violations of privacy be given a meaningful form of redress.]

DHS

Testimony of Secretary Janet Napolitano before the House Committee on Homeland Security on DHS, The Path Forward
Date CapturedWednesday February 25, 2009 03:13 PM
Release Date: February 25, 2009 - The Committee’s platform items: [Improving the governance, functionality, and accountability of the Department of Homeland Security; enhancing security for all modes of transportation; strengthening our Nation: response, resilience, and recovery; shielding the Nation’s critical infrastructure from attacks; securing the homeland and preserving privacy, civil rights, and civil liberties; connecting the dots: intelligence, information sharing, and interoperability; implementing common-sense border and port security; and inspiring minds and developing technology – the future of homeland security. ]
Data Privacy & Integrity Advisory Committee
Date CapturedTuesday February 03, 2009 05:45 PM
This letter (to Janet Napolitano and John W. Kropf) reflects the consensus recommendations provided by the Data Privacy and Integrity Advisory Committee to the Secretary and Acting Chief Privacy Officer of the Department of Homeland Security (DHS). The Committee’s charter under the Federal Advisory Committee Act is to provide advice on programmatic, policy, operational, administrative, and technological issues relevant to DHS that affect individual privacy, data integrity and other privacy-related issues. The Committee deliberated on and adopted the recommendations set forth below during a public meeting held by teleconference on February 3, 2009. This letter outlines certain key privacy issues currently facing the Department of Homeland Security that the Committee believes the new Administration should review. We recognize that efforts are underway on many of these issues and our intention is to highlight their importance. The letter reflects the consensus view of the members of the Committee.
Upgraded Biometric Technology Facilitates Visitors' Entry to the United States
Date CapturedThursday January 15, 2009 07:41 PM
For nearly five years, U.S. Department of State (State) consular officers and U.S. Customs and Border Protection (CBP) officers have collected biometric information—digital fingerprints and a photograph—from all non-U.S. citizens between the ages of 14 and 79, with some exceptions, when they apply for visas or arrive at major U.S. ports of entry. State consular officers began collecting 10 fingerprints from visa applicants in 2007. Collecting 10 fingerprints increases fingerprint matching accuracy and reduces the possibility that the system will misidentify an international visitor. It also strengthens DHS's capability to check visitors' fingerprints against the Federal Bureau of Investigation's (FBI) criminal data and enables DHS to check visitors' fingerprints against latent fingerprints collected by Department of Defense (DOD) and the FBI from known and unknown terrorists around the world.
Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment
Date CapturedWednesday December 03, 2008 04:02 PM
National Academies Press - [All U.S. agencies with counterterrorism programs that collect or "mine" personal data -- such as phone records or Web sites visited -- should be required to evaluate the programs' effectiveness, lawfulness, and impacts on privacy. A framework is offered that agencies can use to evaluate such information-based programs, both classified and unclassified. The book urges Congress to re-examine existing privacy law to assess how privacy can be protected in current and future programs and recommends that any individuals harmed by violations of privacy be given a meaningful form of redress.]

DNA

F.B.I. and States Vastly Expand DNA Databases
Date CapturedSunday April 19, 2009 05:40 PM
NY Times By SOLOMON MOORE -- Published: April 18, 2009 -- [Minors are required to provide DNA samples in 35 states upon conviction, and in some states upon arrest. Three juvenile suspects in November filed the only current constitutional challenge against taking DNA at the time of arrest. The judge temporarily stopped DNA collection from the three youths, and the case is continuing. Sixteen states now take DNA from some who have been found guilty of misdemeanors. As more police agencies take DNA for a greater variety of lesser and suspected crimes, civil rights advocates say the government’s power is becoming too broadly applied. “What we object to — and what the Constitution prohibits — is the indiscriminate taking of DNA for things like writing an insufficient funds check, shoplifting, drug convictions,” said Michael Risher, a lawyer for the American Civil Liberties Union.]
Minnesota Department of Health Continues to Violate State Law and Individual Privacy
Date CapturedSaturday December 13, 2008 04:29 PM
St. Paul/Minneapolis – Concerned parents and the Citizens’ Council on Health Care (CCHC) called on Governor Tim Pawlenty to require his Commissioner of Health to cease and desist the warehousing of newborn blood and baby DNA without informed, written parent consent.

eBehavioral Advertising

Americans Reject Tailored Advertising and Three Activities that Enable It
Date CapturedMonday October 05, 2009 07:01 PM
[First, federal legislation ought to require all websites to integrate the P3P protocols into their privacy policies. That will provide a web-wide computerreadable standard for websites to communicate their privacy policies automatically to people’s computers. Visitors can know immediately when they get to a site whether they feel comfortable with its information policy. An added advantage of mandating P3P is that the propositional logic that makes it work will force companies to be straightforward in presenting their positions about using data. It will greatly reduce ambiguities and obfuscations about whether and where personal information is taken. · Second, federal legislation ought to mandate data-flow disclosure for any entity that represents an organization online. The law would work this way: When an internet user begins an online encounter with a website or commercial email, that site or email should prominently notify the person of an immediately accessible place that will straightforwardly present (1) exactly what information the organization collected about that specific individual during their last encounter, if there was one; (2) whether and how that information was linked to other information; (3) specifically what other organizations, if any, received the information; and (4) what the entity expects will happen to the specific individual’s data during this new (or first) encounter. Some organizations may then choose to allow the individuals to negotiate which of forthcoming data-extraction, manipulation and sharing activities they will or won’t allow for that visit. · Third, the government should assign auditing organizations to verify through random tests that both forms of disclosure are correct—and to reveal the results at the start of each encounter. The organizations that collect the data should bear the expense of the audits. Inaccuracies should be considered deceptive practices by the Federal Trade Commission. The three proposals follow the widely recognized Federal Trade Commission goals of providing users with access, notice, choice, and security over their information. Companies will undoubtedly protest that these activities might scare people from allowing them to track information and raise the cost of maintaining databases about people online. One response is that people, not the companies, own their personal information. Another response is that perhaps consumers’ new analyses of the situation will lead them to conclude that such sharing is not often in their benefit. If that happens, it might lead companies that want to retain customers to change their information tracking-and-sharing approaches. The issues raised here about citizen understanding of privacy policies and data flow are already reaching beyond the web to the larger digital interactive world of personal video recorders (such as TiVo), cell phones, and personal digital assistants. At a time when technologies to extract and manipulate consumer information are becoming ever-more complex, citizens’ ability to control their personal information must be both more straightforward and yet more wide-ranging than previously contemplated.]Turow, Joseph, King, Jennifer, Hoofnagle, Chris Jay, Bleakley, Amy and Hennessy, Michael, Americans Reject Tailored Advertising and Three Activities that Enable It (September 29, 2009). Available at SSRN: http://ssrn.com/abstract=1478214
In the garden of Google and evil
Date CapturedMonday May 11, 2009 05:55 PM
Computer World - Robert L. Mitchell -- [As the focus by regulators and privacy advocates intensifies, Google should take a leadership role in developing pro-consumer privacy laws and best practices. If it doesn't, Google could eventually lose the good will it has with its users, and regulators could make it the poster boy for privacy on the Web. Google need look no further than Microsoft to see how quickly public opinion can change for a defacto monopoly. ]
Google Becomes Default Location Provider For Firefox
Date CapturedThursday April 30, 2009 06:47 PM
TechCrunch.com -- Jason Kincaid -- [Google says that the data isn't currently being used for advertising purposes (at least for now), and that this is really about getting location-based functionality deployed to the web. But even without the advertising dollars, there is one very major upside: Google is going to be able to perfect its location database, with millions of users tapping into it on a daily basis. And that database is going to be extremely valuable going forward. ]
Advertisers Get a Trove of Clues in Smartphones
Date CapturedWednesday March 11, 2009 03:05 PM
NY Times STEPHANIE CLIFFORD writes [The capability for collecting information has alarmed privacy advocates. “It’s potentially a portable, personal spy,” said Jeff Chester, the executive director of the Center for Digital Democracy, who will appear before Federal Trade Commission staff members this month to brief them on privacy and mobile marketing. He is particularly concerned about data breaches, advertisers’ access to sensitive health or financial information, and a lack of transparency about how advertisers are collecting data. “Users are going to be inclined to say, sure, what’s harmful about a click, not realizing that they’ve consented to give up their information.”]
Google to Offer Ads Based on Interests
Date CapturedWednesday March 11, 2009 03:00 PM
NY Times MIGUEL HELFT writes [Google will use a cookie, a small piece of text that resides inside a Web browser, to track users as they visit one of the hundreds of thousands of sites that show ads through its AdSense program. Google will assign those users to categories based on the content of the pages they visit. For example, a user may be pegged as a potential car buyer, sports enthusiast or expectant mother. Google will then use that information to show people ads that are relevant to their interests, regardless of what sites they are visiting. An expectant mother may see an ad about baby products not only on a parenting site but also, for example, on a sports or fashion site that uses AdSense or on YouTube, which is owned by Google.]
PRIVACY AND DATA PROTECTION
Date CapturedWednesday March 11, 2009 02:42 PM
The Business Forum for Consumer Privacy (BFCP)--a coalition of companies including Microsoft, Google and HP released a whitepaper intended to start a discussion about governing information collection and use. The BFCP says the current U.S. approach, which holds consumers responsible for how their private information is used, is not sufficient in the information economy. In the whitepaper, the forum proposes an alternative approach toward securing private data: a "use-and-obligations" model. This model, the authors say, draws upon the OECD Guidelines and the APEC Privacy Framework, and outlines five categories of data use: fulfillment, marketing, internal business operations, antifraud and authentication, and external legal and public good. Forum members say a use-and-obligations model will better address ways in which information is collected and used in the twenty-first century.
Behavioral Targeting: Not that Bad?! TRUSTe Survey Shows Decline in Concern for Behavioral Targeting
Date CapturedWednesday March 04, 2009 03:05 PM
Behavioral advertising still represents un-charted territory, without clearly applicable laws or regulations. In February, the Federal Trade Commission (FTC) published a set of guidelines (titled “Self-Regulatory Principles for Online Behavioral Advertising”) for companies collecting information on the actions of Internet users for the purpose of providing targeted advertising to them. The principles encourage self-regulatory action on the part of the companies themselves, specifically encouraging transparency and customer control, reasonable security and limited data retention for customer data. These principles have been criticized by privacy advocates, who assert that government should impose stricter laws rather than relying on companies to self regulate.
Cable Companies Target Commercials to Audience
Date CapturedWednesday March 04, 2009 02:53 PM
NY Times STEPHANIE CLIFFORD [Cablevision matches households to demographic data to divide its customers, using the data-collection company Experian. Experian has data on individuals that it collects through public records, registries and other sources. It matches the name and address of the subscriber to what it knows about them, and assigns demographic characteristics to households. (The match is a blind one: advertisers do not know what name and address they are advertising to, Cablevision executives said.) Advertisers can also give their existing customer lists to Experian, and Experian can make matches — so G.M., for example, could direct an ad based on who already owns a G.M. car. Advertisers are willing to pay premiums for ads that go only to audiences they have selected.]
YouTube's new 'nocookie' feature continues to serve cookies
Date CapturedTuesday March 03, 2009 03:20 PM
CNET -- Chris Soghoian says [ Those in the privacy community will likely pounce on this as evidence of Google's hypocrisy, while Google will likely respond by carefully parsing the definition of the phrase "non-session cookie" to not include Flash-cookie objects. Google might even even argue that its Flash-based cookies do not contain unique tracking information (something this blogger is unable to verify, since the Adobe Flash Manager only allows you to delete, but not view the contents of a Flash cookie). One thing is clear. YouTube has advertised a new delayed cookie feature, and stated that it "does not send a cookie until the visitor plays the video." That message is further reinforced by the fact that the new cookie-lite embedded video players are served from a different domain name, youtube-nocookie.com. Yet a user visiting a page that includes one of these "delayed cookie" videos still ends up with a long term, non-session Flash cookie hidden away in the depths of their browser. Technical definitions of "cookie" versus "Flash cookie" aside, YouTube's "delayed cookie" feature simply fails to deliver on the company's promises.] ]
Response to the 2008 NAI Principles: The Network Advertising Initiative’s Self-Regulatory Code of Conduct for Online Behavioral Advertising
Date CapturedThursday February 12, 2009 06:43 PM
[CDT believes the 2008 NAI Principles, while late in addressing new trends in the industry, demonstrate clear progress over the original code of conduct adopted in 2000. The transparency of the NAI’s revision and compliance process, the approach to sensitive information, and the coverage of advertising practices beyond behavioral advertising all represent important steps forward. While robust self-regulation in the behavioral advertising space does not obviate the need for a baseline federal privacy law covering data collection and usage of all kinds, the NAI has made advances in several areas, yielding what we hope will be better protections for consumer privacy. However, the 2008 NAI Principles still come up short in crucial respects including the opt-out choice requirement, the notice standard, the NAI member accountability model, the failure to address ISP behavioral advertising, the lack of a choice requirement for multi-site advertising, and the data retention principle. Some of these are outstanding issues that have existed within the NAI framework since its inception, while others are new concerns raised by the updates to the principles.]
FTC Staff Revises Online Behavioral Advertising Principles
Date CapturedThursday February 12, 2009 06:19 PM
The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and personalization that many consumers appear to value. It also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected – including sensitive information regarding health, finances, or children – could fall into the wrong hands or be used for unanticipated purposes. Consistent with the FTC’s overall approach to consumer privacy, the report seeks to balance the potential benefits of behavioral advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace.
Ad groups to develop voluntary marketing privacy guidelines
Date CapturedWednesday January 14, 2009 07:46 PM
Daily News Alert - [The announcement of the joint effort took place on the same day that two consumer advocacy groups, the Center for Digital Democracy and the U.S. Public Interest Research Group, asked the FTC to investigate behavioral targeting practices aimed at users of mobile phones and requested regulations to make it easier for mobile phone users to control how information about them is used.]
"Cleaning Up After Cookies"
Date CapturedTuesday January 06, 2009 03:26 PM
Kate McKinley, a researcher at iSec Partners writes [Modern web browsers and plugins are rapidly expanding web developers’ ability to store data on users’ systems, while simultaneously adding features which allow users the perception of more control over that data. Users need to be confident that their perceptions match reality. Unfortunately, the privacy modes offered by browsers are still evolving (several are only available as betas), and none remove all the tracking data users might expect them to block. A tool was created to set and report on different data stores. This paper presents the findings from running this tool using several major browsers with two plug-ins across three common operating systems. We find current browsers are unable to extend tracking protection to third party plug-ins such as Google Gears and Adobe Flash. Some of these require no user prompting under common configurations and even expose tracking data saved with one browser sites visited by a different browser. We also recommend approaches for solving these problems.]
Privacy: On Doing No Harm
Date CapturedFriday December 12, 2008 01:22 PM
Privacy: On Doing No Harm -- by Steve Smith -- [The launch of the AT&T-backed Future of Privacy Forum last month (see our own interview with principal Joel Polonetsky here ) sparked discussion about how digital media should best address the debate. Matthew Wise, CEO, Q Interactive and former senior vice president of account services at Draft, is a member of the Interactive Advertising Bureau board who takes issue with some of the early statement by FPF members. Rather than start the debate over whether data is or should be collected, Wise argues here that the argument really should surround data's proper use.]

Electronic Health Records (EHR)

HHS Names David Blumenthal As National Coordinator for Health Information Technology
Date CapturedSaturday March 21, 2009 01:00 PM
The American Recovery and Reinvestment Act includes a $19.5 billion investment in health information technology, which will save money, improve quality of care for patients, and make our health care system more efficient. Dr. Blumenthal will lead the effort at HHS to modernize the health care system by catalyzing the adoption of interoperable health information technology by 2014 thereby reducing health costs for the federal government by an estimated $12 billion over 10 years.
E P I C A l e r t - Volume 16.02 - February 10, 2009
Date CapturedThursday February 12, 2009 11:42 PM
[1] Medical Privacy Moves Forward in Congress - [2] Civil Society Launches Campaign for Privacy Convention - [3] National Academies Report Calls for New Approach to Medical -Privacy - [4] President Obama Promotes Open Government [5] Report - Google Latitude Poses Significant Privacy Risks [6] News in Brief [7] EPIC Bookstore: "The Dark Side" [8] Upcoming Conferences and Events
U.S. stimulus bill pushes e-health records for all
Date CapturedThursday February 12, 2009 07:29 PM
Declan McCullagh - [The U.S. Senate on Tuesday approved an $838 billion "stimulus" bill by a 61-37 vote, capping more than a week of political sparring between critics of the measure and President Obama, who claimed during a press conference that an "economic emergency" made it necessary. What didn't come up during the president's first press conference was how one section of the convoluted legislation--it's approximately 800 pages total--is intended to radically reshape the nation's medical system by having the government establish computerized medical records that would follow each American from birth to death. Billions will be handed to companies creating these databases. Billions will be handed to universities to incorporate patient databases "into the initial and ongoing training of health professionals." There's a mention of future "smart card functionality." Yet nowhere in this 140-page portion of the legislation does the government anticipate that some Americans may not want their medical histories electronically stored, shared, and searchable. Although a single paragraph promises that data-sharing will "be voluntary," there's no obvious way to opt out. "Without those protections, Americans' electronic health records could be shared--without their consent--with over 600,000 covered entities through the forthcoming nationally linked electronic health records network," said Sue Blevins, president of the Institute for Health Freedom, a nonprofit group that advocates health care privacy.]
Obama adds health IT to economic stimulus package
Date CapturedFriday December 19, 2008 07:34 PM
Published on December 8, 2008 -- Government Health IT Paul McCloskey writes [The Wired bill, which failed to pass the Senate this summer, created incentives for health IT adoption and addressed several privacy problems that had long delayed the bill. Obama’s address followed remarks a day earlier by Sen. Tom Daschle, the designated Secretary of the Department of Health and Human Services. The transition team will manage a series of “health care community discussions,” to run from Dec. 15 to Dec. 30, that will solicit opinions on health care reform directly from the public. The meetings will be modeled on the Obama election campaign, which took advantage of the Internet to solicit support directly from the public. Obama's Internet site asks people to submit ideas for how to improve the health care system.]
The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
Date CapturedThursday December 18, 2008 04:56 PM
The principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information below establish a single, consistent approach to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation’s adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a netwo

Electronic Records

Lost Cellphone? Your Carrier Has Your Backup
Date CapturedWednesday February 25, 2009 08:28 PM
Wall Street Journal - Mossberg Solution - KATHERINE BOEHRET [By the time you've left your cellphone in a taxi or dropped it into a pot of soup, it's too late. All those phone numbers you had at your finger tips -- your best friend, your boss, your mom -- are gone. (Well, maybe you'll remember Mom's.) Some companies have tried to soothe backup concerns with gadgets like the $50 Backup-Pal from Advanced Wireless Solutions LLC, or wireless services like Skydeck. But for many for people, it's just as easy to ignore the risk.]

Enhanced DL

Video: Hacker war drives San Francisco cloning RFID passports
Date CapturedTuesday February 03, 2009 07:21 PM
Thomas Ricker - [Chris recently drove around San Francisco reading RFID tags from passports, driver licenses, and other identity documents. In just 20 minutes, he found and cloned the passports of two very unaware US citizens.]
Obama administration to inherit a real mess on Real ID
Date CapturedFriday December 12, 2008 07:35 PM
Computerworld Jaikumar Vijayan writes -- [According to Dixon, the one public comment that Obama has made about Real ID came during a primary campaign debate, when he voiced his opposition to the way the law was being implemented and the burdens it imposed on states. A perusal of Obama's Senate voting record on the Project Vote Smart Web site shows that as a senator from Illinois, Obama didn't vote on a proposal relating to Real ID funding. But whatever position the new administration takes, the fact remains that many of the standards required under Real ID are already being implemented by states as part of their own efforts to improve security, Dixon said. As a result, he noted, moving the Real ID program forward may require little more than a willingness on the part of the DHS to see if those efforts are enough to qualify as complying with the law. Dixon noted that Napolitano's experience as the governor of a state that is fighting against the Real ID initiative should have given her insight into the issues being faced by the other states as well. If she's confirmed to head the DHS, he said, "Napolitano could sit down with the governors and try to find a way out of this impasse."]

Fair Information Practice

Advertisers Get a Trove of Clues in Smartphones
Date CapturedWednesday March 11, 2009 03:05 PM
NY Times STEPHANIE CLIFFORD writes [The capability for collecting information has alarmed privacy advocates. “It’s potentially a portable, personal spy,” said Jeff Chester, the executive director of the Center for Digital Democracy, who will appear before Federal Trade Commission staff members this month to brief them on privacy and mobile marketing. He is particularly concerned about data breaches, advertisers’ access to sensitive health or financial information, and a lack of transparency about how advertisers are collecting data. “Users are going to be inclined to say, sure, what’s harmful about a click, not realizing that they’ve consented to give up their information.”]
PRIVACY AND DATA PROTECTION
Date CapturedWednesday March 11, 2009 02:42 PM
The Business Forum for Consumer Privacy (BFCP)--a coalition of companies including Microsoft, Google and HP released a whitepaper intended to start a discussion about governing information collection and use. The BFCP says the current U.S. approach, which holds consumers responsible for how their private information is used, is not sufficient in the information economy. In the whitepaper, the forum proposes an alternative approach toward securing private data: a "use-and-obligations" model. This model, the authors say, draws upon the OECD Guidelines and the APEC Privacy Framework, and outlines five categories of data use: fulfillment, marketing, internal business operations, antifraud and authentication, and external legal and public good. Forum members say a use-and-obligations model will better address ways in which information is collected and used in the twenty-first century.

FERPA

Personal school data not always private
Date CapturedTuesday November 03, 2009 08:15 PM
SCOTT WALDMAN Staff Writer Section: Capital Region, Page: B1 Date: Saturday, February 9, 2008 [GUILDERLAND - Last year, the Guilderland Teachers Association got the address of every local family and sent those with school-age children postcards promoting the union's picks in the May school board election. But trying to get that kind of personal information from other school districts won't work. The issue shines a light on how school districts interpret a federal law that permits the disclosure of "directory" information - including student and parent names, addresses and phone numbers - without consent. The law leaves it up to individual districts to define what is considered directory information. The statute also stipulates that schools must tell residents they have the right to withhold the information.]
Use of parental list is faulted
Date CapturedTuesday November 03, 2009 08:06 PM
March 17, 2008 by Scott Waldman - [GUILDERLAND - Guilderland School District violated federal law when it provided the names and addresses of parents to the teachers union, according to the state's authority on open government. Last year, Guilderland Teachers Association used those names and addresses to send parents of school-aged children postcards promoting the union's picks in a school board election. School officials deny that any law was broken, but the district recently imposed a moratorium on releasing "directory" information after complaints by school board members and news coverage of the controversy.]
In-Depth Summary of Changes to FERPA Rules
Date CapturedThursday December 11, 2008 07:54 PM

First Amendment

Brandeis in Italy: The Privacy Issues in the Google Video Case
Date CapturedWednesday March 10, 2010 03:59 PM
Huffington Post - Marc Rotenberg writes [I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States. The video at the center of this case was very popular in Italy and drove lots of users to the Google Video site. This boosted advertising and support for other Google services. As a consequence, Google actually had an incentive not to respond to the many requests it received before it actually took down the video. Back in the U.S., here is the relevant history: after Brandeis and Warren published their famous article on the right to privacy in 1890, state courts struggled with its application. In a New York state case in 1902, a court rejected the newly proposed right. In a second case, a Georgia state court in 1905 endorsed it.] Marc Rotenberg is the Executive Director, Electronic Privacy Information Center (EPIC).

Fourth Amendment

U.S. Constitution: Fourth Amendment
Date CapturedThursday January 01, 2009 07:07 PM
Linked page includes Findlaw annotations [The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.]
You Have Near-Zero Expectation of Privacy in Your Cell Phone Records [Part I]
Date CapturedThursday January 01, 2009 07:01 PM
Journalist Mark Nestmann -- [The calling records on your cell phone have "no expectation of privacy," according to a court decision issued by a federal court in Kansas. And under the court's reasoning, it's possible that other data stored on modern cell phones have no expectation of privacy, either.]
2009 Media & Tech Priorities -- A Public Interest Agenda
Date CapturedMonday December 22, 2008 03:48 PM
Free Press Action Fund -- [Obama’s FCC should act quickly to adopt rules preserving Net Neutrality that mirror the legislative effort. These rules should pertain to all wired and wireless networks and should enshrine the FCC’s established four openness principles alongside a necessary fifth principle that prohibits discrimination and pay-for-priority tolls. The FCC should establish an expedited complaint process for violations of the rules and stiff penalties for violators. Finally, the FCC should move to require extensive disclosure of Internet providers’ network management techniques as well as specific information about the quality of the Internet service being purchased by consumers.]

FTC

FTC Settles with Six Companies Claiming to Comply with International Privacy Framework
Date CapturedWednesday October 07, 2009 09:28 PM
[For Release: 10/06/2009 - Six U.S. businesses have agreed to settle Federal Trade Commission charges that they deceived consumers by falsely claiming they were abiding by an international privacy framework that provides a means for U.S. companies to transfer data from the European Union to the United States in keeping with EU and U.S. law. According to six separate complaints filed by the FTC, the six companies deceptively claimed they held current certifications under the EU/U.S. Safe Harbor framework. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The FTC complaints charge World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC with representing that they held current certifications to the Safe Harbor program, even though the companies had allowed their certifications to lapse. Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. Consumers who want to know whether a U.S. company is a participant in the Safe Harbor program can go to http://export.gov/safeharbor to see if the company holds a current self-certification. These cases are being brought with the invaluable assistance of the U.S. Department of Commerce. The Commission vote to approve the administrative complaints and proposed settlement agreements was 4-0. The FTC will publish an announcement regarding the agreements in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through November 5, 2009, after which the Commission will decide whether to make them final. To file a public comment, please click on the following hyperlink: http://www.ftc.gov/os/2009/10/sixcasespubliccomment.pdf and follow the instructions at that site. Copies of the complaints, the proposed settlement agreements, and the analyses of the agreements to aid in public comment are available from both the FTC’s Web site http://www.ftc.gov and the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580.]
Behavioral Targeting: Not that Bad?! TRUSTe Survey Shows Decline in Concern for Behavioral Targeting
Date CapturedWednesday March 04, 2009 03:05 PM
Behavioral advertising still represents un-charted territory, without clearly applicable laws or regulations. In February, the Federal Trade Commission (FTC) published a set of guidelines (titled “Self-Regulatory Principles for Online Behavioral Advertising”) for companies collecting information on the actions of Internet users for the purpose of providing targeted advertising to them. The principles encourage self-regulatory action on the part of the companies themselves, specifically encouraging transparency and customer control, reasonable security and limited data retention for customer data. These principles have been criticized by privacy advocates, who assert that government should impose stricter laws rather than relying on companies to self regulate.
YouTube's new 'nocookie' feature continues to serve cookies
Date CapturedTuesday March 03, 2009 03:20 PM
CNET -- Chris Soghoian says [ Those in the privacy community will likely pounce on this as evidence of Google's hypocrisy, while Google will likely respond by carefully parsing the definition of the phrase "non-session cookie" to not include Flash-cookie objects. Google might even even argue that its Flash-based cookies do not contain unique tracking information (something this blogger is unable to verify, since the Adobe Flash Manager only allows you to delete, but not view the contents of a Flash cookie). One thing is clear. YouTube has advertised a new delayed cookie feature, and stated that it "does not send a cookie until the visitor plays the video." That message is further reinforced by the fact that the new cookie-lite embedded video players are served from a different domain name, youtube-nocookie.com. Yet a user visiting a page that includes one of these "delayed cookie" videos still ends up with a long term, non-session Flash cookie hidden away in the depths of their browser. Technical definitions of "cookie" versus "Flash cookie" aside, YouTube's "delayed cookie" feature simply fails to deliver on the company's promises.] ]
Children's Online Privacy Protection Act of 1998
Date CapturedTuesday March 03, 2009 03:14 PM
TITLE XIII-CHILDREN'S ONLINE PRIVACY PROTECTION ***NOTE INCONSISTENCY BETWEEN DEFINITIONS OF PERSONAL INFORMATION AND PARENTAL CONSENT BETWEEN COPPA AND FERPA COPPA DEFINITION (LINK HAS FULL COPPA TEXT) (8) PERSONAL INFORMATION.—The term "personal information" means individually identifiable information about an individual collected online, including— (A) a first and last name; (B) a home or other physical address including street name and name of a city or town; (C) an e-mail address; (D) a telephone number; (E) a Social Security number; (F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or (G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph. (9) VERIFIABLE PARENTAL CONSENT.—The term "verifiable parental consent" means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.
Response to the 2008 NAI Principles: The Network Advertising Initiative’s Self-Regulatory Code of Conduct for Online Behavioral Advertising
Date CapturedThursday February 12, 2009 06:43 PM
[CDT believes the 2008 NAI Principles, while late in addressing new trends in the industry, demonstrate clear progress over the original code of conduct adopted in 2000. The transparency of the NAI’s revision and compliance process, the approach to sensitive information, and the coverage of advertising practices beyond behavioral advertising all represent important steps forward. While robust self-regulation in the behavioral advertising space does not obviate the need for a baseline federal privacy law covering data collection and usage of all kinds, the NAI has made advances in several areas, yielding what we hope will be better protections for consumer privacy. However, the 2008 NAI Principles still come up short in crucial respects including the opt-out choice requirement, the notice standard, the NAI member accountability model, the failure to address ISP behavioral advertising, the lack of a choice requirement for multi-site advertising, and the data retention principle. Some of these are outstanding issues that have existed within the NAI framework since its inception, while others are new concerns raised by the updates to the principles.]
FTC Staff Revises Online Behavioral Advertising Principles
Date CapturedThursday February 12, 2009 06:19 PM
The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and personalization that many consumers appear to value. It also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected – including sensitive information regarding health, finances, or children – could fall into the wrong hands or be used for unanticipated purposes. Consistent with the FTC’s overall approach to consumer privacy, the report seeks to balance the potential benefits of behavioral advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace.

Health

CDT Testimony before House Health Subcommittee, June 04, 2008
Date CapturedWednesday June 04, 2008 04:20 PM
CDT Testimony Supports Draft Health Health Information Legislation -- We need a comprehensive privacy and security framework that is based on fair information practices (i.e., the Markle Foundation Common Framework) and sets clear guidelines for use and disclosure of electronic health information. The framework should build on HIPAA and incorporate protections for health information held by non-health care entities.CDT today testified before the House Health Subcommittee in support of draft legislation regarding health information technology and privacy legislation. CDT supports the draft language because it takes critical steps toward the goal of a comprehensive privacy and security framework, and targets many of the key issues raised by the new e-health environment. CDT urged the Subcommittee to develop this framework by building on the HIPAA Privacy and Security Rules. CDT also recommended including strong protections for health information held, or managed on behalf of consumers, by employers and companies not part of the traditional health care system

Healthcare

Health care meets social networking
Date CapturedThursday January 22, 2009 03:59 PM
Jacksonville Business Journal - Kimberly Morrison -- [Mayo Clinic, which has a campus in Jacksonville, has come a long way in just a few years, since adding a Facebook page with more than 3,000 friends, a YouTube channel with videos of doctors talking about illness, treatments and research, a health blog for consumers and another for media to improve the process of medical reporting. It’s also creating “secret groups” on Facebook to connect patients to others with similar illnesses, an area it hopes to expand in the future. But that’s just the tip of the iceberg in the brave new world of Health 2.0.]

HIPAA

Health care meets social networking
Date CapturedThursday January 22, 2009 03:59 PM
Jacksonville Business Journal - Kimberly Morrison -- [Mayo Clinic, which has a campus in Jacksonville, has come a long way in just a few years, since adding a Facebook page with more than 3,000 friends, a YouTube channel with videos of doctors talking about illness, treatments and research, a health blog for consumers and another for media to improve the process of medical reporting. It’s also creating “secret groups” on Facebook to connect patients to others with similar illnesses, an area it hopes to expand in the future. But that’s just the tip of the iceberg in the brave new world of Health 2.0.]
The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
Date CapturedThursday December 18, 2008 04:56 PM
The principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information below establish a single, consistent approach to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation’s adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a netwo
CDT Testimony before House Health Subcommittee, June 04, 2008
Date CapturedWednesday June 04, 2008 04:20 PM
CDT Testimony Supports Draft Health Health Information Legislation -- We need a comprehensive privacy and security framework that is based on fair information practices (i.e., the Markle Foundation Common Framework) and sets clear guidelines for use and disclosure of electronic health information. The framework should build on HIPAA and incorporate protections for health information held by non-health care entities.CDT today testified before the House Health Subcommittee in support of draft legislation regarding health information technology and privacy legislation. CDT supports the draft language because it takes critical steps toward the goal of a comprehensive privacy and security framework, and targets many of the key issues raised by the new e-health environment. CDT urged the Subcommittee to develop this framework by building on the HIPAA Privacy and Security Rules. CDT also recommended including strong protections for health information held, or managed on behalf of consumers, by employers and companies not part of the traditional health care system

Information Policy

Cisco 2008 Annual Security Report -- Highlighting Global Security Threats and Trends
Date CapturedMonday December 15, 2008 04:21 PM
[This year's report reveals that online and data security threats continue to increase in number and sophistication. They propagate faster and are more difficult to detect. Key report findings include: Spam accounts for nearly 200 billion messages each day, which is approximately 90 percent of email sent worldwide. The overall number of disclosed vulnerabilities grew by 11.5 percent over 2007. Vulnerabilities in virtualization products tripled to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization technologies to increase cost-efficiency and productivity Over the course of 2008, Cisco saw a 90 percent growth rate in threats originating from legitimate domains; nearly double what the company saw in 2007. Spam due to email reputation hijacking from the top three webmail providers accounted for just under 1 percent of all spam worldwide, but constituted 7.6 percent of all these providers' mail. Fortunately, responses to these threats and trends are improving. Advances in attack response stem from the increased collaboration between vendors and security researchers to review, identify, and combat vulnerabilities.]

International

Canadian airlines plead with government to solve U.S. security dilemma
Date CapturedThursday January 07, 2010 08:04 PM
C Jim Bronskill (CP) -- [OTTAWA — Canada's major airlines say they will be forced either to break privacy laws or to ignore new American air security rules unless the federal government comes up with a response to U.S. demands for passenger information.]

Legislation

Predatory Marketing Law Opposed By AOL, News Corp., Yahoo, Others
Date CapturedSunday August 30, 2009 08:59 PM
A new privacy law in Maine is facing a court challenge from media organizations as well as a coalition of online companies including AOL, News Corp. and Yahoo. [The new law, officially titled "An Act To Prevent Predatory Marketing Practices against Minors," prohibits companies from knowingly collecting personal information or health-related information from minors under 18 without their parents' consent. The measure also bans companies from selling or transferring health information about minors that identifies them, regardless of how the data was collected. ] [Privacy advocate Jeff Chester said the law's basic premise is valid, but that it "likely needs to be revised to accommodate concerns about its impact on educational and other non-profit uses." ]
Washington State HB 1005 - 2009-10
Date CapturedMonday December 15, 2008 06:41 PM
Requiring a commercial web site that collects personally identifiable information to post a privacy policy.

Location Based Services

Location-based service
Date CapturedThursday April 30, 2009 10:12 PM
Wiki - [A location-based service (LBS) is an information and entertainment service, accessible with mobile devices through the mobile network and utilizing the ability to make use of the geographical position of the mobile device]
Google Becomes Default Location Provider For Firefox
Date CapturedThursday April 30, 2009 06:47 PM
TechCrunch.com -- Jason Kincaid -- [Google says that the data isn't currently being used for advertising purposes (at least for now), and that this is really about getting location-based functionality deployed to the web. But even without the advertising dollars, there is one very major upside: Google is going to be able to perfect its location database, with millions of users tapping into it on a daily basis. And that database is going to be extremely valuable going forward. ]

National Security

Canadian airlines plead with government to solve U.S. security dilemma
Date CapturedThursday January 07, 2010 08:04 PM
C Jim Bronskill (CP) -- [OTTAWA — Canada's major airlines say they will be forced either to break privacy laws or to ignore new American air security rules unless the federal government comes up with a response to U.S. demands for passenger information.]
Testimony of Secretary Janet Napolitano before the House Committee on Homeland Security on DHS, The Path Forward
Date CapturedWednesday February 25, 2009 03:13 PM
Release Date: February 25, 2009 - The Committee’s platform items: [Improving the governance, functionality, and accountability of the Department of Homeland Security; enhancing security for all modes of transportation; strengthening our Nation: response, resilience, and recovery; shielding the Nation’s critical infrastructure from attacks; securing the homeland and preserving privacy, civil rights, and civil liberties; connecting the dots: intelligence, information sharing, and interoperability; implementing common-sense border and port security; and inspiring minds and developing technology – the future of homeland security. ]

News

Get Cocoon Daily Privacy News
Date CapturedSaturday October 06, 2012 01:30 PM
Great resource.

Real ID

Bill Introduced To Repeal Failed Real ID Act (7/31/2009) Bill Would Protect Civil Liberties And Drivers' License Security
Date CapturedSunday August 09, 2009 05:13 PM
WASHINGTON – In a welcome move today, legislation was introduced in the House of Representatives to repeal the discredited Real ID Act of 2005. The REAL ID Repeal and Identification Security Enhancement Act of 2009, introduced by Representative Steve Cohen (D-TN), would repeal Real ID and replace it with the original negotiated rulemaking process passed by Congress as part of the 9/11 Commission recommendations. Twenty-five states have already rejected Real ID, citing its high cost, invasiveness and the bureaucratic hassles it creates for citizens. The Real ID Act of 2005 directs states to issue a federally-approved driver's license or other form of ID that would be necessary for airline travel and become part of a national database. Like state governments from coast to coast, the American Civil Liberties Union has long opposed the Act as too invasive, too much red tape and too expensive.

Records Management

Privacy: On Doing No Harm
Date CapturedFriday December 12, 2008 01:22 PM
Privacy: On Doing No Harm -- by Steve Smith -- [The launch of the AT&T-backed Future of Privacy Forum last month (see our own interview with principal Joel Polonetsky here ) sparked discussion about how digital media should best address the debate. Matthew Wise, CEO, Q Interactive and former senior vice president of account services at Draft, is a member of the Interactive Advertising Bureau board who takes issue with some of the early statement by FPF members. Rather than start the debate over whether data is or should be collected, Wise argues here that the argument really should surround data's proper use.]

Regulation

In the garden of Google and evil
Date CapturedMonday May 11, 2009 05:55 PM
Computer World - Robert L. Mitchell -- [As the focus by regulators and privacy advocates intensifies, Google should take a leadership role in developing pro-consumer privacy laws and best practices. If it doesn't, Google could eventually lose the good will it has with its users, and regulators could make it the poster boy for privacy on the Web. Google need look no further than Microsoft to see how quickly public opinion can change for a defacto monopoly. ]

Research

Americans Reject Tailored Advertising and Three Activities that Enable It
Date CapturedMonday October 05, 2009 07:01 PM
[First, federal legislation ought to require all websites to integrate the P3P protocols into their privacy policies. That will provide a web-wide computerreadable standard for websites to communicate their privacy policies automatically to people’s computers. Visitors can know immediately when they get to a site whether they feel comfortable with its information policy. An added advantage of mandating P3P is that the propositional logic that makes it work will force companies to be straightforward in presenting their positions about using data. It will greatly reduce ambiguities and obfuscations about whether and where personal information is taken. · Second, federal legislation ought to mandate data-flow disclosure for any entity that represents an organization online. The law would work this way: When an internet user begins an online encounter with a website or commercial email, that site or email should prominently notify the person of an immediately accessible place that will straightforwardly present (1) exactly what information the organization collected about that specific individual during their last encounter, if there was one; (2) whether and how that information was linked to other information; (3) specifically what other organizations, if any, received the information; and (4) what the entity expects will happen to the specific individual’s data during this new (or first) encounter. Some organizations may then choose to allow the individuals to negotiate which of forthcoming data-extraction, manipulation and sharing activities they will or won’t allow for that visit. · Third, the government should assign auditing organizations to verify through random tests that both forms of disclosure are correct—and to reveal the results at the start of each encounter. The organizations that collect the data should bear the expense of the audits. Inaccuracies should be considered deceptive practices by the Federal Trade Commission. The three proposals follow the widely recognized Federal Trade Commission goals of providing users with access, notice, choice, and security over their information. Companies will undoubtedly protest that these activities might scare people from allowing them to track information and raise the cost of maintaining databases about people online. One response is that people, not the companies, own their personal information. Another response is that perhaps consumers’ new analyses of the situation will lead them to conclude that such sharing is not often in their benefit. If that happens, it might lead companies that want to retain customers to change their information tracking-and-sharing approaches. The issues raised here about citizen understanding of privacy policies and data flow are already reaching beyond the web to the larger digital interactive world of personal video recorders (such as TiVo), cell phones, and personal digital assistants. At a time when technologies to extract and manipulate consumer information are becoming ever-more complex, citizens’ ability to control their personal information must be both more straightforward and yet more wide-ranging than previously contemplated.]Turow, Joseph, King, Jennifer, Hoofnagle, Chris Jay, Bleakley, Amy and Hennessy, Michael, Americans Reject Tailored Advertising and Three Activities that Enable It (September 29, 2009). Available at SSRN: http://ssrn.com/abstract=1478214
In-Depth Summary of Changes to FERPA Rules
Date CapturedThursday December 11, 2008 07:54 PM

RFID

Video: Hacker war drives San Francisco cloning RFID passports
Date CapturedTuesday February 03, 2009 07:21 PM
Thomas Ricker - [Chris recently drove around San Francisco reading RFID tags from passports, driver licenses, and other identity documents. In just 20 minutes, he found and cloned the passports of two very unaware US citizens.]

Safe Harbor

Safe Harbor
Date CapturedFriday November 13, 2009 06:44 PM
[Since 2005, the United States, the European Commission and the Article 29 Working Party on Data Protection have convened annually to review the progress made on the U.S.-EU Safe Harbor Framework and examine the latest developments in compliance, data protection and privacy that have occurred nationally, regionally and globally. This year’s conference continues the commitment between the United States and the European Union regarding the agreement concluded in 2000 on transfers of personal data from the European Union to the United States for commercial purposes. The EU’s Data Protection Directive, implemented in 1998, provides member states with the authority to block such transfers to countries whose privacy enforcement regime does not meet the directive’s requirements. Under the US-EU Safe Harbor Framework, the United States received an “adequacy” determination from the European Commission limited to those U.S. organizations that self-certified to Safe Harbor which allows data transfers to take place without prior approval.]
FTC Settles with Six Companies Claiming to Comply with International Privacy Framework
Date CapturedWednesday October 07, 2009 09:28 PM
[For Release: 10/06/2009 - Six U.S. businesses have agreed to settle Federal Trade Commission charges that they deceived consumers by falsely claiming they were abiding by an international privacy framework that provides a means for U.S. companies to transfer data from the European Union to the United States in keeping with EU and U.S. law. According to six separate complaints filed by the FTC, the six companies deceptively claimed they held current certifications under the EU/U.S. Safe Harbor framework. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The FTC complaints charge World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC with representing that they held current certifications to the Safe Harbor program, even though the companies had allowed their certifications to lapse. Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. Consumers who want to know whether a U.S. company is a participant in the Safe Harbor program can go to http://export.gov/safeharbor to see if the company holds a current self-certification. These cases are being brought with the invaluable assistance of the U.S. Department of Commerce. The Commission vote to approve the administrative complaints and proposed settlement agreements was 4-0. The FTC will publish an announcement regarding the agreements in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through November 5, 2009, after which the Commission will decide whether to make them final. To file a public comment, please click on the following hyperlink: http://www.ftc.gov/os/2009/10/sixcasespubliccomment.pdf and follow the instructions at that site. Copies of the complaints, the proposed settlement agreements, and the analyses of the agreements to aid in public comment are available from both the FTC’s Web site http://www.ftc.gov and the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580.]

Smart Grid

The Smart Grid and Privacy
Date CapturedSunday February 21, 2010 07:14 PM
Concerning Privacy and Smart Grid Technology

Social Networking

Facebook to modify its privacy guidelines
Date CapturedSaturday August 22, 2009 06:55 PM
By Matt Hartley, Financial Post [Facebook Inc. says it's on the same page as Canada's top privacy watchdog and plans to tweak its privacy and security policies to bring the world's largest social network in line with Canadian privacy law.]
A Facebook ‘Bug’ Revealed Personal E-mail Addresses
Date CapturedThursday May 07, 2009 07:12 PM
NY Times -- Gadget -- Riva Richmond [“In the course of one day I had Facebook go through over 10,000 e-mail addresses; ranging from reporters of prominent newspapers and CNN, to board of directors of Microsoft, Google, and Gates Foundation, and even the entire staff directories of government organizations and the World Bank,” Mr. Sheppard said in an e-mail message to a New York Times editor. “Of those it did find on Facebook, over 30% had their personal email addresses listed, which Facebook gladly gave me, without any of [the Facebook users] knowing.”]
Facebook Makes Another Privacy Blooper
Date CapturedThursday May 07, 2009 06:58 PM
Daily Examiner -- Wendy Davis - [Regardless of whether Facebook broke the law, users likely aren't going to be thrilled to learn that the site believes it can censor messages. If the company wants to be taken seriously as a communications platform, executives are going to have to start giving more consideration to users' privacy rights. ]
Health care meets social networking
Date CapturedThursday January 22, 2009 03:59 PM
Jacksonville Business Journal - Kimberly Morrison -- [Mayo Clinic, which has a campus in Jacksonville, has come a long way in just a few years, since adding a Facebook page with more than 3,000 friends, a YouTube channel with videos of doctors talking about illness, treatments and research, a health blog for consumers and another for media to improve the process of medical reporting. It’s also creating “secret groups” on Facebook to connect patients to others with similar illnesses, an area it hopes to expand in the future. But that’s just the tip of the iceberg in the brave new world of Health 2.0.]
- Adults and Social Network Websites
Date CapturedWednesday January 14, 2009 06:20 PM
Pew Internet, Amanda Lenhart -- [When users do use social networks for professional and personal reasons, they will often maintain multiple profiles, generally on different sites. Most, but not all adult social network users are privacy conscious; 60% of adult social network users restrict access to their profiles so that only their friends can see it, and 58% of adult social network users restrict access to certain content within their profile.]

TSA

Canadian airlines plead with government to solve U.S. security dilemma
Date CapturedThursday January 07, 2010 08:04 PM
C Jim Bronskill (CP) -- [OTTAWA — Canada's major airlines say they will be forced either to break privacy laws or to ignore new American air security rules unless the federal government comes up with a response to U.S. demands for passenger information.]

WHTI

Video: Hacker war drives San Francisco cloning RFID passports
Date CapturedTuesday February 03, 2009 07:21 PM
Thomas Ricker - [Chris recently drove around San Francisco reading RFID tags from passports, driver licenses, and other identity documents. In just 20 minutes, he found and cloned the passports of two very unaware US citizens.]

Back to Top of Page


Protecting Children's Privacy | Information Policy News | FERPA | Learning Links | Attendance | about | contact edny | site map