States Busy With New Laws
- From the June 2014 issue
State legislators have been extraordinarily busy in the past 14 months enacting privacy-protective legislation. During the same period, Congress did not pass any notable pro-privacy reforms.
PRIVACY JOURNAL has counted more than 60 important laws on privacy enacted by state legislators in the 12 months since publication of its 2013 Compilation of State and Federal Privacy Laws. The new laws are described with legal citations in the 2014 Supplement, available in hard copy or pdf email attachment for $16.
The 2013 book with the supplement included is $40 (postage included) and the digital version is $28.50.
The book and supplement describe each law, grouped by states and by categories, and include the legal citation of each state law.
A total of 17 states, 12 of them in the past year, have passed laws restricting employers from demanding social-media passwords or access to personal sites belonging to applicants or employees. In recent months ten states have extended these protections to students in higher education. Louisiana, Michigan, New Mexico, Oregon, Utah, and Washington State have extended this protection to students in high schools and secondary schools as well. Wisconsin includes landlords in the prohibition.
Surveillance by Drones
Lawmakers in blue and red states alike have turned their attention to regulating law enforcement’s use of unmanned aircraft for surveillance (drones). New laws in nine states require the government to have court approval before using drones for surveillance or for capturing images. North Carolina and Virginia have enacted moratoria on drone use by the government, both expiring in mid-2015. Oregon requires state registration of all drones and bans their use as weapons.
Access to Metadata
Montana is apparently the first state to limit government agencies from getting access to location information from telephone providers (metadata) unless there is consent, an emergency, a search warrant, or a report of a stolen device. Texas seems to be the first state to require by statute a court warrant for law enforcement to procure email content. The law is written in such a way as to authorize access to email as much as to restrict it. The statute claims that Texas authorities may seize email content outside of Texas.
There has been a significant campaign throughout the U.S. to “ban-the-box.” That is the box found on many job applications asking whether applicants have ever been arrested or convicted. Many applicants have said that checking the box virtually assures that an application will be ditched.
Therefore, reformers have asked state legislators to enact “ban-the-box” laws. The laws require elimination of the inquiry, whether it is in writing or verbally, until an applicant has been determined to meet the minimum requirements for a position and moves to the second stage of consideration for a job, usually an interview.
Hawaii passed the first “ban-the-box” law in the nation, in 1998. In the past 18 months, ten states have followed suit. Some laws cover government employment; others cover public and private employment. In addition, Georgia and Illinois have banned the box administratively.
Employers’ Electronic Monitoring
Connecticut and Delaware now prohibit electronic monitoring of employees without advance notice.
California legislators continue to occupy themselves with advancing the pro-privacy laws in their state. In the past 12 months, they required Web sites to notify the public that they are forbidden from using personal data about minors in marketing. Kids now have rights to remove some data about themselves from Web sites.
‘Smart Grid’ Restrictions
Utilities in California are restricted in secondary uses of customer data in so-called “smart grid” technology, which allows precise pricing based on usage. This is the first such law in the nation.
The 2014 supplement shows the varied dimensions of PRIVACY in this decade.
Schools May Not Require SSNs
- From the May 2014 issue
The federal government has again instructed school districts that they may not require Social Security numbers of students or parents. The guidance came in a memo from the Department of Justice and Department of Education in May emphasizing previously issued prohibitions against rejecting immigrant children, whether or not they came to this country illegally.
Canadian Internet Traffic Monitored in U.S.?
- From the May 2014 issue
The revelation in June 2013 about widespread surveillance by the National Security Agency has led to an effort in Canada to stop Internet service providers there from routing Canadians’ communications through the U.S.
"Twenty-five percent of Internet traffic that originates and terminates in Canada travels via the U.S., where unprotected by either Canadian or U.S. legal systems, it is subject to NSA surveillance. We call this ‘boomerang’ traffic," says a research team at the University of Toronto. In the process the group determined that no ISP in Canada fully complies with the nation's privacy law, PIPEDA. In response, they created IVmaps.ca, a mapping tool that displays the routing of personal data of Canadians through the U.S.
Get the full story by asking for a sample of our May 2014 issue.
A Guide for the Frugal Privacy Seeker
By Publisher Robert Ellis Smith
From the March 2014 edition
A Washington author used up space in The New York Times early this month telling readers that protecting your privacy is expensive. “Last year, I spent more than $2200 and countless hours to protect my privacy,” she wrote.
I didn’t. In my 40 years in this business, it has cost me less than $50 a year and only a few hours a year to provide myself a strong sense of privacy.
Some strategies are essential:
1. Protect your Social Security number at all times. Don’t give it out even though it seems that you may be penalized for it.
2. Avoid “credit monitoring services,” paper shredders, apps, “identity-theft protection,” anti-eavesdropping experts, Internet filters, unless you want to spend a lot of money.
3. Think of Noah’s Ark. To protect your privacy, think in twos. Rip in half any documents with vital personal information on them, including Social Security numbers, bank-account figures, or credit-card numbers. Deposit them in separate side-by-side trash containers. Empty each trash can at alternating times. Or use a paper shredder if you still want to spend money.
Use two personal phone numbers, one for your friends and another for commercial transactions and public circulation. Use a personal mailing address and a “public” mailing address, which can be a post office box, a commercial mail-receiving firm, an office address, or a landlord’s address. This second address will not disclose your physical whereabouts, or that of your children.
Have two Internet service providers and electronic-mail providers, one for sensitive uses and the other for “public” uses. Have two credit cards, one for point-of-sale use and one for online use. If something goes wrong online, you can promptly cancel that credit card with no inconvenience at all.
Use a second, out-of-town doctor to disguise certain sensitive treatments, if necessary.
There are many more tips in this article in the March 2014 issue. Ask for a free copy at email@example.com.
And many more tips on this Web site, at Privacy Tips.
PRIVACY JOURNAL publisher Robert Ellis Smith has expanded his interest in personal privacy and solitude to explore the lure that islands hold for all of us, as places to live or places to escape. He has published "The Magnetism of Islands," an eBook that takes you to real and literary islands to discover how much alike they are, whether urban or rural, New England or South Pacific. "The Magnetism of Islands" is available from Kindle.com to download to your electronic reading device or directly from PRIVACY JOURNAL, firstname.lastname@example.org. The price is $9.50.
- From the January 2014 issue
Drones and the Current Law
By Brian Stern and Matthias Rubekeil
Many UAVs [drones] can carry sensors and cameras that produce quality real-time imagery, making them ideal vehicles for surveillance tasks. Combining sensor capabilities with facial or biometric recognition software would make UAVs even more appealing for such purposes and allow potentially significant intrusions and threats to the constitutional right to privacy. . . . .
While the U.S. Supreme Court has not yet addressed the use of drones in conducting domestic surveillance, there are cases that could be instructive.
First, there are cases pertaining to surveillance by manned aircraft, where police have attempted to investigate marijuana-growing operations based on information obtained from tipsters. . . . .
Under current regulations, it is easier for private citizens to fly a drone than to obtain a license to operate a car. . . . Get the full story by asking for a sample copy of our December 2013 issue.
Hackers Get into Consumer Data
- From the November 2013 issue
A shady service that sells Social Security numbers and drivers license numbers – as well as bank-account and credit-card data on millions of Americans – purchased much of its data from a company owned by Experian, one of the three major credit bureaus, according to a story in the November 2013 issue.
An information broker that sells Social Security numbers, dates of birth, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to an accompanying article in the same issue.
The Web site ssndob.ms (sometimes referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, dates of birth, and other personal data on nearly all U.S. residents.
Portable Police Device to ID Suspects Instantly
-- From the October 2013 issue - Ask for a free copy
Within seconds of the fatal shooting of the gunman in the Washington Navy Yard massacre Sept. 16, law enforcement personnel on the scene were able to apply a hand-held device to his hand and determine his identity and possible encounters with police.
The prints gathered by the device are run through an electronic database, usually operated by individual states, creating a rapid search for identities and outstanding warrants.
In this case, the instant identification of Aaron Alexis, the presumed gunman, was probably not crucial. He was carrying an identity document permitting access to the naval complex and employees within the complex were browsing the Internet on their office computers to determine his identity within moments of when the shooting began.
The New York City Police Department has had this high-tech capability for more than five years.
The NYPD has about 20 of the MorphoTrak readers, at a cost of about $5,000 each. . . .
'Something Else to Worry About'
-- From the September 2013 issue
It is the curse – or the responsibility – of this publication to greet readers each month with Something Else to Worry About.
This month it is “The Internet of Things.” The Oxford English Dictionary, often the arbiter of acceptable current language, added the phrase to its definitions last month, at the same time that The National Geographic magazine took notice.
This month, as a prelude to a workshop in Washington on the concept, the Federal Trade Commission presented what is perhaps a garden-variety deceptive-advertising case involving providers of home-security services as its first “Internet of Things” enforcement action. Ask for a sample copy of our September 2013 issue for the full story.
“The recent news about the extent to which the U.S. government is monitoring the communications, online interactions and activities of American citizens brings into question our ethical responsibilities as privacy professionals,” writes Mozilla Chief Privacy Officer Alex Fowler in an open letter to his colleagues, corporate privacy officers. Keep up with this important stuff. Subscribe to the newsletter and stay current each month.
Shouldn't Equifax Be Ineligible for Federal Money?
-- From the August 2013 issue [Ask for a free copy.]
The U.S. Department of Health and Human Services has extended a lucrative contract to the discredited national credit-reporting company Equifax to check whether low-income applicants qualify for government subsidies for health-insurance coverage in the new Obamacare program.
Since the Fair Credit Reporting Act was enacted in 1971, the Atlanta-based company has been under Federal Trade Commission orders to comply with the act. The FTC has forced Equifax to submit to regular compliance audits. Normally businesses subject to such federal sanctions are placed on a list of non-responsible bidders and therefore ineligible for federal contracts.
Letter to the Editor
- From the July 2013 issue
From Florida: How do you respond to people who say that nabbing the Boston Marathon bombers and the potential for catching other criminals justifies the blizzard of camera installations around the country?
What methods have you found to be effective in persuading people to care about privacy and its preservation?
Response: We urge our readers and Web-site visitors to submit responses to these queries.
Our response is that we should not include the NSA surveillance, the anti-terrorist law enforcement activity in the U.S. including camera surveillance, and commercial snooping in the same all-inclusive eulogy for the death of privacy. They have different roots and different motivations.
We should remember that it was an eyewitness identification of one suspect that led to the solution of the Boston Marathon case. Camera surveillance tapes were then used to notify the wider community of the suspects’ identities.
Law enforcement will tell you that TV cameras all over town rarely deter crime; they lead to the capture of suspects. But even that use will have diminishing effectiveness, as the equipment rusts, gets blown off target by weather, gets vandalized and broken. And perhaps as Americans get annoyed with it.
Further, most Americans give up more of their own privacy than is taken away from them by government or business. And they give it up for mere convenience, without regard to the sacrifices made by our American forebears to assure a right to privacy.
What’s important is that we not resign ourselves to a life without privacy and individualism, that we do not take a bemused attitude towards what is essentially a betrayal of American values.
Even if you yourself are not interested in privacy, there are many persons for whom privacy is essential and worth fighting for. A sense of privacy and autonomy is essential for sound mental health. Without it, there is no originality of thought, no intellectual risk taking, no willingness to challenge conventional wisdom.
The great danger is that we become a nation of sheep, mindlessly exchanging trivial comments over communications systems that we subconsciously no longer trust. Individuals in this decade have under their control an unprecedented array of communications technology; yet we use it for silly purposes.
By David Lee Dallas
--- From the April 2013 edition
What my experience with nudity in a student theater production taught me was the significance of earning the nudity within the context of the story being told. If the nudity exists fully and fluidly within the narrative and thematic realm of the piece, it becomes inseparable from the piece, and not an entity itself. Audiences understood why the character is naked, and thus they had no concern for, or even cognizance of, the actor’s nudity. Ultimately, what matters, what is permanent for the audience, is the why of the nudity, not the body or the memory of the body.
. . . The fact of my naked body standing on that stage remains in the privacy of the play's theatrical space, a space cleaved open when the house lights dimmed and closed shut when they came back on.
-- From the April 2013 edition
Compelled by a court order sought by the Electronic Privacy Information Center 18 months ago, the Transportation Security Administration has launched an opportunity for citizens to comment on airport screening procedures. TSA has a policy of declining to admit that the procedures capture images of the nude human body; they use the euphemism “advanced image technology.” Travelers have a right to opt out of these scanners, but this is not always clearly announced and the alternative may be less palatable for many – a shockingly intrusive pat-down. It’s not clear that the scanners detect explosives. The public comment process will end June 24. To submit comments, go to http://www.regulations.gov/. To find recommendations on commenting by EPIC, go to http://epic.org/.
Protections From Domestic Drones Overhead?
-- From the March 2013 issue; ask for a free copy
After a full year of acting as if no privacy safeguards protect against spying by drones flying overhead in the U.S. or are necessary, the federal government now says that it will develop privacy protections in a rule-making process.
The Federal Aviation Administration Modernization and Reform Act passed in February 2012 gave the go-ahead to drone use within the U.S., and several privacy groups, including the American Civil Liberties Union, Center for Democracy and Technology, Electronic Frontier Foundation, and Electronic Privacy Information Center wrote to the FAA urging privacy protections. Last month, the FAA wrote back, saying that it would develop them.
Letter to the Editor From a Security Specialist
I recommend that Facebook users perform a self-audit of their profiles at least annually. Chances are this audit will reveal that you are sharing way more information about yourself than you understood. And with the new Facebook Graph Search [see PJ Feb 13], more people than you ever intended will be able to find this information. To conduct a self-audit, download your expanded Facebook archive (important to choose this option) by following the directions at http://readwrite.com/2013/02/01/how-to-backup-your-facebook-data-in-5-easy-steps. As well, you may find this article from TIME Tech helpful in reviewing your privacy settings on Facebook: http://techland.time.com/2013/02/15/how-to-check-your-facebook-privacy-settings/.
Evidence of Intrusive Spying on Muslims in U.S.
-- From the February 2013 issue
Shocking assertions of police surveillance in the anti-terrorism age against law-abiding citizens, most of them Muslims, came from two different sources this month.
Both sources said that the spying was expensive, excessive, invasive, unconstitutional, and ultimately ineffective in identifying terrorism suspects.
Lawyers representing the New York Civil Liberties Union filed papers in federal court in Manhattan Feb. 4 seeking to stop the N.Y. Police Department from creating dossiers on innocent Muslim New Yorkers and to end the police department’s ability to initiate investigations into Muslims when there is no belief that they have engaged or are about to engage in unlawful activity or an act of terrorism.
Secondly, a book published this month asserts, “Since 9/11 the FBI has built the largest network of spies ever to exist in the United States – with ten times as many informants on the streets today as there were during the infamous Cointelpro operations under FBI Director J. Edgar Hoover – with the majority of these spies focused on ferreting out terrorism in Muslim communities. Agents provocateurs were behind most of the scary terrorist plots you’ve heard about since 9/11.”
The author of the expose, The Terror Factory, is Trevor Aaronson, a highly recognized investigative journalist who has amassed information about the FBI’s activities and expenditures over the past ten years (http://trevoraaronson.com). He writes that he discovered “how the government has exaggerated the threat of Islamic terrorism in the U.S.”
Get the full story in the February 2013 issue, available without charge if you request by email or telephone.
Privacy Advocates Counteract Corporate Lobbying in Europe
Public-interest advocates in Washington have taken the unusual step of packing their bags and traveling to Europe to counteract corporate lobbying to diminish data-protection legislation in the European Parliament. One organization has taken the unprecedented step of hiring a new staff person specifically to lobby for privacy protections in Europe.
The group met with Members of the European Parliament in Brussels last month.
In California, App Must Have Policy and Live By It
- From the January 2013 issue of Privacy Journal
FTC's Privacy Compliance Powers Challenged
When the Wyndham hotel chain was sued by the Federal Trade Commission last summer after experiencing three serious hacking incidents involving theft of customer billing data, the corporation struck back, filing a motion to dismiss, saying that the FTC had no authority to do what it was doing. Most businesses have accepted the commission's authority in this area. The U.S. Chamber of Commerce and other business interests immediately jumped to the defense of the company.
Get the full stories and more, by getting a sample copy of the January 2013 issue of PRIVACY JOURNAL.
Federal Trade Commission Steps Up Enforcement
In its December 2012 issue, Privacy Journal described sanctions and penalties issued in the past 12 months by the federal government's prime agency for enforcing requirements that companies abide by their promises to keep information secure, accurate, and timely.
Among the companies that faced monetary penalties and requirements that they open their books to regular audits by the FTC are:
MySpace; Facebook; Equifax Information Services, Inc., one of the three major consumer reporting agencies; Direct Lending Source, Inc., one of Equifax' partners in a list-rental scheme; Google, for bamboozling customers of the Google Buzz social-media product in 2010.
Spokeo of Pasadena, Calif., which aggregates postal and email addresses and telephone numbers from public records and social-media sites and sells them to employment recruiters; HireRight Solutions, an Irvine, Calif. firm that does background checks for employers.
Compete.com of Boston; DesignerWare, a software supplier; RockYou, developer of social games; EPN, Inc., a Utah debt collector; Franklin Toyota in Statesboro, Ga.; Upromise, an online rebate service; ScanScout, a broker on online video ads.
The FTC had to order Google to appoint a privacy officer. In January, the same agency ordered Google to change some practices that the agency said were monopolistic.
Only Privacy Journal compiled this detailed listing and published it.
Kids Creating Own Online Schoolhouses
By Michael Levin
-- from the November 2012 issue
The Internet affords children endless opportunities to get into serious trouble, downloading what they shouldn’t download, looking at what they shouldn’t be looking at, and getting ideas about what they shouldn’t be getting ideas about.
But the good news is that if your kids are like mine, they may be doing some or all of those things, but there’s another use for the Internet that’s attracting their time and attention.
It’s called teaching. . . .
May Companies Control Facebook Use at Work?
The staff of the National Labor Relations Board, which investigates unfair labor practices, has considered several cases involving possible or actual discipline of employees using social media like YouTube, blogs, and Facebook. In at least six cases, Acting General Counsel Lafe E. Solomon found the company policies on use of social media by employees “overbroad and thus unlawful under the National Labor Relations Act.”
[In the November issue: the text of what the NLRB considers a lawful company policy on Facebook use. Ask us for a free copy.]
Important Items From our October issue:
“A bipartisan Senate investigation shows that fusion spying centers do not keep us safe but, instead, waste billions of tax dollars, violate civil liberties of ordinary Americans, and utterly fail to stop terrorists,” according to Carol Rose, executive director of the American Civil Liberties Union of Massachusetts.
Rose has been alerting the public to the dangers of these federally funded centers of federal, state, and local law-enforcement intelligence officers since they were created after the 2001 terrorist attacks. They were a reaction to the revelations that intelligence officers at different levels were not “connecting the dots” by sharing terrorism clues they had in their possession.
* * *
The health-care compliance office in the U.S. Department of Health and Human Services has finally approached collecting a $4.3 million fine it assessed in February 2011 against Cignet Health, a clinic in suburban Washington, for major violations of the HIPAA rule.
* * *
Despite deep ideological divisions, Democrats and Republicans in Congress still can find common ground on one thing: their frustration with Medicare. Five years after being told to look at taking Social Security numbers off Medicare cards, Medicare officials told lawmakers at a tense House hearing this summer that they still need six more months to figure out how much it will cost.
* * *
New high-definition cameras are being rolled out across United Kingdom cities without public consultation into the intrusion they pose, the United Kingdom’s first “surveillance commissioner” has told "The Independent."
Andrew Rennison said that the increasing sophistication of surveillance technology is becoming so serious that Britain may be in breach of its own human rights laws. There are an estimated 1.85 million CCTV (closed-circuit) cameras in the U.K., but no one really knows.
* * *
California Gov. Jerry Brown has signed two bills prohibiting employers and educational institutions from requiring or coercing disclosure of passwords or other means to access personal information on social-media sites. Gov. Brown vetoed a bill that would have required law enforcement officers to get a search warrant in order to obtain location information generated by a cell phone, tablet computer or automobile navigation system (GPS).
* * *
Do You Have Klout, or Merely Clout?
By Lini S. Kadaba - From the July 2012 issue
What’s Your Klout Score?
Increasingly, that’s the question asked during job interviews, before first dates and for the chance to win cool trips.
For the clueless, Klout is the four-year-old, controversial grandaddy of social scoring, in which a top-secret algorithm distills the ability to influence online action into a single number between 0 and 100. Think of it as a credit score for the social Net.
Get the full story; ask for a free copy of our July 2012 issue.
The Eavesdropping Fanatic
- From the July 2012 issue
Nanette and Norman had an intimate relationship from 2001 to 2007. Then things went sour. Very sour.
In February 2007 they quit seeing each other. In July 2007, a plumber informed Nanette (not her real name) that he found suspicious equipment between the floor joists in the small crawl space beneath her house in central Connecticut. The woman, a medical assistant, promptly called the local police and asked Norman whether he had installed the listening equipment. Norman admitted that he had, according to Nanette. He further admitted that he had been viewing video from her bedroom and, in his car, listening to audio coming through devices he had installed in her home.
What happened next? Call or write for a sample copy of the July 2012 issue.
Taming ID Theft Through Credit Bureau Restrictions
- From the July 2012 issue
Rhode Island has enacted a new law that, for the first time in any state, strikes at the heart of the epidemic of theft of identity. Effective immediately, it requires any credit bureau to rely on more identifiers than solely a Social Security number when it furnishes a credit report to a credit grantor on a particular consumer.
Since the mid-1990s, credit bureaus have furnished a credit report on a consumer when merely the Social Security number in the credit report matches the Social Security number listed on a credit application. The Federal Trade Commission staff at the time actually encouraged credit bureaus to do this.
Sixty percent or more of theft of identity arises when an imposter takes another person’s Social Security number and applies for credit, using a different address from the victim’s and possibly a different name. Still, credit bureaus furnish the victim’s credit report to the credit grantor, whether retailers, employers, landlords, or insurance companies. The imposter relies on the victim’s good credit and the consumer is left to clear up the confusion caused by what is called “a mixed file.”
Now, in Rhode Island at least, credit bureaus must also make sure that the name and at least one other identifier in addition to an SSN match, like address, date of birth, place of employment, or lines of credit. Presumably an imposter would have to possess name, SSN, and one other identifier in order effectively to misappropriate a consumer’s credit record.
What Do We Think of Others' Conduct?
- From the June 2012 issue. Ask for a free copy, by email or postal mail
Americans have changed hardly at all in the past 11 years in most of their ideas about what is morally acceptable. . . . according to our front-page story. In that period have come terrorism threats, increased availability of pornography online, breakthroughs in cloning human beings, campaigns to fund research into stem-cell usage, popularity of gaming casinos, politicians’ disapproval of the use of birth control and abortion, and continuing incidence of divorce and “living together.”
Yet in each of these areas, about the same number of Americans views the activities as morally acceptable as they did in 2001.
By exception, respondents to a Gallup poll in May showed more acceptance of homosexuality and less acceptance of the death penalty.
College Admissions Offices Too Busy to Snoop FB
As students – and their parents – fret over social networks and what all they convey, college admissions officers allow that they are not spending hours hunting for blush-worthy tweets or photos of drunken high school students. It is partly an issue of invading what some consider a private space. But it is also very much a matter of hours in a day, writes Lini S. Kadaba in the June issue.
“We don’t go fishing,” said Jim Bock, vice president and dean of admissions at Swarthmore College in Pennsylvania. “It’s a time issue. We have a lot of information to review, and it’s a privacy issue as well. . . . What we ask for is enough.”
Compelling perspectives from the May 2012 issue:
* * *
"The goal of the World Conference on International Telecommunications this December is to re-negotiate and re-draft the 1988 global treaty in order to give the ITU jurisdiction over the Internet. While the draft proposals will seem 'innocuous and small at first, there’s going to be a big line crossed, and that will be from the U.N. not regulating the Internet to it having jurisdiction over the Internet. That would be just the first stage of an incremental [U.N. takeover of the Internet].'”
"Though the U.S. Supreme Court decision says only that the practice of strip-searching is permitted, not required, a vast discretion is now placed in the hands of any and 'every petty official' who for no reason other than a desire to humiliate and intimidate can order a strip search of political protesters, minority persons, women, gays, etc. There is a solution at hand, however. States are free to enact legislation mirroring that of the ten states that already ban strip searches of arrestees for misdemeanors unless an officer has reason to believe the person is concealing weapons or contraband."
* * *
"With a surge in the final days of the 2011 session, the California legislature enacted several new privacy protections that clearly keep the state at the top of our list of the privacy-protecting states in the U.S. California has ranked first and Minnesota a close second since this newsletter began ranking the states in 1999."
* * *
"Terrorists can do only so much. They cannot take away our freedoms. They cannot reduce our liberties. They cannot, by themselves, cause that much terror. It’s our reaction to terrorism that determines whether or not their actions are ultimately successful. That we allow governments to do these things to us – to effectively do the terrorists’ job for them – is the greatest harm of all."
It's a Lousy Word
- From April 2012 issue
"We often say that the word privacy is inadequate. It is vague, subject to outrageous degrees of modification, is mauled by arbitrary interpretation and its meaning and context constantly shift. However we may not have considered how the word itself – in its nature and form – is wholly inadequate and even detrimental."
Why is this man so upset? Find out by reading Simon Davies' complete rant against the word privacy in our April 2012 issue. Free sample available upon your request.
Highlights From the February 2012 issue
Publisher Robert Ellis Smith projects a course of action after the Jones decision on GPS tracking
Ontario's Privacy Commissioner gives her constituents urgent homework.
An author sees a difference between men's and women's reactions to eavesdropping.
A tech-savvy reader provides a great bar-code oriented solution to unwanted mail.
Another reader sees nothing wrong with demanding ID documents at the polling place.
And a third reader tells you how to keep track of the online marketers tracking you.
Ask for a sample copy of the February 2011 issue to get all this and more.
The Decade of Facial Recognition
- From the January 2012 issue
Will the years between 2011 and 2020 be the decade of facial recognition?
New software can measure spatial relationships among facial features in a photo or drawing of a person, convert the data into an algorithm (or mathematical ‘map’ of the face) and then compare it with the same elements in a person captured by a Web camera in a crowd.
Investigators need not develop a database or even facial-recognition applications on their own. A fledgling business is doing it for them.
It is called Facebook. The social-media giant, founded by college kids just eight and a half years ago, has made facial recognition a top priority. And Apple and Google are not far behind.
Researchers at Carnegie Mellon University in Pittsburgh have identified anonymous persons merely by searching Facebook’s photo collection.
“The face is the conduit between you (your life) and the online world, between offline data and the online world,” says one. Next: Facial recognition capability in eye glasses; police in Brazil will use them to patrol the World Cup soccer crowds this summer. Next, after that: Face recognition capability in contact lenses. No kidding.
Get a copy of our January 2011 newsletter for the whole story. email@example.com.
Federal Agency Timid About Collecting Fine
- from December 2011 issue
When the Department of Health and Human Services assessed a fine of $4.3 million on a suburban Washington health provider for its refusal to give patients copies of their medical records, it ordered the company, Cignet Health, to pay up immediately.
After all, Congress in 2009 had amended the HIPAA health confidentiality law to force HHS to enforce the law, at least more than it had in the recent past.
“We’re serious about this,” said HHS Secretary Kathleen Sebelius.
That was Feb. 4. The fine has yet to be paid. The department has no plan to collect it. Its Office for Civil Rights has rebuffed PRIVACY JOURNAL’s regular requests for information about the hold-up and the government’s apparent timidity to collect the fine. Collecting unpaid fines is not exactly a novel governmental function but, OCR tells PRIVACY JOURNAL, it doesn’t want to talk about the Cignet indebtedness. The health-care provider refused to give patients copies of their medical records, as required by federal law, and then much later gave them to the wrong people.
Voter ID Requirements Will Slow the Process
- From November 2011 issue
. . . Voter-identification requirements will surely alter the balance in voting in the 2012 election because they will certainly slow down the process in neighborhoods that traditionally have had significant waiting lines to vote. They will allow poll workers to send some voters away without voting and allow some poll workers to pick and choose voters for strict application of the law. Some minority-group community workers feel that the ID requirements will deter many voters from even showing up at the polls, especially Hispanic residents worried about their status.
For all citizens, the push for identification will diminish their freedom by inducing them to believe that they must carry ID at other times and must disclose personal information in order to secure an acceptable piece of plastic.
For more on this and a list of states with new ID requirements for voting, ask for a free copy of our November issue, in hard copy or the pdf email version.
Wear the Web on Your Sleeve
- From October 2011 issue
Newfangled bar codes now allow strangers with a scanning device to access your personal profiles on social-media sites and other kinds of Web-related information you have posted online.
Wearing the so-called QR (quick response) code allows you to “wear the Web,” according to one distributor of the scanners, Skanz. You become a walking Web site. QR codes can store far more data than traditional bar codes with vertical black lines. Because they are easily readable and have huge storage capacity, the two-dimensional codes have become the latest thing in the fashion industry, retailing, periodicals, and automotive manufacturing. Models often have the codes as part of the clothing they display so that interested persons may simply access a Web site with online product information.
Scan a QR code in an advertisement or news article and go immediately to a relevant Web page. Pass by a military recruiting office and scan the QR code in the window. Scan the code (in 2013 anyway) on the window sticker of a new automobile and learn lots more about the fuel usage and environmental impact of the vehicle.
Learn more by asking for a copy of the October 2011 newsletter (no charge).
PRIVACY'S ESSENTIAL FOR ME, BUT NOT FOR YOU
- from the September 2011 issue
. . . Examining the actions of those behind the social networking boom, as opposed to their rhetoric, reveals that they, much more so than their customers, scrupulously protect personal information about themselves.
It’s no secret that Mark Zuckerberg, founder of Facebook, is in the business of encouraging people to share more of their personal information online. The company’s business model relies on revenues from targeted advertisements, which means it requires not only a constant increase in users, but also a constant increase in the amount of personal information users share. Therefore, it should be no surprise that Zuckerberg’s public statements tend to downplay privacy concerns and encourage users to feel comfortable posting their personal information online for the world, including Facebook’s advertising partners, to see.
. . . . If, as he claims, the current social norm is to post all our personal information publicly for anyone to see, then Zuckerberg’s own social networking pages show that he must be behind the times. While any Facebook member can view the 27-year-old entrepreneur’s basic Facebook page, he rarely posts anything that is publicly viewable. [He's not the only social-networking exec to prize his own privacy and belittle others. Ask for a free copy of the September 2011 PJ for the full story by Andrew P. Smith.]
WE HAVE TURNED SECURITY AGAINST OURSELVES
Since 2001, we have allowed angry surveillance and intrusive questioning to be turned against our own people, spending billions of dollars in bogus technology and identity schemes, most of it to create what policy makers will admit is “security theater.” They will say that that is what the American public wants, not carefully targeted security precautions directed towards the likely perpetrators of the September 11 terrorist attacks and their progeny.
Americans, the victims of the attacks, are subjected to delays at airports and outrageous pokes at their private parts, viewed by networked cameras everywhere, required to carry photo IDs in order to travel or to vote or attend school; their personal data is collected and manipulated and stored in gigantic databases that seem to show no relevance to the current threat.
Read the whole editorial retrospective in the September 2011 issue, available for free -
Our email address: firstname.lastname@example.org
No Big Secret
- From the August 2011 issue of Privacy Journal, available now
It’s not hard at all to figure out who is male and who is female by looking at the language used on Twitter, according to an analysis by four researchers at the Mitre Corp. "Discriminating Gender on Twitter," www.mitre.org/work/tech_papers/2011/11_0170/11_0170.pdf. A similar analysis at Johns Hopkins University in 2010 claimed to identify political parties, place of residence and age from the words used on Twitter, www.cs.jhu.edu/~delip/smuc.pdf.
The Chief Judge of Silicon Valley
From the July 2011 issue
The center of gravity in the Internet legal world is the courtroom of the chief judge of the federal court for the Northern District of California, located in San Jose, the heart of Silicon Valley.
Because the Silicon Valley area south of San Francisco is home to Google, Facebook, PayPal and other Internet giants, class actions and other lawsuits over privacy, intellectual property, and other hi-tech issues end up in the federal court there, and usually on the calendar of the chief judge, James Ware. His decisions will re-define several aspects of law in the Internet age.
The 65-year-old judge has little in the way of high-tech training or experience to make him particularly well suited to preside over these influential cases, but he is no stranger to high-profile cases or the media spotlight that comes with them.
Read the full story by requesting a sample copy of the July 2011 issue.
Police Now Have Device for Sweeping All Cell Data
From the July 2011 issue
With all their new functionality, smartphones can make almost everybody’s job easier – including law enforcement. A new industry has emerged making and marketing both devices and software that can extract sensitive data from cell phones and other mobile technology. With all the information that can potentially pass through a cell phone, these devices could lead to a paradigm shift in evidence gathering for law enforcement.
One such device, the Cellebrite UFED, has been produced since 2007 and marketed to “military, law enforcement and government agencies around the world,” according to PJ correspondent Andrew P. Smith.
The UFED has the ability to extract virtually every bit of data (past and present) from cell phones and other mobile devices.
For the full story ask for a free copy of our July 2011 issue.
MY 17-MONTH SKIRMISH WITH STREET VIEW
All I wanted to do was have Google's Street View remove the image of my personal residence from its Web site, as it promises to do. In the June 2011 issue of PRIVACY JOURNAL, read the logs of my email messages back and forth to Google; 17 months later I still do not have a resolution, in violation of federal privacy standards and Google's own promises. Publisher Robert Ellis Smith
Student Records and Student Rights
The U.S. Department of Education proposes making pupil records more widely available to states for tracking progress. A parent balks at "biometric finger scanning identification" of elementary students in New Jersey. Kids use a new app called Foursquare to keep in touch - and expose themselves to stalking. Youths are facing a fishbowl existence and have to choose between "excessive caution or foolhardy fearlessness," says a new collection of essays. All of this in the May 2011 issue of Privacy Journal.
Last Four Digits? Careful!
Providing only the last four digits of your Social Security number – once a fall-back position – does not provide adequate protection against theft of identity. In our April issue, we explain why.
And we report that Google, Inc., may have succeeded in locking out the most activist of privacy groups from receiving grants under an $8.5 million fund created in a settlement of a class-action lawsuit over the company’s violation of the privacy of customers of its Google Buzz product. The grants were intended for Internet privacy education efforts.
Does Eric Schmidt Mean It All?
By Chisheng Li
In September, Eric Schmidt, the chief executive officer of the search giant Google, was satirized as a “privacy pervert” by Consumer Watchdog, an investigative Web site attacking “injustice.” As part of its “Do Not Track Me” advertising campaign, the group paid for a billboard in Times Square depicting Schmidt as a data-thirsty person who stealthily spies on others.
This unflattering portrayal came following a year full of public objections, lawsuits and bad publicity concerning Google’s massive collection of personal data from users’ search choices and their unsecured residential WiFi networks and its disclosure of private Gmail contact information on Google Buzz, a social media site. . . .
If there is one consistent factor in Google’s rough year of privacy miscues, it is its chief executive's ability to make seemingly rash comments that tend to underline the company’s insensitivity towards users' individual rights.
At the Washington Ideas Forum in October, Schmidt labeled Google an omniscient Web product, saying, “We don’t need you to type at all. We know where you are. We know where you've been. We can more or less know what you’re thinking about.” Ironically, this comment came after he reassured his audience at the same forum that Google is against consumer intrusions. “The Google policy on a lot of things is to get right up to the creepy line and not cross it.” Unfortunately, his demonstration of Google’s sophisticated tracking technology crossed over the “creepy line,” in the eyes of many. His undiplomatic PR effort was unpersuasive that the company truly cares for its users.
For the full story of privacy gems from Google's CEO, ask us for a sample copy of the January 2011 PRIVACY JOURNAL.
Who Has to Make Notifications of Company Losses of Personal Data? When? How? And to Whom?
Each state law is different. Get the complete story in the February 2011 issue of PRIVACY JOURNAL. Ask for a sample copy now.
A Concept for Persons, Not Corporations
Virtually everybody agrees that privacy, by definition, is uniquely a personal right. Artificial persons, as opposed to natural persons, do not enjoy a right to privacy. [See "The Law of Privacy" by David Elder, 1991.] The law of privacy was “designed primarily to protect the feelings and sensibilities of human beings, rather than to safeguard property, business or other pecuniary interests,” according to the Kentucky Supreme Court in 1943. The reason for this is that a corporation is “a fictitious person and has no ‘feelings’ which may be injured,” according to a California state appeals court in 1980.
This is not to say that laws, regulations, and social policy do not recognize that corporations and other organizations have interests in confidentiality. This is distinct from a right to privacy. The law of trade secrets and the law of copyright are examples of interests in confidentiality by organizations; so are laws permitting certain government agencies to keep secret certain business information in their possession.
From "The Law of Privacy Explained" by Robert Ellis Smith
In view of this history, it is strange that the U.S. Supreme Court has agreed to hear a case in the new year that recognizes a right to privacy for corporations. [Get the full story by getting a copy of our December 2010 issue free by emailing or calling us, 401/274-7861.] Subsequently, on Mar. 1, 2011, the Supreme Court ruled unanimously that a corporation may not make use of the "personal privacy" exemption in the Freedom of Information Act.
Our email address: email@example.com
What Is Happening with Street View?
For a scorecard on the investigations around the world of the collection of WiFi information from residences by Google's Street View camera cars, see the November 2010 issue of PRIVACY JOURNAL. Ask for a copy.
The Most Brutal Intrusion
From the October 2010 issue
It was the most humiliating and brutal invasion of privacy to afflict someone.
It was, in fact, the type of invasion of privacy that most persons conjure when imagining the most obviously outrageous example of a privacy intrusion. But it is usually invoked as a hypothetical example.
An 18-year-old male freshman at Rutgers University in New Jersey covertly took camera images of his 18-year-old roommate in a male-to-male encounter in their dormitory room and aired them live throughout the global Internet.
The victim, Tyler Clementi, after discovering the exposure, tried desperately to get advice from friends on the Internet as to how to stop the camera stalking, whether to report it, or how to ignore it. The perpetrator, Dharun Ravi, then invited online friends a second time to view Tyler in a gay encounter in the privacy of his dorm room.
What are the criminal and civil-lawsuit consequences of the apparent act? Only Publisher Robert Ellis Smith can answer this intelligently, and he does so in the October 2010 issue of PRIVACY JOURNAL. Send us an email for a free sample copy and a discount off your ultimate subscription.
Efforts to Curb BlackBerry Use Overseas
-- From the August 2010 issue
UAE is the second country after Saudi Arabia to issue a ban on BlackBerry service. China, India and Kuwait are contemplating similar acts for the same reason. Amid concerns about RIM’s encryption protocol, the European Commission earlier this month said it would replace the BlackBerry with the iPhone and HTC as the organization’s smartphone choices.
RIM, maker of BlackBerry devices, currently operates in at least 175 countries world-wide. Although RIM remained vague on the company’s next step, it is possible that the firm would accommodate the requests from the UAE to some extent. Technology companies have increasingly found it challenging to maintain a high standard of consumer data protection.
Read the full account by Chisheng Li of PRIVACY JOURNAL by asking for a free sample copy of our August 2010 issue.
Social Security to Employ Experian
- From the July 2010 issue
The Social Security Administration has contracted with the Experian nationwide credit bureau to verify or authenticate the identity of persons applying for benefits. Experian has been cited by another arm of the federal government, the Federal Trade Commission, and courts for inaccuracy in its data systems since passage of the Fair Credit Reporting Act in 1970.
The Social Security Administration believes that its own records are not accurate enough to do this.
The new procedure is part of a capability to apply for benefits online, said to be about one year away. SSA would provide name, address, date of birth, and a phone number supplied with the online application and Experian will generate a few questions for the applicant to answer, to verify identity. Non-online applicants and current recipients will not be affected by the change, the agency said.
In 2000, a federal appeals court cited Experian for shoddy handling of matches based on Social Security numbers, and anecdotal evidence since then shows persistent failures by the company.
States Regulate Auto 'Black Boxes'
- From May 2010 issue
Thirteen states have now enacted similar laws placing restrictions on the use of data in event data recorders, the “black boxes” that record a motor vehicle’s speed, steering, use of brakes and seat belts, and other characteristics for analysis after a collision.
The first generation of laws, like those in Arkansas and Texas, say that the owner of the vehicle owns the data and that it may not be retrieved or used without consent. Connecticut’s law, like others, permits access by a police officer or pursuant to a search warrant or if “The data is used for the purpose of improving motor vehicle safety.” In California, manufacturers must notify owners of the presence of the devices; Nevada requires the consent of owners.
The trend has been pushed by IEEE, the world’s leading professional association for the advancement of technology, through its so-called P1616a Working Group.
- For the rest of this story and an account of security-breach notification laws now in 44 states, write for a sample copy of the May 2010 issue.
One Man's Success Resisting a Universal Identifier
- From the April 2010 issue of PJ
Richard Lindsey, a plumbing contractor in Stuart, Fla., has lived much of his life without a Social Security number. That's 75 years.
Or so he thought until he challenged a requirement that he provide an SSN to the county real-estate appraiser. The county wanted the number, it said, to match local taxpayers with identities of property owners in other states to see whether a local resident is claiming a homestead exemption in more than one jurisdiction. The exemption saves lots of tax money for those who reside full time in their own properties.
Only Florida seems to have this requirement; property-tax records generally do not have Social Security numbers appended to them, and so a true interstate matching system seems unattainable right now.
In the course of a lawsuit by Lindsey, the county discovered that there was in fact a Social Security number issued to Richard Lindsey, apparently secured by his parents long ago without his knowledge. And so, in a settlement of the lawsuit last month, Lindsey consented to use of the long-lost SSN - even though he disavowed it - and the county agreed to grant the homestead exemption.
PRIVACY JOURNAL Publisher Robert Ellis Smith was engaged as an expert witness in the case. Lindsey v. Kelly, 06-349-CA (Fla. 19th Cir. Ct. Martin County).
Richard Lindsey explains: "What really convinced me to file suit against the tax assessor was the rapid escalation of my property value and the county's unwillingness to offer any compromise or alternate for someone with no SSN. Most of my life I have been self-employed, which had something to do with operating minus an SSN, but the real secret was that there are no laws that require an American to have an SSN, and/or operate under the Social Security system. The IRS provides alternatives for one who is opposed to the SSN.
"Most people do not know this but there are thousands, maybe millions of Americans who have strong feelings about the effects of government and the SSN universal identifier. Yes, I do have a drivers license. Yes, I do file taxes. The instructions from the IRS are to mark your return 'religious objector.' Yes I do have a passport - same strategy - where called for SSN you mark it 'religious objector.'"
-- from the March 2010 Privacy Journal
“News organizations increasingly seem to be treating their access to 911 recordings as what I would call ‘911 Porn’ -- playing these materials to their audiences in most cases solely for their prurient ratings value,” says privacy/cyberrights activist Lauren Weinstein of Woodland Hills, Calif.
Weinstein says that it is time to stop releasing 911 materials on demand for publication or broadcast, absent clear and demonstrated necessity for the public good in any specific case.
“In specific situations where 911 conversations have probative value in courts, for other legal proceedings, or in related investigations, the recordings (and/or associated transcripts) should obviously be made available to the relevant parties.”
Legislators in some states agree with him. Missouri, Pennsylvania, Rhode Island and Wyoming already keep such recordings private. Proposals to do so in Alabama, Ohio, and Wisconsin have been presented in state legislatures.
For the full story, ask for a free copy of our March 2010 issue, in pdf by email or hard copy.
Advice on the Census
-- From the February 2010 issue
The census form to be circulated in April has ten questions: number of persons living in the structure; additional persons “staying there”; type of residence and type of financing; telephone number; and the gender, age, date of birth, ethnicity, race, and alternative residence of each person in the household. The Census form does not require Social Security numbers, salary, credit-card or banking information, marital information, or sexual identity.
Census workers will carry government ID badges and will not ask to enter the house. Federal law provides a fine of $100 for failure to answer and $500 for answering untruthfully. But this is rarely enforced and courts have not been clear that answering the Census is required.
Personal data held by the Bureau of Census is confidential by law, with stiff penalties for violations, and the bureau has a longtime reputation for vigorously protecting data in its possession.
Has TV Surveillance Peaked?
-- From the February 2010 issue
Great Britain is experiencing TV surveillance fatigue, says a young scholar who has studied the inner workings of cameras (CCTV) in England.
“We may be seeing a diminution,” said Gavin J.D. Smith, a lecturer in sociology at City University in London who spent long hours with the operators and observers of the cameras and wrote his PhD thesis on the effects of the operation on observers, not the observed. One operator told him, “It's over. TV surveillance is dead.”
Smith's findings? “It's a screwed-up work culture,” bringing to mind William Faulkner's recurrent literary theme that victimizers often become victims and oppressors experience more mental anguish than the oppressed.
For a full report on the latest in camera surveillance in the U.S., Canada, and Great Britain, ask us for a sample copy of the February 2010 issue.
Ralph Nader Takes on Nude Scanners
-- From the February 2010 issue
Ralph Nader, the long-time consumer activist, has turned his sights to the “backscatter” nude screening devices and other technology at airports.
“Multi-million dollar investments in intelligence failed to do its job,” Nader told a group of privacy advocates gathered in Washington by the Electronic Privacy Information Center in January, and so the government is turning to untested technological fixes. He said the government was “sold a bill of goods” with regard to devices that puff air at a traveler to dislodge and detect explosive powders.
“There’s a commercial motivation. Vendors persuade government security agencies to purchase this stuff. I wonder if you could get a court injunction holding up procurement?” Nader questioned whether the nude screening machines emit harmful radiation to frequent travelers.
“Dragnet surveillance is the last resort of people who haven’t done their jobs. Our entire homeland-security operation is made up of ad hoc responses to the last failure.” For the full story, ask us for a sample copy of our February 2010 issue.
HINT: Find "Eric Blair" in the text below for a free offer you cannot refuse.
Passwords Are Like Underwear
-- From the January 2010 issue
The Office of Policy Development and Education (since discontinued) in the Information Technology Division at the University of Michigan (www.itd.umich.edu/education) created a password protection campaign with five posters intended to alert students to the importance of computer security.
The theme of the posters was “passwords are like your underwear”:
The longer the better.
Don’t share them with friends.
Change yours often.
Don’t leave yours lying around.
Hi-Tech Labeling of Kids OK, Governor Says
-- From the December 2009 issue
Governor Donald Carcieri of Rhode Island not only vetoed a bill that would have restricted the use of radio-frequency identity chips (RFID) on school children, he proclaimed in his veto message that tracking children is a great idea.
[The R.I. legislature overrode the veto Jan. 5 so that this bill will become law.]
“Why would the General Assembly therefore place restrictions on the use of this technology as an option for all students?” Carcieri, a Republican, wrote. “In certain circumstances, it may be helpful for schools to have the ability to quickly identify where each of their students is located. Such circumstances may include weather-related natural disasters, terrorist or criminal events or even a need for use during field trips and outside school activities.”
This is the third time that Carcieri has vetoed a version of RFID privacy legislation. In 2006, lawmakers passed a bill that would have prohibited state and local government from using RFID to track their employees and school children in addition to restricting the use of highway-toll transponder information using RFID technology.
“Originally developed to track cattle and commerce, RFID technology allows a person’s identity and movement to be monitored electronically,” Steven Brown of the Rhode Island branch of the American Civil Liberties Union explained. “When the Middletown school district last year began a pilot program that placed RFID chips on the backpacks of elementary school children, purportedly to make sure they got on the right school bus, the need for this legislation became more apparent than ever.”
For more on these stories, ask for a free copy of our December 2009 issue.
Devices That Pinpoint Your Location: Do They Worry You?
-- From November 2009 issue
Massive numbers of Americans are carrying around on their persons electronic devices that permit tracking of their locations. They are concerned about the drawbacks, but apparently not concerned enough to curtail their usage, according to a study by the privacy-oriented researchers at Carnegie Mellon University in Pittsburgh.
The four scholars listed technologies that allow for pinpointing one’s location:
Global Positioning Systems when they are a part of a cell phone – not yet common – or a laptop. Currently GPS are the most accurate way of pinpointing location.
Wireless positioning when a laptop user makes use of public WiFi access points. Unlike GPS, the tracking can be indoors.
Cellular identification: “A mobile phone is [usually within signal range] of upwards of three cell phone towers, allowing a location to be triangulated if the locations of the cell towers are known.” Loopt, a location-sharing service, uses its partnership with AT&T to provide always-on location information.
The Carnegie-Mellon team reported that in their survey of nearly 600 persons, “We find that although the majority of our respondents had heard of location-sharing technologies (72.4 percent), they do not yet understand the potential value of these applications, and they have concerns about sharing their location information online. Most importantly, participants are extremely concerned about controlling who has access to their location.”
For a copy of the full story, ask for a copy of the November 2009 issue, hardcopy by mail or pdf by email. That includes a link to the original study.
FTC Reevaluates Privacy Enforcement
-- From November 2009 issue
The Federal Trade Commission is undertaking what seems the most fundamental reexamination of its compliance program since it first acquired jurisdiction over privacy practices with passage of the Fair Credit Reporting Act in 1970.
It begins with a “fundamentals” roundtable discussion at the FTC headquarters in Washington Dec. 7. Information about participation and the content is at firstname.lastname@example.org or www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml#participate.
An additional session is planned tentatively for Jan. 29, 2010, at University of California Berkeley Law School and a third in mid-March in Washington. The new guard at the Bureau of Consumer Protection wants to move beyond the “harms-based” enforcement effort [see PJ Aug 09].
Privacy Officer - It's a Risky Job
-- From October 2009 issue
Being a chief privacy officer can be dicey – balancing the interests of management, consumers, courts, regulators, and advocacy groups.
Peter Fleischer, Google’s American-educated, European-based privacy officer, has found an additional, serious risk to the job. He has found himself this month in a non-English speaking courtroom facing criminal charges.
Fleischer and three colleagues at Google are accused of violating the data-protection law in Italy by allowing YouTube, which is owned by Google, to display a three-minute mobile-phone video of a teenager with Down's syndrome being bullied at school.
For the complete story, ask us for a sample copy of the October 2009 issue
A Tennessee Court of Appeals has said that a statewide policy of courts including an “overnight paramour clause” in custody cases need not be followed in every case; it is the interests of the child that must come first. Get the full story. email@example.com
Should the Identity of Your Computer
Be Protected as 'Personal Information'?
-- From September 2009 issue
* * * What about an IP address? Is that personal information that should be protected?
That's the number that identifies a computer connected to the Internet through an Internet Protocol (IP). It doesn't identify the owner of the computer necessarily, nor the current user. And Internet providers often switch the IP addresses of users. But knowing the IP address may serve to identify the user, especially in instances - very common, of course - when one person habitually uses one computer.
European authorities have said an IP address is personal information, entitled to protection under European privacy laws. The New Jersey Supreme Court in 2008 said it is protected information. But a federal court in Seattle, Microsoft's backyard, ruled in June that an IP address is not entitled to protection. * * *
To know exactly where you stand, you need to see the September 2009 issue of PRIVACY JOURNAL. Send us an email and ask for a free sample.
Tolerance for ‘Street View’ in U.S.
- From the July 2009 issue
Americans seem not to mind that photos of their residences are posted on a Web site without their consent. There has been little objection here to Google's Street View Web site.
But in Canada, public sentiment forced the company to agree permanently to blur and anonymize images of individuals captured among the myriad of views of private residences. Greece’s data protection agency has told Google to suspend its Street View product there until the company clarifies its practices on retention of the images and on individuals’ right to get them deleted. The data protection authority in Hamburg, Germany’s second largest city, threatened sanctions if Google did not comply with the city and federal privacy laws.
By contrast, a judge in Pittsburgh has dismissed the only known legal challenge to Street View, filed by a couple with a secluded residence that is pictured on Street View without their consent.
How Did the Massive Leak
At Heartland Systems Happen?
Do You Know About Two Important
Changes at Airport Security Gates?
To read each of these stories, ask us for a free copy of our May 2009 issue
PUZZLER From the April issue
Q: What does “Attack of the Killer Tomatoes” have to do with the worldwide trend to require notification to affected persons when there is a leak of personal information from a computer system?
A: Ask for a sample copy of our April 2009 issue and you will find out.
NEW PROTECTIONS FOR MEDICAL RECORDS
- From the March 2009 edition
You have to wade through the complex small print to discover exactly what the privacy provisions accomplish in the Health Information Technology for Economic and Clinical Health Act, part of the stimulus package, now Public Law 111-5. PRIVACY JOURNAL does this.
The new act amends the existing regulations on the confidentiality of medical records under the 1996 Health Insurance Portability and Administration Act (HIPAA).
The act establishes a federal requirement that patients must be notified if there is a breach of security of their health information, if it were not encrypted or otherwise made indecipherable to outsiders. Vendors who deal in health information must notify the Federal Trade Commission, which heretofore has had no involvement or expertise in medical information.
The act provides transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record in the prior three years, including disclosures to treat a patient. Still, tracking secondary disclosures by receivers of patient information would be difficult.
The act ensures that new entities that were not contemplated when the federal privacy rules were enacted in 2001, as well as those entities that do work on behalf of health-care providers (“business associates”) are subject to the same HIPAA privacy and security rules as providers and health insurers (“covered entities”).
The act seems to allow a patient to bar individually identifiable disclosures to a health network if paying out of pocket for medical services.
The act affects the sales and mining of patient information by limiting (but not totally eliminating) the sale of an individual’s health information without the individual’s authorization. This provision may not cover barter and rental arrangements or use of a third party.
The act requires that health-care providers like doctors, hospitals, and nursing homes not use patient information for marketing without consent and not use it for fundraising without an opportunity for individuals to opt-out.
The act strengthens enforcement of federal privacy and security rules by increasing penalties for violations, providing greater resources for enforcement and oversight activities, creating new training, enforcement, and monitoring capability in the regional offices of HHS. State attorneys general may pursue HIPAA violations.
The act makes clear that those who furnish records or receive them in violation of the law may face criminal prosecution.
Get the full story by asking for a free sample copy of the March 2009 issue. firstname.lastname@example.org
Automated Health Records to Stimulate Economy?
- From February 2009 edition
One of the lynchpins of the Obama Administration plan to stimulate the national economy is creating a nationwide network to exchange patient records among health-care providers.
The stimulus program passed by Congress includes from $20 to $22 billion for the elusive goal, one that many members of the medical community have sought for more than 15 years. As part of this, the so-called American Recovery and Reinvestment Act, HR 1, includes a patient confidentiality provision that privacy and patient advocates have endorsed.
Subtitle D includes a ban on the sale of health information, audit trails to keep track of disclosures from the electronic network, encryption of certain health information, enhanced rights of patient access to one’s own data, improved enforcement mechanisms, and support for advocacy groups to participate in the regulatory process that will follow passage of the bill.
Get the full story by asking for a sample copy of the February 2009 issue.
Quest to be Popular
Drives Facebook Users
to Post Personal Information
- From January 2009 issue
It’s the need for popularity that is driving young adults to disclose more personal information on Facebook than they normally would reveal, according to a new study by two psychology researchers at the University of Guelph in Ontario, Canada.
“There is something different about how people interact in online environments,” said Emily Christofides, one of the graduate-student researchers. “They share and show more about themselves than they might in other social settings. We wanted to find out if different psychological factors are involved in that behavior.”
Christofides and Amy Muise surveyed 343 Facebook users, all university students between the ages of 17 and 24. Participants were asked about personality factors such as self-esteem, need for popularity, levels of trust and overall tendency to disclose personal information.
The study found that the majority of persons (76 percent) are concerned about privacy and information control, yet they still disclose a great deal of personal information on Facebook. This includes details like birthdays, email addresses, hometowns, school and degree majors, and intimate photographs.
The pair asked how likely were the students, on a scale of one to seven, to post various types of pictures. The responses:
A profile portrait – 6.60 mean
With friends – 6.41
With boyfriend or girlfriend – 5.91
At parties or a bar – 5.85
With friends drinking – 5.62
Kissing someone – 4.37
In bikini or bathing suit – 4.23
In a bedroom – 3.60
“Making out” with someone – 2.52
Doing something illegal – 2.45
Doing drugs – 1.99
Naked or partially naked – 1.49
For the full story, ask us for a sample copy of our January 2009 issue.
Data-Mining to Look for Voters
- From the December 2008 issue
Both national political parties are purchasing individual consumer-choice data and manipulating it in their quest for funds and voters.
Immediately after the election, in a joint appearance with his Republican counterpart, Democratic National Committee Chair Howard Dean said in reference to the Republicans, “We now can do what they can do. We have your credit card data like they do. They’ve been for years doing something that we, until 2006, weren’t able to do. We can predict with 85 percent accuracy how you’re going to vote based on your credit card data without bothering to see what party you’re in – [through] the Secretary of State’s office.”
“They’ve been doing it for a long time,” Gov. Dean said of Republicans. “No wonder we’ve been throwing rocks at the bottom of the well. These guys – we can argue about how well they run the country, but they certainly know how to run elections.”
“The model for party building was the Republican National Committee,” Dean says. “We copied almost everything and improved on it. We got technology that predicted with 85 percent certainty how someone would vote." FOR THE FULL STORY, ASK FOR A FREE COPY OF OUR DECEMBER 2008 ISSUE.
Privacy Officer a Huckster Too
It’s a novel role for a chief privacy officer.
Acxiom, one of the largest collectors and sellers of consumer data in the U.S., uses its longtime privacy officer to promote publicly its sale of databases reflecting consumers’ personal preferences.
Privacy officer Jennifer Barrett, in a video on Acxiom’s Web page promoting sales of its data about consumers’ use of their credit cards, even endorses use of financial and health information about individuals in the marketing process.
Barrett, who joined the company back in 1974 before it emerged as an aggressive user of new technology and of merging of disparate individual data, was named chief privacy officer in 1991, one of the first in the nation in the corporate world. FOR THE FULL STORY, ASK FOR A FREE COPY OF OUR DECEMBER 2008 ISSUE.
NEW: Government Permission to Travel in U.S.
- From November 2008 issue
For the first time in U.S. history, Americans will have to get the permission of their government to travel from state to state.
The U.S. Transportation Security Administration has issued a final rule requiring passengers to provide name, gender, and date of birth when making a domestic airline reservation. This information will be reported to the TSA, which will report back to the airline whether the individual is cleared to board an airplane. If TSA reports back that the individual is on its Watch List or “inhibited status,” the passenger must present a government ID to the airline and then may fly if TSA reports back with permission. If no permission is granted, the airline may not board the passenger. The regulation seems to say that individuals not on the Watch List need not show an identity document to the airline.
The rule also seems to say that a photo-identity document issued by a local governmental agency is no longer acceptable, only IDs issued by federal, state, or tribal governments.
For the complete story, ask for a free copy of our November 2008 issue.
Find a typo, spelling error or other mistake on this Web site and win a free book of your choice.
That's What Friends Are For
- From October 2008 issue
Many marketers are now persuaded that online data showing whom people associate with are more predictable indicators of consumer preferences than standard demographics or even evidence of prior purchases. And that explains why they want to harvest data from “social-networking” sites like MySpace, Facebook, and Flixster.
Blogs, in which birds of a feather tend to flock together, are another source.
In order to participate in such sites, users generally identify acquaintances – “friends” – who may have access to their social-networking sites and with whom they keep in regular contact.
“People are more like their friends than they are like other people that fit their demographic or psychographic makeup. Social psychology has shown that people tend to develop relationships with those that have similar interests to them, transcending demographics and psychographics,” says one of the prime practitioners of this new art, 30-something Auren Hoffman, head of Rapleaf. “And those that have a strong relationship with each other have the capacity to influence each others’ behavior.”
Hoffman cites research by Shawndra Hill, a junior faculty member at the University of Pennsylvania, showing “A firm can benefit from the use of social networks to predict the likelihood of purchasing. Taking the network data into account improves significantly and substantially [on a company’s customary marketing and on target marketing].” [For the full story, ask us for a free copy of our October 2008 issue.]
The Background on This
In 1991 or thereabouts, marketing specialists discovered “target marketing” or “database marketing” to zero in on potential customers based on aggregated computer data reflecting tastes in publications, automobiles, and consumer products, combined with demographic data available from the Census Bureau and other sources.
Five years later, they began exploiting Internet data (“cookies”) that revealed consumers’ interests in different Web sites. Then a couple of years ago came “behavioral” marketing, using manipulative online advertising based on data from a person’s online searches and consumer choices.
Now comes the next best thing: “socialgraphic targeting” (described on this page, above), based on the friendships and relationships that one forms online.
- Chris Slane, www.slane.co.nz
PJ's Current Reading List
- From the August 2008 issue:
A reader asked us to recommend the best current books on privacy. Here are our choices:
Trust and Risk in Internet Commerce, L. Jean Camp, 2000.
Privacy & Human Rights, An International Survey of Privacy Laws and Developments, Electronic Privacy Information Center, updated yearly.
Ben Franklin’s Web Site: Privacy and Curiosity from Plymouth Rock to the Internet, Robert Ellis Smith, 2004.
“RFID and Privacy: Guidance for Health-Care Providers,” Information and Privacy Commissioner of Ontario, Toronto, Canada, 2008.
“Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation,” Information and Privacy Commissioner of Ontario, Canada, 2008.
The Privacy Advocates by Colin Bennett, describing the efforts of the eccentric and often effective band of brothers and sisters who work for privacy protections in the U.S. and abroad, 2008.
Compilation of State and Federal Privacy Laws, Privacy Journal, updated yearly.
Privacy Torts, David A. Elder, 2002.
Privacy on the Line, Whitfield Diffie and Susan Landau, 2007.
Secrets & Lies: Digital Security in a Networked World, Bruce Schneier, 2000.
“A Guide to the Privacy Profession,” International Association of Privacy Professionals, 2007.
Are the Paparazzi Winning?
Hollywood finally had its revenge on the tabloid press in 1998. The Screen Actors Guild lobbied the California legislature successfully for a new law limiting the ability of paparazzi photographers to intrude into personal activities. The law allows celebrities to sue photographers or news organizations if they trespass or use telephoto lenses to capture images of persons in personal or family activities.
The law, a response to the death of Princess Diana in Paris in 1997, provides rights also to victims of crimes who feel they are put upon by intrusive photographers.
The California Press Association and the major networks opposed the bill in the legislature, saying it unconstitutionally restricts their First Amendment rights to gather the news. In 2005 Gov. Arnold Schwarzenegger, himself a huge Hollywood celebrity, approved legislation allowing treble damages for paparazzi victims and limiting the profits that photographers could reap from photographs involving altercations.
And last winter, after even more chaotic scenes where photographers confronted famous film and music personalities, a member of the Los Angeles City Council, Dennis Zine, proposed tightening law enforcement at the locations. Zine, who represents the district adjoining Beverly Hills to the west, also proposed creation of a city-enforced “personal safety zone.” Some call it “Britney’s Law.” Actors showed up at a task force meeting on the subject held July 31.
The photographers themselves now feel threatened in the frenzy, and many support tougher enforcement practices.
For the rest of the story, email us and ask for a sample copy of our August 2008 issue.
What's in Public Can Be Private
- From July 2008 issue
It has been conventional wisdom that nothing can be done legally about ubiquitous camera surveillance in our communities, that it does not violate any law or constitutional principle. Part of that accepted wisdom is the mistaken idea that because an activity takes place in public view, it is not protected by any expectation of privacy.
In fact, there are many activities in public that are entitled to privacy protection, according to previous federal court holdings: going to and from a house of worship, an abortion clinic, or a medical facility; holding hands or embracing affectionately in public; participating in a political demonstration or wearing political symbols; reading a book or a magazine; meditating or praying, and perhaps even chatting on a cell phone in an audible way. The right to vote may be interpreted to prohibit videotaping citizens as they visit a polling place. “The Fourth Amendment protects people, not places,” said the U.S. Supreme Court in 1967, in an opinion that restricted law enforcement’s use of audio evidence from a public phone booth. And the Fourth Amendment protects not merely homes, but also citizens’ “persons, houses, papers, and effects.”
For the rest of the story, ask us for a sample copy of our July 2008 issue.
This regular feature provides ways to use 20 minutes of your life each month to protect your privacy.
The state laws on placing a “credit freeze” or “security freeze” on your credit report vary widely. You must check the specifics of your law.
Most states require a paper request by mail. Email is okay in Delaware. But in the District of Columbia, certified mail and ID are required, although Web registration must be available by 2009. Kansas requires a police report proving victimization of identity theft, but most state laws allow anyone to get a freeze. For Connecticut residents, a credit bureau must place the freeze within five business days and notify the consumer within ten days and provide a unique ID number or password for future communications.
A freeze is a notification in a credit file that no credit report shall be provided to a retailer or, in many states, no credit report shall be provided without the consumer’s consent.
A consumer may request a temporary, specific, or permanent lift of the freeze. There is usually no fee. But North Carolina and Oregon authorize a $10 fee. In New Hampshire victims of ID theft may not be charged a fee. In New Hampshire, New Mexico, New Jersey, and New York, credit bureaus must notify residents of all of this.
The Consumer Federation of America, 202/387-612, www.consumerfed.org, can direct you to the text of your state’s law.
The 35 state laws are described and cited in PRIVACY JOURNAL’s Compilation of State and Federal Privacy Laws. Federal law requires nationwide credit bureaus to accept “fraud alerts” only for victims of ID theft.
- From March 2008 newsletter
The death of conservative commentator William F. Buckley, Jr., in February recalls this story he told about himself in 1978, when the moderator of a panel asked him and others whether they had ever been victims of an invasion of privacy.
On a recent trip, Buckley said, a hefty woman at airport security was rummaging through his carry-on baggage. She pulled out a package of Preparation H, a tonic for hemorrhoids, and held it up. Within hearing range of several fellow passengers, she bellowed to the urbane Buckley, “Do these work?”
TV Monitoring in Public Places:
Effectiveness Not Determined
- From the March 2008 issue
Does installation of video surveillance in public places work? There has been a dearth of studies in the U.S. addressing that crucial question. The federal government and hundreds of local governments simply assume that the answer is yes, aided by hundreds of vendors who insist that high-tech equipment will indeed reduce or deter crime.
A report entitled "Video Surveillance of Public Places" issued in 2006 by the Office of Community Oriented Policing of the U.S. Department of Justice “notes that while there is a general perception among system managers and the public that video surveillance cameras are effective in preventing crime, actual evidence of crime reduction is more difficult to find,” according to a review of the literature by the Office of the Information and Privacy Commissioner in Ontario, Canada.
The Ontario report, "Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation," “found numerous studies on the effectiveness of video surveillance on crime, in a broad range of settings. These studies varied substantially, however, in terms of their methodological rigor.”
The report cited only two from the U.S.: The Department of Justice study, conducted by criminologist Jerry Ratcliffe at Temple University, and one conducted by Marcus Nieto of the California Research Bureau in 1997. . .
For the full story, ask for a sample copy of our March 2008 issue.
Order back issues. Ask for our discounted rates.
Need a speaker or an expert witness on privacy, surveillance, ID theft, medical confidentiality, credit reporting? Call us, 401/274-7861.
"What about LifeLock? Is it worth it?" asks a reader.
- From the February issue
LifeLock is the “identity-theft protection service” whose chief executive, Todd Davis, announces his own Social Security number just to show how confident he is that his company will protect him and others from identity theft.
For a monthly fee, these companies merely monitor your credit record to look for abnormal activity and place a “security freeze” (or “fraud alert”) on your credit record. That means that the credit bureau must check with you before issuing a credit report.
Abnormal activity on your credit file is often a sign of identity theft, but some forms of ID theft do not alter your credit record. In some forms of identity theft, an undocumented immigrant uses the victim’s SSN to get a driver’s license or birth certificate. In other forms, a stranger uses the victim’s ID when committing a crime. Checking credit reports will not detect these forms. And companies like LifeLock that monitor credit activity are known to miss signs of ID theft in credit reports.
By federal law, you are entitled to one look at your credit report per year without charge; after that the fee is nominal. And in most instances you can get a fraud alert without charge.
No company can guarantee against ID theft, as LifeLock claims it can.
LifeLock admitted that a crook has used Davis’ Social Security number to obtain a $500 check-cashing loan from a business in Ft. Worth, Tex. Davis said that the check-cashing company didn’t pull a credit check and therefore LifeLock’s methodology didn’t prevent this theft of identity.
Similarly, the host of “Top Gear” on British Broadcasting System TV, Jeremy Clarkson, wrote a newspaper column dismissing the threat of identity theft after the British government admitted losing two compact discs with personal data on more than 25 million persons. He published his bank account information and hinted at his home address, defying anyone to abuse it. The most anyone can do, he wrote, is put funds into my account. A week later, a hacker set up a $1000 monthly debit from his account to a diabetes charity, and Barclay’s Bank isn’t sure that it can stop it. “I was wrong and I was punished,” Clarkson said afterwards.
Our email address: email@example.com
LOOK: From a Surveillance Camera Viewpoint
- From the December 2007 issue
Citizens have been accepting of surveillance cameras everywhere, but there are signs of intolerance. Attitudes may be shaped in the most significant ways by an innovative Hollywood film set for release in December.
Writer and director Adam Rifkin shot the entire new film Look from the perspective of security cameras. “That’s what makes Rifkin’s acclaimed new film so shocking,” said Newsweek. The scenes in the film seem at first to be intrusive but random shots – now commonplace in our surveillance society. But in the end they form a chilling tale about real people’s lives.
“We’re not taking sides,” the co-producer of the film Barry Schuler told PRIVACY JOURNAL. “Privacy and security are far too complex. But the cameras are everywhere, and it’s not just government surveillance; there is ‘citizen video’ everywhere.” Schuler, a former chief executive of America Online and framer of many of its early traits, added, “This is just not on people’s radar screen yet. And the default position is it keeps growing.”
Call or send an email for a free copy of the full story in our December 2007 issue.
Passport Office Gets FBI Access
- From the November 2007 issue
Since the inception of the National Crime Information Center in 1967, the FBI’s automated database of wanted persons and multiple offenders, the bureau has insisted that the data would be available only to law-enforcement agencies. Gradually that assurance has been chipped away.
The latest non-law enforcement agency to have access is the Passport Services Office in the U.S. Department of State.
Still, the FBI in its required notice about the NCIC system states, “Data stored in the NCIC is documented criminal justice agency information and access to that data is restricted to duly authorized criminal justice agencies.” With access only to the wanted persons sector of NCIC, the passport office will be required to confirm any “hit” with the originating police department, which must send a substantive response promptly or send back a “negative confirmation.” The system is plagued with a rate of errors or incomplete records far in excess of 33 percent.
(For more, ask us for a copy of our November 2007 issue.)
ID Theft Precaution: Free 'Shredathon'
- From November 2007 issue
As part of his campaign against identity theft, Rob McKenna, the attorney general of the State of Washington, has organized a series of "shredathons" around the state. A private company in the shredding business provides the community shredder and a local organization provides the publicity. Citizens are invited to bring boxes of their sensitive documents to the site for secure shredding.
Lost or stolen mail and other documents with Social Security numbers and credit-card data on them are one source for identity thieves to get the information they need to co-opt someone’s credit accounts, but they are probably not the predominant source.
The first shredathon was held last April 18 at 29 locations around Washington State.
(For more, ask us for a copy of our November 2007 issue.)
Scary Stuff - Excerpts
-- From the October 2007 issue
As the government officials responsible for enforcing privacy laws worldwide met in September in Montreal, there was little of the traditional talk about the nuts and bolts of data protection like opt-in, transparency, or transborder data flows.
Instead, there were urgent and distressed discussions about uberveillance, ambient technology, ubiquitous computing, ingestible bugs, and nanotechnology.
The terms may be overlapping and may in fact be somewhat synonymous. They all refer to an environment in which electronic media are everywhere, gathering and processing information in a seamless way, beyond the control of each human being.
The discussions began a few years ago with recognition of a coming Internet of things, much as public awareness of the Internet began in the 1980s with talk of an information super highway. . . .
One prime speaker, Ian Kerr, Canada Research Chair in Ethics, Law and Technology at the University of Ottawa, noted that the Canadian Supreme Court had established a hierarchy of privacy values: bodily or personal privacy (highest level of protection), territorial privacy, and informational privacy (less protection).
The technology, as well as the law, has “smudged” the traditional hierarchy, said Kerr. He cited as evidence new human-area networking technology that permits the human body to be the conduit for electronic transmissions – of information, instructions, behavior and a lot more. See www.redtacton.com.
A co-panelist with Kerr cited Eastman-Kodak’s announcement this year that it has developed an RFID identifying chip that may be swallowed by humans – an ingestible bug. The patent filing suggested potential uses, including monitoring “bodily events,” tracking how a person’s digestive tract is absorbing medicine, or verifying how a specific medicine is interacting with other drugs in one’s body. The RFID tag would disintegrate eventually, the company said.
Other futurists used the terms ubiquitous computing and pervasive or invasive computing. Some European privacy officers believe that ambient intelligence is an even greater challenge to European privacy enforcers than terrorism. Ambient intelligence refers to an environment in which electronic devices support human beings in their daily activities.
Michael G. Michael, a theologian and technology historian at the University of Wollongong, in New South Wales, Australia, warned that uberveillance, a term he is said to have created, will lead to increased cases of insanity and mental distress. “Mental illness will become an increasingly confronting factor as these issues develop,” he frowned.
Another threatening term often used in these contexts is nanotechnology, which refers to a miniaturization of technology allowing applications originally deemed impossible. Still another term is biobanking, which, in the words of an IBM developer, aims to empower researchers to have access within the human body to a chip that has data on a person's clinical records combined with his or her molecular make-up.
For more on this, including current practices of manipulating children on commercial Web sites primarily of interest to kids, ask us for a sample copy of our October 2007 issue. 401/274-7861.
- From August 2007
This regular feature provides ways to use 20 minutes of your life each month to protect your privacy or the privacy of others.
The Federal Trade Commission is seeking comments on uses of Social Security numbers in the private sector that may contribute to the epidemic of identity theft. The FTC also plans to host one or more public forums on the issue in the coming months. It is following up on a report by the President’s Identity Theft Task Force, led by Attorney General Alberto Gonzales and FTC Chair Deborah Platt Majoras.
Include this information: “SSNs in The Private Sector – Comment, Project No. P075414.” Need more information? Call the FTC at 877/382-4357. Need suggestions? Ask us.
Is Googling Fair?
-- From June 2007 issue (excerpt)
A well-known psychotherapist in western Canada has been permanently denied entry to the U.S., where his two grown children live. Why? Because of Google.
The man was detained at a border crossing in the State of Washington when the guard took his passport, turned to his computer, and Googled the traveler's name, “Andrew Feldmar.”
Google produced a link to an article that Feldmar wrote in a journal called Janus Head in 2001, which mentioned his use of LSD almost 40 years ago.
Feldmar had crossed the U.S.-Canadian border many times, but this crossing turned quickly into a nightmare. And he is no stranger to harsh treatment by security guards. . . .
Is Googling fair? The main unfairness is that Google does not vouch for the accuracy of the information it uncovers, nor does the Web site that displays the material. A new generation has come of age thinking that if it’s on a computer, it’s true. They rely on what they read on untested Web sites. Employers – and law enforcement – increasingly use search engines and social-networking sites to check out persons of interest.
On the other hand, getting information by a search engine is little different than stumbling upon it in a daily newspaper – just a lot easier and a lot more inclusive.
A year ago an informal hearing officer in the U.S. Department of Commerce Googled an employee facing termination for repeated and admitted misuse of government vehicles and expense accounts. On appeal, David Mullins complained, “She Google-searched my name. . . and came across my alleged prior removal from the Air Force.” He appealed again, saying among other things that his firing was based on information from an ex parte Google search. The Court of Appeals for the Federal Circuit in the District of Columbia ruled May 4, 2007, that there was plenty of other evidence – admitted by Mullins – to support the firing and that the information from Googling did not influence the firing decision because it had been revealed earlier.
For the full story, ask for a sample copy of our June 2007 issue.
'Fusion Centers' Now Consolidate Data - With No Accountability
- From July 2007 issue
"In developing our country's response to the threat of terrorism, public safety leaders from all disciplines have recognized the need to improve the sharing of information and intelligence across agency borders. Every law enforcement, public safety, and private sector official involved in information and intelligence sharing has a stake in this initiative. Leaders must move forward with a new paradigm on the exchange of information and intelligence."
From this statement in a report by the grant-making office of the U.S. Department of Justice came the impetus for creation of “fusion centers” in urban regions.
"What Is a Fusion Center?" asks the same document. “A fusion center is an effective and efficient mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to fight crime and terrorism by merging data from a variety of sources."
Fusion centers are also a consolidation of personal information in the hands of federal, state, and local law enforcement agencies and even private-sector security, often with no oversight, no accountability, and no guidelines concerning the accuracy and use of the personal information in their possession.
When the governor established such a fusion center in Massachusetts in 2005, Carol Rose, executive director of the American Civil Liberties Union there, wrote, "[The problem with the idea] could be that it provides one-stop shopping for identity theft. Or that it diverts millions from community policing, while Boston struggles with a rising homicide rate and 239 fewer cops on the beat than six years ago. Or maybe that history and the 9/11 Commission showed that gathering piles of data doesn’t equal sound law enforcement.
"No, the biggest problem with the Commonwealth Fusion Center is that Governor Romney's system has no accountability, at a time the feds are abusing their power by spying on progressive U.S. activists." There have been similar complaints in Texas, where the fusion center will amass lots of personal information under the control of the governor. "In the fusion center, the governor will have at his disposal both public and private databases on Texans. This could potentially include everything from what magazines you read to traffic tickets and arrests," wrote Jake Bernstein, executive editor of the progressive watchdog publication The Texas Observer.
There are fusion centers in an estimated 38 states plus a half-dozen at the regional level like the widely heralded Joint Regional Intelligence Center (or "Jay-Rick") in Los Angeles. Fusion centers were designed as a mechanism to share information, maximize resources, streamline operations, and improve the ability to fight crime and terrorism by merging data from a variety of sources, including anonymous tips.
Thomas E. McNamara, of the National Intelligence Office, appears to be spearheading the effort, although the Department of Justice funds the centers.
Justice has made noises about requiring privacy-protection standards but without specifics, according to Carol Rose.
"We just met with Governor Deval Patrick with an eye towards developing privacy protections," she told PRIVACY JOURNAL. "Perhaps what Massachusetts develops can be a model for the other fusion centers around the country."
For more on "fusion center," ask for a sample copy of our June 2007 issue.
It's Gonna Costa Ya'
- Excerpt from a longer story chronicling Federal Trade Commission fines for privacy violations
From the April 2007 issue
Microsoft helped the FTC nail a tech-savvy Hawaii couple sending hard-to-trace pornography over the Internet; the FTC secured an order freezing the assets of their operation, called Net Everyone. Another company, ICE.com, had to give up $6,500, roughly $1 per email sent to persons who had requested to receive no more. In January the FTC staff announced that it would collect a total of $1.624 million from five small online porn operations for not labeling their electronic mail as “sexually explicit.”
After complaining to a court that an online marketer named Jumpstart offered free movie tickets to consumers in exchange for the names and email addresses of five or more of their friends, the FTC secured a penalty of $900,000 a year ago. The problem with the marketing plan, the FTC alleged, was that Jumpstart disguised its commercial email messages as personal messages, and that is a deceptive trade practice.
Kodak Imaging Network, formerly Ofoto, Inc., paid a modest $32,000 penalty to the FTC, for the modest transgression of not providing an opt-out mechanism in its commercial emails. The amount represented the estimated proceeds from the mailings. In November a small outfit called Yesmail, Inc., operating as @Once Corp. forfeited $50,717.
A credible commercial book club called Bookspan, a Doubleday affiliate, forfeited $680,000 last year after the trade commission staff caught it dialing sales calls to persons who had already said, “No thanks” on the national do-not-call list.
Credit Foundation of America Inc., a debt-management firm marketing to consumers, paid up even more last year, nearly $1 million, for making deceptive pre-recorded calls to residents. And last June a seller of discount health and prescription drug cards and its telemarketer agreed to pay civil penalties of $300,000 and $50,000 to settle Federal Trade Commission charges that they have been violating the do-not-call law. A Southern California-based mortgage broker forked over $50,000, and a similar operation was originally assessed nearly $500,000.
For the full story, ask for a free sample copy of our April 2007 issue. Specify hard copy or email edition. firstname.lastname@example.org. 401/274-7861
The Case of the Telltale Foreheads
- From February 2007 issue
All is fair in politics – at least to the staff of a TV program in Italy called Le Iene (The Hyenas).
The program, which satirizes personalities of the establishment, found a way to poke fun at Members of Parliament who had sponsored Europe’s most restrictive national anti-drug law last February. Here is what they did:
A “reporter” from the program invited 50 members of the Lower House to discuss the budget on camera. At a break in the taping, an assistant would pat the forehead of each interviewee, presumably to replenish make-up.
In fact, the staff was gathering perspiration samples. They tested the sweat samples for drug use in the past 32 hours.
Le Iene announced that its upcoming program would show that a third of the members tested positive; 12 out of the 50 would show marijuana use and four cocaine. “One MP in three enjoys a spliff or a snort,” chortled one staff member.
There was outrage immediately. One Member of Parliament sued and demanded the immediate seizure of his sample (yet insisting he “had nothing to hide”). The staff vouched for the reliability of the sweat test. FOR THE REST OF THE STORY, ASK FOR A FREE COPY OF OUR FEBRUARY 2007 ISSUE.
New Federal Law Bans Pretexting To Get Phone-Call Information
- From the January 2007 issue
Congress at the end of its 2006 session approved a bill to punish anyone who through fraud buys or acquires or receives or sells or attempts to sell “confidential telephone information” about customers.
The new law defines protected "confidential telephone information" as data concerning the type or destination of calls or data “contained in any bill, itemization, or account statement provided to a customer.” It protects calling information in Internet Protocol-enabled voice services.
The law will not preempt 15 state laws that already punish acquiring telephone-calling records by pretext (pretending to be someone else). [See PJ Dec 06.]
Find this law, Public Law 109-476, already listed in the 2006 Supplement to our Compilation of State and Federal Privacy Laws. Essential for anyone who follows privacy happenings.
Do You Believe in Redemption?
In the Privacy Field, You Must.
-- Take, for instance, these examples from our December 2006 issue:
* In 2004, ChoicePoint, which sells personal data on consumers, discovered that thieves posing as legitimate businesses were able to access ChoicePoint profiles that include Social Security numbers, credit histories, criminal records and other sensitive personal information. It paid $15 million in penalties.
In 2006, ChoicePoint appointed a chief privacy officer and a consumer advocate office under its vice president and chief public and consumer affairs officer as “another great enhancement to our privacy and information security portfolio.” This month, it sent its president, Doug Curling, out to sit down with privacy advocates. * * *
* Throughout most of the Twentieth Century Russia trampled on the privacy and autonomy of its citizens. In July 2006, Russia joined the European data protection club of nations by enacting a European-style data-privacy protection law and another law permitting access to government documents.
* The Electronic Privacy Information Center filed a privacy complaint in 2001 with the Federal Trade Commission about Microsoft’s Passport scheme, which permits users to enter personal information into a packet on their PCs and thereby allow them to complete application forms later easily (and mindlessly). In 2006, Microsoft Chief Privacy Strategist Peter Cullen unveiled a “global online identity system” [see PJ Nov 06] that generally won praise from privacy activists, including EPIC.
* In May 2006, the Department of Veterans Affairs experienced a huge scare when a laptop with sensitive data on 26.5 million veterans and active military personnel was stolen from a staff member at home. As penance, the department has embarked on a bold campaign pushed by its secretary to create what it calls “the Gold Standard for data protection.”
For the full stories, ask for a sample copy of our December 2006 issue.
States Prohibit Pretext to Get Phone Records
- From the October 2006 issue
California is the latest of 15 states to prohibit using pretext or deceit to get a list of the telephone numbers you have dialed or a list of the telephone numbers dialing into your telephone.
Each of these laws has come in 2006, prior to the revelations about Hewlett-Packard's corporate snooping. Ask us for a copy of our October issue for the full story and to see whether your state is included. Call 401/274-7861. Fax 401/274-4747.
Rules for Uniform Drivers License Coming
- From the September 2006 issue
State officials – not to mention privacy lobbyists – are dreading the imminent publication of draft regulations to implement the REAL ID Act.
The law, part of the intelligence reform law in December 2004, requires precise identity documents and personal information to be presented to state motor vehicle departments in order to get a driver’s license that will be accepted for federal purposes. It requires date of birth, physical address, and signature on all such licenses, but leaves other required items to a negotiated rulemaking.
The law creates a de facto national identity card. Strictly speaking it would be required only to enter federal buildings, hold a federal job, or get federal benefits; but law enforcement, state and local governments and businesses are likely to insist on the card.
The Department of Homeland Security was designated to draw up regulations, which reportedly have been approved by the department’s privacy officer and legal counsel. The Office of Management and Budget and the Homeland Security policy office must also sign off on them before they are published for comments by the public.
Those who have seen the draft say that Homeland Security officials did not welcome the task. They are three months past their deadline. They are proposing “a federated system” in which a task force will be appointed to arbitrate the hard questions, like exceptions to the general requirements, the precision of ID documents needed, the data required on the license itself, and costs of implementation. At present the DHS drafters are promising to have civil liberties and business representatives on the arbitration body.
Some states, like Arizona, embraced the idea of a uniform driver’s license and moved to implement the law, which goes into effect in 2008. Others find it outrageously expensive and have resisted it. Elected officials in New Hampshire went so far as to nearly vote to ignore the federal mandate totally, and to risk having the state’s citizens object when their state driver’s license is not accepted for federal purposes.
The National Governors Association, National Conference of State Legislatures, and American Association of Motor Vehicle Administrators have completed a study of the costs and will release it Sept. 21. Bonnie Rutledge, DMV commissioner in Vermont, heads the motor vehicle administrators’ REAL ID steering group. FOR MORE, ask for a free copy of our September issue, by email or phone.
Do You Still Have an Expectation of Privacy?
By Robert Ellis Smith
From Privacy Journal June 2006
Do you have a reasonable expectation of privacy? In the identity of the phone calls you make and receive? In your bank records? In your travels from place to place? In your medical records? Your phone conversations? Your Social Security number? Your Internet browsing? (Careful, it’s a trap question.)
What if the government or a private agency begins getting access to personal information that you previously assumed was reasonably confidential? Does that obliterate your “reasonable expectation of privacy”?
It took a Canadian to raise the question. At a conference on privacy at Carleton University in Ottawa last fall, Stephanie Perrin, now with the federal Privacy Commissioner’s office, rose to say that talking about an expectation of privacy in these times is a trap. “We should be talking about a reasonable need for privacy.” She went on to point out that we have a need for privacy in many areas even though that privacy has been eroded. In other words, governmental and business practices ought not eliminate a “reasonable expectation of privacy” on the part of the individual.
Other Needs, Not Expectations
Can’t the same be true about environmental protection? We may not expect clean air and clean water, but we do need them and are entitled to them. Or consider personal safety. We may not expect safe neighborhoods and cities, but we need them.
In 1967, when the U.S. Supreme Court ruled that the Constitution protects “people, not places,” a lot of people and a lot of judges came to believe that the court had set a standard that the Constitution protects “a reasonable expectation of privacy” – and apparently only a reasonable expectation of privacy. But there is no basis for this in case law over the years.
The term never appeared in the court’s opinion in Katz v. U.S. (The court spoke of “the privacy upon which he justifiably relied.”) The idea of “reasonableness” comes from the concurring opinion by Justice John Marshall Harlan. He was characterizing the majority opinion saying that for a Constitutional violation “first, that a person must have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”
What the majority opinion actually said was that notions of private property and trespass were not really relevant in protecting the Constitutional right to privacy. What matters is what a person “seeks to preserve as private, even in an area accessible to the public.”
It is important in these times to recall that the Supreme Court in its 1967 decision invalidated the kind of government wiretapping that had been unchecked virtually since the invention of the telephone system. In the Katz decision, the court found a privacy interest against a practice that had been commonplace until then.
Yet, privacy advocates are constantly confronted with proclamations from government and corporate lawyers that there can be no reasonable expectation of privacy against practices that we have known about for years. Sometimes this is morphed into a “legitimate expectation.”
Under that reasoning, we had a reasonable expectation of privacy in our bank transactions only until the Bank Secrecy Act was enacted in 1970, or only since passage of the Gramm-Leach-Bliley Act in 1999.
We had a reasonable expectation that credit bureaus wouldn’t sell information in our credit reports without protections of the Fair Credit Reporting Act until they began to do so in the early 1990s.
We had an expectation that credit bureaus would not use Social Security numbers to confirm the identity of credit applicants until they began to do so in the early 1990s (and gave rise to an epidemic of identity theft).
We had a reasonable expectation of privacy in the contents of our medical files until a regulation under a 1996 law, HIPAA, removed much of that.
We had a reasonable expectation in the confidentiality of our records held by libraries, travel agents, real-estate agents, brokerages, retail stores, and private clubs. Did that disappear with Section 215 of the PATRIOT Act, enacted in 2001 and renewed in 2006? (Much of that act requires that a terrorism investigation be a predicate for governmental demands into these files, but not all of it.)
We had a reasonable expectation of privacy in overseas phone conversations – at least if there was no probable cause of criminal activity or a need to gather foreign intelligence – until that was taken away by the Bush Administration.
We had a reasonable expectation of privacy in the numbers we dialed and the numbers of persons who phoned us – at least if we didn’t create any suspicion in our activities – until that was taken away by the Bush Administration.
We had an expectation that our Internet browsings would be confidential until the Department of Justice decided in 2006 that it would be a fine idea for Internet service providers to preserve that information for later government access.
A Loser for Citizens
What’s left? Under the “reasonableness” formulation (a loser every time for individual rights), we still have an expectation of privacy that our transactions at automatic bank teller machines in our neighborhoods and around the world will not be used to track our movements and prevent our making withdrawals. But do we forfeit that as soon as the government decides that it needs to use the ATM network for that purpose? Will it be said, “Americans cannot really expect that their ATM transactions won’t become known to investigators when this capability has existed for years and when the transactions take place in public”? (The Right to Financial Privacy Act of 1978 seems to require that customers get advance notice when federal agents get such access, but the PATRIOT Act may override that.)
Under the “reasonableness” formulation, we still have an expectation of privacy in a secret ballot. But where does that come from?
No law requires a secret ballot, no Constitutional provision, no court decision. And the secrecy of the ballot has been compromised from time to time when courts are investigating allegations of fraud. Yet we rely on it. Will the Bush Administration discover that this element of democracy is protected only by tradition, thereby allowing it to probe into the way each of us votes? The wedge has already been provided in the Help America Vote Act, which requires a driver’s license or portion of a Social Security number in order to vote. It creates state databases to keep track of voters and their identifying numbers. Experts testified just last month that the creation of these databases significantly increases the possibilities that hackers will be able to penetrate voting records.
If the government regarded a resolution to “fight terrorism in Iraq” as authority to monitor overseas telephone calls without regard to the federal law already on the books (as it did), will it regard the PATRIOT Act as authority to track citizens through their ATM usage? Will it regard the Help America Vote Act as authority to probe into the way we are voting? Will we then say collectively, “Gee, we thought that information was private. We had a reasonable expectation of privacy in that information.” And the government will say, paraphrasing Justice Harlan, “That was not an expectation that society is prepared to recognize as ‘reasonable’ under this administration. Just last month experts testified that hackers can get into voting information.”
Copyright © 2006 Robert Ellis Smith
Medical Theft of Identity
- From July 2006 issue
The World Privacy Forum warns about the emergence of theft of medical identity. Fraud artists are getting medical treatment in the name of a victim. The victim has no knowledge of the transaction until he or she discovers in the patient record mysterious entries for medical procedures he or she did not have.
Sometimes only insurance or payments information is used, not names or Social Security numbers.
One victim was told that he couldn’t have access to the information in his own medical file because it doesn’t pertain to him, it pertains to an impostor.
It is said that the former wife of Rep. Joe Barton, R-Tex., has had a stranger get medical treatment under her name in their hometown of Ennis, Tex. Barton is chair of the House Energy and Commerce Committee, which held hearings on theft of identity (the original version) in March.
The University of Connecticut Health Center reports a dozen attempts each week of persons trying to impersonate beneficiaries, sometimes to secure prescription drugs. Across the nation, this has resulted in additional requirements for patients to show identification documents before getting treatment. Blue Cross has begun warning its subscribers about medical ID theft.
For the full story, ask for a sample of our July 2006 issue.
Our June 2006 issue included an article (see above) pointing out how some ill-informed lawyers' notions about "an expectation of privacy" actually diminish your privacy.
Don’t Believe the Number Of Laptop Losses of Personal Data?
See page three of our July 2006 issue for a complete listing of the losses of laptops with personal data in them.
Ask for a sample copy.
Another Credit Score to Decipher
- From May 2006
Just when you got used to figuring out your “FICO score” and its importance to determining your credit-worthiness, the Big Three credit bureaus want to change all that.
For years the benchmark for rating consumer-credit applicants has been the FICO score developed by Fair Isaac from data supplied by each of the Big Three. Each of the credit bureaus used its own data and formulas to score consumers and each credit grantor had different criteria for assessing a FICO score.
After a long battle [by PRIVACY JOURNAL and others], consumers finally got access to their own scores, which range from 300 to 850, with 720 generally regarded as the cut-off for acceptable risk. About 80 percent of the major lenders use the FICO score.
But Experian, Equifax, and Trans Union, which are supposed to be competing with each other, got together and did an end-run around Fair Isaac. They created their own credit score, based on a lettering system, A through F. The new product is to be called VantageScore. (The letter grades are backed by a numbering system roughly equivalent to academic grades; 901 or higher equals an A, 801 to 900 equals a B, etc. This means that a 720 as a VantageScore is so-so, but from Fair Isaac is a respectable credit score.)
“This will only cause confusion in the marketplace,” said Travis Plunkett, legislative director for the Consumer Federation of America. The three separate national credit bureaus will use the same methodology but will issue different scores for the same person. They will charge perhaps $5 for a consumer to see his or her own score, beginning next month. By federal law, consumers are entitled to see their own credit scores.
One analyst of the industry, Bill Hardekopf of LowCards.com, said that this scheme is a way for the major credit bureaus to recoup revenue that they lost when Congress in 2003 required free credit reports for any consumers who ask.
“This isn’t about making credit easier for the little guy,” writes Liz Pulliam Weston, personal finance columnist for MSN Money. “This is business.”
For more about credit reports, ask us for a sample copy of PRIVACY JOURNAL with information about credit bureaus. email@example.com
Most Trusted Federal Agencies
- From March 2006
Ponemon Institute asked respondents in a survey which federal agencies they trust the most in handling personal information. Some of the results, showing the percentage of persons with confidence in the agency:
U.S. Postal Service 78 percent
Department of Veteran Affairs 76
Internal Revenue Service 75
Social Security Administration 70
Federal Trade Commission (FTC) 70
Bureau of Consumer Protection 68
National Institutes of Health 68
Federal Court System 67
Census Bureau 66
Military (Army, Navy, Air Force, Marines) 62
Bureau of Labor Statistics 62
Federal Emergency Management Agency 58
Department of Commerce 57
Department of Health & Human Services 56
Small Business Administration 55
Department of Education 55 * * *
GOVERNMENT AVERAGE 52 * * *
Federal Bureau of Investigation (FBI) 42
Immigration and Customs Enforcement 40
Bureau of Citizenship & Immigration 39
Drug Enforcement Agency (DEA) 38
Transportation Security Administration 30
National Security Administration (NSA) 29
Department of Homeland Security 27
Central Intelligence Agency (CIA) 27
Department of Justice 24
Office of the Attorney General 22
ASK FOR A FREE SAMPLE OF OUR MARCH 2006 ISSUE FOR THE REST OF THE STORY
Personal Phone Number for ID
- From February 2006
Presenting a Social Security number is offensive to many people and it’s a publicly known number. It was never intended as an all-purpose ID. Microchip implants and tattooed bar codes may finally stretch the acceptability of the American public to the breaking point. (But who’s to say?)
Industry apologists herald “biometrics” as the best method for establishing identity. They regard matching of fingerprints, voices, eye characteristics, or facial geometry as impeccable methods for confirming a person’s identity. But every biometric identifier has false positives, sometimes 10 percent or more.
Latanya Sweeney has a better idea. Why not issue an individualized “identity telephone” to everyone?
She stresses that the idea is no more than an “academic exercise,” not a pragmatic proposal.
She and her computer science students at Carnegie Mellon University in Pittsburgh have been studying the possibility of issuing a tiny cell phone at birth that would combine elements of a camera, a fingerprint reader, geographical positioning (GPS), perhaps recognition software, and wireless technology.
To charge a purchase or enter a secure facility, a person would provide his or her “ID number/phone number.” The person seeking verification would call the number and the holder of the phone would acknowledge the call by pressing a key. That return signal would also verify the location where the person is at the present time.
Credit-card companies would bill directly to the phone number, perhaps with the use of an additional PIN. “There’s no extra information floating around,” says Sweeney; “the phone really just packages the needed information for a particular transaction. It separates people from the information about them. There’s no need for a central database.”
If the phone is lost, it is simply deactivated. Sweeney’s scheme would allow a government office to disable phones and reissue new phones.
For more on this story, ask us for a free copy of the February 2006 issue.
Cell Phone Numbers Called - Get 'Em Online
- From December 2005 issue
A mother of two children living in central Massachusetts was shocked to discover that her estranged husband could easily get a list of the telephone numbers she had dialed from her cell phone. “I’m sure he wanted to make sure I wasn’t seeing anyone,” says the woman. “He found a cell phone number that he didn’t recognize, called it and left threatening messages.”
For about $100 at several Internet sites, the husband and many others like him can purchase lists of numbers dialed from a targeted person’s cell phone. The same is true of land-line phone calls.
Is it legal? No state or federal laws restrict telephone companies from disclosing such information about customers, although most have policies against disclosure. How do the Internet brokers get the information? It’s possible that they pay a person within the phone company to provide the data – a disgruntled employee, a former detective now in the company security department, or a clerk who applied for a job precisely to feed the data brokers and make some extra money. Or perhaps it’s simpler than that: A security consultant in Quebec City reported that he was able to get call records faxed to him from major phone companies merely by knowing the targeted person’s postal code. Another method: Hackers can use special software to make their own number appear on call displays regardless of where they are calling from. Phone companies rely on the call display as confirmation of the caller’s identity and then provide the information to the imposter, according to the Quebec consultant. . . . ASK US FOR A FREE SAMPLE OF THE DECEMBER 2005 ISSUE, FOR THE FULL STORY.
Rosa Parks of Privacy Protection?
A 50-year-old mother of four children living in Denver faces minor federal charges this month for declining to provide personal identification while on a city bus on her way to work. One of her kids is soldiering in Iraq.
The RTD (Regional Transportation District) bus that Deborah Davis took to work in September happens to pass through the Denver Federal Center in Lakewood, Col. As she was sitting reading a book, a federal guard climbed aboard and demanded to see her identification. . . . what happened to her? ASK FOR THE JANUARY 2006 ISSUE FREE.
- From November 2005 issue
“Fifty million consumers have had their data compromised this year, though I don’t think the sky is falling.”
- Michael Turner, president of the Information Privacy Institute (whatever that is).
Credit References for Renters
- From November 2005 issue
The Federal Trade Commission has identified three new credit bureaus that attempt to provide credit information on tenants and low-income consumers whose present credit transactions don’t show up in the credit reports of the major bureaus, Equifax, Trans Union, and Experian.
One is PayRentBuildCredit based in Annapolis, Md., www.prbc.com. The founder concedes that getting credit data from millions of landlords is formidable, and so he has “verification partners” like mortgage brokers and insurance companies report the data.
At no cost, consumers may take receipts, cancelled checks, and utility bills to one of these “partners” to verify rent or utility payments. The businesses then report the information to PayRentBuildCredit, to create a record of the person’s credit history.
Fair Isaac, which creates credit scores from traditional credit-bureau data, has another score for those with thin credit. "The FICO Expansion" score gathers information from non-traditional sources. www.ficoexpansionscore.com/LenderValue.aspx. But among the sources are “payday loans,” intended to bridge the borrower’s cash-flow gap between paydays. Consumer advocates disapprove of using pay-day loan information because they believe this type of borrowing is not in a consumer’s best interests.
First American Credco, which first offered consolidated credit reports (“Instant Merge”) based on reports from the Big Three, has begun selling a supplement called NTReport, which includes data from non-traditional sources like rent and utility payments. www.credco.com/emerging
For the full story, ask us for a free copy of our November 2005 issue.
Spend 20 Minutes for Your Kids
- From October 2005 issue
You may have thought that personal information possessed by your child’s school is protected, but that is not always so. The Department of Defense has a pervasive program for harvesting 4.5 million students’ addresses, dates of birth, even cell-phone numbers and e-mail addresses. The data file also includes Social Security numbers, in apparent violation of the federal Privacy Act. This is part of the Joint Advertising, Market Research and Studies program (JAMRS) in the Pentagon.
The infamous No Child Left Behind law, 20 U.S. Code 7908(a)(1), requires schools to turn over this data to military recruiters. It also provides parents with a chance to opt-out and demand that schools not disclose the information. But parents have to act to make this happen.
It is best to make a request in writing, and be sure to state whether you want your option to apply only to military recruiting or to all requests for directory information about your child (name, grade level, etc.).
Parents and students may also take advantage of the Defense Department’s own “name-suppression” database. Write JAMRS Opt-Out, 4040 N. Fairfax Dr., Suite 200, Arlington, Va. 22203. For more information, go to www.pta.org/documents/military.pdf.
The Pentagon has contracted with a marketing company named BeNow in Wakefield, Mass., to collect and massage the data. The system also collects similar data on 4.6 million college students and data on other young people from other sources. Two of the sources are American Student List, which has long compiled marketing lists on students, and Student Marketing Group. The Federal Trade Commission has cited the first company for deception in its data collection, and the New York State Attorney General has cited the second company for collecting data on students through phony survey forms.
Best advice: Insist that your child bring home any survey form before filling it out. Under the No Child Left Behind Act, ask that your school not release data on your children. Complain to 703/601-4722, Records Management Section, Pentagon 1155, Washington D.C. 20301-1155, that you think that the Defense Department’s operation of this information collection violates the federal Privacy Act.
Entire contents of this Web site:
Copyright © 2010 Robert Ellis Smith
Letter to the Editor
- From August 2005 issue
From St. Paul, Minn.: Awesome articles on the cover and on page three of the July issue [RFID tags required of elementary students in California and parallel efforts to impose a national ID card]. “Scarifying,” as usual.
Would you provide a discussion of, or references to, solid and specific information about privacy implications (if any) of switching phone service to Voice Over Internet Protocol (VOIP)? Specifically, privacy implications for employees when the employer makes the change to VOIP?
For example, I assume that a record of outgoing calls (date, time, destination, length) is captured “in-house” and thus more easily accessible to the employer than records kept by a phone service provider – especially for local calls. Is the source of an incoming call recorded anywhere other than on the telephone set (caller ID, etc.)? As computer keystrokes can be recorded, can phone set “pulses” be tracked also? And what is the system’s ability (if any) to record or monitor the content of the calls as voices are “digitized” and sent over the Internet?
Response: Employers and others indeed have the capability of monitoring, logging, and tracking conversations transmitted via VOIP, as they do over existing telecommunications technologies. Your inquiry is timely. Phil Zimmermann, the man behind the popular and accessible Pretty Good Privacy encryption program for e-mail, has just announced that he is launching a new program that aims to provide the same security for Internet phone calls.
Like PGP and PGPfone, which he created as human rights tools for people around the world to communicate without fear of eavesdropping, Zimmermann’s new program, zfone, is intended for everyday users and for businesses seeking to combat corporate espionage. Whether employees will be permitted to use the product at work is another question.
VOIP, or Internet telephony, allows people to speak to each other through Internet connections. VOIP uses broadband networks, making conversations vulnerable to eavesdropping.
If you look out the windows of the downtown Boston offices of the American Civil Liberties Union of Massachusetts, you see surveillance systems closing in on you.
“Even in Massachusetts – the nation’s historic ‘cradle of liberty’ – civil liberties are under threat in ways that don’t necessarily make us more secure,” says Carol Rose, executive director of the Massachusetts ACLU. The surveillance cameras and other high-tech devices installed for the Democratic National Convention in August have found a permanent home in Boston.
One of the greatest threats, in Rose’s mind, is a new automated fare collection system on the subway line that has no anonymous option if transit riders purchase their fare cards with a credit card or debit card. The purchase is linked to an individual’s identity, as is use of the Fast Lane toll option on the Massachusetts Turnpike and on most toll roads in the U.S.
In Boston senior citizens, students, or those who are disabled must now show identification documents and have personal information linked to their fare cards to get discounted rates.
The transit system (called “The T” or the MBTA) will document the identity of riders and time, date and location where they board a bus or trolley or pass through a subway turnstile. Because of the vagaries of Boston’s aging system, there are no card-reading devices or turnstiles at many disembarking points, and so the system doesn’t always record when a person leaves.
The new “smart card” is called a “Charlie Card,” named after “the man who never returned” when he got lost on the Boston subway, in the political song of the 1940s popularized by The Kingston Trio in 1959. (Charlie got lost because of a complicated fare system.)
MBTA officials see the Charlie Card as allowing it to track riders and ridership, cut down on fare evasion, and create a more efficient transit operation.
"It will be a magnet for identity thieves seeking to get this information, and the worst thing is that consumers have no idea this is going to happen to them,” said State Senator Jarrett T. Barrios of Cambridge, who has been urging the transit authority to strengthen its privacy protections.
For the complete story, e-mail or call 401/274-7861 and ask for a free sample of the June 2005 issue.
Careless Record Keeping: The Cumulative Effect
- From May 2005
To appreciate THE CUMULATIVE EFFECT, Privacy Journal newsletter compiled the following list of breaches of sensitive personal information, disclosed just since January. It's not an atypical list for a three-month period, but breaches are obviously getting more press attention.
* Tepper School of Business at Carnegie Mellon University reported that a hacker had access to Social Security numbers and other sensitive personal information relating to 5000 or more students, staff, and alumni.
* Tufts University notified 106,000 alumni, warning of "abnormal activity" on its fund-raising computer system listing names, addresses, phone numbers, and, in some cases, Social Security numbers and credit-card account numbers.
* ChoicePoint, the "information broker" based in Georgia, sold personal data on 100,000 or more persons to fraud artists posing as legitimate businesses.
* DSW Shoe Warehouse experienced a hacking incident involving access to an estimated 1.4 million credit-card numbers and names, 10 times more than investigators estimated at first.
* HSBC North America, which issues GM's MasterCard, urged all customers to replace their cards as quickly as possible because personal data was compromised. The customer records of Polo Ralph Lauren Corp., were involved.
* Ameritrade Holding Corp., the online discount broker, informed about 200,000 current and former customers that a back-up computer tape was lost during shipping.
* Canadian Imperial Bank of Commerce, CIBC, one of Canada's leading banks, misdirected confidential faxes sent to outside parties over a three-year period. Bank of Montreal, Royal Bank of Canada, Scotiabank, TD Bank, and National Bank have also misdirected faxes with customer information.
* Motor vehicle departments in four states have lost personal data. The Texas Department of Public Safety mailed to 500 to 600 licensed drivers renewal documents that pertained to other persons. In March, burglars rammed a vehicle through a back wall at a Nevada Department of Motor Vehicles and drove off with files on about 9000 people, including Social Security numbers. In April police arrested 52 people, including three examiners at the Florida Department of Motor Vehicles, in a scheme involving the sale of more than 2000 fake driver's licenses. Also, Maryland police arrested three people, including a DMV worker there, in a plot to sell about 150 fake licenses.
* A Boston-based storage company named Iron Mountain Inc., lost Time Warner Inc.'s computer back-up tapes with Social Security numbers and names of 600,000 employees and dependents. This is the fourth time this year that Iron Mountain has lost tapes during delivery to a storage facility, according to The Wall Street Journal.
* Someone gained access to the personal information of 59,000 students at California State University, Chico, the university revealed in March.
* A laptop that contains about 100,000 Social Security numbers of students and personnel at the University of California, Berkeley was stolen from the school's campus.
* Someone hacked into a database at the Kellogg School of Management at Northwestern University, possibly exposing data pertaining to 21,000 individuals.
* More than 1600 parents discovered in January that records in the Colorado State Health Department relating to an autism study were lost.
* * * A free copy of the current issue of Privacy Journal is available through firstname.lastname@example.org. Specify e-mail copy or hard copy (and include a mailing address).
A press interview with Publisher Robert Ellis Smith
- From April 2005 issue
1. Issuing your special report on ChoicePoint is interesting timing. Do you really think it’s a good idea to kick a good company like ChoicePoint when it’s down? In football, piling on draws a penalty.
Robert Ellis Smith: I’m a journalist. Everybody needs to know about this company. It has been in the headlines but people do not realize that it grew out of Equifax, that it has been out of compliance with FTC orders for years, and that it is closely allied with the voter-list purge in Florida in 2000 and the development of “Matrix.” If mere words can crumble a company, it deserves not to survive. [To download the report on ChoicePoint, click below.]
2. Did you decide to issue your special report before the revelations about the loss of data made earlier this year?
Response: I issued it because of the many inquiries I have received wanting to know about the company and its nature. No one has covered Equifax more than I have.
3. What were some of its problems when it was Equifax? How did the company respond to privacy concerns before it became Equifax?
Response: When ChoicePoint was the insurance reporting division of Equifax, the FTC found it out of compliance with Fair Credit Reporting Act accuracy and correction requirements. Continually. ChoicePoint acquired an “information broker” that was known to be inaccurate, irresponsible and out of compliance with the FCRA (CDB Infotek).
Equifax was formerly known as Retail Credit Co. It was abuses in the insurance and employment “consumer investigation” part of Retail Credit Co. that alone led to passage of the Fair Credit Reporting Act. That, in short, is why an act with “credit” in the title also regulates consumer investigations for insurance and employment purposes. See my book Ben Franklin’s Web Site for documentation of this. Within three years after the FCRA was enacted, the part of Retail Credit Co. now known as ChoicePoint was found by the FTC and a federal court to be out of compliance with the act in serious ways.
For the rest of the story, ask for a free sample of our April 2005 issue.
ID Theft Mainly in America. Why?
- From March 2005 Privacy Journal
Theft of identity is largely an American phenomenon.
There are reasons for that. Other nations don’t rely on an identifying number – like a number to keep track of pension accounts or government benefits – for other purposes, like identifying consumers in credit reports.
Since the early 1990s credit bureaus in the U.S. have been collecting Social Security numbers and relying on the numbers to confirm a match when a lender requests a credit report on an applicant. By the same token, credit bureaus usually ask a consumer who wants to see his or her own credit report, as permitted by law, to provide a Social Security number to confirm his or her identity. The Federal Trade Commission, which regulates credit bureaus, actually encouraged this in the 1990s.
Strangers can get Social Security numbers from payroll records or buy them from Internet sites.
Thus, it’s not hard to see why theft of identity is easy in the U.S. A stranger need only get a Social Security number to match a name and then ask a credit bureau to provide a copy of “his” credit report. The impostor changes addresses on the credit accounts listed on the credit report.
For the full story, ask us for a sample copy of our March 2005 issue.
Choicepoint, A Corporate History
- From March 2005 Privacy Journal
In our March 2005 issue, we published a timeline of the ignoble history of ChoicePoint, a former division of Equifax that is now known mainly for massive sales of personal information in its files to ID thieves. Here is an excerpt:
1996 CDB Infotek advertises that it will sell information at the top of a credit report – “header information” like Social Security number, date of birth, phone number, and “a/k/a’s.” It offers access to Social Security account information, the change-of-address lists of the Postal Service, lists of registered voters (in violation of state laws in California and elsewhere), and data on personal assets. It sells criminal and civil-court records, demographics of a target’s closest neighbors, California driving records, employment reports, and much more. In 1992 CDB had been cited by the FTC for major violations of the credit-reporting law. CDB did not challenge the FTC findings.
1996 Seven months after CDB’s ad appears, Equifax purchases 70 percent of CDB Infotek and folds it into its Insurance and Special Services unit.
1997 An Equifax shareholder, in a formal demand for due diligence by the parent company, cites “law-breaking, fraud and unethical conduct” by CDB.
1997 Alarmed by its negative reputation with the acquisition of Infotek, its FTC cease-and-desist orders, and consumer lawsuits, Equifax spins off its Insurance and Special Services unit and calls it ChoicePoint. The new unit absorbs CDB’s files. It also takes in driver and motor-vehicle, divorce, marriage, corporate, property-ownership, and other data of questionable reliability owned by a company called Database Technologies, Inc., in Boca Raton, Fla. ChoicePoint’s independence is questionable. The chair of Equifax, Inc. is chair of the executive committee of ChoicePoint’s board of directors. ChoicePoint’s new president was executive vice president of Equifax.
For the full story of ChoicePoint from 1970 to the present, ask for a sample copy of our March 2005 issue.
For a report collecting all of Privacy Journal's past stories about this company (13 pages, $8.50),
Uniform Drivers License = National ID Card
- From January 2005 issue
Tucked away in the intelligence reform act enacted in December is Section 7212, requiring federal standards for state drivers licenses and identification cards.
While previous Congresses and Administrations flatly rejected similar proposals because implementation amounts to a national identification system, the 108th Congress overwhelmingly passed the bill containing this provision.
After the standards are finalized through regulations, states must certify they are in compliance, and the Secretary of Transportation may conduct audits to guarantee compliance. After a specified date, no state drivers license that fails to conform to the minimum standards may be used for any federal “official purpose.” This means a nonconforming license may not be used for such things as boarding an airplane, buying a firearm, obtaining federal benefits, or entering a federal building.
Section 7212 specifies some items that must be on a drivers license (name, date of birth, gender, drivers license number, digital photograph, physical address of principal residence, signature) but leaves other items to a negotiated rulemaking. The final requirements will be set forth in a regulation that must be published within 18 months.
From a privacy perspective, placing your physical address on a license or identification card advertises that information to anyone viewing the license. FOR THE REST OF THE STORY, ask for a free copy of our January 2005 issue.
Can Software Defeat 'Phishing'?
- From October 2004
New software tools to combat the intrusive on-line practice of “phishing” may require monitoring your Internet traffic in a way that is possibly more intrusive than the scourge of phishing itself.
Phishing accounted for an estimated $500 million in fraud in the past year, according to TRUSTe, a non-profit privacy group. TRUSTe’s new study also found that three-quarters of online users had experienced an increase in incidents in the past few months.
Phishing is the sending of an e-mail falsely claiming to be a legitimate enterprise, even using the logos of the enterprise, to tempt a user into visiting a site and surrendering personal information, which can then be used for identity theft and fraud.
Prominent victims include Bank of America, Best Buy, Citigroup, eBay, and their customers.
People are directed to Web pages that look identical to the companies' sites. Most ignore the “fishing” bait, but many bite. The practice is also called brand spoofing or carding.
The Securities and Exchange Commission warned this month about a scam in which phony e-mails purportedly sent by Smith Barney [pictured in our hard copy edition], a stock-brokerage unit of Citigroup, Inc., seek recipients’ account information.
In response, developers have created new forms of anti-phishing software; Microsoft has proposed new security standards directed at stopping the phenomenon. But are the new tools also intrusive? The first line of defense that companies such as MasterCard have used against phishing is simple, “intelligent” online monitoring. The electronic asset protection company NameProtect, for example, offers a service to MasterCard and others that scours millions of Web pages, domain names, chat rooms, and the like for indicators of online fraudulent activity.
For the REST OF THE STORY, call or write for a free sample of our October 2004 issue.
The ABCs of RFID
By Mikhail Zolikoff
- From August 2004
Beginning next year, observant consumers will notice an additional logo stamped on the products they purchase from retailers. This logo will indicate that the product carries an RFID (or “radio frequency identification”) tag.
RFID electronic chips are capable of storing unique identifying information about a product and then remotely transmitting that information to a tag reader by use of radio waves. Manufacturers will be using these miniature embedded tags to keep track of materials in production and distribution. Retailers are implementing this technology with the hope that the checkout experience will be shortened, inventory costs will be reduced, and product theft and shrinkage (the loss of product between the manufacturer and the shelf) will be eliminated.
Eventually these tags, also known as “Electronic Product Codes” (EPCs), will replace the familiar but outdated UPC, the Universal Product Code, or bar code. Distinct RFID tags would be assigned to each individual item; by contrast, a bar code is assigned to all identical items. RFID tags identify a particular item purchased at a particular time; bar codes merely identify a category of individual items. RFID tags have the capacity to transmit large amounts of data about an individual item. Bar codes, by contrast, can reflect only the identity of the generic product, brand, size, and pricing.
Privacy activists have repeatedly expressed their concerns that the RFID labels in consumer goods could potentially be used for tracking the possessor of the item without consent. While the electronic chip embedded within each tag has the capability of being “killed” or deactivated and therefore no longer able to transmit its identifying information, this has not been established as a default when consumers purchase their items and leave the store. As such, anyone with a tag reader – the devices are readily available on the Internet and the price is quickly dropping – could scan you, your car, or your home without your permission to determine which products you’ve purchased and have in your possession.
Hewlett-Packard, one of the corporate sponsors of the 27-mile Boston Marathon, sponsored a project in which RFID tags were embedded in the shoelaces of each runner in the event last April. As the runner ran across special mats placed along the route to Boston the transponder reported each competitor’s place and the running time to a Web site. Family members and news reporters could then access the information in real time.
Privacy critics of the technology ask us to imagine the consequences when the highly personal items we carry around day to day are identifiable without our consent.
For the full text of this story, ask us for a sample copy of our August 2004 issue.
Why Are Fingerprints Demeaning?
- From June 2004
Letter to the Editor
From Minneapolis: How can we explain, in a language the average American can understand, why fingerprinting foreigners is a bad idea? I have lots of theoretical arguments, but nothing visceral.
Response: We are familiar with fingerprints in a criminal context. That’s why it is an indignity to be asked for a fingerprint, in order to cash a check, cross a border, get public assistance, or hold a job. Getting fingerprinted is stigmatizing. It connotes suspicion. In addition, in the electronic age, the print image goes beyond the control of the individual who provides it, and probably beyond the control of the organization gathering it.
There is a real possibility that the electronic image could be affixed to a crime scene, to a piece of evidence, or other object, either maliciously or in error. The same is true of electronically stored signatures. Wise citizens know to refrain from providing such sensitive biometric bits of themselves before the technology has been fully tested for reliability and trustworthiness.
Further, providing a fingerprint in a law-abiding context increases the chances that an individual’s prints will be stored in the databases that are checked when latent prints are found at a crime scene - like the National Crime Information Center or the FBI’s automated fingerprint database. This increases the chances that the innocent individual will be identified by an erroneous match. These false positives are not frequent, but persons whose prints are not in the database have a zero chance of being the victim of a false match.
A component of privacy is autonomy – the ability to make personal choices – and to control sensitive personal information, even if it is accurate. Within that definition, the collection of fingerprints from masses of law-abiding individuals is a loss of privacy.
Video Voyeurism Bill Advances
The House of Representatives is expected to pass a bill making it a federal crime to capture an “improper image” of an individual nude or in undergarments without consent, where there is “a reasonable expectation of privacy.” The so-called “video voyeurism” bill, S 1301, matches laws enacted in 32 states in the past five years but does not preempt or invalidate them. The federal bill, approved by unanimous consent by the Senate last September, exempts law enforcement and intelligence. Michael DeWine, R-Ohio, introduced the bill a year ago; in his home state prosecutors had difficulties trying to charge or convict a man accused of using a hidden video camera in his home to record unsuspecting female cheerleaders changing clothes to use his swimming pool.
For the complete story, ask for a sample copy of our June 2004 issue.
Nearly Half of Us Add Content
- From March 2004
About 44 percent of Americans who access the Internet have contributed content to it, in the form of photographs on Web sites (21 percent), or text (17 percent), like blogs or personal on-line journals. Thirteen percent have their own personal Web sites and 15 percent contribute to sites operated by their businesses or volunteer organizations. Users in their twenties are the most active, according to a new survey and report from the Pew Internet & American Life Project called “Content Creation Online,” www.pewinternet.org/reports/toc.asp?Report=113.
Among 3300 adults surveyed this year, 91 per cent were aware of the federal Do-Not-Call list and 57 per cent had registered with it; 25 per cent of those registered said that cold calling had stopped completely, while 53 per cent said they had received fewer calls. Humphrey Taylor, the chair of Harris Interactive, which conducted the survey, said: “It is rare to find so many people benefiting from a relatively inexpensive government program. This successful initiative now raises questions about the desirability of [permissive do-not-spam legislation enacted last December] when, according to other surveys by Harris Interactive, the overwhelming majority of those online find spam very annoying.”
Privacy Journal publishes up-to-the-minute news on meetings, new publications, polling, and legislative proposals each month. Write us for a free sample.
- From January 2004 issue
This monthly feature advises you how to protect your own privacy, by taking 20 minutes a month.
Dispose of any documents or correspondence that show your Social Security number, credit-card numbers, or other sensitive personal information only after shredding, either by hand or machine. If you tear off the portion with account numbers by hand, dispose of the pieces in a separate trash can and place it for collection on a separate day.
Or you can purchase a shredder, now a necessity in most homes.
The Man Who Just Said 'No'
- From December 2003 issue
He’s been called an “unemployed cowboy with no assets beyond a few head of cattle and a pickup truck.”
A newspaper article called him a grouchy farm hand. An article on the Web site of the Clark County (Las Vegas) Bar Association, which should know the libel laws, calls him “a drunk in rural Nevada.”
A national newspaper columnist said that his name should be Obstinate.
And that’s the whole point. Dudley Hiibel declined to give his name when approached by a police officer just outside the limits of his hometown of Winnemucca, Nev. (pop. 9400). A witness had reported to the deputy seeing a man strike a woman with whom he was riding in a pickup truck. The deputy found Hiibel standing by his vehicle at the side of the road. He assumed that Hiibel had been drinking. Eleven times the officer asked Hiibel to identify himself, and 11 times Hiibel declined. And so the officer arrested him on charges of violating a state law that requires a person to identify himself when police stop him or her with reasonable suspicion of criminal activity. The woman he was with was his daughter.
Hiibel engaged the public defender in Humboldt County, Robert Dolan, to defend him. Hiibel – known as Larry D. Hiibel in court documents – was convicted of obstructing and delaying a police officer, a misdemeanor worth a $250 fine.
When a higher court affirmed the conviction, Hiibel immediately turned to his lawyer and said, “I’m being treated like I’m in a communist country.”
Dolan sued the court on his client’s behalf, and the case of Hiibel v. Sixth Judicial District Court soon came before the State Supreme Court of Nevada. Hiibel, 54, was not seen at the oral arguments, but he managed to get three of the seven members of the high court to agree with him. But a four-person majority ruled against him. Now the U.S. Supreme Court has scheduled oral arguments for January in his appeal to the highest court in the land.
For the full story, and to learn what this has to do with personal privacy, send an e-mail or call us for a free sample copy of our December 2003 issue.
- From October 2003 issue
Credit-card company rules require merchants to accept a card charge without demanding additional ID or other information as long as the signature on the back of the card bears a "reasonable likeness" to the signature you provide on the credit slip. If you encounter a merchant requiring additional ID (or setting a minimum charge), report this to MasterCard at www.mastercard.com. (However, American Express allows some firms like WalMart and K-Mart to require you to provide your billing address Zip code in a digital key pad). In CA, DE, DC, FL, GA, KA, MD, MA, MN, NJ, NY, ND, PA, RI, and WI, it is illegal for merchants to record any extra information on credit slips like phone numbers, addresses, or ID numbers. For more on this tip for protecting your privacy, ask us for a sample copy of the October 2003 issue.
Federal Regulations for Ferry Travel
- From September 2003 issue:
All ferry companies in the U.S. must develop security plans by the end of the year that may lead some of them to demand photo IDs for passengers.
An interim Coast Guard regulation requiring new security precautions on maritime vessels does not require or even suggest demanding IDs; in fact, it says that a ticket is adequate proof that a person belongs on a vessel. But any ferry company is free to use the regulation to initiate a photo ID requirement for passengers, and the regulation recognizes the seagoing tradition that a boat captain may deny passage to anyone for any reason.
On a separate matter, the authority to search passengers, the interim regulation requires boat companies to “conspicuously post signs that describe security measures currently in effect and clearly state that . . . boarding the vessel is deemed valid consent to screening or inspection; and failure to consent or submit to screening or inspection will result in denial or revocation of authorization to board.”
However, the vessel operator must also “ensure vessel personnel are not required to engage in or be subjected to screening, of the person or of personal effects, by other vessel personnel, unless security clearly requires it. Any such screening must be conducted in a way that takes into full account individual human rights and preserves the individual’s basic human dignity.”
On IDs, the same section of the rule says that vessel operators must “check the identification of any person seeking to board the vessel, including vessel passengers and crew, facility employees, vendors, . . and visitors. This check includes confirming the reason for boarding by examining at least one of the following: (i) joining instructions; (ii) passenger tickets; (iii) boarding passes; (iv) work orders, pilot orders, or surveyor orders; (v) government identification; or (vi) visitor badges issued in accordance with an identification system required [by the regulation].” Further, the vessel operator must, “deny or revoke a person’s authorization to be on board if the person is unable or unwilling, upon the request of vessel personnel, to establish his or her identity.” * * *
For the full story, call or write for a free sample of our September issue.
Complaints Lead to New Air Travel Proposal
- From August 2003 issue
In response to complaints from privacy activists and advocacy groups for Middle Eastern ethnic minorities, the Transportation Security Administration in the U.S. Department of Homeland Security narrowed somewhat its proposal to gather and search out personal data on airline passengers.
The proposed CAPPS II program is intended to detect passengers who may raise suspicions that require heightened searches at airports. Originally TSA wanted to keep its data for 50 years; that has been curtailed to a day or two after a flight unless there is suspicion. Originally, TSA wanted to query credit records. That element has been left out of the latest, revised proposal. www.tsa.gov/public/display?theme=8&content=631, 68 Federal Register 45265, Aug. 1.
Still, the new proposal now calls for demanding date of birth from airline customers and for passenger records to be “run against commercial databases.” That usually means using ChoicePoint, a discredited database company that has been cited repeatedly for selling erroneous data. ChoicePoint has Social Security numbers, and home addresses, along with phone numbers of millions of individuals and some arrest data. (Attorneys in Florida have filed a class-action lawsuit against ChoicePoint and the parent company of Lexis-Nexis for allegedly obtaining drivers’ records in violation of the Driver’s Privacy Protection Act. Levine v. ChoicePoint, 03-80491 (S.D. Fla. 2003).)
If you object to providing a date of birth every time you make an airline reservation and object to a federal agency promoting use of the dubious databases of ChoicePoint, send comments to the Privacy Office, ATTN: Yvonne L. Coates, U.S. Department of Homeland Security, Washington, DC 20528. You must identify the docket number DHS/TSA-2003-1 at the beginning of your comments, and you should submit two copies. You may also submit comments via e-mail to email@example.com.
Twenty Minutes a Month
- from the May 2003 issue
This monthly feature advises you how you can campaign for privacy protection or protect your own privacy, by taking 20 minutes a month. If you subscribe within the next month, ask us for a copy of all of these tips, and we'll send it to you free.
One simple way to dramatically reduce your risk of identity theft and secondary use of personal information is to opt-out from prescreened credit card offers. These offers are sent to individuals whose credit reports match criteria desired by credit issuers. The problem with these offers is that they can be intercepted in the mail by a fraud artist and then used to obtain credit in your name. Prescreened offers are delivered not only by mail; there is a growing movement to transmit them by e-mail, which implicates even greater security risks.
You can opt out of prescreening from Experian, Trans Union, and Equifax by calling one phone number: 1-888-5-OPTOUT. Pay careful attention to the options on the phone menu. The first option on the menu will remove your information for only two years. The second option places you back on prescreening lists! The last option is the one that you want – it will remove your information from prescreened lists permanently. In order to exercise this last option, you will have to complete a form that will be mailed to you after you complete the telephone call.
Other ways to reduce the risk of identity theft: Provide your Social Security number only when the transaction has tax consequences or involves Medicaid or Medicare. Do not provide it to apply for credit, employment, or insurance. Don’t provide it by telephone to strangers or to anyone by fax. Check your own credit report for accuracy, perhaps once a year. Before disposing of documents with credit-card numbers or Social Security numbers on them, tear them in half, splitting the identifying numbers, and then deposit the pieces in separate trash containers.
From the April 2003 issue
In a new study, the Center for Democracy and Technology advises a couple of tricks to lessen the amount of unwanted e-mail advertising (Spam). List your email address on Web sites and newsgroups as username at isp.com [with spaces before and after the "at"]. Listing your real address, like firstname.lastname@example.org makes it easy for marketers to harvest it automatically and add it to their lists. Another idea: use a second e-mail address as the “public address” that you make available on-line and in commercial transactions.
In each issue, Privacy Journal provides tips like this and a listing of new publications and upcoming events relevant to protection of personal privacy.
-- From the March 2003 edition
This monthly feature in Privacy Journal advises you how you can change the world, or at least one part of it, by taking 20 minutes a month. This suggestion is submitted by Chris Hoofnagle of EPIC.
Customer proprietary network information (CPNI) is data collected by telephone companies about your phone calls. It includes the time, date, duration, and destination number of each local call on your account. Telephone companies wish to sell this information for marketing purposes and have mounted legal challenges to laws that increase privacy protections for your calling information.
Currently, the Federal Communications Commission is allowing telephone companies to use opt-out as a method for allowing consumers to end CPNI sharing. To protect the information about your calls, call your phone company and specifically request that CPNI not be shared. The telephone companies bet that you won’t call. In challenging stronger privacy protections, the Qwest Corporation described consumers as “uneducated, inattentive adults.” Let’s opt-out of CPNI sharing, and prove Qwest wrong!
The next time you receive a phone bill, be sure to call your telephone service provider, and request to opt-out of all CPNI sharing. The opt-out system varies among carriers, and in some cases, depending on the state in which you reside. Also, be warned that one company, Verizon, has established a toll-free opt-out system (866/483-9600), but the process is confusing and Verizon describes your right to opt-out as placing a “restriction” on your account.
A New Fashion Statement?
- From February 2003 edition
There is a “ChipMobile” moving about the nation – or at least about communities in Florida. It’s Applied Digital Solutions’ “state-of-the-art, fully equipped mobile unit to spread awareness about the benefits of VeriChip to wide audiences.”
VeriChip, first announced in December 2001, is a miniaturized radio-frequency identification device (RFID) that can be used in “a variety of security, financial, emergency, identification and health-care applications,” according to the company. It now has seven authorized VeriChip centers in Florida, Washington, D.C., and elsewhere in the U.S.
Back in September 1994, PRIVACY JOURNAL reported, “Entrepreneurs in the microchip-implant business who are eager to sell their products to ‘the human market’ have said that implanting identity chips in Alzheimer’s patients would be the most benign and publicly acceptable use of human implants with which to begin.”
Indeed, doctors for Applied Digital Solutions first implanted the tiny VeriChip transponder in a memory-impaired patient on May 10, 2002. Now there are 20 Americans walking around with them, including the company’s public relations consultant, who proudly wears an implant in his upper right arm. The new chips are inert demos right now because the reading devices for them are scarce and because the chips do not locate the individual or store medical information.
For the complete story, ask us for a sample copy of the February 2003 edition:
Virginia Citizen Makes Courts Think Twice
- From January 2003 issue
Court clerks throughout the nation may be moving to post court documents on their Web sites, but in Virginia that trend has skidded to a halt because of the efforts of one woman.
Betty “BJ” Ostergren of Hanover County began her campaign to warn citizens of the invasion of their privacy last August, when a local title searcher told her that the county clerk planned to place court records on-line. The records would include deeds of trust with signature facsimiles and Social Security numbers; certificates of satisfaction/assignments; homestead deeds; final divorce decrees; judgments and liens; wills; lists of heirs; fiduciary reports for estates; and Financing Statements (often called UCC’s).
BJ was infuriated by this prospect. She decided to spend money she had set aside for family Christmas gifts to launch a direct-mail campaign.
BJ Ostergren’s direct-mail approach was effective. She downloaded personal information from Web sites maintained by neighboring counties and mailed it to the individuals involved, along with a letter urging action. She started with King County. “I got the folks riled up over there and the Board of Supervisors eventually voted to kick the clerk off the Web site since he was using the county’s site,” she told FauquierNews, an electronic investigative newsletter on open records in Virginia edited by James Borland. www.fauquiernews.com
Ostergren claims credit for ending Internet publication of citizens’ documents in King William, Scott, and Warren counties. Her home county never went ahead with its plan. At a citizens meeting on general concerns sponsored in Richmond last month by the Virginia Institute, Ostergren energized the people there, got a State Senate candidate fired up by displaying the data on him that she had downloaded, and had a member of the state legislature promise to introduce a bill to limit the kinds of personal data that courts may display on Web sites. This month she’s building her own Web site, not to show personal information about citizens but to inform them of their vulnerability. www.opcva.com/watchdog.
For the full text of the article, send us an e-mail request for a free sample of the January 2003 issue.
If you have gotten this far in our Web site, you deserve a free 6 month subscription! Call us or e-mail us and ask for the free subscription to the "Eric Blair" special. If you identify the significance of that name, we'll add a free month to your 6 free months!
Canada’s Privacy Watchdog Presses On
– From December 2002 issue
The Privacy Commissioner of Canada has had an extraordinarily busy year, and no month has been busier than November. Within just 25 days, George Radwanski took on the Parliament, the Customs Agency, the passport office, and the entire governmental establishment implementing anti-terrorism proposals.
When George Radwanski was appointed in 2000, it was predicted that he would be controversial. He has not disappointed. Back in 2000, Conservatives in the Parliament and some privacy activists sharply attacked the nomination, saying that Radwanski was “unacceptable” because he was too chummy with the Liberal government of Prime Minister Jean Chretien. [See PJ Sep 00.] Indeed, Radwanski had held several partisan offices (like his predecessors as Privacy Commissioner actually).
A year ago, Radwanski was out on a limb with several assertive rulings in favor of protecting privacy. [See PJ Nov 01.]
He fired off more salvos last month:
Nov. 1: The Commissioner criticized the government’s proposal in Parliament to provide the Royal Canadian Mounted Police and the Canadian Security and Intelligence Service with unfettered access to personal information on all Canadian passengers held by airlines. “I have raised no objection to the primary purpose of this provision, which is to enable the RCMP and CSIS to use this passenger information for anti-terrorist ‘transportation security’ and ‘national security’ screening. But my concern is that the RCMP would also be expressly empowered to use this information to seek out persons wanted for criminal offenses that have nothing to do with terrorism, transportation security or national security. In Canada, it is well established that we are not required to identify ourselves to police unless we are being arrested or we are carrying out a licensed activity such as driving. The right to anonymity with regard to the state is a crucial privacy right. Since we are required to identify ourselves to airlines as a condition of air travel and since [the proposed law] would give the RCMP unrestricted access to the passenger information obtained by airlines, this would set the extraordinarily privacy-invasive precedent of effectively requiring compulsory self-identification to the police.”
Nov. 5: He told the foreign ministry to remove “place of birth” from Canadian passports because “We do not have different classes or categories of Canadian citizens depending on their country of birth.”
Nov. 22: The Commissioner, for a second time, termed as illegal a planned expansion of a Customs Agency database to collect personal information on new arrivals in the country and keep it on file for six years. This time he produced two legal opinions provided at his request by a retired Supreme Court justice and by a former deputy attorney general who helped draft the Canadian Charter of Rights and Freedoms. “I have made clear to you and to your most senior officials on numerous occasions my concern that the amassing of dossiers of personal information on all law-abiding Canadians, as is being done by your CCRA database, has no place in a free and democratic society like Canada,” Radwanski said in a sharply worded letter to the Minister of National Revenue. “These concerns have been endorsed by seven provincial and territorial information and privacy commissioners from across Canada. Now you have it on the authority of two of Canada’s most eminent legal and Charter experts that your ‘Big Brother’ database is in violation of the Canadian Charter of Rights and Freedoms. I cannot imagine what more a reasonable person such as yourself can require to be persuaded that this database initiative is untenable and cannot stand.”
Nov. 25: The Privacy Commissioner told the heads of three ministries that their plan for “lawful access” to citizens’ Internet, cell phone, and e-mail activities was ill-advised. “If Canadians can no longer feel secure that their Web surfing and their electronic communications are in fact private, this will mark a grave, needless and unjustifiable deterioration of privacy rights in our country,” he stated. Radwanski said in a newspaper interview that the Liberal government had lost its moral compass. The ministries replied that they heard Radwanski’s complaint but “our interest in these proposals is public safety.”
For the full story, write us for a free sample of our December 2002 issue.
Letters to the Editor
- From the November 2002 issue
From Boston: I’m gathering information about theft of identity on college campuses. Many schools have students use their Social Security numbers as their student ID#, which frequently gets placed on a student ID card (which can be lost or stolen). That number is used for everything from getting your grades to getting into the cafeteria.
Response: Laws in Arizona, New York, and Wisconsin now prohibit state universities from requiring Social Security numbers as student ID numbers.
From Cyberspace: Can anyone tell me the idea and meaning of this question? “Most persons think of the publication of private facts about a person when they think of the right to privacy, yet this variety of the tort has been the least accepted by the courts. Why?” What’s that mean deeply?
Response: Lawyers traditionally have divided the “tort” of invasion of privacy into four branches: disclosure of private facts about a person, commercial appropriation of a person’s likeness or persona, portraying a person in a false light even though “truthfully,” and intruding upon a person’s solitude or personal space. The question says, “People usually think of the disclosure of private facts when they think of privacy, yet of the four branches, courts seem most reluctant to accept it, or approve lawsuits involving it. Why?”
From Van Meter, Iowa: I just recently ordered the Compilation of State and Federal Privacy Laws from Amazon, and I want you to know how helpful I’ve already found the compilation book.
From Cyberspace: Would you consider doing a piece on www.vitalsearch-ca.com? They are publishing birth records on all of the people born in California. And that includes everyone’s mother’s maiden name and DOB. We don’t like to see our children’s names on these Web sites. Maybe if everyone goes to the Web site, and finds their name, they’ll be so disgusted that they’ll get a law passed to stop this nonsense. You might also consider doing a piece on www.anybirthday.com. They get this DOB information from voter registration records. If people knew that when they registered to vote their names and dates of birth were going to be sold to companies such as this one, they’d probably not register again. When we called one of the county offices, even their own employees were unaware that the government sold this information. Luckily, you can remove your name from this Web site, but that does not really solve the problem. The government should stop selling this information.