The Financial Post reports criticism on proposed changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The Public Interest Advocacy Centre says the proposed changes do not go far enough in protecting the privacy of individuals:

As Ottawa mulls whether to update Canada’s existing privacy laws, one consumer rights group argues the proposal doesn’t go far enough.

Bill C-12, which went through first reading in the House of Commons three months ago, would change the Personal Information Protection and Electronic Documents Act (PIPEDA) to require Canadian companies to report incidents involving the theft or loss of personal information. Currently PIPEDA does not require disclosure of data breaches and Alberta is the only province to have mandated such a requirement.

In a report published this week, the Public Interest Advocacy Centre (PIAC) criticized the bill, claiming it provides “excessive discretion to organizations that have had a data breach, allowing them unilaterally to characterize the breach as non‐harmful to consumers.” [...] Read more »

In an opinion column at the National Times in Australia, Kathryn Koromilas makes the case that online and offline individual privacy still exists:

The New York Time’s Nick Bilton announced recently that “privacy is on its deathbed”. This prediction was prompted by the “creepy” ease with which he hunted down the identity of a girl with not much more than his internet connection, the girl’s first name, a few photos, and a Facebook friend list. [...]

Yet what may surprise Bilton and others arguing that privacy is in terminal decline is the fact that many of us already guard our privacy online. For example, the results of an Asia Pacific Privacy Authority social media survey released last month revealed that most of us know how to use a site’s privacy settings. In fact, nine out of ten of us have actually changed a site’s privacy settings. Most of us only share information with people we know and only a few of us are concerned about how our information might be used by third parties. Were our information to be used in a way we had not expected, almost half of us would react rationally and deliberate whether to continue or to stop using the site altogether, before doing anything rash such as immediately deleting a Facebook account. [...] Read more »

Here are a few stories of interest concerning biometrics, social networking and advertising that were posted in the last couple of weeks.

USA Today: Facebook agrees to privacy changes in Europe

BERLIN – Facebook has agreed to make several changes to its services to improve transparency and better protect the personal data of its millions of users outside of the U.S., following an in-depth audit of its international headquarters that was released Wednesday.

The social media company, based in Palo Alto, Calif., agreed to changes including asking European users if they wanted to partake in its Facial Recognition, reworking its policies of retaining and deleting private data, reducing the amount of information collected about people who are not logged into Facebook, the company said in response to a report of the Irish Data Protection Commissioner.

Facebook’s international headquarters are based in Dublin, Ireland, a member of the European Union. This means the company is required to comply with European data privacy laws, which are more stringent than those that apply in the United States, particularly regarding how long data can be retained. [...]

The company has agreed to present its results in a follow-up to the report in July. [...] Read more »

Last year, there were a number of bills introduced in Congress concerning privacy and civil liberties, but most have stalled. Some bills introduced last year: Rep. Jason Chaffetz (R-Utah) and Sen. Ron Wyden (D-Ore.) introduced the “Geolocation Privacy and Surveillance (GPS) Act of 2011″ (archive pdf; THOMAS status link for H.R. 2168); Sen. Jay Rockefeller (D-W. Va.), chairman of the Senate Commerce Committee, introduced the Do-Not-Track Online Act of 2011 (pdf) (Do Not Track proposals would allow consumers to restrict the data gathered by Web sites and marketers on the consumers’ online browsing or purchases); Sen. Patrick Leahy (D-Vermont), chairman of the Judiciary Committee, introduced the Personal Data Privacy and Security Act of 2011 (archive pdf) (Leahy first introduced this legislation in 2005 and had sponsored the legislation three times since); Sen. Al Franken (D-Minn.), chairman of the subcommittee on Privacy, Technology and the Law of the Senate Judiciary Committee, and Sen. Richard Blumenthal (D-Conn.) introduced the Location Privacy Protection Act of 2011 (pdf); and, there has been much discussion of revising the Electronic Communications Privacy Act of 1986 (“ECPA,” also known as Title 18 § 2511 of the United States Code) and several bills have been introduced, which are discussed in this CRS report.

Now, the National Journal reports that privacy will remain a hot topic, even though legislation on the issue has stalled in Congress.

While few expect Congress to pass broad privacy legislation, privacy will still get a lot of attention in 2012, starting with the release in the coming weeks of two highly anticipated federal reports providing guidance on protecting consumer privacy online.

Both the Commerce Department and the Federal Trade Commission are set to release separate final reports with recommendations on how to improve online privacy.

Commerce, which could release its final report the last week of January, will outline the Obama administration’s policy on the issue. Since issuing its draft report in December 2010, the administration has called on Congress to pass legislation that would provide consumers with privacy protections based on the Fair Information Practice Principles embraced by many countries. These include providing consumers with notice about the information being collected about them, choice, access to the information, and security to ensure the data is protected. Read more »

Here are a few stories published over the holidays about hacker attacks in the United States and internationally and how the attacks affect individuals’ privacy.

Update on Ease of Voicemail Hacking

Last year, there was a scandal about the alleged hacking of thousands of British citizens’ phones by the News of the World. USA Today reported on the ease with which a voicemail system can be hacked — especially if the hacker uses applications that can “spoof” Caller ID numbers. With spoofing, the number that shows up on a call recipient’s Caller ID display is different from the actual phone number the dialer is using. Recently, the New York Times reported on a study detailing the lax security surrounding voicemail systems, which can allow for easy hacks to violate a person’s privacy:

But according to a study to be presented Tuesday, cellphone users in Europe and the rest of the world may be just as vulnerable as the actor Hugh Grant and other celebrities to having their personal voice mail hacked — or worse — because of outdated mobile network security.

In a study of 31 mobile operators in Europe, Morocco and Thailand, Karsten Nohl, a Berlin hacker and mobile security expert, found that many operators provided poor or weak defenses to protect consumers from illicit surveillance and identity theft.

Mr. Nohl said he was able to hack into mobile conversations and text messages and could impersonate the account identities of cellphone users in 11 countries using an inexpensive, 7-year-old Motorola cellphone and free decryption software available on the Internet. He has tested each mobile operator more than 100 times, he said, and has ranked the quality of their defenses. [...]

The technique he uses focuses on deciphering the predictable, standard electronic “conversations” that take place between a cellphone and a mobile network at the beginning of each call. Typically, Mr. Nohl said, as many as 40 packets of coded information are sent back and forth, many just simple commands like, “I have a call for you,” or “Wait.” Read more »

In the last year, that has been increasing focus on the use of aerial drones (also known as unmanned aerial vehicles, “UAVs”) to conduct surveillance in the United States. The Washington Post had an in-depth report of possible privacy problems with the domestic use of aerial drones, which are commonly used in military operations. (Be sure to take a look at the Post’s graphic on the specs, abilities and uses of different UAVs.) The issue is also cropping up internationally. A couple of years ago, there were reports that the United Kingdom was considering the use aerial drones for surveillance of the British public. “The miniature aircraft could be fitted with cameras and heat-seeking equipment, allowing police to carry out aerial reconnaissance from a control room,” the Telegraph reported. The UK Home Office (equivalent to the US departments of Justice and Homeland Security) suggested the use of UAVs for domestic law enforcement purposes in its “Science and Innovation Strategy” report (pdf) for 2009-2012, saying “Unmanned Aerial Vehicles are likely to become an increasingly useful tool for the police in the future.”

At some point, UAVs will become very effective, perhaps even including face recognition technology. That will lead to numerous privacy questions. Also, there are legal questions about the use of such technology.

Now, the ACLU has released a report on this technology, “Protecting Privacy From Aerial Surveillance: Recommendations for Government Use of Drone Aircraft” (ACLU pdf; archive pdf). In a news release, the ACLU says, “Next month the Federal Aviation Administration is expected to propose new rules to make it easier for law enforcement agencies to gain permission to use drones in the U.S., and police departments and other government agencies are expected to greatly increase their use. If the FAA is unable to implement the needed privacy reforms, then Congress should act.”

Here’s information from the introduction: Read more »