The Wall Street Journal takes a look at privacy questions that arise from broadcasting one’s location:

As the list of programs that collect users’ location information grows, concern about privacy risks is increasing along with it.

Facebook is set to add location-sharing to its popular site next month. Meanwhile, services such as Foursquare and Loopt have been adding users, and a plethora of smaller tools have sprung up as well. But a study by researchers at Carnegie Mellon University showed that the majority of the more than 80 location services it surveyed either don’t have privacy policy or collect and save all data for an indefinite amount of time. [...]

Lorrie Cranor, an associate professor of computer science and one of the authors of the study, said people also value location-based advertising in some circumstances — a good thing for the companies that are building a business around precisely that. But she said many people just don’t realize what a database of all the locations they’ve been at over time could mean.

“There are a lot of concerns about the government being able to subpoena this information,” Ms. Cranor said in an interview. She also cited divorce proceedings as a possible way in which a person’s location data could be used.

The San Francisco Chronicle has an update on NASA v. Nelson, which I’ve written about before. The case concerns a George W. Bush-era security policy at the Jet Propulsion Laboratory in La Cañada Flintridge, which has raised substantial privacy questions. In an op-ed last year for the Los Angeles Times, Tim Rutten wrote, “NASA demanded that Caltech, which operates JPL on the space agency’s behalf, require all of the lab’s civilian scientists and engineers to sign a waiver allowing federal investigators to ransack their personal lives. The waiver empowered the feds to secretly question ex-husbands and wives, disgruntled neighbors and resentful colleagues about every detail of the subjects’ lives. If the investigators turned up anything they felt disqualified somebody, there was no provision for appeal. Anyone who refused to sign the waiver was to be fired.” Rutten wrote that this was the case though “less than 10% of the work carried out at JPL involves classified science, and the employees working on those projects already are covered by the government’s security clearance system.” The Ninth Circuit Court of Appeals found for the NASA workers, barring implementation of the Bush policy.

Now, the Chronicle reports that the U.S. Supreme Court has “granted the Obama administration’s request to hear an appeal of a lower-court ruling that barred the National Aeronautics and Space Administration from conducting far-reaching inquiries into the lives of 28 workers at the Jet Propulsion Laboratory in Pasadena.” Read more »

The New York Times reports that social-networking site Facebook will soon add broadcasting users’ location data to its services.

Starting next month, the more than 400 million Facebook users could begin seeing a new kind of status update flow through their news feed: the current locations of their friends.

Facebook plans to take the wraps off a new location-based feature in late April at f8, the company’s yearly developer conference, according to several people briefed on the project, who spoke on condition of anonymity because they were not authorized to discuss unannounced services.

In preparation for the introduction, Facebook updated its privacy policy last November. The new policy states: “When you share your location with others or add a location to something you post, we treat that like any other content you post.” Read more »

The Federal Trade Commission announced that LifeLock, an identity theft protection company, will pay $11 million to the FTC and $1 million to a group of 35 state attorneys general “to settle charges that the company used false claims to promote its identity theft protection services.” The FTC will use the settlement money to provide refunds to affected consumers. More information can be found at 202-326-3757 and at www.ftc.gov/lifelock.

Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia participated in this settlement.

In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers. [...] Read more »

The Canadian Press reports on the issue of patients’ medical data privacy and security after the death or retirement of a doctor.

Gary Dickson has seen abandoned medical records turn up in some pretty bizarre places in his time as Saskatchewan’s privacy commissioner – mouldy basements, drafty Quonset huts, vacant buildings.

He argues that more needs to be done to protect sensitive, personal health information left behind when a doctor retires or dies. Increasingly across Canada, he says, no appropriate arrangements have been made to turn records over to another doctor or to an approved archive. [...]

When a doctor dies in Saskatchewan, the representative of the estate – typically a widow or a child – has the same obligations the doctor had when it comes to records. But that person may not know what that entails, especially when it comes to keeping files secure or allowing patients access. [...] Read more »

Ars Technica has an interview with Google’s deputy general counsel Nicole Wong and security/privacy engineer Alma Whitten about privacy issues related to the company’s products and services. “While the “good guy/bad guy” and “don’t be evil” quotes may seem too cute by half to some, Wong and Whitten made a strong pitch for the truth of both slogans. In their view, Google really is fighting the good fight when it comes to your online privacy,” Ars Technica says.

Google logs an astonishing amount of data, including the search logs from its flagship product. It keeps this data indefinitely, so searching for a combination of yourwife’sname and youraddress and “rat poison in her cereal” is not a particularly smart idea (though search users do this sort of thing anyway).

But the company does “anonymize” this data eventually. The last octet of the IP address is wiped after nine months, which means there are 254 possibilities for the IP address in question (.0 and .255 are reserved addresses). After 18 months, Google anonymizes the unique cookie data stored in these logs. Read more »