Group items tagged

The enormous international focus on privacy is growing more urgent in the face of business and government pressure to get the economy moving again and restore trust in our most basic institutions. To help rebuild trust and bolster bottom lines in a down market, it pays to prioritize privacy. The time is right to make smart investments in an organization's privacy professionals-the experts in the eye of the storm that must work collectively to find the right solutions to privacy challenges. The IAPP, which now boasts 6,000 members across 47 countries, is convening its annual Privacy Summit in Washington DC from March 11-13, 2009-the largest and most global privacy event in the world. Attendees will have the unique opportunity to interact with privacy regulators from Canada, France, Spain, Israel, the UK, Italy, the U.S. and the experts who help shape their policies across 60 different educational and networking sessions. Keynote speakers include Frank Abagnale (of Catch Me if You Can fame), one of the world's most respected authorities on forgery, embezzlement and secure documents as well as internationally renowned security technologist Bruce Schneier. The Future of Privacy Forum will be strongly represented at this year's Summit. Jules Polonetsky and Chris Wolf will be co-presenting a session entitled Cheers & Jeers: Who is Doing Privacy Right and Who Deserves Detention. Jules and Chris will also cover Behavioral Advertising Secrets: What Your Marketing and IT Team Didn't Think You Needed to Know. Both topics should be big draws for the expected 1500 attendees at the Summit! It's this sort of event that advances our profession and helps privacy professionals work together to reclaim trust. Registration is open and we look forward to seeing you in DC.

A few weeks ago, I was very relieved to find out I had passed the IAPP exam to be a "Certified Information Privacy Professional" or CIPP. I got this certificate and even a pin, which is more than I ever got for passing the bar exams of New York and California. So what exactly did I need to know to become a CIPP? To be certified in corporate privacy law, you're expected to know what's covered in the CIPP Body of Knowledge, primarily major U.S. privacy laws and regulations and "the legal requirements for the responsible transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions." You're also expected to pass the Certification Foundation, required for all three certifications offered by IAPP. That covers basic privacy law, both in the U.S. and abroad, information security principles and practices, and "online privacy," which includes an overview of the technologies used by online companies to collect information and the particular issues to be considered in this context. So what do you think? Should you be able to pass an all-objective, 180 question, three-hour exam (counting the CIPP and Certification Foundation exams together) on the above topics and be able to call yourself a "privacy professional"?

It's never been easier to get information on the run. Smart devices such as the G1 and Apple iPhone let you put the Internet in your pocket and go - down the block or across the country. But this convenience could cost plenty in lost privacy, consumer advocates and tech analysts say. Once data have been collected and warehoused, you lose control of it forever. "The Big Brother aspect of it is troubling," says Rep. Edward Markey, D-Mass., former chairman of the powerful House Subcommittee on Telecommunications and the Internet. Mobile consumers are especially vulnerable, Markey says. Unlike PCs, cellphones tend to be used by one person exclusively. The information they telegraph - on Web browsing, lifestyle and more - tends to be "highly personalized." That's the main reason mobile data are so prized: The information is incredibly accurate. It's also why Markey and other privacy advocates say the debate about online privacy will become even more intense as advertising migrates to the mobile Web. Mobile advertising is still relatively new - G1 users, for now, get ads only through search results, for instance - but it's clearly a hot spot. The market is expected to reach $2.2 billion by 2012, from about $800 million now, according to JupiterResearch. Ultimately, it could surpass the traditional Web, now a $20 billion ad market. Yahoo, Microsoft and other ad-supported search engines collect information as Google does. But the sheer size and scope of Google's data-mining operation - the Web giant performs more than 80% of all desktop searches worldwide - makes it a uniquely pervasive presence, says Chester. Google and Yahoo, the two biggest players in search advertising, say their self-imposed privacy policies are sufficient to protect consumers, noting that they do not collect or store information in a way that can be directly tracked to an individual. Peter Fleischer, global privacy counsel for Google, says Google tries to make privacy language as

By now, many employees are uncomfortably aware that their every keystroke at work, from email on office computers to text messages on company phones, can be monitored legally by their employers. What employees typically don't expect is for the company to spy on them while on password-protected sites using nonwork computers. But even that privacy could be in jeopardy. A case brewing in federal court in New Jersey pits bosses against two employees who were complaining about their workplace on an invite-only discussion group on MySpace.com, a social-networking site owned by News Corp., publisher of The Wall Street Journal. The case tests whether a supervisor who managed to log into the forum -- and then fired employees who badmouthed supervisors and customers there -- had the right to do so. The case has some legal and privacy experts concerned that companies are intruding into areas that their employees had considered off limits. "The question is whether employees have a right to privacy in their non-work-created communications with each other. And I would think the answer is that they do," said Floyd Abrams, a First Amendment expert and partner at Cahill Gordon & Reindel LLP in New York. The legal landscape is murky. For the most part, employers don't need a reason to fire nonunion workers. But state laws in California, New York and Connecticut protect employees who engage in lawful, off-duty activities from being fired or disciplined, according to a report prepared by attorneys at the firm Proskauer Rose LLP. While private conversations might be covered under those laws, none of the statutes specifically addresses social networking or blogging. Thus, privacy advocates expect to see more of these legal challenges. In February, three police officers in Harrison, N.Y., were suspended after they allegedly made lewd remarks about the town mayor on a Facebook account. The officers mistakenly thought the remarks were protected with a password, but city officials view

Heartland Payment Systems CEO discusses breach, previews speech Not a week had passed after the announcement of what some have described as the largest data breach ever, when the CEO of Heartland Payment Systems, Robert Carr, began calling for better industry cooperation and new efforts directed at preventing future breaches. Recently, Carr announced that trials will begin late this summer on an end end-to-end encryption system Heartland is developing with technology partners. It is expected to be the first system of its kind in the U.S. The company is also pushing for an end-to-end encryption standard. At the upcoming Practical Privacy Series in Silicon Valley, Carr will discuss the Heartland breach and the role industry, including privacy professionals, must play to prevent future breaches. Here's a preview: IAPP: Many companies have experienced breaches. What made yours different? Ours was different because we are a processor and had passed six years of PCI audits with no problems found. Yet, within days of the most recent audit, the damage had begun. IAPP: Did you have a chief privacy office or a privacy professional on staff before your breach? Do you now? Ironically, when we learned of the Hannaford's breach, we hired a Chief Security Officer who started just three weeks before the breach began. IAPP: In the era of mandatory breach reporting, what is the trajectory of consumer reaction? As a processor it is difficult to really know this. Our customers are merchants who accept card payments. IAPP: Do you think consumers will become numb to breach notices? I believe that many are numb to so many intrusion notices. IAPP: Are breach notices good public policy? Do the notices provide an incentive for companies to change or improve practices? I don't think so. Nobody wants to get breached and the damage caused by a breach is sufficient reason for most of us to do everything we can to prevent them. IAPP: What has Heartland done differentl

Online ad industry will probably continue to be a hot-button if FTC Commissioner Jon Leibowitz is named chairman. The Federal Trade Commission may strengthen its focus on online advertising and privacy if, as is expected, current FTC Commissioner Jon Leibowitz is named chairman of the agency. "He would certainly keep privacy and online advertising as a focus of the FTC, so I think [his potential appointment] does matter," said Mike Zaneis, VP of public policy at the Internet Advertising Bureau. Reports indicate Leibowitz will be named as head of the commission, replacing William Kovacic. Kovacic replaced former Chairman Deborah Platt Majoras in March 2008, when she left to join the private sector as VP and general counsel of Procter & Gamble. "A kind of privacy switch is going to go on at the FTC [once the new chairman is named] and they're going to engage in this issue in a much more serious way," said Center for Digital Democracy Executive Director Jeff Chester. "Under a Leibowitz regime we would get the kind of serious industry analysis that so far has been lacking from the Bush era approach." "Leibowitz has been a leader on privacy issues," said Zaneis, who expects a Leibowitz-run FTC to continue along the agency's current path of pushing for industry self-regulation, rather than creating new regulations for online advertisers. As a commissioner, Leibowitz, a Democrat, has not ruled out FTC regulation of things like behavioral targeting. During a two-day FTC forum held in Washington, D.C. in 2007, Leibowitz noted, "The marketplace alone may not be able to solve all problems inherent in behavioral marketing." He revealed his sense of humor, adding, "If we see problems...the commission won't hesitate to bring cases, or even break thumbs."

Burger King, through their insanely creative advertising agency Crispin Porter + Bogusky (see their recent Burger King perfume launch), launches a Facebook application that encourages users to remove Facebook friends. Sacrifice ten of them and you got a free Whopper. 233,906 friends were removed by 82,771 people in less than a week. Facebook is overjoyed, right? What a great example to show the Madison Avenue agencies on how a big brand can get real engagement from users. This is the future of advertising. Or it could have been, if Facebook hadn't shut it down, citing privacy issues: We encourage creativity from developers and brands using Facebook Platform, but we also must ensure that applications follow users' expectations of privacy. This application facilitated activity that ran counter to user privacy by notifying people when a user removes a friend. We have reached out to the developer with suggested solutions. In the meantime, we are taking the necessary steps to assure the trust users have established on Facebook is maintained. Did anyone talk to the sales department before pulling the trigger on this? All that happened is the user being dissed got a message telling them, which helps the application spread virally. Without that feature the app is far less powerful. There is no real privacy issue here, just a policy decision by Facebook that people shouldn't be notified when you remove them as a friend. Facebook consistently tell users they can't do things in the name of privacy, despite the fact that those users know full well what they are up to. Unless investor and partner Microsoft makes them do it, of course.

As the impact of digital advertising on consumer privacy comes under scrutiny, AT&T is taking a stance in support of stricter standards. Rep. Rick Boucher (D., Va.), chairman of the subcommittee, said in an interview Wednesday that a statute is needed to regulate how companies collect, share and use data on consumers' behavior in targeting online advertising. While ad targeting on the Web has been at the forefront of privacy advocates' concerns, worries are growing about other media, ranging from mobile phones to emerging TV technologies. To sell marketers targeted ads, technology and media companies collect data about customers, ranging from the Web sites they visit to the neighborhoods they live in to the TV shows they watch. Marketers often will pay a premium for this form of advertising because it allows them to show their ads to consumers who are likelier to buy their products or services. "Pitfalls arise because behavioral advertising in its current forms is largely invisible to consumers," says Dorothy Attwood, AT&T's senior vice president of public policy and chief privacy officer, in prepared testimony she is expected to deliver at the hearing of the House Subcommittee on Communications, Technology and the Internet. Her statement says consumers don't fully understand that their online activity is used to create detailed profiles of them. Internet and other media companies say the data they use to target ads are anonymous and can't be traced to individual consumers. AT&T plans to argue that consumers should have "full and complete" notice of what information is collected about them and how it is used and protected, and should have tools that let them determine whether their Web activities are being tracked. The company says it won't use consumer information for online behavioral advertising unless it first obtains consent from the consumers involved. AT&T's stance contrasts with the position taken by most big Internet companies and industry trade grou

"If you're concerned about Google retaining your personal data, then you must be doing something you shouldn't be doing. At least that's the word from Google CEO Eric Schmidt. "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Schmidt tells CNBC, sparking howls of incredulity from the likes of Gawker. But the bigger news may be that Schmidt has actually admitted there are cases where the search giant is forced to release your personal data. "If you really need that kind of privacy, the reality is that search engines - including Google - do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities." There's also the possibility of subpoenas. And hacks. But if any of this bothers you, you should be ashamed of yourself. According to Eric Schmidt. Gawker highlights the irony of Schmidt's typically haughty proclamations. After all, this is the man who banned CNet for a year after the news site published information about him it had gleaned from, yes, Google. But the larger point here is that Schmidt isn't even addressing the issue at hand. Per usual. When the privacy question appears, Google likes to talk about the people asking the questions. But the problem lies elsewhere: with the millions upon millions blissfully unaware of the questions. If you're concerned about your online privacy, you can always put the kibosh on Google's tracking cookies. You can avoid signing in to Google accounts. And, yes, you can avoid using Google for anything Eric Schmidt thinks you shouldn't be doing. But most web users don't even realize Google is hoarding their data. CNBC asks Schmidt: "People are treating Google like their most trusted friend. Should they be?" But he answers by scoffing at those who don't trust Google at all. Not that you'd expect anythin

"Big Brother is watching. That is the message corporations routinely send their employees about using email. But recent cases have shown that employees sometimes have more privacy rights than they might expect when it comes to the corporate email server. Legal experts say that courts in some instances are showing more consideration for employees who feel their employer has violated their privacy electronically. Driving the change in how these cases are treated is a growing national concern about privacy issues in the age of the Internet, where acquiring someone else's personal and financial information is easier than ever. "Courts are more inclined to rule based on arguments presented to them that privacy issues need to be carefully considered," said Katharine Parker, a lawyer at Proskauer Rose who specializes in employment issues. In past years, courts showed sympathy for corporations that monitored personal email accounts accessed over corporate computer networks. Generally, judges treated corporate computers, and anything on them, as company property. Now, courts are increasingly taking into account whether employers have explicitly described how email is monitored to their employees."

OPT-OUT becomes untenable when users have to visit 40 - 50 or more sites to do it.

The online advertising industry and U.S. policy makers need to give online users more control over the collection of personal data and surfing habits beyond the traditional opt-out approach, some privacy advocates said Wednesday. Dozens of online ad networks allow users to opt out of being tracked as a way to deliver behavioral advertising, and in most cases, the opt-out is stored in a cookie that goes away every time the users clear their browser cookies, privacy advocates said during a discussion of online advertising at the Computers, Freedom and Privacy Conference in Washington, D.C. Some advertisers require that people opt out of targeted advertising every month, and some advertisers make the opt-out link difficult to find, said Christopher Soghoian, a fellow at the Berkman Center for Internet & Society at Harvard University. Some opt-out mechanisms aren't even functional, he said. Soghoian, while creating a single opt-out mechanism for the Firefox browser, found more than 40 advertising networks, he said. "How can we expect consumers to visit 40 or 50 different online advertisers, opt out, then revisit these sites every six months or every year, and then, when they delete their cookies, go back again?" he asked.

"In a case that could prove to be one of the most important privacy rights battles of the modern era, the 3rd U.S. Circuit Court of Appeals will hear argument this week on the proper legal standard to apply when prosecutors demand cell phone location data. The data, which are recorded about once every seven seconds whenever a cell phone is turned on, effectively track the whereabouts and the comings and goings of every cell phone user. Justice Department lawyers argue that, by statute, they need only show "reasonable grounds" to believe that such records are "relevant and material to an ongoing criminal investigation." But a federal magistrate judge in Pittsburgh strongly disagreed in February 2008, issuing a 52-page opinion that said the prosecutors must meet the "probable cause" standard. "This court believes that citizens continue to hold a reasonable expectation of privacy in the information the government seeks regarding their physical movements/locations -- even now that such information is routinely produced by their cell phones -- and that, therefore, the government's investigatory search of such information continues to be protected by the Fourth Amendment's warrant requirement," U.S. Magistrate Judge Lisa Pupo Lenihan wrote."

Turn the cell phone off and put on your tin foil hat so the government and aliens can't track you!

Burger King's wildly popular Facebook application "Whopper Sacrifice," which rewards you with a free Whopper when you drop 10 friends, has been shut down. Social networking just got healthier. Last week, Burger King announced it was teaming up with social networking powerhouse Facebook for a special promotion: If you removed 10 people from your network of friends, the fast-food company would reward you with a coupon for a free Whopper. The story became an Internet sensation, but it's only now getting meatier. As it turns out, a notification feature on the "Whopper Sacrifice" application that lets your friends know they have been replaced by a shot at a free hamburger violates Facebook's privacy policy. "We encourage creativity from developers and companies using Facebook platform, but we also must ensure that applications follow users' expectations and privacy," the company said in a statement. "After extensive discussions with the developer, we've made some changes to the application's behavior to assure that users' expectations of privacy are maintained. The application remains active on Facebook."

Guess what? That unlocked rant you put on your MySpace profile is open to the public and can be seen by anyone with a computer. Imagine that! Cynthia Moreno learned this the hard way. A judge ruled earlier this month that it was not an invasion of her privacy when a local newspaper published a rant pulled from her MySpace blog. After a visit to her hometown of Coalinga, Calif., college student Moreno penned a 700-word blog entry titled "An Ode to Coalinga" that opened with "the older I get, the more I realize how much I despise Coalinga." Moreno subsequently deleted the blog entry, but Roger Campbell, principal of Coalinga High School, discovered it before the deletion and handed it over to his friend Pamela Pond, editor of the Coalinga Record newspaper. Pond then published the rant in its entirety as a letter to the editor, printing Cynthia's full name. The Moreno family was met with death threats and shots were fired outside their home. Cynthia's father David was forced to close his 20-year-old family business, and the family moved to another town. The family sued the newspaper and the Coalinga-Huron Unified School District for invasion of privacy and infliction of emotional distress. The case against the newspaper was dismissed on free speech grounds, but the case against Campbell and the school district was allowed to proceed. Campbell did not violate Moreno's rights when he handed over her rant to Pond because Moreno's blog entry was published on the Internet and available for anyone to see, according to the Superior Court of Fresno County.

Yahoo Tuesday announced that has developed a feature that will allow users to opt out of behavioral targeting on mobile devices. "We believe the mobile experience should offer the same privacy protections consumers expect to find on the PC," Yahoo said in a blog post announcing the feature. "Furthermore, management of privacy protections should be available via any mobile device, whether that's an iPhone or a Blackberry." Many companies that track people's Web activity on PCs and send them ads notify users about the practice and allow them to opt out. But it's still unusual for behavioral targeting companies in the mobile space to let people opt out. At least a dozen companies say they offer some form of mobile behavioral targeting. But only two appear to allow users to opt out, according to Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum.

Google, Microsoft, Yahoo support self-regulation in the UK AOL, Google, Microsoft, NebuAd, Phorm, and Yahoo promise to behave. All of these companies - along with a few others - have volunteered to honor the Internet Advertising Bureau's just-announced set of Good Practice Principles. So on to the guts of the agreement. First, companies are supposed to tell users whenever they're collecting data for the sake of behavioral advertising. They're also expected to make sure users understand what the procedure entails. Then comes the key part: users should get the chance to opt out of the collection process. Ad companies are probably hoping that users will either be too lazy to take action or will actually prefer better-targeted ads. If so, the companies will continue to make money and improve their public image. But since privacy advocates may still complain that data collection isn't an opt-in matter, the issue isn't likely to go away. Mark Howe, the country sales director of Google UK, sidestepped the mess, simply stating, "Google believes in two core principles of transparency and choice when it comes to user privacy. That is why we are supportive of these new, self-regulatory principles for online advertising which will enable consumers to increase their understanding of their web surfing options." IAB described the Principles as "the UK's first self-regulatory guidelines to set good practice for companies that collect and use data for online behavioural advertising purposes." The Principles have been approved by the Information Commissioner's Office, which reports directly to Parliament.

Why Google isn't ready to be an Enterprise vendor

At the Google (NSDQ: GOOG) I/O developer conference this week, Google Inc. will host more than 80 technical sessions on all of the Google apps and platforms we've come to know -- Android, Chrome, App Engine, Web Toolkit, AJAX and others. When reviewing the Google I/O Schedule this morning, I was disappointed by what could not be easily found. The conference will run this week, May 28 to 29, in San Francisco, and Google is expecting more than 2,000 attendees. Unfortunately, a long perusal of the schedule shows plenty of tracks with Search, Scale, and Performance in the title -- but only one track with Security. What about Privacy? Well, there's no tracks highlighting data privacy, either. There is a session that covers federated identity management, Practical Standards-based Security and Identity in the Enterprise. And it looks promising, but federated authentication and authorization is more about making sure applications and people can interact securely, not that an application, itself, is inherently secure.

At first glance, Chicago's latest crime-fighting strategy seems to be plucked from a Hollywood screenplay. Someone sees a thief dipping into a Salvation Army kettle in a crowd of shoppers on State Street and dials 911 from a cellphone. Within seconds, a video image of the caller's location is beamed onto a dispatcher's computer screen. An officer arrives and by police radio is directed to the suspect, whose description and precise location are conveyed by the dispatcher watching the video, leading to a quick arrest. That chain of events actually happened in the Loop in December, said Ray Orozco, the executive director of the Chicago Office of Emergency Management and Communications. "We can now immediately take a look at the crime scene if the 911 caller is in a location within 150 feet of one of our surveillance cameras, even before the first responders arrive," Mr. Orozco said. The technology, a computer-aided dispatch system, was paid for with a $6 million grant from the Department of Homeland Security. It has been in use since a trial run in December. "One of the best tools any big city can have is visual indicators like cameras, which can help save lives," Mr. Orozco said. In addition to the city's camera network, Mr. Orozco said, the new system can also connect to cameras at private sites like tourist attractions, office buildings and university campuses. Twenty private companies have agreed to take part in the program, a spokeswoman for Mr. Orozco said, and 17 more are expected to be added soon. Citing security concerns, the city would not say how many cameras were in the system. Mayor Richard M. Daley said this week that the integrated camera network would enhance regional security as well as fight street crime. Still, opponents of Mr. Daley's use of public surveillance cameras described the new system as a potential Big Brother intrusion on privacy rights. "If a 911 caller reports that someone left a backpack on the sidewalk, wil

Personal profiles on Facebook and other social-networking sites are a trove of inappropriate and embarrassing photographs and discomfiting breaches of confidentiality. You might expect that from your friends and even some colleagues - but what about your doctor? A new survey of medical-school deans finds that unprofessional conduct on blogs and social-networking sites is common among medical students. Although med students fully understand patient-confidentiality laws and are indoctrinated in the high ethical standards to which their white-coated profession is held, many of them still use Facebook, YouTube, Twitter, Flickr and other sites to depict and discuss lewd behavior and sexual misconduct, make discriminatory statements and discuss patient cases in violation of confidentiality laws, according to the survey, which was published this week in the Journal of the American Medical Association. Of the 80 medical-school deans questioned, 60% reported incidents involving unprofessional postings and 13% admitted to incidents that violated patient privacy. Some offenses led to expulsion from school.

An Italian judge on Wednesday gave the go-ahead to a case in which Google (GOOG) could be held responsible for content it hosts but does not produce. The case centers on a 2006 video of four Italian youths taunting a child with Down syndrome. In the video, one of the youths incorrectly claims to be part of a small Down syndrome advocacy group called Vivi Down. The video was uploaded to the Google Video site, where it stayed for two months. Prosecutors have filed charges against five Google executives, saying they were in violation of Italian privacy laws and of contributing to the defamation of Vivi Down. At the heart of the case are two main questions: Should sites such as Google Video be held responsible for the content they host? And should such non-brick-and-mortar New Economy companies be subject to the laws in countries where they are not based? "The outcome of this will be to determine how big companies like Google should be expected to act," said Raffaele Zallone, a former chief counsel for IBM's Italian offices and the attorney representing a woman seeking damages in a secondary case tacked onto the main charges. FIND MORE STORIES IN: Italy | Google Inc | International Bus. Machines | Milan | New Economy Zallone, along with Milan prosecutors, the city's ombudsman and an attorney for Vivi Down, the advocacy group, say Google should have become aware of the offending video sooner and removed it sooner. Guglielmo Pisapia, Google's lead attorney in the case, denies any wrongdoing and says Google could not have acted differently. "Google did not produce the video, and when they received an official complaint, they removed it within five hours," said Pisapia, a former member of the Italian parliament. "If the argument is that they should have evaluated the video before it was posted, then that is a dangerous precedent." Oliviero Rossi, an author and commentator on technology issues, says unusual cases that push the limits of the law as this one does are