The Privacy Law Site

TELECOM IMMUNITY BILL PASSES SENATE

2008-02-12T11:46:00.000-08:00

New York Times:

The Senate rejected a series of amendments that would have restricted the government’s surveillance powers and eliminated immunity for the phone carriers, and it voted in convincing fashion — 69 to 29 — to end debate and bring the issue to a final vote. That vote is expected later this afternoon, with the result all but assured.

...supporters of the plan said the phone carriers acted out of patriotism after the Sept. 11 attacks in complying with what they believed in good faith was a legally binding order from the president.

The House has already rejected the idea of immunity for the phone companies, and Democratic leaders reacted angrily to the Senate vote. But Congressional officials said it appeared that the House would ultimately be forced to accept some sort of legal protection for the phone carriers in negotiations between the two chambers this week.

Beyond the immunity provision, the Senate measure would also widen the executive branch’s surveillance powers by allowing the National Security Agency and intelligence agencies to use broad orders — without getting court orders in advance — to eavesdrop on groups of overseas targets, rather than using individualized warrants.
FULL STORY

WACHOVIA EMPLOYEES KNEW OF FRAUD

2008-02-06T18:38:00.000-08:00

Recently released documents strongly suggest employees at Wachovia Bank not only knew that marketers were stealing from accounts at the bank, but that they bank solicited business from those companies. Executives at Wachovia have denied knowledge of the thefts.

From the New York Times:

Papers Show Wachovia Knew of Thefts

By Charles Duhigg

Last spring, Wachovia bank was accused in a lawsuit of allowing fraudulent telemarketers to use the bank’s accounts to steal millions of dollars from unsuspecting victims. When asked about the suit, bank executives said they had been unaware of the thefts.

But newly released documents from that lawsuit now show that Wachovia had long known about allegations of fraud and that the bank, in fact, solicited business from companies it knew had been accused of telemarketing crimes.

Internal Wachovia e-mail, for example, show that high-ranking employees at the nation’s fourth-largest bank frequently warned colleagues about telemarketing frauds routed through its accounts.

Link to the Full Story

Is Privacy Still Privacy?

2007-11-12T13:37:00.000-08:00

Donald Kerr, the U.S. deputy director of national intelligence, is being reported as calling into question the tradition definition of information privacy. In this age of terrorism, Kerr said that individual privacy can no longer can mean anonymity, but should instead mean that government and businesses will properly safeguard people's private communications and financial information.

This redefinition, if one can call it that, has been a long time in the making. Both businesses and governments often seen no difference between privacy their holding close their customer's or citizen's personal information. Of course, the corporate circle has a tendency to expand, to include affiliates, third party affiliates, third parties who are also customers, third parties who really, really need the information, to third parties who promise to keep the information private. Until, of course, someone else needs it.

In the case of HIPAA, sharing medical information with other doctors, within a hospital, with laboratories and even family members and friends makes sense. Sharing financial information, or buying habits with advertisers, less so.

In the business world, it is easy to convince one's self that sharing information is always in the customer's interest, (as is easy access one's credit report). The government, too, no doubt, views itself as having only benign motives. This is the dilemma of privacy. Possession, and even use of, information can often be nearly harmless.

But it is surely a stretch to redefine privacy as every organization merely safeguarding personal information from every other organization, or at least make them promise to safeguard it - until they need to share it.

Congressmen Blasts Yahoo Executives in Chinese Dissident Case

2007-11-06T14:03:00.000-08:00

Yahoo CEO Jerry Yang and Yahoo's General Counsel, Michael Callahan, were harshly criticized today by Congressmen who accused Yahoo of deceiving Congress and of complicity with efforts by the government of China to suppress human rights.

Yahoo initially received an official demand (citing "illegal provision of state secrets") for information they had about a pro-democracy dissident named Shi Tao over to the Chinese government. Yahoo turned the information over to the government. Shi Tao was sentenced to 10 years in prison.

Callahan defended Yahoo’s actions. "I cannot ask our local employees to resist lawful demands and put their own freedom at risk, even if, in my personal view, the local laws are overbroad," he said.

Congressman Tom Lantos said, "I do not believe that America's best and brightest companies should be playing integral roles in China's notorious and brutal political repression apparatus," he said.

He also said, "While technologically and financially you are giants, morally you are pygmies.”

Rep. Chris Smith compared Yahoo's cooperation with the Chinese government to cooperating with Nazi Germany during World War II.

Members also criticized Callahan for not informing Congress of the demand when if occurred. Callahan has issued a statement saying that he learned about it after he testified in February 2006 testimony, and that he regretted not alerting the committee to it once he knew about it.

It is unclear what Yahoo’s policy is now with regard to turning customer information over to host governments.

USING GPS TO TRACK YOUR FRIENDS AND LOVED ONES

2007-10-25T07:47:00.000-07:00

Clearly, one of the next developments in technology and privacy are GPS enabled and other small devices. We've heard about how useful it can be for prisoners, children, and the elderly (not to lump them all together).

Laura M. Holson of CNET address it here.

Holson writes about Loopt, a service by Sprint Nextel. For $2.99 a month, a use can she can see the location of friends who also have the service, represented by dots on a map on the user's phone, with labels identifying their names.

She writes:
"And for teenagers and twentysomethings, who are fond of sharing their comings and goings on the Internet, youth-oriented services like Loopt and Buddy Beacon are a natural next step.

Sam Altman, the 22-year-old co-founder of Loopt, said he came up with the idea in early 2005 when he walked out of a lecture hall at Stanford.

"Two hundred students all pulled out their cell phones, called someone and said, 'Where are you?'" he said. "People want to connect."

"There are massive changes going on in society, particularly among young people who feel comfortable sharing information in a digital society," said Kevin Bankston, a staff lawyer at the Electronic Frontier Foundation based in San Francisco.

"We seem to be getting into a period where people are closely watching each other," he said. "There are privacy risks we haven't begun to grapple with."

For a segment of the younger generation, this may be somewhat compelling.

As the author correctly points out, though, the interesting questions arise when the service is involuntary, or semi-voluntary (Employer-Employee). Who would feel comfortable with anyone, including an employee, knowing where you are at all times?

MICROSOFT BUYS STAKE IN FACEBOOK

2007-10-25T07:43:00.000-07:00

Microsoft has finalized plans to take a $240 million equity stake in Facebook during its next round of financing. Thel deal will give Microsoft a 1.6 percent stake in the Facebook, giving the social networking website a highly theoretical, paper value of somewhere in the neighborhood of $15 billion.

Paper or otherwise, a respectable neighborhood.

AMERIQUEST FILES FOUND IN DUMPSTER

2007-10-19T11:49:00.000-07:00

According to ABC news, "police in Atlanta Georgia are investigating how the personal files of 1,200 Ameriquest Mortgage customers" turned up in a dumpster at an apartment complex.

"Police say the 40 boxes of records contain sensitive financial information, including customers' credit histories, bank account information, tax and salary records and social security numbers."

The boxes appeared last month, but oddly, the three Ameriquest offices in the Atlanta area closed in 2005.

Police say the files involved mortgage customers from a number of different states, including Georgia, Florida and Mississippi.

Authorities plan to alert customers identified from the documents so that they can check their records to confirm they were not fraud victims.

An Ameriquest representative has reviewed some of the documents, and spokesman Chris Orlando says the company believes they were stolen from Ameriquest in late 2002.

According to Orlando, "We take the security of our records very seriously...and have been working to locate the person or persons responsible for the theft. We are pleased that the files have now been secured by authorities in DeKalb County, and we are working with local law enforcement to determine what information is contained in the files and who stole them."

It would be interesting to see if Ameriquest filed a police report for stolen files back in 2002.

Deputy Chief Burrows says so far his department has uncovered no evidence that the files were stolen from Ameriquest.

Deputy Chief Mike Burrows of the DeKalb County Police Department told the Blotter on ABCNews.com that the documents would have been a treasure trove to identity theft criminals."

According to Burrows, "If anyone finds it, they can delve into the files and assume people's identity and obviously open credit accounts and obtain loans on vehicles, mortgages -- the general financial identity fraud situation that the whole country's facing."

LEAHY - SPECTER INTRODUCE ID THEFT BILL

2007-10-17T09:01:00.000-07:00

Leahy and Specter have introduced another ID theft bill.

This bill, The Identity Theft Enforcement and Restitution Act of 2007 would, would:

* Give ID theft victims the right to seek compensation for they time lost and expenses they incur in correcting their credit history.

* Criminalizing the act of threatening to obtain or release information from a protected computer.

* Eliminate a requirement that the loss resulting from damage to a victim's computer must exceed $5,000 for prosecution (violations resulting in less than $5,000 damage would be catergorized as misdemeanors)

* Expand federal computer fraud statutes to cover small businesses and corporations.

* Allowing for federal prosecutions of cases in which both the identify thief's computer and the victim's computer are located in the same state.

* Make it a felony to use spyware or keyloggers to damage 10 or more computers;

* Expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer.

"Cybercriminals are getting smarter and more effective in their online efforts to strip Americans of their privacy and their property.

"Protecting American consumers from identity theft and fraud should be one of the Senate's top priorities. Cyber criminals are getting smarter and more effective in their online efforts to strip Americans of their privacy, and their property," Leahy said in a statement.

"In 2006, some 8.4 million Americans became victims to identity theft. Victims are often left with a bad credit report and must spend months and even years regaining their financial health. In the meantime, victims have difficulty getting credit, obtaining loans, renting apartments, and even getting hired," Arlen Specter said.

COMCAST INTERNAL HANDBOOK SHOWS CONCERN FOR PRIVACY

2007-10-16T08:42:00.000-07:00

DeDeclan McCullagh, writer for CNET, reports that "Comcast's confidential "Law Enforcement Handbook" was publicly disclosed on Monday."

MuCullagh's article is titled: "Secret manual shows Comcast (gasp!) protects customers' privacy."

I haven't read that manual myself, but Declan reports that is demonstates concern for their customer's privacy. This is isn't entirely surprising, and is an interesting development, given what we've recently about other telecoms and their cooperation with the Bush administration's wiretapping.

McCullagh writes:

"It turns out to be a 35-page manual dated September 2007 for police and intelligence agencies to use when they're trying to extract information out of Comcast about subscribers. The company's Internet service, VoIP telephone service and cable TV service are all covered.

What's perhaps most interesting, though, is that the leaked handbook shows that Comcast seems to be trying to protect its customers' privacy. I didn't see anything in the document offering to divulge more information than the law permits. Instead, the company repeatedly stresses that police follow legal requirements, and even attaches the text of two federal privacy laws as appendixes."

For more, click here: Declan McCullagh on Comcast's confidential "Law Enforcement Handbook."

EU WILL TAKE MONTHS ON GOOGLE

2007-10-15T13:04:00.000-07:00

According to Reuters, the EU will take several more months examining whether Google, and other search engines, are violating EU privacy law.

"We have written to Google to say that we are continuing our work, that it is not limited to Google, and that we will adopt an opinion at the beginning of 2008," Reuters quotes an official as saying after, after Article 29 committee met last week.

QWEST CEO CLAIMS RETALIATION FOR REFUSAL TO SPY ON CUSTOMERS

2007-10-11T11:19:00.000-07:00

Sara Burnett and Jeff Smith, report in the Rocky Mountain News that documents suggest that the National Security Agencym and other government agencies, retaliated against Qwest by not giving the company lucrative government contracts because Qwest would not cooperate with the federal government's possibly illegal phone surveillance program.

The documents were under seal until Wednesday, part of the trial of former Qwest CEO Joseph Nacchio for insider trading.

Nacchio, it appears, wanted to raise a defense related to the possibility that in 2001 Qwest was about to get a $100 million contract from the NSA. They didn't get the contract, and as we know, Qwest -- unlike AT&T and Verizon -- refused to track their customers phone calls without a warrant. The suggestion is that the program was raised at the same meeting in which the contract was discussed.

Nacchio also apparently was going to argue that he was in line for a $2 billion contract to build an Internet network which would be safe from terrorist attack, but that never happened.

Google, Yahoo, Microsoft Change Privacy Policies

2007-07-30T14:20:00.000-07:00

Google, Yahoo, and Microsoft have all recently changed their privacy policies due pressure from certain groups, not the least of which is the European Union, which is, among other activities, scrutinizing the possible merger of Google and Doubleclick.

Among the changes:

Yahoo - all search log data will be anonymous after 13 months.

Microsoft - all user search data anonymous after 18 months.

Google - data stored about end users in its server logs anonymous after 18 months.

GONZALEZ TESTIMONY HINTS AT DATA MINING

2007-07-28T14:55:00.001-07:00

AG Alberto Gonzalez testified this week there was dispute about Justice Dept. activities, but that it did not involve what he called the "terrorist surveillance program."

He may have been referring to large scale searches of electronic databases of domestic phone call and e-mail records, or data mining, according an article in the New York Times.

That the government can do this is well-known, utilizing the NSA's ability to intercerpt electronic traffic.

In 2004 there was disagreement within the Department of Justice over a program, but Gonzalez refuses to discuss it, and President Bush will not confirm its existence.

It may have involved Justice Dept. disagreements with the White House over the President's power to access large volumes of domestic records of phone calls and internet usage, looking for specific patterns or combinations of words, rather than usage by a person or group.

****************************************************************************

Raul Touts Work of White House Privacy Board

2007-07-25T13:55:00.000-07:00

The Privacy and Civil Liberties Oversight Board based out of the White House has long been regarded as toothless at best - recall Democrat Lanny Davis quit - and recent remarks by it's vice chair will do nothing to disabuse that impression.

Alan Raul told a House of Representatives Judiciary subcommittee that he opposed pending bill which would give the board more power, and more importantly, separate it from the White House. Davis quit out of concerns that the White House interfered with the Board and edited it's final report.

Raul claimed that the Board meets frequently and evaluated the privacy implications of areas of the federal government such as the NSA, the State Dept., and Treasury.

ChoicePoint Settles Breach Case With 44 States

2007-06-01T12:13:00.000-07:00

ChoicePoint has settled with all 44 states which sued the company over its 2005 security breach.

ChoicePoint agreed to adopt stronger security measures and pay $500,000 to the states, according to Connecticut Attorney General Richard Blumenthal.

Considering the company had 44 state AGs suing it, over a very highly publicized privacy breach, a settlement for $500,000 and tighter security procedures, which they were going to do anyway, is a very good deal for ChoicePoint.

The security measures are designed to make sure that their third party customers are using the personal information ChoicePoint markets for legitimate reasons. This will apparently include getting written certification from their customers, or even onsite visits to those customers by ChoicePoint.

ChoicePoint also agreed to conduct periodic audits of companies getting consumers' personal information to ensure that they are not using the information for illegitmate purposes.

Top Spammer Arrested

2007-05-31T09:31:00.000-07:00

According the Associated Press, the federal government has arrested a man they describe as being one of the top spammers in the world. They even claim users could notice a decrease in spam because of his arrest.

They accuse of 27 year-old Robert Alan Soloway using other people's computers to send out spam without their knowledge - so called "zombie computers". Apparently, a federal grand jury has already indicted him on several charges, including mail fraud, wire fraud, and aggravated identity theft. The government stated that this is the first time the federal government has charged a spammer with violating laws against identity theft.

Soloway has pleaded not guilty to all the charges.

Microsoft, which has been aggressive in going after spammers, won a $7 million civil judgment against him back in 2005, and the operator of a small Internet service provider in Oklahoma won a $10 million judgment. The article quotes Tim Cranton of Microsoft saying, "He's one of the top 10 spammers in the world."

NYT: Online Ads vs. Privacy

2007-05-12T04:53:00.000-07:00

The New York Times has an article today titled "Online Ads vs. Privacy" written by Dan Mitchell. It briefly looks at the issue of gathering personal information online.

"For advertisers, and in many ways for consumers, online advertising is a blessing. Customized messages rescue advertisers from the broad reach of traditional media. And consumers can learn about products and services that appeal directly to them.

But there are huge costs, and many dangers, warns Jennifer Granick, the executive director for the Stanford Law School Center for Internet and Society (wired.com). To approach individuals with customized advertising, you have to know who they are. Or at least, you have to gather enough personal information about them that their identity could be easily figured out."

For Full article, go here Online Ads vs. Privacy

Federal Council Recommends Fair Information Practices in U.S. Privacy Law

2007-05-08T08:07:00.000-07:00

The National Research Council has issued a voluminous report calling for sweeping changes in U.S. attitudes and approaches toward information privacy, by businesses and government. Essentially it calls for a more comprehensive, European or Canadian approach to information privacy.

The report is titled "Engaging Privacy and Information Technology in a Digital Age." To read about the report, go here:
To buy a copy of the full report, or read a summary of the report, go here and go to "Download Free":

This may be the most authoritative and respected federal body to issue such recommendations. In fact, given their mandate, and the nature of the issues they were addressing, their their recommendations are not all that surprising.

The report is likely to provoke discussion, and probably prompt some action at the margins. Nevertheless, it is not likely that we are going to see great changes in private sector practices or federal law as result of this report.

My description of their recommendations based on a reading of the Executive Summary:

* Application of Fair Information Practices by businesses when collecting and using personal information.

* Greater individual control over use of their personal information.

* Individual choice and consent of the use of their information.

* Mechanisms for choice and consent which genuinely inform the individual, and genuinely demonstrate their true desires regarding privacy, taking into account then tendency not to opt-out.

* Greater specific federal regulation of businesses which gather personal information on people.

* A Federal Privacy Commissioner or Privacy Commission.

* State and local privacy commissioners.

* Greater government action to protect individual information privacy.

Mental Health Privacy and Guns

2007-05-02T07:39:00.000-07:00

According to a story in the New York Times, Congress is, unsurprisingly, looking at revising mental health privacy laws in the wake of the Virginia Tech shooting.

New York Times(By Michael Luo)

"Momentum is building in Congress behind a measure that would push states to report their mental health records to the federal database used to conduct background checks on gun buyers.

But a thicket of obstacles, most notably state privacy laws, have thwarted repeated efforts to improve the reporting of such records in the past and are likely to complicate this latest effort, even after the worst mass shooting in United States history at Virginia Tech last month.

Federal law prohibits anyone who has been adjudicated as a “mental defective,” as well as anyone involuntarily committed to a mental institution, from buying a firearm. But only 22 states now submit any mental health records to the National Instant Criminal Background Check System, against which all would-be gun purchasers must be checked. "

See: http://www.nytimes.com/2007/05/02/us/02guns.html?_r=1&hp=&oref=slogin&pagewanted=print

Connecticut Sues Telemarketers for Violating Do-Not-Call law

2007-04-27T11:46:00.000-07:00

The Attorney General of Connecticut is suing three companies for violating the state Do Not Call law. According the AG’s press release, “Tri-State Home Improvement, LLC, of Branford, First National Mortgage Group, Inc., of Orange and Craftmasters Windows and Siding, LLC, of East Hartford called consumers on the do-not-call list and, in some instances, continued calling even after recipients said they were on the list.”

Blumenthal filed the suit charging violations of the Connecticut Unfair Trade Practices Act. He can seek up to a $5,000 fine per violation, disgorgement of any ill-gotten gains and reimbursement of the state's litigation expenses. Blumenthal is also seeking orders allowing consumers to void contracts they signed as a result of the illegal phone solicitations.

Attorney General Richard Blumenthal is quoted as saying:

"These companies harassed consumers with unwanted and unwelcome sales pitches - effectively breaking into their homes - exactly what the do-not-call list statute should stop. Even when told numbers were on the do-not-call list, the companies continued calling them, invading consumers' privacy and wasting their time."

"The message to telemarketers: Do not call means do not call. What part of 'no' don't you understand? We will fight intrusive, infuriating calls at home - still all too common. Consumers have legal rights to stop unsolicited telemarketing calls. Companies must be held accountable for flagrant, frequent violations of the state's telemarketing safeguards. Remedies should enable consumers to collect money and void unwanted contracts when these telemarketers break into their homes."

See: Connecticut Attorney General Sues Telemarketers

Google Buys Doubleclick for $3.1 Billion

2007-04-14T12:49:00.000-07:00

Google has agreed to buy Doubleclick for $3.1 billion, one of many recent big purchases for Google, as they seek to expand their operations. Doubleclick is the major online advertiser which became one of the first businesses to appoint a Chief Privacy Officer, as a result questions arising from their own purchase of an offline target maketer. In early 2000 Doublclick bought an offline marketer, Abacus Direct. The company compiled information on consumers such as names and addresses, which Doubleclick planned on combining with information it had learned about consumers web surfing habits. There was an outcry, and Doubleclick dropped its plans.

Google is clearly trying to beef its advertising, which is a major source of income.

Randall Rothenberg, is quoted in the New York Times as saying: “You can dive deep into that data and say who were those people, where do they live, what were they doing when they looked at those ads? You can protect privacy and provide great insights for advertisers.”

The investigation began in February 2000 after the company announced plans to combine consumer information collected online with personally identifiable customer data from its newly merged subsidiary, Abacus Direct. The point of compiling such dossiers is to better target advertisements to consumers as they surf the Web.

The government agency issued a letter Monday to DoubleClick's lawyers notifying them of the investigation's end. The investigation was launched primarily to determine whether DoubleClick, in its collection of online consumer habits, or "clickstream data," merged sensitive information from its subsidiary in violation of its privacy policy.

"The issue that triggered the investigation was a report that they were planning to combine offline information from Abacus with their clickstream data. However, this never took place," said FTC spokesman Eric London. "As a result, there was no violation of their privacy policy."

Google Buys an Online Ad Firm for $3.1 Billion

By LOUISE STORY and MIGUEL HELFT

Google agreed to its largest acquisition yesterday, reaching a deal to purchase DoubleClick, the online advertising company, from two private equity firms for $3.1 billion in cash, almost double what it paid for YouTube last year. And perhaps just as important, the deal kept DoubleClick from the hands of Microsoft.

***************************************************************************

TJX Reveals Even More Information Exposed

2007-03-29T17:17:00.000-07:00

TJX has stated in a regulatory filing yesterday that another 455,000 of their customers had their personal data taken by hackers. TJX first revealed the massive breach earlier in the year.

Reportedly 45.7 million credit and debit card numbers have been by hackers from TJX over a period of years.

CHARGES AGAINST PATRICIA DUNN DISMISSED

2007-03-15T05:14:00.000-07:00

A California state judge has dismissed all the charges against Patricia Dunn in the Hewlett Packard pretexting scandal. Dunn, the former Chairman of the Board, had been charged with several felonies relating to actions taken at HP to gain access to phone records of members of the Board.

Charges against other HP employees and data brokers were not dismissed.

FTC Investigating TJX Breach

2007-03-14T17:13:00.000-07:00

According to a story in the Boston Globe, the FTC is investigating a reported security breach at TJX, a large retailer which operates more than 2,000 stores, including T.J. Maxx and Marshalls.

In January of 2007, TJX announced that a breach of consumer data occurred in 2006, then later amended that to say that hackers had broken into their computers as early as July 2005.

Link: Boston Globe

Hewlett-Packard Puts New Safeguards in Place

2007-03-07T18:49:00.000-08:00

Hewlett-Packard has put new safeguards to prevent the kinds of problems that developed at the company in its Board of Directors leak investigation.

According to an article by Anne Broache of CNET News, Jonathan Hoak, HP's chief ethics and compliance officer, thoroughly vets outside companies before using them to conduct investigations. Chief Privacy Officer Scott Taylor and CEO Mark Hurd said they are committed to "building a world-class ethics and compliance program."

See: CNET