Category Archives: US and Canada

So what is it that an iPhone can’t do? Because now it can read fingerprints, scan irises and ID your face

Wired published today one of those stories that make me flinch for a couple of seconds and wonder where technology is going to stop, what its final purpose is, and whether it really has such a purpose at all.

Apparently, according to Wired, cops and soldiers may soon be able to pull out their iPhones to track the eyes, facial features, voice and fingerprints of suspected criminals and combatants.

In my mind, this story reads like “potentially unlimited small big brothers will roam around the world and will categorize virtually anyone according to their irises, fingerprints and their facial structure, with no obvious purpose”. This piece of news is yet another strong argument to leave aside the consent paradigm in privacy and data protection and to focus on enacting safeguards, strong safeguards so that this sort of categorizing is only made for specific purposes, that those purposes and the use of the data are transparent, that the use of the data is limited in time and that erasure must occur after the said time passes…



The California-based company AOptix rolled out a new hardware and app package that transforms an iPhone into a mobile biometric reader. As first reported by Danger Room in February, AOptix is the recipient of a $3 million research contract from the Pentagon for its on-the-go biometrics technology.

Opting for what it considers ease of use, the company decided to build its latest biometrics package, which it calls Stratus, atop an iPhone. A peripheral covering wraps around the phone — it’s an inch and a half thick, three inches wide and six inches tall — while the AOptix Stratus app presents a user interface familiar to any iOS user. Except you’re not going to be recording Vine videos, you’re going to be recording the most unique physical features of another human being.

“From an end-user perspective, it’s much, much smaller, lighter and easier to use an app-based capability” than the bulky biometrics tools currently in military use, Joey Pritikin, an AOptix vice president, tells Danger Room. “Anyone who’s used an iPhone before can pick this up and use it.” (read the whole story HERE)


Canadian and Dutch DPAs: WhatsApp breaches privacy law

Reuters reports that WhatsApp, one of the most popular apps in the world, contravenes international privacy laws because it forces users to provide access to their entire address book, Canadian and Dutch data protection authorities said.

WhatsApp, which ranks as one of the world’s top five best-selling apps, is an instant-messaging application for smartphones including Apple’s iPhone and Research in Motion’s Blackberry.

The report comes at a time of increased criticism of internet companies, such as Facebook, over the storing and sharing of personal information.

Produced by California-based WhatsApp Inc, it provides a free internet alternative to SMS, or text messaging, sending more than a billion messages every day.

The Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority, in a joint report released on Monday, said the app violated privacy laws because users have to provide access to all phone numbers in their address book, including both users and non-users of the app.

“This lack of choice contravenes (Canadian and Dutch) privacy law. Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp,” said Jacob Kohnstamm, chairman of the Dutch Data Protection Authority.

WhatsApp was not immediately available to comment.

The investigators found that WhatsApp retained the mobile numbers of non-users, contravening privacy laws.

WhatsApp committed to making changes to protect users’ privacy, including allowing the manual addition of contacts, according to the investigators. In September 2012, it introduced encryption for its mobile messaging service, partly in response to concerns raised by the investigation.

The Dutch agency said it would continue to monitor WhatsApp and could impose penalties if privacy violations continued.

(Reporting by Sara Webb, Editing by Louise Heavens for Reuters)


Facebook created a tool for users which digs into your data

writes that Facebook has spent eight years nudging its users to share everything they like and everything they do. Now, the company is betting it has enough data so that people can find whatever they want on Facebook. And on Tuesday, it unveiled a new tool to help them dig for it.

The tool, which the company calls graph search, is Facebook’s most ambitious stab at overturning the Web search business ruled by its chief rival, Google. It is also an effort to elbow aside other Web services designed to unearth specific kinds of information, like LinkedIn for jobs, Match for dates and Yelp for restaurants.

Facebook has spent over a year honing graph search, said Mark Zuckerberg, the company’s co-founder and chief executive, at an event here at Facebook’s headquarters introducing the new product. He said it would enable Facebook users to search their social network for people, places, photos and things that interest them.

That might include, Mr. Zuckerberg offered, Mexican restaurants in Palo Alto that his friends have “liked” on Facebook or checked into. It might be used to find a date, dentist or job, other Facebook executives said.

“Graph search,” Mr. Zuckerberg said, “is a completely new way to get information on Facebook.”

Graph search will be immediately available to a limited number of Facebook users — in the “thousands,” Mr. Zuckerberg said — and gradually extended to the rest.

Every Internet platform company has been interested in conquering search.

But Facebook search differs from other search services because of the mountain of social data the company… (read the rest of the story HERE).

Canada: Privacy commissioner denies Internet surveillance compromise with police

Jesse Brown writes for that Jim Bronskill, of The Canadian Press, has reported a weird story. He filed an access to information request and obtained an internal memo from the privacy commissioner’s office. In his words, it reveals this:

“The federal privacy watchdog is trying to help the Conservative government find a compromise in its contentious bid to bolster Internet surveillance powers.”

How strange. Strange for the Privacy Commissioner to be helping the state “bolster surveillance,” and strange for her to be doing so in the spirit of compromise. Why compromise with Bill C-30? “Lawful Access,” which was rebranded the “Protecting Children from Internet Predators Act,” but is known widely as the “Internet Spying Bill,” was pronounced dead the prior spring, in a seeming victory for privacy commissioner Jennifer Stoddart, who opposed it from the start.

So, why cut a deal with a dead foe? Perhaps she didn’t.

“I reject the characterization of this as a compromise outright,” assistant privacy commissioner Chantal Bernier said in a phone interview with me yesterday. “Privacy is a fundamental right. You don’t compromise on fundamental rights.”

Read the rest of the story HERE.


USA: Changes in the 1988 Video Privacy Protection Act

writes that President Obama signed Netflix-backed legislation today that makes it easier for people to share their video-viewing habits online.

With his signature on H.R. 6671, Obama approved an amendment to the 1988 Video Privacy Protection Act that allows video rental companies to obtain customer consent to share information about their viewing preferences on social networks such as Facebook. The law was enacted after a weekly newspaper printed the video rental history of Judge Robert H. Bork during his Supreme Court confirmation hearings.

The House bill is similar to a proposal approved last November by the Senate Judiciary Committee, minus language inserted by Sen. Patrick Leahy that would have required police to obtain search warrants before accessing files stored in the cloud, including e-mail. However, Leahy later withdrew the controversial proposal.

Netflix, which had argued that the 25-year-old law was outdated and due for an overhaul, has said it plans to introduce social features for subscribers this year, although a Netflix representative told CNET that it was too early to discuss specifics. Netflix users outside the United States already have the option to link their accounts with Facebook, allowing them frictionless sharing of their video viewing preferences with other members of their online social network.

Student Suspended for Refusing to Wear RFID Tracker Loses Lawsuit

Wired writes that a Texas high school student who claimed her student identification was the “Mark of the Beast” because it was implanted with a radio-frequency identification chip has lost her federal court bid Tuesday challenging her suspension for refusing to wear the card around her neck.

Radio-frequency identification devices are a daily part of the electronic age — found in passports, and library and payment cards. Eventually they’re expected to replace bar-code labels on consumer goods. Now schools across the nation are slowly adopting them as well.

Northside Independent School District in San Antonio began issuing the RFID-chip-laden student-body cards when the semester began in the fall. The ID badge has a bar code associated with a student’s Social Security number, and the RFID chip monitors pupils’ movements on campus, from when they arrive until when they leave.

Sophomore Andrea Hernandez was notified in November by the Northside Independent School District in San Antonio that she won’t be able to continue attending John Jay High School unless she wears the badge around her neck. The district said the girl, who objects largely on religious grounds, would have to attend another high school that does not employ the RFID tags.

She sued, and a judge tentatively halted the suspension, but changed course Tuesday after concluding that the 15-year-old’s right of religion was not breached. That’s because the district eventually agreed to accommodate the girl and allow her to remove the RFID chip while still demanding that she wear the identification like the other students.

The Hernandez family claims the badge and its chip signify Satan, or the “Mark of the Beast” warning in Revelation 13:16-18. The girl refused the district’s offer, sued, and was represented by the Rutherford Institute.

“The accommodation offered by the district is not only reasonable, it removes plaintiff’s religious objection from legal scrutiny altogether,” U.S. District Judge Orlando Garcia wrote.

The girl’s father, Steven, wrote the school district explaining why removing the chip wasn’t good enough, that the daughter should be free from displaying the card altogether. “We must obey the word of God,” the father said, according to court documents. “By asking my daughter and our family to participate and fall in line like the rest of them is asking us to disobey our Lord and Savior.”

The institute, which said it would appeal to the 5th U.S. Circuit Court of Appeals, blasted the decision.

“By declaring Andrea Hernandez’s objections to be a secular choice and not grounded in her religious beliefs, the district court is placing itself as an arbiter of what is and is not religious. This is simply not permissible under our constitutional scheme, and we plan to appeal this immediately,” the institute said in a statement.

The district, however, hailed the decision.

“Today’s court ruling affirms NISD’s position that we did make reasonable accommodation to the student by offering to remove the RFID chip from the student’s smart ID badge,” the district said in a statement.

The motive behind the RFID tagging appears largely financial.

Like most state-financed schools, the district’s budget is tied to average daily attendance. If a student is not in his seat during morning roll call, the district doesn’t receive daily funding for that pupil because the school has no way of knowing for sure if the student is there.

But with the RFID tracking, students not at their desks but tracked on campus are counted as being in school that day, and the district receives its daily allotment for that student.

Tagging school children with RFID chips is uncommon, but not new. A federally funded preschool in Richmond, California, began embedding RFID chips in students’ clothing in 2010. And an elementary school outside of Sacramento, California, scrubbed a plan in 2005 amid a parental uproar. And a Houston, Texas, school district began using the chips to monitor students on 13 campuses in 2004 for the same reasons the Northside Independent School District implemented the program. Northside is mulling adopting the program for its other 110 schools.

Judge Garcia gave the girl until the end of the semester, January 18, to say whether she will wear the badge or transfer to another school.


$140k penalty for health data breach (paid by firm AND doctors)

The Boston Globe writes that the former owners of a medical billing practice that dumped sensitive health records at the Georgetown Transfer Station have agreed, along with doctors involved, to pay $140,000 in a settlement with the Massachusetts attorney general’s office.

A Globe photographer noticed the pile of paper records when he was tossing out his own trash in July 2010.

The pile consisted of records for more than 67,000 people, including names, addresses, Social Security numbers, pathology reports for people tested for various kinds of cancer, and other test results.

The photographer collected some of the documents, and the Globe contacted the hospitals that had contracted with the pathologists who had shared information with the billing company.

State and federal laws require health records to be disposed of in ways that destroy personal information, such as by shredding or incineration.

‘It is the obligation of all parties involved to ensure that sensitive information is disposed of properly.’

“Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors,” Attorney General Martha Coakley said in a press release.

Read the whole story: $140K penalty for data breach


The other defendants involved in this settlement are Dr. Kevin Dole, former President of Chestnut Pathology Services, P.C.; Milford Pathology Associates, P.C.; Milton Pathology Associates, P.C.; and Pioneer Valley Pathology Associates, P.C.

The AG’s Office alleges that these pathology groups violated HIPAA regulations by failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates, and violated state data security regulations by not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.


Disneyland to introduce RFID bracelets to personalize the customers’ experience

Nowadays Big Brother hops in where you don’t expect him to! The most recent example? Disneyland!

The New York Times reports that Disney plans to begin introducing a vacation management system called MyMagic+, based on RFID technologies, that will drastically change the way Disney World visitors — some 30 million people a year — do just about everything.

Imagine Walt Disney World with no entry turnstiles. Cash? Passé: Visitors would wear rubber bracelets encoded with credit card information, snapping up corn dogs and Mickey Mouse ears with a tap of the wrist. Smartphone alerts would signal when it is time to ride Space Mountain without standing in line.

Fantasyland? Hardly. It happens starting this spring.

Disney in the coming months plans to begin introducing a vacation management system called MyMagic+ that will drastically change the way Disney World visitors — some 30 million people a year — do just about everything.

The initiative is part of a broader effort, estimated by analysts to cost between $800 million and $1 billion, to make visiting Disney parks less daunting and more amenable to modern consumer behavior. Disney is betting that happier guests will spend more money.

“If we can enhance the experience, more people will spend more of their leisure time with us,” said Thomas O. Staggs, chairman of Disney Parks and Resorts.

The ambitious plan moves Disney deeper into the hotly debated terrain of personal data collection. Like most major companies, Disney wants to have as much information about its customers’ preferences as it can get, so it can appeal to them more efficiently. The company already collects data to use in future sales campaigns, but parts of MyMagic+ will allow Disney for the first time to track guest behavior in minute detail.

Read the whole story: At Disney Parks, a Bracelet Meant to Build Loyalty (and Sales)

The result of the piecemeal approach of privacy in the US: Maryland wants a Gun Owner Privacy Bill (!)

The special privacy rules in the US for health data, for children, for customers of video rental businesses, for social media passwords and so forth could soon be joined by a privacy law dedicated to… gun owners. writes that State Del. Pat McDonough (Maryland) wants to stop newspapers from publishing information about gun owners.

City Paper reports a bill on the subject is one of three that McDonough plans to introduce in the General Assembly session that starts in January.

McDonough, a Middle River Republican who represents parts of Baltimore and Harford counties, told City Paper that the gun owner bill was brought on by current events.

In New York, following the Dec. 14 school shooting in Newtown, CT, The Journal News published an online map of pistol permit holders in three counties.

The map was compiled using public record requests. A blogger retaliated by posting the addresses of Journal News staffers, as CNN reported. One blogger even published the address of the CEO of the paper’s owner, Gannett, as Poynter reports.

“This is really a response to the paper in New York which claimed what they were doing was for the public good, but what it really is is a massive editorial taking up two pages of the newspaper reflecting their position of the newspaper,” McDonough told City Paper. “It’s really dishonest to not say it is an editorial.”

Hence, we learn that the initiative is not even privacy driven.

Read the whole story: McDonough to introduce gun owner privacy bill

Read the original map story: Map: Where are the gun permits in your neighborhood?

Read comments on the map story: Outcry over newspaper’s map of handgun permit holders

Also read, if really interested in this matter: Putnam officials refuse to release gun permit data

Advice on new Omnibus rules of HIPAA

publishes an interview with attorney Lisa Sotto on the modifications of HIPAA, which are expected to enter into force in the following weeks.

Healthcare organizations need to more closely monitor how their business associates protect the security of patient information and step up risk assessments as they prepare to comply with looming HIPAA modifications, says Sotto.

As proposed, the long-overdue HIPAA modifications, which may be released in the coming weeks, would require business associates and their subcontractors to comply with the HIPAA Security Rule.

“We see a growing number of breaches happen when business associates possess PHI [protected health information],” Sotto says in an interview with HealthcareInfoSecurity. “CISOs and CIOs should look at the HIPAA [modifications that are pending] as an opportunity to improve business associate security. It’s important for healthcare entities to focus their energies on seeking to prevent these sorts of incidents,” says Sotto, who heads the global privacy and data security practice of law firm Hunton & Williams.

A pending omnibus package of regulations includes several components, including modifications to the HIPAA privacy, security and enforcement rules; a final version of the HIPAA breach notification rule; and a measure spelling out that using genetic information for insurance underwriting purposes is a privacy violation as well as discriminatory under the Genetic Information Non-Discrimination Act.

In the interview, Sotto points to other pending regulations, including:

  • A final rule that would modify the HIPAA Privacy Rule standard for accounting of disclosures of protected health information that adds new requirements for access reports. The pending regulation was placed on hold when its requirement for detailed reports about who accessed patient records proved controversial. “It’s complex and confusing and would impose a substantial, costly technological burden on covered entities,” she says.
  • State privacy regulations. “There may be additional new state privacy laws enacted,” Sotto says. Texas enacted privacy laws in September that are broader than HIPAA, she notes.

Listen to the interview here: HIPAA modifications: how to prepare