General privacy-related resources
 Protect Your Privacy - How to Protect Your Identity as well as Your Financial, Personal, and Computer Records in an Age of Constant Surveillance (Outwitting) by
Duncan Long (~US$11 from Amazon), a new book on the subject, claims to offer “Everything you need to know about how to protect your computer security,
financial privacy, telephone privacy, identification, freedom of movement, and more!”.
Privacy International publishes an excellent summary of the state of privacy
legislation around the world, with a fascinating map. Privacy International is a human rights pressure group that acts “as a watchdog on surveillance by governments and corporations”.
They have a number of battle fronts including ID cards and wiretapping practices. PogoWasRight is a curiously-named blog with a high privacy content.
Educational Security Incidents (ESI) is a blog listing (mostly privacy related) security incidents reported in the
press. These are intended to be useful fodder for security awareness programs, although users would have to add their own analysis to draw out the learning points.
Two British policemen with jobs-on-the-side as private detectives were convicted of bugging phones and
hacking into computers on behalf of wealthy clients.
The IIA’s Global Technology Audit Guide (GTAG) number 5 covers Managing and Auditing Privacy Risks.
The American Institute of Certified Public Accountants (AICPA)’s Generally Accepted Privacy Principles (GAPP)
cover ten key privacy issues that bear a remarkably similarity to the EU’s data protection principles.
The personal information of “every police officer in Texas” has been compromised through the theft of a laptop from a supplier.
Users of Google Street View get ground-level views of selected city streets. Some of the images may not be entirely appropriate for public viewing. Examples quoted in a NY Times piece [free access, requires
registration] include bikini-clad women, a man scaling a gate, a man entering a porn shop and readable vehicle number plates. This is just one of many privacy concerns raised by Google’s services. Google’s desktop search utility was previously slammed for disclosing details of the contents of users’ C: drives on
the Web and the European Community is deeply concerned about Google’s privacy policies. Other search
engines raise privacy concerns too, of course, but Google is the biggest and hence is bound to make a large target in the firing line.
A Trojan uses two convincing Microsoft Windows Activation screens as the lure to steal victims’ credit card
numbers. Kardphisher launches a blended phishing attack, combining social engineering and malware.
Case notes on children at risk in Essex, England, found their way on to eBay despite the secure data
destruction processes that were supposed to prevent this kind of thing.
The Information Commissioner found 11 big-name UK financial institutions in breach of the Data Protection Act for dumping paperwork containing their valued customers’ personal details in outside waste bins.
The Australian Privacy Foundation maintains a list of privacy laws in about 30 countries and the Global
Internet Liberty Campaign (GILC) periodically surveys privacy laws worldwide.
The UK Freedom of Information Act creates a tension between protection of personal data on one hand, and the need to disclose certain public information on the other. Public bodies have responsibilities to
disclose all sorts of interesting information but there are rules to protect personal data.
The UK Information Commissioner is responsible for overseeing compliance with the Data Protection Act, such as advice on the data protection implications of CCTV. Carnegie Mellon University’s Data Privacy Lab
ran the Surveillance of Surveillance (SOS) project to investigate the use of technology such as CCTV to
track members of the public.
Webcams that allow parents to monitor their children’s kindergartens etc. (“kindycams”) are being
challenged on privacy grounds. Some teachers evidently resent the intrusion into their classrooms, and the
risk of images being viewed by pedophiles is considered significant. Mobile phones with integrated cameras raise numerous confidentiality and privacy issues such as their use in changing/rest rooms. Spies, pedophiles and peeping Toms like miniature wireless cameras for similar reasons.
Canada’s Privacy Act is monitored by the Privacy Commissioner of Canada.
A Canadian bank that repeatedly sent internal FAXes containing confidential client information (supposedly
“for your eyes only”) to a FAX machine belonging to a US scrapyard operator ended up in court.
A citizens’ guide to data protection in the European Union gives an overview of the legislation. Like most
official EU documents, it is available in several languages.
Be careful what you mutter to yourself when you’re ‘on-hold’, especially if the telephone is being recorded.
The article notes that third parties are increasingly being used to monitor calls, including overseas companies.
US-CERT Cyber Security Tip on privacy.
RF identification tags offer great potential for improving supply chain efficiency but at what cost in terms of privacy? CSO Magazine gave a good overview of the issues underlying news stories about a privacy backlash against RF ID tags.
Here’s a detailed ‘strategic overview’ (if that’s not a contradiction) on privacy.
Australian privacy guru Roger Clark defines privacy as “the interest that individuals have in sustaining a
‘personal space’, free from interference by other people and organisations” with several dimensions: privacy
of the person, privacy of personal behavior, privacy of personal communications and privacy of personal data. [The NoticeBored awareness materials on privacy concentrated on the latter two dimensions.]
More than two decades ago, the Council of Europe: Convention For the Protection of Individuals with Regard
to Automatic Processing of Personal Data defined ‘personal data’ as ‘any information relating to an identified
or identifiable individual (“data subject”)’. The convention was the precursor to European data protection
legislation, although the definition subsequently evolved (in some European legislatures if not all) to refer specifically to identifiable living individuals.
The Privacy Forum has a mailing list for discussion of personal privacy and related issues.
CSO magazine noted the differing approaches to privacy taken by the US and Europe. The Federal Trade Commission website has a special section specifically covering privacy issues. The FTC’s Do Not Call Registry provides a mechanism for US consumers to opt-out of marketing/sales calls. A ‘do not spam’
registry is also under discussion.
Privacy of medical records
NIST Special Publication 800-66 is An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Being a NIST product, it is a well-written,
comprehensive document that will no doubt be used as a reference by auditors and information security managers in addition to HIPAA itself.
The need to protect confidentiality of personal medical information whilst allowing medical professionals
legitimate access to the data, is gradually being enshrined in law. The US Health Insurance Portability and Accountability Act (1996) (HIPAA) and UK Data Protection Act (1998), for example, impose standards on
organizations gathering, processing and using medical data. Under HIPAA, Americans have rights to access their own medical records. The US Department of Health medical privacy standards state: “Until now,
virtually no federal rules existed to protect the privacy of health information and guarantee patient access to
such information. This final rule establishes, for the first time, a set of basic national privacy standards and
fair information practices that provides all Americans with a basic level of protection and peace of mind that
is essential to their full participation in their care. The rule sets a floor of ground rules for health care
providers, health plans, and health care clearinghouses to follow, in order to protect patients and encourage them to seek needed care. The rule seeks to balance the needs of the individual with the needs of the
society. It creates a framework of protection that can be strengthened by both the federal government and by states as health information systems continue to evolve.
The UK Data Protection Act is still causing confusion years after it was enacted. It is reported that management at a Welsh hospital ordered the removal of boards in the wards displaying patient names due
to patient confidentiality concerns. However, medical staff felt this decision compromised patient safety and the Information Commissioner disagreed that this is required under the Data Protection Act.
Website privacy policies
The Direct Marketing Association offers a simple point-and-click method of generating a website privacy
policy to suit your requirements. The resulting policy may not be sufficiently comprehensive or accurate (your legal people should probably review it, for example) but is an extremely easy way of creating
something to start with.
See what Google’s privacy policy means in this video.
The Canadian Marketing Association website advises its members on privacy policies and principles they
should adopt, based on the OECD guidelines.
Related NoticeBored links collections
Governance, compliance, database security, identity theft, intellectual property, hacking, accountability, social engineering, Internet security, confidentiality and security awareness.
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.
|
