Information Policy

compiled by education new york online


Updated Friday November 13, 2015 09:47 AM

A LETTER TO PARENTS

National Opt-Out Campaign Informs Parents How to Protect the Privacy of their Children's School Records
Date Captured: Tuesday September 20, 2011 04:53 PM
Parents have rights under the Family Educational Rights Privacy Act (FERPA) to restrict access to their children's personal information.

ACLU

Welcome to The Opt Out of Standardized Tests Site!
Date Captured: Saturday August 04, 2012 07:05 PM
This site was created to collect and share information on state by state rules and experiences related to opting out of standardized tests. This is an open community for any parent, student, or educator interested in finding or sharing opt out information, irrespective of personal decisions regarding political party, religion, or choice of public or non public education.
Parent Right to Opt Out Lawsuit Emerges
Date Captured: Saturday August 04, 2012 07:01 PM
ACLU is interested in supporting any parents whose children received a penalty/threats for opting out of testing. If you want to participate in the complaint please share the following: your story; permission to join in on the ACLU complaint; your return address; a signature on a hard copy.
ACLU: Social Networking, your privacy rights explained
Date Captured: Thursday March 08, 2012 09:05 AM
The vast majority of young people living in the United States go online daily and use social networking sites like Twitter, Facebook and YouTube. With all this information-sharing, many questions about ownership of personal information and possible discipline for postings arise. This guide will answer some of those questions so that you can better understand the rights you have when using social networking both in and out of school.
Cloud Computing: Storm Warning for Privacy?
Date Captured: Wednesday July 07, 2010 01:20 PM
[Abstract: “Cloud computing” - the ability to create, store, and manipulate data through Web-based services - is growing in popularity. Cloud computing itself may not transform society; for most consumers, it is simply an appealing alternative tool for creating and storing the same records and documents that people have created for years. However, outdated laws and varying corporate practices mean that documents created and stored in the cloud may not have the same protections as the same documents stored in a filing cabinet or on a home computer. Can cloud computing services protect the privacy of their consumers? Do they? And what can we do to improve the situation?] Ozer, Nicole and Conley, Chris, Cloud Computing: Storm Warning for Privacy? (January 29, 2010). Nicole Ozer & Chris Conley, CLOUD COMPUTING: STORM WARNING FOR PRIVACY, ACLU of Northern California, 2010.
Digital Due Process
Date Captured: Wednesday March 31, 2010 04:23 PM
[A powerful collection of organizations has formed a new coalition to push for an update to the Electronic Communications Privacy Act (ECPA). Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.]
Bill Introduced To Repeal Failed Real ID Act (7/31/2009) Bill Would Protect Civil Liberties And Drivers' License Security
Date Captured: Sunday August 09, 2009 05:13 PM
WASHINGTON – In a welcome move today, legislation was introduced in the House of Representatives to repeal the discredited Real ID Act of 2005. The REAL ID Repeal and Identification Security Enhancement Act of 2009, introduced by Representative Steve Cohen (D-TN), would repeal Real ID and replace it with the original negotiated rulemaking process passed by Congress as part of the 9/11 Commission recommendations. Twenty-five states have already rejected Real ID, citing its high cost, invasiveness and the bureaucratic hassles it creates for citizens. The Real ID Act of 2005 directs states to issue a federally-approved driver's license or other form of ID that would be necessary for airline travel and become part of a national database. Like state governments from coast to coast, the American Civil Liberties Union has long opposed the Act as too invasive, too much red tape and too expensive.
Federal departments fall short on civil liberties
Date Captured: Tuesday January 27, 2009 10:14 AM
By Peter Eisler, USA TODAY - [WASHINGTON — The departments of Defense, State, and Health and Human Services have not met legal requirements meant to protect Americans' civil liberties, and a board that's supposed to enforce the mandates has been dormant since 2007, according to federal records. All three departments have failed to comply with a 2007 law directing them to appoint civil liberties protection officers and report regularly to Congress on the safeguards they use to make sure their programs don't undermine the public's rights and privacy, a USA TODAY review of congressional filings shows.]

Agencies

Ohio House Bill Number 648
Date Captured: Thursday December 25, 2008 02:23 PM
(127th General Assembly) (Substitute House Bill Number 648) AN ACT -- To amend section 1347.99 and to enact sections 1347.15 and 5703.211 of the Revised Code to require state agencies to adopt rules governing access to the confidential personal information that they keep, to create a civil action for harm resulting from an intentional violation of these rules, to impose a criminal penalty for such an intentional violation, and to require the Department of Taxation to adopt rules to generally require the tracking of searches of any of the Department's databases.

Applications

PRIVACY ON THE GO: RECOMMENDATIONS FOR THE MOBILE ECOSYSTEM
Date Captured: Saturday January 12, 2013 07:18 AM
Kamala D. Harris, Attorney General; California Department of Justice. Privacy on the Go recommends a “surprise minimization” approach. This approach means supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.
“Mobile Apps for Kids: Disclosures Still Not Making the Grade”
Date Captured: Thursday December 13, 2012 12:18 PM
FTC: The report strongly urges all entities in the mobile app industry – including app stores, app developers, and third parties providing services within the apps – to accelerate efforts to ensure that parents have the key information they need to make decisions about the apps they download for their children. The report also urges industry to implement recommendations in the recent FTC Privacy Report including: Incorporating privacy protections into the design of mobile products and services; Offering parents easy-to-understand choices about the data collection and sharing through kids’ apps; and Providing greater transparency about how data is collected, used, and shared through kids’ apps.
Smartphones and the 2012 Election
Date Captured: Tuesday August 14, 2012 10:38 AM
EPIC has released a report, "Smartphones and the 2012 Election," which focuses on the potential risks to voters who download election-related apps to their smartphones and tablets. The report contends that these apps promote greater citizen participation in e-democracy, but also may contain malware, disseminate false information --- or, as was recently reported about an Obama campaign app, compromise voter privacy by making voters' personal and locational information widely available. A recent study by the University of Pennsylvania's Annenberg School for Communication revealed that voters are ambivalent about "personalized" political advertising, a practice likely to increase with the number of election and political apps available for download. EPIC's report also examines the role of federal and state regulation in protecting voters and providing guidance to campaigns, and recommends actions that voters, election administrators, and campaigns can take to better protect voter privacy.
Future of Privacy Forum (FPF) Application Privacy
Date Captured: Wednesday January 19, 2011 07:42 PM
Apps resource page
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
Date Captured: Friday October 01, 2010 07:22 PM
To appear at the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI’10). William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, Anmol N. Sheth at CONCLUSION: While some mobile phone operating systems allow users to control applications’ access to sensitive information, such as location sensors, camera images, and contact lists, users lack visibility into how applications use their private data. To address this, we present TaintDroid, an efficient, system-wide information flow tracking tool that can simultaneously track multiple sources of sensitive data. A key design goal of TaintDroid is efficiency, and TaintDroid achieves this by integrating four granularities of taint propagation (variable-level, message-level, method-level, and file-level) to achieve a 14% performance overhead on a CPU-bound microbenchmark. We also used our TaintDroid implementation to study the behavior of 30 popular third-party applications, chosen at random from the Android Marketplace. Our study revealed that two-thirds of the applications in our study exhibit suspicious handling of sensitive data, and that 15 of the 30 applications reported users’ locations to remote advertising servers. Our findings demonstrate the effectiveness and value of enhancing smartphone platforms with monitoring tools such as TaintDroid.

Authentication

Happy Birthday, Internet
Date Captured: Friday October 30, 2009 08:22 PM
NPR interview -- authentication and privacy concerns mentioned. October 30, 2009 [On Oct. 29, 1969, around 10:30 P.M., a message from one computer was sent over a modified phone line to another computer hundreds of miles away. Some say the Internet was born that day. UCLA computer scientist Leonard Kleinrock, who was there, gives his account.] IMPORTANT EXCERPT: [Dr. KLEINROCK: Yes. In fact, in those early days, the culture of the Internet was one of trust, openness, shared ideas. You know, I knew everybody on the Internet in those days and I trusted them all. And everybody behaved well, so we had a very easy, open access. We did not introduce any limitations nor did we introduce what we should have, which was the ability to do strong user authentication and strong file authentication. So I know that if you are communicating with me, it's you, Ira Flatow, and not someone else. And if you send me a file, I receive the file you intended me to receive. We should've installed that in the architecture in the early days. And the first thing we should've done with it is turn it off, because we needed this open, trusted, available, shared environment, which was the culture, the ethics of the early Internet. And then when we approach the late 1980s and the early 1990s and spam, and viruses, and pornography and eventually the identity theft and the fraud, and the botnets and the denial of service we see today, as that began to emerge, we should then slowly have turned on that authentication process, which is part of what your other caller referred to is this IPV6 is an attempt to bring on and patch on some of this authentication capability. But it's very hard now that it's not built deep into the architecture of the Internet.]

Big Data

"Big Data and the Future of Privacy"
Date Captured: Monday April 07, 2014 11:09 AM
EPIC comments to the White House on topic.

Biometrics

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee -- August 2010
Date Captured: Thursday September 16, 2010 09:02 PM
Abstract: Good privacy practices are a key component of agency governance and accountability. One of the Federal government's key business imperatives today is to maintain the privacy of personally identifiable information (PII) we collect and hold. The Office of Management and Budget (OMB) Memorandum 07-16 defines PII as "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc." The purpose of this paper, and of privacy interests in general, is not to discourage agencies from using cloud computing; indeed a thoughtfully considered cloud computing solution can enhance privacy and security. Instead, the purpose is to ensure that Federal agencies recognize and consider the privacy rights of individuals, and that agencies identify and address the potential risks when using cloud computing.
Secretary Napolitano Outlines Five Recommendations To Enhance Aviation Security
Date Captured: Thursday January 07, 2010 07:53 PM
Secretary Napolitano outlined the following five recommendations: Re-evaluate and modify the criteria and process used to create terrorist watch lists—including adjusting the process by which names are added to the “No-Fly” and “Selectee” lists. Establish a partnership on aviation security between DHS and the Department of Energy and its National Laboratories in order to develop new and more effective technologies to deter and disrupt known threats and proactively anticipate and protect against new ways by which terrorists could seek to board an aircraft. Accelerate deployment of advanced imaging technology to provide greater explosives detection capabilities—and encourage foreign aviation security authorities to do the same—in order to identify materials such as those used in the attempted Dec. 25 attack. The Transportation Security Administration currently has 40 machines deployed throughout the United States, and plans to deploy at least 300 additional units in 2010. Strengthen the presence and capacity of aviation law enforcement—by deploying law enforcement officers from across DHS to serve as Federal Air Marshals to increase security aboard U.S.-bound flights. Work with international partners to strengthen international security measures and standards for aviation security.
Today's Living on 'Today's THV at 5': Real ID Program
Date Captured: Tuesday December 01, 2009 03:27 PM
Rebecca Buerkle writes - [Twenty-four states have passed laws or resolutions saying they will not comply. Other states that want an extension on the Dec. 31 deadline had until Tuesday to demonstrate they are making progress. But as many as 12 states may not be able to do so, making 36 states non-compliant.]
F.B.I. and States Vastly Expand DNA Databases
Date Captured: Sunday April 19, 2009 05:40 PM
NY Times By SOLOMON MOORE -- Published: April 18, 2009 -- [Minors are required to provide DNA samples in 35 states upon conviction, and in some states upon arrest. Three juvenile suspects in November filed the only current constitutional challenge against taking DNA at the time of arrest. The judge temporarily stopped DNA collection from the three youths, and the case is continuing. Sixteen states now take DNA from some who have been found guilty of misdemeanors. As more police agencies take DNA for a greater variety of lesser and suspected crimes, civil rights advocates say the government’s power is becoming too broadly applied. “What we object to — and what the Constitution prohibits — is the indiscriminate taking of DNA for things like writing an insufficient funds check, shoplifting, drug convictions,” said Michael Risher, a lawyer for the American Civil Liberties Union.]
Upgraded Biometric Technology Facilitates Visitors' Entry to the United States
Date Captured: Thursday January 15, 2009 07:41 PM
For nearly five years, U.S. Department of State (State) consular officers and U.S. Customs and Border Protection (CBP) officers have collected biometric information—digital fingerprints and a photograph—from all non-U.S. citizens between the ages of 14 and 79, with some exceptions, when they apply for visas or arrive at major U.S. ports of entry. State consular officers began collecting 10 fingerprints from visa applicants in 2007. Collecting 10 fingerprints increases fingerprint matching accuracy and reduces the possibility that the system will misidentify an international visitor. It also strengthens DHS's capability to check visitors' fingerprints against the Federal Bureau of Investigation's (FBI) criminal data and enables DHS to check visitors' fingerprints against latent fingerprints collected by Department of Defense (DOD) and the FBI from known and unknown terrorists around the world.
Biometric Center of Excellence (BCOE)
Date Captured: Wednesday January 14, 2009 07:54 PM
BCOE will enable the FBI to provide enhanced U.S. government services in the global quest to fight crime and terrorism with state of the art biometrics technology. Headquartered in Clarksburg, West Virginia, the BCOE is the FBI’s focal point to foster collaboration, improve information sharing, and advance the adoption of optimal biometric and identity management solutions across the law enforcement and national security communities.
PRIVACY -- Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information
Date Captured: Wednesday June 18, 2008 05:09 PM
In its report GAO identified alternatives that the Congress should consider, including revising the scope of privacy laws to cover all personal information, requiring that the use of such information be limited to a specific purpose, and revising the structure and publication of privacy notices. OMB commented that the Congress should consider these alternatives in the broader context of existing privacy and related statutes.
Report: Feds need better privacy protection for data
Date Captured: Wednesday June 18, 2008 05:04 PM
USA reports, "Much of the way personal information is handled today, including being sifted through data-mining systems that search for patterns, is not covered by the Privacy Act of 1974, she says. As states begin collecting information in coming years to produce new secure drivers' licenses, government databases will get even larger. 'The government has no business collecting our personal information if it cannot ensure the American public it will be protected from identity thieves and other prying eyes,' says Caroline Fredrickson of the American Civil Liberties Union."
DHS wants biometric helping hand
Date Captured: Tuesday June 17, 2008 01:10 PM
Five years after Congress ordered biometric tracking of foreign visitors leaving the United States by land and after spending millions of dollars on planning and testing that yielded limited results, the Homeland Security Department is now seeking the private sector’s help to address the challenge.
Registry of USG Recommended Biometric Standards
Date Captured: Tuesday June 03, 2008 09:55 PM
This Registry of USG Recommended Biometric Standards (Registry) supplements the NSTC Policy for Enabling the Development, Adoption and Use of Biometric Standards, which was developed through a collaborative, interagency process within the Subcommittee on Biometrics and Identity Management and approved by the NSTC Committee on Technology. This Registry is based upon interagency consensus on biometric standards required to enable the interoperability of various Federal biometric applications, and to guide Federal agencies as they develop and implement related biometric programs.
Links to Biometric Technology Websites
Date Captured: Tuesday June 03, 2008 09:41 PM
Government Sponsored Biometric Technology Websites
Date Captured: Tuesday June 03, 2008 09:17 PM

Blogs

The State of the News Media 2010
Date Captured: Thursday March 18, 2010 01:24 PM
The State of the News Media 2010 is the seventh edition of our annual report on the health and status of American journalism.
Bloggers Now Eligible For Press Passes In NYC
Date Captured: Tuesday March 02, 2010 08:02 PM
Wendy David writes [Under the new proposed policy, the New York Police Department would be able to issue press passes good for two years to any journalist who has personally attended and reported on at least six qualified events in the city in the preceding two years, regardless of whether the reports were published online, in print newspapers, magazines, books or other media. Events that will qualify include city-sponsored activity -- like a press conference or parade -- as well as emergencies where the city has set up do-not-cross lines. The proposal also allows inexperienced journalists to obtain single-use press passes.]
The Smart Grid and Privacy
Date Captured: Sunday February 21, 2010 07:14 PM
Concerning Privacy and Smart Grid Technology
Personal Health Information Privacy
Date Captured: Sunday January 10, 2010 04:42 PM
News about medical and electronic health privacy risk.
Electronic Privacy Information Center (EPIC)
Date Captured: Wednesday February 25, 2009 03:27 PM
EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC publishes an award-winning e-mail and online newsletter on civil liberties in the information age – the EPIC Alert. EPIC also publishes reports and even books about privacy, open government, free speech, and other important topics related to civil liberties.
Bloggers' Rights
Date Captured: Saturday February 14, 2009 01:58 AM
Electronic Frontier Foundation (EFF)
Legal Guide for Bloggers - Electronic Frontier Foundation - EFF
Date Captured: Saturday February 14, 2009 01:51 AM
EFF- [Like all journalists and publishers, bloggers sometimes publish information that other people don't want published. You might, for example, publish something that someone considers defamatory, republish an AP news story that's under copyright, or write a lengthy piece detailing the alleged crimes of a candidate for public office. The difference between you and the reporter at your local newspaper is that in many cases, you may not have the benefit of training or resources to help you determine whether what you're doing is legal. And on top of that, sometimes knowing the law doesn't help - in many cases it was written for traditional journalists, and the courts haven't yet decided how it applies to bloggers.]
Pogowasright.org
Date Captured: Wednesday December 03, 2008 04:37 PM
Privacy news, data breaches, and privacy-related events and resources from around the world.

BMI: Body Mass Index

Applications for New Awards; Carol M. White Physical Education Program
Date Captured: Wednesday March 21, 2012 04:55 PM
Federal Register/Vol. 76, No. 60/Tuesday, March 29, 2011/Notices

Breaches

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Date Captured: Monday May 03, 2010 11:04 AM
Recommendations of the National Institute of Standards and Technology - [The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization’s legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII. To effectively protect PII, organizations should implement the following recommendations.]
Personal Health Information Privacy
Date Captured: Sunday January 10, 2010 04:42 PM
News about medical and electronic health privacy risk.
Federal data breach notification standard must pre-empt state laws
Date Captured: Monday November 16, 2009 08:33 PM
Nextgov Jill R. Aitoro writes -- [The Data Breach Notification Act, introduced in January by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.] [Two states are credited for having breach notification laws with the most teeth, said Peter McLaughlin, senior counsel with Foley & Lardner LLP and a member of the law firm's privacy, security and information management practice. Foley & Lardner released a report on Monday that provides in-depth coverage of all major aspects of U.S. and international security breach laws.]
A Facebook ‘Bug’ Revealed Personal E-mail Addresses
Date Captured: Thursday May 07, 2009 07:12 PM
NY Times -- Gadget -- Riva Richmond [“In the course of one day I had Facebook go through over 10,000 e-mail addresses; ranging from reporters of prominent newspapers and CNN, to board of directors of Microsoft, Google, and Gates Foundation, and even the entire staff directories of government organizations and the World Bank,” Mr. Sheppard said in an e-mail message to a New York Times editor. “Of those it did find on Facebook, over 30% had their personal email addresses listed, which Facebook gladly gave me, without any of [the Facebook users] knowing.”]
Facebook Bug Reveals Private Photos, Wall Posts
Date Captured: Saturday March 21, 2009 12:52 PM
Washington Post Jason Kincaid (with HT to Anjool) writes [This isn't the first privacy bug to affect Facebook - users have previously been able to access private photos and view private profile information in search results. The error also serves as yet another blemish on the privacy controls of web-based services. Only two weeks ago, Google Docs revealed that it had inadvertently shared thousands of documents with users who should not have had access to them.]
One in four data breaches involves schools
Date Captured: Thursday March 12, 2009 03:02 PM
Wednesday, May 14, 2008 --Meris Stansbury, Assistant Editor, eSchool News writes - [One in four data breaches involves schools 'You're losing the cyber security battle,' experts warn during a higher-education computer-security conference near Washington, D.C.]
Privacy Rights Clearinghouse
Date Captured: Thursday March 12, 2009 02:45 PM
Chronology of Data Breaches and lots more. Nice upgrade to website.
NYPD CIVILIAN WORKER BUSTED IN MASS COP-ID THEFT
Date Captured: Friday March 06, 2009 04:15 PM
REUVEN BLAU writes [A civilian official of the NYPD's pension fund has been charged with taking computer data that could be used to steal the identities of 80,000 current and retired cops, sources said. Anthony Bonelli allegedly got into a secret backup-data warehouse on Staten Island last month and walked out with eight tapes packed with Social Security numbers, direct-deposit information for bank accounts, and other sensitive material.]
Data Breaches: Ignorance Is Dangerous
Date Captured: Monday December 15, 2008 06:41 PM
Pam Greenberg State Legislatures writes [As states continue to work on improving data breach laws, Congress also has been considering legislation. Some bills have made it out of committee, but none have had a floor vote. "Federal legislation is a mixed blessing," says Simitian. "If we end up with a weaker set of provisions that also preempts the more rigorous state laws, that's not going to benefit consumers." Cate thinks Congress will act, and he's surprised it hasn't already. "It's probably because they found it a lot more complicated than they thought." The way data are collected, used and transferred across states, it's likely many companies will opt to comply with the most stringent provisions in state laws, Cate says. "One way or another, we'll have national preemption -- either from the state that adopts the toughest law or from Congress. But it's a classic case of states leading the way."]

Campus Life

Identifying Violence-prone Students
Date Captured: Thursday January 13, 2011 02:02 PM
The fine line higher education officials walk in dealing with troubled students is discussed.

CDT

Refocusing the FTC’s Role in Privacy Protection
Date Captured: Monday December 14, 2009 05:31 PM
Comments of the Center for Democracy & Technology (CDT) in regards to the FTC Consumer Privacy Roundtable.
Refocusing the FTC’s Role in Privacy Protection
Date Captured: Tuesday November 10, 2009 03:33 PM
Center for Technology in Government (CDT) Policy Post 15.17, November 10, 2009. [A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology. Refocusing the FTC’s Role in Privacy Protection: 1) CDT Submits Comments in regards to the FTC Consumer Privacy Roundtable 2) The Significance of a Comprehensive Set of Fair Information Practice Principles 3) Examining FIPs at Work: Recent FTC Enforcement Actions Demonstrate a Path Forward 4) CDT Recommendations for Future FTC Action]
Browser Privacy Features: A Work In Progress
Date Captured: Sunday August 09, 2009 03:39 PM
CDT Releases Updated Report on Privacy Controls for Web Browsers. The report compares browser offerings in three key areas: privacy mode, cookie controls and object controls. Each of those, when used correctly, can greatly reduce the amount of personal information users transmit online. August 05, 2009
Response to the 2008 NAI Principles: The Network Advertising Initiative’s Self-Regulatory Code of Conduct for Online Behavioral Advertising
Date Captured: Thursday February 12, 2009 06:43 PM
[CDT believes the 2008 NAI Principles, while late in addressing new trends in the industry, demonstrate clear progress over the original code of conduct adopted in 2000. The transparency of the NAI’s revision and compliance process, the approach to sensitive information, and the coverage of advertising practices beyond behavioral advertising all represent important steps forward. While robust self-regulation in the behavioral advertising space does not obviate the need for a baseline federal privacy law covering data collection and usage of all kinds, the NAI has made advances in several areas, yielding what we hope will be better protections for consumer privacy. However, the 2008 NAI Principles still come up short in crucial respects including the opt-out choice requirement, the notice standard, the NAI member accountability model, the failure to address ISP behavioral advertising, the lack of a choice requirement for multi-site advertising, and the data retention principle. Some of these are outstanding issues that have existed within the NAI framework since its inception, while others are new concerns raised by the updates to the principles.]
Rethinking the Role of Consent in Protecting Health Information Privacy
Date CapturedTuesday January 27, 2009 09:52 AM
CDT is advocating for the inclusion of privacy protections in the President's economic stimulus bill, which contains at least $20 billion for a national health information technology network. CDT's paper argues that personal health information should easily flow for treatment, payment, and certain core administrative tasks without requiring patient consent, but that stricter limits need to be placed on marketing and other secondary uses. January 26, 2009. This paper advocates for a new generation of privacy protections that allow personal health information to flow among health care entities for treatment, payment, and certain core administrative tasks without first requiring patient consent, as long as there is a comprehensive framework of rules that governs access to and disclosure of health data. Patient consent is one important element of this framework, but relying on consent would do little to protect privacy. This paper also suggests how a framework of protections can provide patients with more meaningful opportunities to make informed choices about sharing their personal health information online.
Center for Democracy & Technology (CDT) Applauds Critical Privacy, Security Provisions in Health IT Stimulus Bill
Date CapturedSunday January 18, 2009 05:59 PM
[The bill's privacy provisions include the following: Stronger protections against the use of personal health information for marketing purposes; Accountability for all entities that handle personal health information; A federal, individual right to be notified in the event of a breach of identifiable health information; Prohibitions on the sale of valuable patient-identifiable data for inappropriate purposes; Development and implementation of federal privacy and security protections for personal health records; Easy access by patients to electronic copies of their records; and Strengthened enforcement of health privacy rules. The provisions in the bill are similar to those that received bipartisan approval by the House Energy & Commerce Committee in the last Congress.]
Court: Constitution Protects Stored Cell Phone Location Information (CDT Amicus Brief in the Case [PDF], July 31, 2008)
Date CapturedMonday September 29, 2008 10:15 PM
The Electronic Frontier Foundation, joined by CDT, ACLU and the ACLU of Pennsylvania, had argued for the warrant requirement that the court adopted in an amicus curiae brief filed in July. September 11, 2008.

Censorship

Facebook Makes Another Privacy Blooper
Date CapturedThursday May 07, 2009 06:58 PM
Daily Examiner -- Wendy Davis - [Regardless of whether Facebook broke the law, users likely aren't going to be thrilled to learn that the site believes it can censor messages. If the company wants to be taken seriously as a communications platform, executives are going to have to start giving more consideration to users' privacy rights. ]
EPIC Alert -- Volume 15.15 -- July 25, 2008
Date CapturedFriday July 25, 2008 10:12 AM
Table of Contents -- [1] Court Rules that Data Breach Violates Fundamental Human Rights [2] Federal Court Strikes Down Internet Censorship Law, Again [3] Google Complies with California Privacy Policy Law After 30 Days [4] First European Privacy Seal Awarded to Search Engine Ixquick [5] DNS Security Standard Implemented into .org Domain [6] News in Brief
Communications Decency Act Tipping Under Cuomo Kid-Porn Accord
Date CapturedWednesday June 11, 2008 01:53 PM
Wired writes, "It's possible that Sprint's, Verizon's and Time Warner's move against kiddie porn is a salvo to head off congressional action that might lead to even broader censorship. We all know that bad facts make bad law, and there's nothing worse than producing and distributing child porn. But the Cuomo deal is an indication that the dynamic that's kept the internet largely free of government intrusion is beginning to crack."

Child identity theft

A Better Start: Clearing Up Credit Records for California Foster Children
Date CapturedTuesday September 13, 2011 01:16 PM
This report summarizes the result of the project team’s work on behalf of over 2,110 foster children in Los Angeles County, and it also recommends new procedures for use in helping this vulnerable population statewide. Key Findings of the Pilot Project • The project team successfully cleared all negative items from the credit reports of 104 foster children. • These 104 children (5% of the pilot project sample) had 247 separate accounts reported in their names, as the result of errors or identity theft. • The average account balance was $1,811, with the largest being a home loan of over $200,000. • The accounts found were two to three years old, opened when the child was 14 years old on average. • 12% of the children had records loosely linked to them by Social Security number only, which while not affecting their credit ratings could nevertheless pose problems for them in the future.

Children Privacy

Database State
Date CapturedWednesday March 19, 2014 04:55 PM
The report assesses 46 databases across the major government departments (UK)

Civil Liberties

Review: Federal program used to hide flights from public
Date CapturedTuesday April 13, 2010 08:22 PM
USA Today -- By Michael Grabell and Sebastian Jones, ProPublica - [Use of the airspace is considered public information because taxpayers fund air-traffic controllers, radars and runways. "It belongs to all of us," said Chuck Collins, who has studied private jet travel at the Institute for Policy Studies, a progressive think tank. "It's not a private preserve." NBAA spokesman Dan Hubbard said privacy is important to business fliers because competitors can learn of potential deals by tracking planes, and that could affect stock prices. "There are certain circumstances where there is a security concern," he said. In 2000, Congress required websites to stop posting flights of certain planes at the FAA's request. The FAA later agreed to let the aviation group be the clearinghouse. FAA spokeswoman Laura Brown said the agency lacks resources to evaluate whether requests to keep flights secret are justified, so the agency lets the NBAA decide each month the flights kept from public view.]
Coalition pushes ECPA update for online privacy in cloud computing age
Date CapturedWednesday March 31, 2010 04:46 PM
[A powerful collection of organizations has formed a new coalition to push for an update to the Electronic Communications Privacy Act (ECPA). Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.]
Digital Due Process
Date CapturedWednesday March 31, 2010 04:23 PM
[A powerful collection of organizations has formed a new coalition to push for an update to the Electronic Communications Privacy Act (ECPA). Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.]
SmartPrivacy for the Smart Grid: Embedding Privacy into the Design of Electricity Conservation
Date CapturedFriday February 19, 2010 03:47 PM
Authors Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario, Canada, Jules Polonetsky and Christopher Wolf -- Co-Chair, Future of Privacy Forum conclude - [The information collected on a Smart Grid will form a library of personal information, the mishandling of which could be highly invasive of consumer privacy. There will be major concerns if consumer-focused principles of transparency and control are not treated as essential design principles from beginning to end. Once energy consumption information flows outside of the home, the following questions may come to the minds of consumers: Who will have access to this intimate data, and for what purposes? Will I be notified? What are the obligations of companies making smart appliances and Smart Grid systems to build in privacy? How will I be able to control the details of my daily life in the future? Organizations involved with the Smart Grid, responsible for the processing of customers’ personal information, must be able to respond to these questions, and the best response is to ensure that privacy is embedded into the design of the Smart Grid, from start to finish —end-to-end.]
Secretary Napolitano Outlines Five Recommendations To Enhance Aviation Security
Date CapturedThursday January 07, 2010 07:53 PM
Secretary Napolitano outlined the following five recommendations: Re-evaluate and modify the criteria and process used to create terrorist watch lists—including adjusting the process by which names are added to the “No-Fly” and “Selectee” lists. Establish a partnership on aviation security between DHS and the Department of Energy and its National Laboratories in order to develop new and more effective technologies to deter and disrupt known threats and proactively anticipate and protect against new ways by which terrorists could seek to board an aircraft. Accelerate deployment of advanced imaging technology to provide greater explosives detection capabilities—and encourage foreign aviation security authorities to do the same—in order to identify materials such as those used in the attempted Dec. 25 attack. The Transportation Security Administration currently has 40 machines deployed throughout the United States, and plans to deploy at least 300 additional units in 2010. Strengthen the presence and capacity of aviation law enforcement—by deploying law enforcement officers from across DHS to serve as Federal Air Marshals to increase security aboard U.S.-bound flights. Work with international partners to strengthen international security measures and standards for aviation security.
Undercover and Sensitive Operations Unit Attorney General's Guidelines on FBI Undercover Operations Revised 11/13/92
Date CapturedSaturday December 26, 2009 09:04 PM
[The following Guidelines on the use of undercover activities and operations by the Federal Bureau of Investigation (FBI) are issued under the authority of the Attorney General provided in Title 28, United States Code, Sections 509, 510, and 533. They apply to all investigations conducted by the FBI, except those conducted pursuant to its foreign counterintelligence and foreign intelligence responsibilities.]
The Smart Grid and Privacy
Date CapturedWednesday December 16, 2009 09:01 PM
EPIC Concerning Privacy and Smart Grid Technology - [A list of potential privacy consequences of Smart Grid systems include: Identity Theft; Determine Personal Behavior Patterns; Determine Specific Appliances Used; Perform Real-Time Surveillance; Reveal Activities Through Residual Data; Targeted Home Invasions (latch key children, elderly, etc.); Provide Accidental Invasions; Activity Censorship; Decisions and Actions Based Upon Inaccurate Data; Profiling; Unwanted Publicity and Embarrassment; Tracking Behavior Of Renters/Leasers; Behavior Tracking (possible combination with Personal Behavior Patterns); Public Aggregated Searches Revealing Individual Behavior. Plans are underway to support smart grid system applications that will monitor any device transmitting a signal, which may include non-energy-consuming end use items that are only fitted with small radio frequency identification devices (RFID) tags may be possible. RFID tags are included in most retail purchases for clothing, household items, packaging for food, and retail items.]
Bill Introduced To Repeal Failed Real ID Act (7/31/2009) Bill Would Protect Civil Liberties And Drivers' License Security
Date CapturedSunday August 09, 2009 05:13 PM
WASHINGTON – In a welcome move today, legislation was introduced in the House of Representatives to repeal the discredited Real ID Act of 2005. The REAL ID Repeal and Identification Security Enhancement Act of 2009, introduced by Representative Steve Cohen (D-TN), would repeal Real ID and replace it with the original negotiated rulemaking process passed by Congress as part of the 9/11 Commission recommendations. Twenty-five states have already rejected Real ID, citing its high cost, invasiveness and the bureaucratic hassles it creates for citizens. The Real ID Act of 2005 directs states to issue a federally-approved driver's license or other form of ID that would be necessary for airline travel and become part of a national database. Like state governments from coast to coast, the American Civil Liberties Union has long opposed the Act as too invasive, too much red tape and too expensive.
Browser Privacy Features: A Work In Progress
Date CapturedSunday August 09, 2009 03:39 PM
CDT Releases Updated Report on Privacy Controls for Web Browsers. The report compares browser offerings in three key areas: privacy mode, cookie controls and object controls. Each of those, when used correctly, can greatly reduce the amount of personal information users transmit online. August 05, 2009
Facebook Makes Another Privacy Blooper
Date CapturedThursday May 07, 2009 06:58 PM
Daily Examiner -- Wendy Davis - [Regardless of whether Facebook broke the law, users likely aren't going to be thrilled to learn that the site believes it can censor messages. If the company wants to be taken seriously as a communications platform, executives are going to have to start giving more consideration to users' privacy rights. ]
Federal departments fall short on civil liberties
Date CapturedTuesday January 27, 2009 10:14 AM
By Peter Eisler, USA TODAY - [WASHINGTON — The departments of Defense, State, and Health and Human Services have not met legal requirements meant to protect Americans' civil liberties, and a board that's supposed to enforce the mandates has been dormant since 2007, according to federal records. All three departments have failed to comply with a 2007 law directing them to appoint civil liberties protection officers and report regularly to Congress on the safeguards they use to make sure their programs don't undermine the public's rights and privacy, a USA TODAY review of congressional filings shows.]
HB 38 - Microchip Consent Act of 2009
Date CapturedMonday January 12, 2009 07:29 PM
To amend Chapter 1 of Title 51 of the Official Code of Georgia Annotated, relating to general provisions regarding torts, so as to prohibit requiring a person to be implanted with a microchip; to provide for a short title; to provide for definitions; to provide for penalties; to provide for regulation by the Composite State Board of Medical Examiners; to provide for related matters; to provide for an effective date; to repeal conflicting laws; and for other purposes. BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
Electronic Frontier Foundation (EFF)
Date CapturedTuesday December 16, 2008 06:16 PM
EFF is a leading civil liberties group defending rights in the digital world.
Minnesota Department of Health Continues to Violate State Law and Individual Privacy
Date CapturedSaturday December 13, 2008 04:29 PM
St. Paul/Minneapolis – Concerned parents and the Citizens’ Council on Health Care (CCHC) called on Governor Tim Pawlenty to require his Commissioner of Health to cease and desist the warehousing of newborn blood and baby DNA without informed, written parent consent.
Privacy Lives
Date CapturedFriday December 12, 2008 06:15 PM
Melissa Ngo -- more than a blog -- lots of policy and topic specific archives.
Privacy International
Date CapturedSaturday December 06, 2008 05:23 PM
Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations. PI is based in London, England, and has an office in Washington, D.C. We have campaigned across the world to protect people against intrusion by governments and corporations that seek to erode this fragile right. We believe that privacy forms part of the bedrock of freedoms, and our goal has always been to use every means to preserve it.
Eric Holder and Privacy: A Preliminary Analysis
Date CapturedFriday December 05, 2008 08:51 PM
The Center for Democracy and Technology
Date CapturedMonday June 02, 2008 03:34 PM
The Center for Democracy and Technology is a non-profit public interest organization working to keep the Internet open, innovative, and free. As a civil liberties group with expertise in law, technology, and policy, CDT works to enhance free expression and privacy in communications technologies by finding practical and innovative solutions to public policy challenges while protecting civil liberties. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media.

Clery

Addressing Emergencies on Campus June 2011
Date CapturedTuesday June 28, 2011 06:32 PM
United States Department of Education (USED) : Summary of two applicable Federal education laws administered by the Department of Education (Department): the Family Educational Rights and Privacy Act (FERPA) and the Higher Education Act of 1965 (HEA), as amended. This Federal component is only one piece of what is necessary to consider in ensuring the safety of our Nation’s students, faculty, and school staff. A comprehensive and effective campus policy must incorporate all Federal and State policies regarding health and safety emergencies, education, student privacy, civil rights, and law enforcement, as well as specific local community needs.
The Handbook for Campus Safety and Security Reporting
Date CapturedFriday March 11, 2011 07:35 PM
FERPA does not preclude an institution’s compliance with the timely warning provision of the campus security regulations. FERPA recognizes that information can, in case of an emergency, be released without consent when needed to protect the health and safety of others. In addition, if institutions utilize information from the records of a campus law enforcement unit to issue a timely warning, FERPA is not implicated as those records are not protected by FERPA. U.S. Department of Education, Office of Postsecondary Education, The Handbook for Campus Safety and Security Reporting, Washington, D.C., 2011.

Cloud Computing

IN THE CLOUD
Date CapturedWednesday February 06, 2013 02:14 PM
News & policy about the CLOUD. Check paper archives. Updated regularly.
SPOTLIGHT ON CLOUD COMPUTING: IF IN THE CLOUD, GET IT ON PAPER: CLOUD COMPUTING CONTRACT ISSUES
Date CapturedFriday February 01, 2013 11:30 PM
SPOTLIGHT ON CLOUD COMPUTING: IF IT'S IN THE CLOUD, GET IT EDUCAUSE WEBINAR ON CLOUD COMPUTING CONTRACT ISSUES Friday, December 10, 2010 Author(s) Thomas Trappler (UCLA) Source(s) EDUCAUSE Live! Webinars, Webinars
FERPA and the Cloud: What FERPA Can Learn from HIPAA
Date CapturedTuesday December 18, 2012 07:01 AM
SOLOVE: Parents need to look at what their schools are doing about student privacy and speak up, because the law isn’t protecting their children’s privacy. School officials who want to develop a more meaningful and robust protection of privacy should talk to government officials who are tasked with complying with HIPAA. They can learn a lot from studying HIPAA and following some of its requirements. Congress should remake FERPA more in the model of HIPAA. If Congress won’t act, state legislatures should pass better education privacy laws. Because FERPA does not provide adequate oversight and enforcement of cloud computing providers, schools must be especially aggressive and assume the responsibility. Otherwise, their students’ data will not be adequately protected. School officials shouldn’t assume that the law is providing regulation of cloud computing providers and that they need not worry. The law isn’t, so right now the schools need to be especially vigilant.
FERPA and the Cloud: Why FERPA Desperately Needs Reform
Date CapturedTuesday December 11, 2012 06:51 AM
SOLOVE: Parents should lobby Congress and their state legislatures to pass laws providing better protections of their children’s data. This is an issue that should be of great concern to parents since educational institutions possess a staggering amount of personal data about students, and this data can currently be outsourced to nearly any company anywhere – even to a cloud computing provider in the most totalitarian country in the world!
Frequently Asked Questions—Cloud Computing
Date CapturedMonday September 24, 2012 10:25 AM
FERPA does not prohibit the use of cloud computing solutions for the purpose of hosting education records; rather, FERPA requires States to use reasonable methods to ensure the security of their information technology (IT) solutions.
Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era
Date CapturedTuesday July 12, 2011 06:12 PM
Christopher Soghoian - [This paper will argue that this doctrine [[third-party doctrine]] becomes moot once encryption is in use and companies no longer have access to their customers’ private data.] [The real threat to privacy lies with the fact that corporations can and have repeatedly been forced to modify their own products in ways that harm end user privacy, such as by circumventing encryption.] Soghoian, Christopher, Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era (August 17, 2009). 8 J. on Telecomm. and High Tech. L. 359; Berkman Center Research Publication No. 2009-07
The NIST Definition of Cloud Computing (Draft)
Date CapturedFriday February 04, 2011 03:57 PM
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Guidelines on Security and Privacy in Public Cloud Computing
Date CapturedFriday February 04, 2011 03:36 PM
Cloud computing can and does mean different things to different people. The common characteristics most share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and dislocation of data from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment. Draft Special Publication 800-144
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Date CapturedThursday November 04, 2010 08:10 PM
Proposed Security Assessment and Authorization for U.S. Government Cloud Computing: Over the past 18 months, an inter-agency team comprised of the National Institute of Standards and Technology (NIST), General Services Administration (GSA), the CIO Council and working bodies such as the Information Security and Identity Management Committee (ISIMC), has worked on developing the Proposed Security Assessment and Authorization for U.S. Government Cloud Computing. This team evaluated security controls and multiple Assessment and Authorization models for U.S. Government Cloud Computing as outlined in this document. The attached document is a product of 18 months of collaboration with State and Local Governments, Private Sector, NGO’s and Academia. This marks an early step toward our goal of deploying secure cloud computing services to improve performance and lower the cost of government operations, but we need to improve this document through your input.
Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee -- August 2010
Date CapturedThursday September 16, 2010 09:02 PM
Abstract: Good privacy practices are a key component of agency governance and accountability. One of the Federal government's key business imperatives today is to maintain the privacy of personally identifiable information (PII) we collect and hold. The Office of Management and Budget (OMB) Memorandum 07-16 defines PII as "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc." The purpose of this paper, and of privacy interests in general, is not to discourage agencies from using cloud computing; indeed a thoughtfully considered cloud computing solution can enhance privacy and security. Instead, the purpose is to ensure that Federal agencies recognize and consider the privacy rights of individuals, and that agencies identify and address the potential risks when using cloud computing.
Cloud Computing: Storm Warning for Privacy?
Date CapturedWednesday July 07, 2010 01:20 PM
[Abstract: “Cloud computing” - the ability to create, store, and manipulate data through Web-based services - is growing in popularity. Cloud computing itself may not transform society; for most consumers, it is simply an appealing alternative tool for creating and storing the same records and documents that people have created for years. However, outdated laws and varying corporate practices mean that documents created and stored in the cloud may not have the same protections as the same documents stored in a filing cabinet or on a home computer. Can cloud computing services protect the privacy of their consumers? Do they? And what can we do to improve the situation?] Ozer, Nicole and Conley, Chris, Cloud Computing: Storm Warning for Privacy? (January 29, 2010). Nicole Ozer & Chris Conley, CLOUD COMPUTING: STORM WARNING FOR PRIVACY, ACLU of Northern California, 2010.
REPORT: FUTURE OF THE INTERNET, CLOUD COMPUTING - The future of cloud computing
Date CapturedTuesday June 15, 2010 10:50 PM
[The future of cloud computing Technology experts and stakeholders say they expect they will ‘live mostly in the cloud’ in 2020 and not on the desktop, working mostly through cyberspace-based applications accessed through networked devices. This will substantially advance mobile connectivity through smartphones and other internet appliances. Many say there will be a cloud-desktop hybrid. Still, cloud computing has many difficult hurdles to overcome, including concerns tied to the availability of broadband spectrum, the ability of diverse systems to work together, security, privacy, and quality of service. ] Janna Quitney Anderson, Elon University; Lee Rainie, Pew Research Center’s Internet & American Life Project
Coalition pushes ECPA update for online privacy in cloud computing age
Date CapturedWednesday March 31, 2010 04:46 PM
[A powerful collection of organizations has formed a new coalition to push for an update to the Electronic Communications Privacy Act (ECPA). Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.]
Digital Due Process
Date CapturedWednesday March 31, 2010 04:23 PM
[A powerful collection of organizations has formed a new coalition to push for an update to the Electronic Communications Privacy Act (ECPA). Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.]
THE BROOKINGS INSTITUTION FALK AUDITORIUM - CLOUD COMPUTING FOR BUSINESS AND SOCIETY
Date CapturedSaturday February 20, 2010 07:05 PM
Washington, D.C. - Wednesday, January 20, 2010 Keynote Speaker: BRAD SMITH - Senior Vice President and General Counsel; Moderator: DARRELL WEST - The Brookings Institution Panelists: MICHAEL NELSON; ROB ATKINSON; JONATHAN ROCHELLE;
SunGard
Date CapturedSaturday November 21, 2009 01:02 PM
[Student Information Management -- eSchoolPLUS is a student management system that helps educators and parents by providing them direct, real-time access to the most relevant student information available. Teachers and administrators can easily manage day-to-day student information and data such as demographics, scheduling, attendance, discipline, standardized tests, report cards and transcripts. With eSchoolPLUS, parents gain the ability to be more informed as to their child’s grades, attendance, assignments and discipline information. Superintendents, principals and other district administrators and school board members can track daily school status, student performance and progress.]
Cloud Standards Effort Could Turn into a Dustup
Date CapturedMonday May 04, 2009 04:32 PM
Digits - Technology News and Insights -- By Ben Worthen - [The Open Cloud Standards Incubator is part of an organization called Distributed Management Task Force. The DMTF was founded in 1992 and has developed standards for managing computers and sharing information on the Web in the past. Its members are a who’s who of the tech industry’s old guard—in addition to IBM and Microsoft they include EMC, H-P, Intel and many others. It’s too early to call the absence of Internet companies a rift, but it’s a split reminiscent of the one that occurred when IBM tried to get companies to sign up for its “Open Cloud Manifesto” a few weeks ago. At the time companies that didn’t participate in IBM’s effort were quick to dismiss the manifesto as meaningless marketing.]
Google Gives Advice on Cloud Computing
Date CapturedSaturday March 21, 2009 06:17 PM
PC Chloe Albanesius writes [Google has commissioned a report that unsurprisingly touts the benefits of cloud computing, and offers recommendations for policy makers looking at the technology. Google called on lawmakers to embrace full connectivity, open access, security, and privacy when considering cloud-based computing.] REPORT LINKED.
Facebook Bug Reveals Private Photos, Wall Posts
Date CapturedSaturday March 21, 2009 12:52 PM
Washington Post Jason Kincaid (with HT to Anjool) writes [This isn't the first privacy bug to affect Facebook - users have previously been able to access private photos and view private profile information in search results. The error also serves as yet another blemish on the privacy controls of web-based services. Only two weeks ago, Google Docs revealed that it had inadvertently shared thousands of documents with users who should not have had access to them.]
Before the Federal Trade Commission Washington, DC 20580 In the Matter of Google, Inc. and Cloud Computing Services
Date CapturedTuesday March 17, 2009 06:48 PM
EPIC President Marc Rotenberg on Google and Cloud Computing [The recent growth of Cloud Computing Services signals an unprecedented shift of personal information from computers controlled by individuals to networks administered by corporations. Data breaches concerning Cloud Computing Services can result in great harm, which arises from the centralized nature of the services and large volume of information stored "in the cloud." Past data breaches have resulted in serious consumer injury, including identity theft. As a result of the popularity of Cloud Computing Services, data breaches on these services pose a heightened risk of identity theft. The FTC should hold accountable the purveyors of Cloud]
RE: USE OF CLOUD COMPUTING APPLICATIONS AND SERVICES
Date CapturedThursday February 26, 2009 06:07 PM
Associate Director John B. Horrigan (202-419-4500) - September 2008 - Pew/Internet - [Convenience and flexibility are the watchwords for those who engage in cloud computing activities: 51% of internet users who have done a cloud computing activity say a major reason they do this is that it is easy and convenient. 41% of cloud users say a major reason they use these applications is that they like being able to access their data from whatever computer they are using. 39% cite the ease of sharing information as a major reason they use applications in cyberspace or store data there. At the same time, users report high levels of concern when presented with scenarios in which companies may put their data to uses of which they may not be aware. 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party. 80% say they would be very concerned if companies used their photos or other data in marketing campaigns. 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.]
Cloud computing takes hold despite privacy fears
Date CapturedThursday February 26, 2009 06:03 PM
Computerworld -- Heather Havenstein [Users of online e-mail, storage systems fear the sale of personal data without permission]
Cloud Computing Privacy Tips
Date CapturedWednesday February 25, 2009 04:11 PM
World Privacy Forum -- February 23, 2009 -- By Robert Gellman and Pam Dixon [Cloud Computing Tips for Consumers: Read the Terms of Service before placing any information in the cloud. If you don’t understand the Terms of Service, consider using a different cloud provider. Don’t put anything in the cloud you would not want the government or a private litigant to see. Pay close attention if the cloud provider reserves rights to use, disclose, or make public your information. Read the privacy policy before placing your information in the cloud. If you don’t understand the policy, consider using a different provider. When you remove your data from the cloud provider, does the cloud provider still retain rights to your information? If so, consider whether that makes a difference to you. Will the cloud provider give advance notice of any change of terms in the terms of service or privacy policy? ]
REPORT: Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing
Date CapturedWednesday February 25, 2009 03:59 PM
Released February 23, 2009 - Author: Robert Gellman: [This report discusses the issue of cloud computing and outlines its implications for the privacy of personal information as well as its implications for the confidentiality of business and governmental information. The report finds that for some information and for some business users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared. The report discusses how even when no laws or obligations block the ability of a user to disclose information to a cloud provider, disclosure may still not be free of consequences. The report finds that information stored by a business or an individual with a third party may have fewer or weaker privacy or other protections than information in the possession of the creator of the information. The report, in its analysis and discussion of relevant laws, finds that both government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information. A cloud provider’s terms of service, privacy policy, and location may significantly affect a user’s privacy and confidentiality interests.] see policy recommendations in full report.
Does Cloud Computing Mean More Risks to Privacy?
Date CapturedWednesday February 25, 2009 03:44 PM
NY Times -- Saul Hansell -- [In the United States, information held by a company on your behalf — be it a bank, an e-mail provider or a social network — is often not protected as much as information a person keeps at home or a business stores in computers it owns. Sometimes that means that a government investigator, or even a lawyer in a civil lawsuit, can get access to records by simply using a subpoena rather than a search warrant, which requires more scrutiny by a court.]

Common Core

Race to the Top Reform Flow Chart
Date CapturedSaturday September 29, 2012 10:04 AM
Chairman Gates' GERM warfare
Date CapturedThursday August 16, 2012 11:37 AM
Kris Alman

Common Rule

The Belmont Report
Date CapturedMonday November 24, 2014 10:57 AM
Belmont Report does not make specific recommendations for administrative action by the Secretary of Health, Education, and Welfare. Rather, the Commission recommended that the Belmont Report be adopted in its entirety, as a statement of the Department's policy.
World Privacy Forum comments Big Data Study
Date CapturedThursday November 20, 2014 01:52 PM
The World Privacy Forum’s recent public comments to the White House regarding Big Data focus on using a foundation of Fair Information Principles to address issues connected to bias, error, and privacy regarding big data as applied to vulnerable populations. The comments also discuss large medical research data sets, and stress the importance of applying the Common Rule in any human subjects research, in particular, identifiable data. The benefits of analysis using large data sets need to be maintained while resolving problems raised in analysis of vulnerable populations. Pam Dixon & Bob Gellman

How to Protect Your Child's Personal Information at School

FTC Consumer Alert: How to Protect Your Child's Personal Information at School
Date CapturedSunday September 11, 2011 07:37 PM
Ask your child's school about its student directory information policy. Student directory information can list your child's name, address, date of birth, telephone number, email address, and photo. FERPA requires schools to notify parents and guardians of their directory information policies and to give you the right to opt out of having that information released to third parties. It is best to put your request in writing and keep a copy for your records. If you do not exercise your right to opt out of the sharing of your child's information, the data listed in the school directory may be available not only to your child's classmates and school staff, but also to the general public.

Consent

Letter to IRB
Date CapturedSunday December 07, 2014 08:53 AM
Methodology of the Youth Risk Behavior Surveillance System 2013
Date CapturedSunday November 03, 2013 09:39 PM
The Youth Risk Behavior Surveillance System (YRBSS), established in 1991, monitors six categories of priority health-risk behaviors among youths and young adults: 1) behaviors that contribute to unintentional injuries and violence; 2) sexual behaviors that contribute to human immunodeficiency virus (HIV) infection, other sexually transmitted diseases, and unintended pregnancy; 3) tobacco use; 4) alcohol and other drug use; 5) unhealthy dietary behaviors; and 6) physical inactivity. In addition, YRBSS monitors the prevalence of obesity and asthma among this population. [Certain schools use active permission, meaning that parents must send back to the school a signed form indicating their approval before their child can participate. Other schools use passive permission, meaning that parents send back a signed form only if they do not want their child to participate in the survey.]

Consumer Privacy

Data Brokers – Is Consumers’ Information Secure
Date CapturedFriday November 13, 2015 09:47 AM
Recorded: Subcommittee on Privacy, Technology and the Law Date: Tuesday, November 3, 2015 Time: 02:30 PM Location: Dirksen Senate Office Building 226 Presiding: Chairman Flake
Education New York comments re Student Privacy submitted to FERPA NPRM - May 23, 2011
Date CapturedMonday May 23, 2011 09:22 PM
Document ID: ED-2011-OM-0002-0001: Family Educational Rights and Privacy. The proposed changes to FERPA do not adequately address the capacity of marketers and other commercial enterprises to capture, use, and re-sell student information. Even with privacy controls in place, it is also far too easy for individuals to get a hold of student information and use it for illegal purposes, including identity theft, child abduction in custody battles, and domestic violence. Few parents are aware, for example, that anyone can request -- and receive -- a student directory from a school. Data and information breaches occur every day in Pre-K-20 schools across the country, so that protecting student privacy has become a matter of plugging holes in a dyke rather than advancing a comprehensive policy that makes student privacy protection the priority.
CONSUMER SENTINEL NETWORK DATA BOOK for January - December 2010
Date CapturedSaturday March 12, 2011 11:39 AM
The 2010 Consumer Sentinel Network Data Book is based on unverified complaints reported by consumers. The data is not based on a consumer survey.
JESSICA PINEDA v. WILLIAMS-SONOMA STORES, INC.,
Date CapturedSaturday February 12, 2011 04:50 PM
The Song-Beverly Credit Card Act of 1971 (Credit Card Act) (Civ. Code, § 1747 et seq.) is “designed to promote consumer protection.” (Florez v. Linens ’N Things, Inc. (2003) 108 Cal.App.4th 447, 450 (Florez).) One of its provisions, section 1747.08, prohibits businesses from requesting that cardholders provide “personal identification information” during credit card transactions, and then recording that information. (Civ. Code, § 1747.08, subd. (a)(2).) We are now asked to resolve whether section 1747.08 is violated when a business requests and records a customer’s ZIP code during a credit card transaction. In light of the statute’s plain language, protective purpose, and legislative history, we conclude a ZIP code constitutes “personal identification information” as that phrase is used in section 1747.08. Thus, requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.
Rush Introduces Online Privacy Bill, H.R. 611, The BEST PRACTICES Act
Date CapturedFriday February 11, 2011 06:04 PM
Ensure that consumers have meaningful choices about the collection, use, and disclosure of their personal information. • Require companies that collect personal information to disclose their practices with respect to the collection, use, disclosure, merging, and retention of personal information, and explain consumers' options regarding those practices. • Require companies to provide disclosures of their practices in concise, meaningful, timely, and easy-to-understand notices, and direct the Federal Trade Commission to establish flexible and reasonable standards and requirements for such notices. • Require companies to obtain "opt-in" consent to disclose information to a third party. In the bill, the term, "third party" would be defined based on consumers' reasonable expectations rather than corporate structure. • Establish a "safe harbor" that would exempt companies from the "opt-in" consent requirement, provided those companies participate in a universal opt-out program operated by self-regulatory bodies and monitored by the FTC. • Require companies to have reasonable procedures to assure the accuracy of the personal information they collect. The bill would also require the companies to provide consumers with reasonable access to, and the ability to correct or amend, certain information. • Require companies to have reasonable procedures to secure information and to retain personal information only as long as it's necessary to fulfill a legitimate business or law enforcement need.
COMMERCIAL DATA PRIVACY AND INNOVATION IN THE INTERNET ECONOMY: A DYNAMIC POLICY FRAMEWORK
Date CapturedThursday December 16, 2010 01:16 PM
US DEPT OF COMMERCE REPORT says the principles "should promote increased transparency through simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill these purposes, and expanded use of robust audit systems to bolster accountability." NO RECOMMENDATIONS REGARDING EDUCATION AND FERPA DIRECTORY INFORMATION.
“Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”
Date CapturedThursday December 09, 2010 04:45 PM
FTC: To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.” Second, the report states, consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. One method of simplified choice the FTC staff recommends is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. The report also recommends other measures to improve the transparency of information practices, including consideration of standardized notices that allow the public to compare information practices of competing companies. The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Finally, FTC staff proposes that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them.
html5
Date CapturedWednesday October 20, 2010 07:42 PM
HTML5 is a new version of HTML and XHTML. The HTML5 draft specification defines a single language that can be written in HTML and XML. It attempts to solve issues found in previous iterations of HTML and addresses the needs of Web Applications, an area previously not adequately covered by HTML.
Online Privacy: What Does It Mean to Parents and Kids?
Date CapturedFriday October 08, 2010 02:07 PM
Zogby International conducted a poll for Common Sense Media, asking both teens and parents about their views of online privacy and how they feel their personal information is being used by websites, social networks, and other online platforms.
Letter to: Chairman Boucher and Ranking Member Stearns
Date CapturedMonday June 07, 2010 06:26 PM
Mike Sachoff -- [In response to a discussion draft of a new privacy bill now under consideration by the House Subcommittee on Communications, Technology and the Internet, ten privacy and consumer groups today called for stronger measures to protect consumer privacy both online and off. The organizations including the Consumer Federation of America, Electronic Frontier Foundation, Consumer Watchdog, World Privacy Forum, Consumer Action, USPIRG, Privacy Rights Clearinghouse, Privacy Times, Privacy Lives, and the Center for Digital Democracy, raised their concerns in a letter to Subcommittee Chairman Rick Boucher and Ranking Member Cliff Stearns. The groups recommended the following: *The bill should incorporate the Fair Information Practice Principles that have long served as the bedrock of consumer privacy protection in the U.S., including the principle of not collecting more data than is necessary for the stated purposes, limits on how long data should be retained, and a right to access and correct one's data. *The bill's definitions of what constitutes "sensitive information" need to be expanded; for instance, to include health-related information beyond just "medical records." *The bill should require strict "opt-in" procedures for the collection and use of covered data and should prohibit the collection and use of any sensitive information except for the transactions for which consumers provided it.]
How Unique Is Your Web Browser?
Date CapturedTuesday May 18, 2010 01:32 PM
Peter Eckersley, Electronic Frontier Foundation, pde@eff.org -- [Conclusions -- We implemented and tested one particular browser fingerprinting method. It appeared, in general, to be very effective, though as noted in Section 3.1 there are many measurements that could be added to strengthen it. Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability. Although fingerprints turn out not to be particularly stable, browsers reveal so much version and configuration information that they remain overwhelmingly trackable. There are implications both for privacy policy and technical design. Policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms. The Tor project is noteworthy for already considering and designing against fingerprintability. Other software that purports to protect web surfers’ privacy should do likewise, and we hope that the test site at panopticlick.eff.org may prove useful for this purpose. Browser developers should also consider what they can do to reduce fingerprintability, particularly at the JavaScript API level. We identified only three groups of browser with comparatively good resistance to fingerprinting: those that block JavaScript, those that use TorButton, and certain types of smartphone. It is possible that other such categories exist in our data. Cloned machines behind firewalls are fairly resistant to our algorithm, but would not be resistant to fingerprints that measure clock skew or other hardware characteristics.]
FACEBOOK - Complaint, Request for Investigation, Injunction, and Other Relief
Date CapturedMonday May 10, 2010 09:54 AM
[This complaint concerns material changes to privacy settings made by Facebook, the largest social network service in the United States, that adversely impact the users of the service. Facebook now discloses personal information to the public that Facebook users previously restricted. Facebook now discloses personal information to third parties that Facebook users previously did not make available. These changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations. These business practices are Unfair and Deceptive Trade Practices, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of the Federal Trade Commission Act.]
DRAFT - Boucher bill
Date CapturedThursday May 06, 2010 08:34 AM
A BILL : To require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.
Proposed Privacy Legislation Wins Few Fans
Date CapturedThursday May 06, 2010 08:24 AM
WSJ : [ The goal for the legislation is to set a standard for consumer privacy protections and also provide consumers with more transparency and control regarding the collection, use and sharing of their information, said Rep. Rick Boucher (D., Va.). Mr. Boucher released a draft of the bill for discussion on Tuesday along with Rep. Cliff Stearns (R., Fla.). The bill stipulates that as a general rule companies can collect information about consumers unless a person opts out of that data collection — a point of contention among privacy advocates. The regulation also specifies standards for the collection and use of personally identifiable information. Companies must disclose to consumers if they are collecting personally identifiable information and how they are using that data. Consumers must give a company permission to share that personally identifiable information with outside companies. ]
FACEBOOK privacy policy link:
Date CapturedMonday April 26, 2010 08:32 PM
Facebook’s Privacy Policy. This policy contains eight sections: 1. Introduction; 2. Information We Receive; 3. Information You Share With Third Parties; 4. Sharing Information on Facebook; 5. How We Use Your Information; 6. How We Share Information; 7. How You Can View, Change, or Remove Information; 8. How We Protect Information; 9. Other Terms.
FACEBOOK: Another Step in Open Site Governance
Date CapturedThursday April 01, 2010 04:42 PM
Michael Richter - Friday, March 26, 2010 at 12:04pm - [We're proposing another set of revisions to our Privacy Policy and Statement of Rights and Responsibilities to make way for some exciting new products we're contemplating. Not all of these products have been finalized and many aren't yet built at all. However, we've definitely identified some interesting opportunities to improve the way you share and connect with the people and things in your life. ]
THE FAILURE OF FAIR INFORMATION PRACTICE PRINCIPLES forthcoming in Consumer Protection in the Age of the ‘Information Economy’
Date CapturedSunday January 31, 2010 10:03 PM
Fred H. Cate - [The key is refocusing FIPPS on substantive tools for protecting privacy, and away from notice and consent; leveling the playing field between information processors and data subjects; and creating sufficient, but limited, liability so that data processors will have meaningful incentives, rather than bureaucratic regulations, to motivate appropriate behavior, and that individuals will be compensated when processing results in serious harm. This is only a first step. These proposed Consumer Privacy Protection Principles are undoubtedly incomplete and imperfect, but they are an effort to return to a more meaningful dialogue about the legal regulation of privacy and the value of information flows in the face of explosive growth in technological capabilities in an increasingly global society.]
Subject: EU-US Safe Harbor
Date CapturedSaturday January 23, 2010 09:34 PM
Chris Wolf - [There are three principal methods to legally export data from the EU to the US and overcome the prohibition against export to a country deemed to lack adequate protections. The first two are through so-called "model contracts" and "Binding Corporate Rules". The third is pursuant to a "Safe Harbor" framework that the EU and US agreed upon in 2001. To participate in the Safe Harbor, a U.S. company self-certifies to the U.S. Department of Commerce that it will follow the Safe Harbor Privacy Principles, which contain the core requirements of the EU Data Protection Directive (notice, choice, access, security, protection in onward transfers, data integrity, and enforcement). The company also is to publicize its adherence to the Safe Harbor Principles on its website. The Federal Trade Commission (FTC) is charged with enforcement of the Safe Harbor undertakings under Section 5 of the Federal Trade Commission Act, which governs deceptive and unfair business practices. In other words, a company that commits publicly to adhering to the Safe Harbor principles (and that it has so certified to the Department of Commerce) is subject to enforcement by the FTC if it does not do so. Companies must do what they promise to do.]
FTC: Has Internet Gone Beyond Privacy Policies?
Date CapturedThursday January 21, 2010 08:55 AM
NY Times STEPHANIE CLIFFORD writes [Previous commissions looked at privacy under the framework of whether consumers were harmed, and with the basis that companies must advise consumers about what they’re doing and obtain their consent, Mr. Leibowitz said. But companies “haven’t given consumers effective notice, so they can make effective choices,” he said. Advise-and-consent “depended on the fiction that people were meaningfully giving consent,” Mr. Vladeck said. “The literature is clear” that few people read privacy policies, he said.]
FTC Probes Facebook's EPIC Privacy Fail
Date CapturedThursday January 21, 2010 08:44 AM
Media Post -- Wendy Davis writes - [In addition, a Facebook employee allegedly said recently that users' messages are stored in a database regardless of whether users attempt to delete them. "We track everything. Every photo you view, every person you're tagged with, every wall-post you make, and so forth," the employee allegedly added. EPIC alleges that these public statements demonstrate that Facebook engages in unfair and deceptive trade practices. The new filing also questions a new iPhone synching feature that transfers users' iPhone contacts to Facebook, even when the phone contacts are not Facebook friends with the users.]
Comments of the World Privacy Forum to FTC, Nov. 6, 2009
Date CapturedThursday December 17, 2009 10:58 PM
Pam Dixon Executive Director, World Privacy Forum -- Re: Privacy Roundtables – Comment, Project No. P095416 - [The World Privacy Forum understands that businesses have a right to exist and to make money, and that advertising and marketing is part of the marketplace. But we also believe that there is not a reasonable balance right now between what data is being collected and used, and what consumers can do to manage that data and their privacy. There are no perfect solutions, but we think that a rights-based framework based on approaches contained in the Fair Credit Reporting Act and on Fair Information Practices will address many of the problems and help create solutions that are equitable for all stakeholders.]
Refocusing the FTC’s Role in Privacy Protection
Date CapturedMonday December 14, 2009 05:31 PM
Comments of the Center for Democracy & Technology (CDT) in regards to the FTC Consumer Privacy Roundtable.
DOD nixes vendor of online monitoring software over privacy concerns
Date CapturedMonday December 07, 2009 08:53 PM
Jaikumar Vijayan writes [In September, EPIC, a Washington-based privacy advocacy group, filed a complaint against EchoMetrix with the Federal Trade Commission. EPIC claimed that EchoMetrix was violating the provisions of the Children's Online Privacy Protection Act (COPPA) by collecting personally identifiable information about children and their browsing habits and online chats. EPIC claimed that EchoMetrix used the information to deliver targeted advertising to children and also sold that information to third-party marketers. In its complaint, EPIC pointed to a separate service offered by EchoMetrix called Pulse, which analyzes data gathered from multiple sources including instant messages, blogs and chat rooms. The information is sold as market research intelligence to marketing companies, the EPIC complaint said.]
Ad Industry Works on Ads About Ads
Date CapturedTuesday November 24, 2009 03:07 PM
Wall Street Journal Emily Steel writes -- [At issue is the practice of tracking consumers’ Web activities — from the searches they make to the sites they visit and the products they buy — for the purpose of targeting ads. The efforts follow calls from the FTC earlier this year for Web advertisers and Internet companies to do a better job explaining how they track and use information about consumers’ Web activities and creating a simple way consumers can opt out of being tracked.]
Lawmakers probe deeper into privacy
Date CapturedSaturday November 21, 2009 01:16 PM
By Kim Hart - 11/19/09 04:00 PM ET - [Jennifer Barrett, an executive with Acxiom, a marketing company, said the firm could collect 1,500 possible data points about individual consumers, such as age, hobbies, address, occupation and recent purchases. Acxiom typically maintains 20-40 data points on the average person. Acxiom receives that information from public records, surveys consumers fill out voluntarily (such as warranty cards) and information from other companies. In response to questions from Rep. Mike Doyle (D-Penn.), Barrett said consumers can see what data has been stored about them and can change or delete information used for marketing purposes. But consumers cannot find out who else has bought their data from Acxiom.]
Federal data breach notification standard must pre-empt state laws
Date CapturedMonday November 16, 2009 08:33 PM
Nextgov Jill R. Aitoro writes -- [The Data Breach Notification Act, introduced in January by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.] [Two states are credited for having breach notification laws with the most teeth, said Peter McLaughlin, senior counsel with Foley & Lardner LLP and a member of the law firm's privacy, security and information management practice. Foley & Lardner released a report on Monday that provides in-depth coverage of all major aspects of U.S. and international security breach laws.]
Refocusing the FTC’s Role in Privacy Protection
Date CapturedTuesday November 10, 2009 03:33 PM
Center for Technology in Government (CDT) Policy Post 15.17, November 10, 2009. [A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology Refocusing the FTC’s Role in Privacy Protection 1) CDT Submits Comments in regards to the FTC Consumer Privacy Roundtable 2) The Significance of a Comprehensive Set of Fair Information Practice Principles 3) Examining FIPs at Work: Recent FTC Enforcement Actions Demonstrate a Path Forward 4) CDT Recommendations for Future FTC Action]
PUBLIC Law, Chapter 230 LD 1183, item 1, 124th Maine State Legislature
Date CapturedSunday November 08, 2009 10:35 PM
SP0431, LR 597, item 1, Signed on 2009-06-02 00:00:00.0 - First Regular Session - 124th Maine Legislature, page 1 - An Act To Prevent Predatory Marketing Practices against Minors - 2. Marketing purposes. "Marketing purposes," with respect to the use of health-related information or personal information, means the purposes of marketing or advertising products, goods or services to individuals. 3. Person. "Person" includes an individual, firm, partnership, corporation, association, syndicate, organization, society, business trust, attorney-in-fact and every natural or artificial legal entity. 4. Personal information. "Personal information" means individually identifiable information, including: A. An individual's first name, or first initial, and last name; B. A home or other physical address; C. A social security number; D. A driver's license number or state identification card number; and E. Information concerning a minor that is collected in combination with an identifier described in this subsection. 5. Verifiable parental consent. "Verifiable parental consent" means any reasonable effort, taking into consideration available technology, including a request for authorization for future collection, use and disclosure described in the notice, to ensure that a parent of a minor receives notice of the collection of personal information, use and disclosure practices and authorizes the collection, use and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that minor. § 9552. Unlawful collection and use of data from minors
201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH
Date CapturedSaturday November 07, 2009 04:49 PM
(1) Purpose This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
Predatory Marketing Law Opposed By AOL, News Corp., Yahoo, Others
Date CapturedSunday August 30, 2009 08:59 PM
A new privacy law in Maine is facing a court challenge from media organizations as well as a coalition of online companies including AOL, News Corp. and Yahoo. [The new law, officially titled "An Act To Prevent Predatory Marketing Practices against Minors," prohibits companies from knowingly collecting personal information or health-related information from minors under 18 without their parents' consent. The measure also bans companies from selling or transferring health information about minors that identifies them, regardless of how the data was collected. ] [Privacy advocate Jeff Chester said the law's basic premise is valid, but that it "likely needs to be revised to accommodate concerns about its impact on educational and other non-profit uses." ]
FTC Online Privacy Guidelines Faulted
Date CapturedFriday February 13, 2009 01:11 PM
Business Week -- Douglas MacMillan -- [On Feb. 12, the U.S. Federal Trade Commission issued guidelines designed to give consumers more information about how advertisers collect and use data about their Web surfing habits. Among the recommendations: Every site that follows Web-use patterns to tailor marketing messages, a practice known as behavioral targeting, should spell out how it is collecting data and give consumers the ability to opt out of targeting. The report also urges sites to keep collected data "as long as is necessary to fulfill a legitimate business or law enforcement need," inform users of any changes made to privacy policies, and only collect sensitive personal data—such as financial and health records—in cases where the user opts in.]
Student Information Not For Sale At UW- Marathon County
Date CapturedWednesday February 11, 2009 07:06 PM
Wsaw.com reporter: Margo Spann -- [Private companies looking to sell or market products to college students are buying information about them directly from their schools. The Assistant Director of Student Services at UW Marathon County, Annette Hackbarth-Onson, says federal law allows colleges to sell information about their students. She says companies are often looking to buy students' names, birth-dates, and email addresses.]
Washington state bill would make prescription data private
Date CapturedTuesday January 27, 2009 10:25 AM
["The sharing of prescription information for marketing purposes without consent violates the spirit of privacy law, and destroys the confidentiality of the doctor-patient relationship," said Leigh Sims, a spokeswoman for the coalition behind the bill. HIPAA allows states to pass stronger privacy protections.] [To fight this, Rep. Jamie Pedersen (D-Seattle) and others have introduced House Bill 1493 to close the loophole. Advocates say the change would protect thousands of patients at no cost to taxpayers.]
New York State Consumer Protection Board (CPB)
Date CapturedFriday December 26, 2008 05:07 PM
The Consumer Protection Board, established in 1970 by the New York State Legislature, is the State's top consumer watchdog and "think tank." The CPB's core mission is to protect New Yorkers by publicizing unscrupulous and questionable business practices and product recalls; conducting investigations and hearings; enforcing the "Do Not Call Law"; researching issues; developing legislation; creating consumer education programs and materials; responding to individual marketplace complaints by securing voluntary agreements; and, representing the interests of consumers before the Public Service Commission (PSC) and other State and federal agencies.

COPPA

16 C.F.R. Part 312: Children’s Online Privacy Protection Rule: Final Rule Amendments (COPPA)
Date CapturedWednesday December 19, 2012 01:15 PM
16 C.F.R. Part 312: Children’s Online Privacy Protection Rule: Final Rule Amendments – Consistent With the Requirements of the Children’s Online Privacy Protection Act – To Clarify the Scope of the Rule and Strengthen Its Protections For Children’s Personal Information
The Need for Privacy Protections: Perspectives from the Administration & FTC
Date CapturedTuesday May 29, 2012 09:08 AM
FTC May 9, 2012 testimony before the Committee on Commerce, Science & Transportation; US Senate
Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing
Date CapturedThursday February 16, 2012 11:10 AM
FTC staff report: Parents should be able to learn, before downloading an app for their children, what data will be collected, how the data will be used, and who will obtain access to the data.
COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER to THE FEDERAL TRADE COMMISSION
Date CapturedMonday March 07, 2011 06:04 PM
Marc Rotenberg, EPIC testimony to FTC: COPPA currently defines PI as: Personal information means individually identifiable information about an individual collected online, including: (a) A first and last name; (b) A home or other physical address including street name and name of a city or town; (c) An e-mail address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual's e-mail address; (d) A telephone number; (e) A Social Security number; (f) A persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information; or a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting; or (g) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.
COPPA Rulemaking and Rule Reviews
Date CapturedMonday March 07, 2011 05:46 PM
Includes public testimony and roundtable. March 24, 2010
How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?
Date CapturedThursday April 15, 2010 06:12 PM
Chris Jay Hoofnagle - University of California, Berkeley - School of Law, Berkeley Center for Law & Technology; Jennifer King - UC Berkeley School of Information; Berkeley Center for Law & Technology; Su Li - University of California, Berkeley - School of Law, Center for the Study of Law and Society; Joseph Turow - University of Pennsylvania - Annenberg School for Communication: [Abstract: Media reports teem with stories of young people posting salacious photos online, writing about alcohol-fueled misdeeds on social networking sites, and publicizing other ill-considered escapades that may haunt them in the future. These anecdotes are interpreted as representing a generation-wide shift in attitude toward information privacy. Many commentators therefore claim that young people “are less concerned with maintaining privacy than older people are.” Surprisingly, though, few empirical investigations have explored the privacy attitudes of young adults. This report is among the first quantitative studies evaluating young adults’ attitudes. It demonstrates that the picture is more nuanced than portrayed in the popular media.] [Among the findings: • Eighty-eight percent of people of all ages said they have refused to give out information to a business because they thought it was too personal or unnecessary. Among young adults, 82 percent have refused, compared with 85 percent of those over 65. • Most people — 86 percent — believe that anyone who posts a photo or video of them on the Internet should get their permission first, even if that photo was taken in public. Among young adults 18 to 24, 84 percent agreed — not far from the 90 percent among those 45 to 54. • Forty percent of adults ages 18 to 24 believe executives should face jail time if their company uses someone's personal information illegally — the same as the response among those 35 to 44 years old.]
FTC Seeks Comment on Children's Online Privacy Protections; Questions Whether Changes to Technology Warrant Changes to Agency Rule.
Date CapturedTuesday April 06, 2010 02:51 PM
[In a Federal Register notice to be published shortly, the FTC poses its standard regulatory review questions and identifies several areas where public comment would be especially useful. Among other things, the FTC asks: What implications for COPPA enforcement are raised by mobile communications, interactive television, interactive gaming, or other similar interactive media. For input on the use of automated systems – those that filter out any personally identifiable information prior to posting – to review children’s Web submissions. Whether operators have the ability to contact specific individuals using information collected from children online, such as persistent IP addresses, mobile geolocation data, or information collected in connection with behavioral advertising, and whether the Rule’s definition of “personal information” should be expanded accordingly. Whether there are additional technological methods to obtain verifiable parental consent that should be added to the COPPA Rule, and whether any of the methods currently included should be removed. Whether parents are exercising their right under the Rule to review or delete personal information collected from their children, and what challenges operators face in authenticating parents. Whether the Rule’s process for FTC approval of self-regulatory guidelines – known as safe harbor programs – has enhanced compliance, and whether the criteria for FTC approval and oversight of the guidelines should be modified in any way.]
DOD nixes vendor of online monitoring software over privacy concerns
Date CapturedMonday December 07, 2009 08:53 PM
Jaikumar Vijayan writes [In September, EPIC, a Washington-based privacy advocacy group, filed a complaint against EchoMetrix with the Federal Trade Commission. EPIC claimed that EchoMetrix was violating the provisions of the Children's Online Privacy Protection Act (COPPA) by collecting personally identifiable information about children and their browsing habits and online chats. EPIC claimed that EchoMetrix used the information to deliver targeted advertising to children and also sold that information to third-party marketers. In its complaint, EPIC pointed to a separate service offered by EchoMetrix called Pulse, which analyzes data gathered from multiple sources including instant messages, blogs and chat rooms. The information is sold as market research intelligence to marketing companies, the EPIC complaint said.]
Kids' Privacy
Date CapturedSunday November 01, 2009 09:40 PM
[Thanks to COPPA, sites have to get a parent’s permission if they want to collect or share your kids’ personal information, with only a few exceptions. That goes for information sites ask for up-front, and information your kids choose to post about themselves. Personal information includes your child’s full name, address, email address, or cell phone number. Under COPPA, sites also have to post privacy policies that give details about what kind of information they collect from kids — and what they might do with it (say, to send a weekly newsletter, direct advertising to them, or give the information to other companies). If a site plans to share the child’s information with another company, the privacy policy must say what that company will do with it. Links to the policies should be in places where they’re easy to spot. What Can You Do? Your kids’ personal information and privacy are valuable —to you, to them, and to marketers.] *****NOTE DISPARITY WITH PROTECTION PROVIDED UNDER FERPA.
Children's Online Privacy Protection Act of 1998
Date CapturedTuesday March 03, 2009 03:14 PM
TITLE XIII-CHILDREN'S ONLINE PRIVACY PROTECTION ***NOTE INCONSISTENCY BETWEEN DEFINITIONS OF PERSONAL INFORMATION AND PARENTAL CONSENT BETWEEN COPPA AND FERPA COPPA DEFINITION (LINK HAS FULL COPPA TEXT) (8) PERSONAL INFORMATION.—The term "personal information" means individually identifiable information about an individual collected online, including— (A) a first and last name; (B) a home or other physical address including street name and name of a city or town; (C) an e-mail address; (D) a telephone number; (E) a Social Security number; (F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or (G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph. (9) VERIFIABLE PARENTAL CONSENT.—The term "verifiable parental consent" means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.
Protect Your Kids’ Privacy Online
Date CapturedTuesday March 03, 2009 03:06 PM
The Children’s Online Privacy Protection Act – COPPA – gives parents control over what information websites can collect from their kids. Any website for kids under 13, or any general site that collects personal information from kids it knows are under 13, is required to comply with COPPA. The Federal Trade Commission, the nation’s consumer protection agency, enforces this law.
How to Protect Kids' Privacy Online: A Guide for Teachers
Date CapturedWednesday May 23, 2007 09:21 AM
Whether playing, shopping, studying or just surfing, today's kids are taking advantage of all that the web has to offer. But when it comes to their personal information, who's in charge? The Children's Online Privacy Protection Act, enforced by the Federal Trade Commission, requires commercial website operators to get parental consent before collecting any personal information from kids under 13. COPPA allows teachers to act on behalf of a parent during school activities online, but does not require them to do so. That is, the law does not require teachers to make decisions about the collection of their students' personal information. Check to see whether your school district has a policy about disclosing student information. Here's a look at the basic provisions of the law and what they mean for you and your students.

Cyber Bullying

New York’s Definitive Cyberbullying Census
Date CapturedThursday June 14, 2012 08:20 AM
Student Reports of Bullying and Cyber-Bullying: Results From the 2009 School Crime Supplement to the National Crime Victimization Survey
Date CapturedMonday September 05, 2011 01:33 PM
In school year 2008–09, some 7,066,000 U.S. students ages 12 through 18, or 28.0 percent of all such students, reported they were bullied at school, and about 1,521,000, or 6.0 percent, reported they were cyber-bullied anywhere (i.e., on or off school property). eligible for free or reduced-price lunch. Furthermore, the tables use the SCS data to show the relationship between bullying and cyber-bullying victimization and other variables of interest, such as the reported presence of
State Cyberbullying Laws
Date CapturedWednesday February 09, 2011 09:15 AM
A Brief Review of State Cyberbullying Laws and Policies - Sameer Hinduja, Ph.D. and Justin W. Patchin, Ph.D.; Cyberbullying Research Center   
Legal Guide for Bloggers - Electronic Frontier Foundation - EFF
Date CapturedSaturday February 14, 2009 01:51 AM
EFF- [Like all journalists and publishers, bloggers sometimes publish information that other people don't want published. You might, for example, publish something that someone considers defamatory, republish an AP news story that's under copyright, or write a lengthy piece detailing the alleged crimes of a candidate for public office. The difference between you and the reporter at your local newspaper is that in many cases, you may not have the benefit of training or resources to help you determine whether what you're doing is legal. And on top of that, sometimes knowing the law doesn't help - in many cases it was written for traditional journalists, and the courts haven't yet decided how it applies to bloggers.]
Wired Safety's Cyberbullying Video part 1 and 2
Date CapturedThursday January 29, 2009 11:10 AM
Enhancing Child Safety and Online Technologies
Date CapturedTuesday January 27, 2009 05:45 PM
The Internet Safety Technical Task Force was created in February 2008 in accordance with the Joint Statement on Key Principles of Social Networking Safety announced in January 2008 by the Attorneys General Multi-State Working Group on Social Networking and MySpace. The scope of the Task Force's inquiry was to consider those technologies that industry and end users - including parents - can use to help keep minors safer on the Internet.
Bullies Worse than Predators On Social Networks
Date CapturedSunday January 18, 2009 07:26 PM
Wired -- Kim Zetter - [encounters online often engage in risky behaviors or come from environments that make them more susceptible to risks, such as environments where there is little adult supervision or where there is drug abuse or physical and mental abuse. "Those who are most at risk often engage in risky behaviors and have difficulties in other parts of their lives. The psychosocial makeup of and family dynamics surrounding particular minors are better predictors of risk than the use of specific media or technologies," the report says. The report also says that although cyberbullying is a greater problem than predators, there is no evidence that bullying has increased because of social networking sites and that bullying still occurs more often offline than online, although social networking sites have created another avenue for expressing it. The report, titled "Enhancing Child Safety & Online Technologies," was commissioned by the National Association of Attorneys General, which is trying to determine the best way to combat cyberthreats against minors. It was produced by a task force headed by the Berkman Center for Internet and Society at Harvard University and is based on reviews of existing research in the area, of which the task force says there's a paucity, as well as an examination of existing tools that offer online safety features.]

Cyber Crime

State Cyberbullying Laws
Date CapturedWednesday February 09, 2011 09:15 AM
A Brief Review of State Cyberbullying Laws and Policies - Sameer Hinduja, Ph.D. and Justin W. Patchin, Ph.D.; Cyberbullying Research Center   
Enhancing Child Safety and Online Technologies
Date CapturedTuesday January 27, 2009 05:45 PM
The Internet Safety Technical Task Force was created in February 2008 in accordance with the Joint Statement on Key Principles of Social Networking Safety announced in January 2008 by the Attorneys General Multi-State Working Group on Social Networking and MySpace. The scope of the Task Force's inquiry was to consider those technologies that industry and end users - including parents - can use to help keep minors safer on the Internet.
Child Porn Laws Used Against Kids Who Photograph Themselves
Date CapturedThursday January 15, 2009 08:09 PM
Wired -- Kim Zetter -- [In the Pennsylvania case, a school official seized the phone of one of the boys after he was caught using it during school hours in violation of a school rule, according to local police Capt. George Seranko. The official found the picture on the phone, and after some interrogation, discovered that two other girls had also e-mailed photos of themselves in the nude to friends. That's when the school called police, who obtained search warrants to seize the phones and examine them. Police showed the images to the local district attorney, who recommended they bring charges.]

Cyber Security

NSF Funds Research to Enable Distributed, Fair, and Privacy-Preserving Collaboration
Date CapturedSaturday September 25, 2010 04:14 PM
Stevens Institute of Technology: [Hoboken, NJ, September 25, 2010 --(PR.com)-- Dr. Susanne Wetzel, Associate Professor of Computer Science, has recently been awarded a $457K research grant from the National Science Foundation (NSF) to investigate privacy and security in the context of enabling collaboration.]
Cisco 2008 Annual Security Report -- Highlighting Global Security Threats and Trends
Date CapturedMonday December 15, 2008 04:21 PM
[This year's report reveals that online and data security threats continue to increase in number and sophistication. They propagate faster and are more difficult to detect. Key report findings include: Spam accounts for nearly 200 billion messages each day, which is approximately 90 percent of email sent worldwide. The overall number of disclosed vulnerabilities grew by 11.5 percent over 2007. Vulnerabilities in virtualization products tripled to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization technologies to increase cost-efficiency and productivity. Over the course of 2008, Cisco saw a 90 percent growth rate in threats originating from legitimate domains; nearly double what the company saw in 2007. Spam due to email reputation hijacking from the top three webmail providers accounted for just under 1 percent of all spam worldwide, but constituted 7.6 percent of all these providers' mail. Fortunately, responses to these threats and trends are improving. Advances in attack response stem from the increased collaboration between vendors and security researchers to review, identify, and combat vulnerabilities.]
When Hackers Attack: Practicing Cybersecurity at Home
Date CapturedFriday December 12, 2008 02:01 PM
Brian Krebs writes [While Barack Obama has selected key members of his national security team—Defense Secretary, National Security Adviser and Secretary of State—there are calls for the president-elect to make another security appointment. The bipartisan Commission on Cybersecurity for the 44th Presidency suggests that there is a dire need to create a National Office for Cyberspace to protect our nation’s most sensitive computer networks. The need for national cyberspace security is a no-brainer, but who is going to protect us from the digital devices that organize our lives and leave personal information vulnerable to theft? Here, a behind-the-scenes look at how hackers are unearthing the private details of our lives by attacking our web browsers, cell phones, and personal electronics.]
Securing Cyberspace for the 44th Presidency
Date CapturedMonday December 08, 2008 07:24 PM
The report of the CSIS Commission on Cybersecurity for the 44th Presidency -- Cochairs: Representative James R. Langevin, Representative Michael T. McCaul, Scott Charney, Lt. General Harry Raduege, USAF (Ret). Project Director: James A. Lewis, Center for Strategic and International Studies, Washington, DC. December - 2008.
Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment
Date CapturedWednesday December 03, 2008 04:02 PM
National Academies Press - [All U.S. agencies with counterterrorism programs that collect or "mine" personal data -- such as phone records or Web sites visited -- should be required to evaluate the programs' effectiveness, lawfulness, and impacts on privacy. A framework is offered that agencies can use to evaluate such information-based programs, both classified and unclassified. The book urges Congress to re-examine existing privacy law to assess how privacy can be protected in current and future programs and recommends that any individuals harmed by violations of privacy be given a meaningful form of redress.]
CYBER ANALYSIS AND WARNING - DHS Faces Challenges in Establishing a Comprehensive National Capability
Date CapturedTuesday September 23, 2008 10:15 AM
GAO 08-588: Recommendations for Executive Action: We recommend that the Secretary of Homeland Security take four actions to fully establish a national cyber analysis and warning capability. Specifically, the Secretary should address deficiencies in each of the attributes identified for • monitoring, including establishing a comprehensive baseline understanding of the nation’s critical information infrastructure and engaging appropriate nonfederal stakeholders to support a national-level cyber monitoring capability; • analysis, including expanding its capabilities to investigate incidents; • warning, including ensuring consistent notifications that are targeted, actionable, and timely; and • response, including ensuring that US-CERT provides assistance in the mitigation of and recovery from simultaneous severe incidents, including incidents of national significance. We also recommend that the Secretary address the challenges that impede DHS from fully implementing the key attributes, including the following 6 items: • engaging appropriate stakeholders in federal and nonfederal entities to determine ways to develop closer working and more trusted relationships; • expeditiously hiring sufficiently trained cyber analysts and developing strategies for hiring and retaining highly qualified cyber analysts; • identifying and acquiring technological tools to strengthen cyber analytical capabilities and handling the steadily increasing workload; • developing predictive analysis capabilities by defining terminology, methodologies, and indicators, and engaging appropriate stakeholders in other federal and nonfederal entities; • filling key management positions and developing strategies for hiring and retaining those officials; and • ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities, including the Office of Cybersecurity and Communications and the National Cybersecurity Center.
“Cybersecurity Recommendations for the Next Administration”
Date CapturedTuesday September 23, 2008 10:05 AM
Hearing on “Cybersecurity Recommendations for the Next Administration”
One in four data breaches involves schools
Date CapturedTuesday June 03, 2008 08:34 PM
By Meris Stansbury, Assistant Editor, eSchool News, "Cyber criminals are becoming bolder and more sophisticated in their operations, federal computer security experts say. And that's bad news for schools, because educational institutions reportedly account for approximately one of every four data security breaches."
Understanding Denial-of-Service Attacks
Date CapturedThursday August 02, 2007 12:26 PM
Cyber Security Tip ST04-015 -- In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, web sites, online accounts (banking, etc.), or other services that rely on the affected computer.

Data Broker

Data Brokers – Is Consumers’ Information Secure
Date CapturedFriday November 13, 2015 09:27 AM
Ms. Pam Dixon, Executive Director, World Privacy Forum, before Subcommittee on Privacy, Technology and the Law; Date: Tuesday, November 3, 2015; Time: 02:30 PM; Location: Dirksen Senate Office Building 226; Presiding: Chairman Flake
Data Broker Accountability and Transparency Act of 2014 (DATA Act)
Date CapturedThursday February 13, 2014 01:53 PM
What Information Do Data Brokers Have on Consumers, and How Do They Use It?
Date CapturedSaturday December 21, 2013 10:31 AM
Chairman John D. (Jay) Rockefeller IV today announced the U.S. Senate Committee on Commerce, Science, and Transportation will hold a hearing on Wednesday, December 18, 2013, at 2:30 p.m. to examine the data broker industry and how industry practices may impact consumers. The hearing comes after a yearlong Commerce Committee examination of how data brokers collect, compile, and sell consumer information for marketing purposes. In October 2012, Rockefeller launched an investigation into the data broker industry to give consumers a better understanding of how their personal information is handled, issuing information requests to nine representative data brokers. Rockefeller sent an additional set of inquiries in September 2013 to twelve popular personal finance, health, and family-focused websites to further explore data broker information collection practices, and further expanded the investigation in October 2013 by requesting that Experian provide specific information about the company’s customer vetting practices following news reports alleging that an Experian subsidiary sold data to an identity theft scheme.
Testimony of Pam Dixon Executive Director, World Privacy Forum Before the Senate Committee on Commerce, Science, and Transportation What Information Do Data Brokers Have on Consumers, and How Do They Use It?
Date CapturedSaturday December 21, 2013 09:13 AM
The data broker industry has not shown restraint. Nothing is out of bounds. No list is too obnoxious to sell. Data brokers sell lists that allow for the use of racial, ethnic and other factors that would be illegal or unacceptable in other circumstances. These lists and scores are used everyday to make decisions about how consumers can participate in the economic marketplace. Their information determines who gets in and who gets shut out. All of this must change. I urge you to take action.
A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes
Date CapturedSaturday December 21, 2013 08:45 AM
STAFF REPORT FOR CHAIRMAN ROCKEFELLER; DECEMBER 18, 2013; This Committee inquiry has been conducted at a time when sources of consumer data and technological capabilities for storage and speedy analysis of data continue to expand. As data brokers are creating increasingly detailed dossiers on millions of consumers, it is important for policymakers to continue vigorous oversight to assess the potential harms and benefits of evolving industry practices and to make sure appropriate consumer protections are in place.
INFORMATION RESELLERS Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace
Date CapturedThursday November 21, 2013 02:23 PM
What GAO Recommends: Congress should consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information. Any changes should seek to provide consumers with appropriate privacy protections without unduly inhibiting commerce and innovation. The Department of Commerce agreed that strengthened privacy protections could better protect consumers.
FTC to Study Data Broker Industry’s Collection and Use of Consumer Data
Date CapturedTuesday December 18, 2012 01:44 PM
The nine data brokers receiving orders from the FTC are: 1) Acxiom, 2) Corelogic, 3) Datalogix, 4) eBureau, 5) ID Analytics, 6) Intelius, 7) Peekyou, 8) Rapleaf, and 9) Recorded Future. The FTC is seeking details about: the nature and sources of the consumer information the data brokers collect; how they use, maintain, and disseminate the information; and the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold.
Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers
Date CapturedMonday March 26, 2012 11:16 AM
The final report calls on companies handling consumer data to implement recommendations for protecting privacy, including: Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy; Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities. Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them. *****Data Brokers - The Commission calls on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information.
American Student List (ASL)
Date CapturedMonday March 07, 2011 05:39 PM
Student data for sale ONLINE. College Bound High School Students - Over 3 million high school juniors and seniors who have indicated an interest in higher education. Selectable by class year, age, head of household, income, geography and more; Teenage Lifestyle Interests - 5 million individuals ages 14-19. Selectable by self-reported interests in specific areas including sports, scholastic activities, careers, computers and more; College Students - Approximately 5 million students attending numerous colleges and universities. Home and/or school addresses and phone numbers are available. Selectable by class year, field of study, college attended, tuition level, competitive rank and more; College Grads And Alumni - Approximately 17 million College Grads/Alumni. Selectable by school last attended, household income, home ownership and more; Families With Children - 20 million households with the presence of children, tweens and teens (newborn through age 19). Selectable by head of household, income, gender, ethnicity, geography and more. Ethnic Lists - Over 3 million Ethnic Teens, 4.5 million Ethnic Families and 15 million Ethnic Young Adults. Numerous backgrounds are available including Hispanic/Latino, Asian-American, Native-American, African-American and more. Also available — Foreign-Speaking Teens — first- or second-generation teens who speak the language of their ethnic group.
Directory Information Part 1 (WAV file, no text -- it's audio)
Date CapturedSunday December 26, 2010 05:36 PM
EDNY comments on Data Quality Campaign webcast with US ED response. See Part 2 for continuation of conversation.
COMMERCIAL DATA PRIVACY AND INNOVATION IN THE INTERNET ECONOMY: A DYNAMIC POLICY FRAMEWORK
Date CapturedThursday December 16, 2010 01:16 PM
US DEPT OF COMMERCE REPORT says the principles "should promote increased transparency through simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill these purposes, and expanded use of robust audit systems to bolster accountability." NO RECOMMENDATIONS REGARDING EDUCATION AND FERPA DIRECTORY INFORMATION.
“Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”
Date CapturedThursday December 09, 2010 04:45 PM
FTC: To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.” Second, the report states, consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. One method of simplified choice the FTC staff recommends is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. The report also recommends other measures to improve the transparency of information practices, including consideration of standardized notices that allow the public to compare information practices of competing companies. The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Finally, FTC staff proposes that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them.
Online Privacy: What Does It Mean to Parents and Kids?
Date CapturedFriday October 08, 2010 02:07 PM
Zogby International conducted a poll for Common Sense Media, asking both teens and parents about their views of online privacy and how they feel their personal information is being used by websites, social networks, and other online platforms.
Schools Selling Students' Personal Information
Date CapturedWednesday October 06, 2010 03:17 PM
Link to stories about schools selling student information
Letter to: Chairman Boucher and Ranking Member Stearns
Date CapturedMonday June 07, 2010 06:26 PM
Mike Sachoff -- [In response to a discussion draft of a new privacy bill now under consideration by the House Subcommittee on Communications, Technology and the Internet, ten privacy and consumer groups today called for stronger measures to protect consumer privacy both online and off. The organizations including the Consumer Federation of America, Electronic Frontier Foundation, Consumer Watchdog, World Privacy Forum, Consumer Action, USPIRG, Privacy Rights Clearinghouse, Privacy Times, Privacy Lives, and the Center for Digital Democracy, raised their concerns in a letter to Subcommittee Chairman Rick Boucher and Ranking Member Cliff Stearns. The groups recommended the following: *The bill should incorporate the Fair Information Practice Principles that have long served as the bedrock of consumer privacy protection in the U.S., including the principle of not collecting more data than is necessary for the stated purposes, limits on how long data should be retained, and a right to access and correct one's data. *The bill's definitions of what constitutes "sensitive information" need to be expanded; for instance, to include health-related information beyond just "medical records." *The bill should require strict "opt-in" procedures for the collection and use of covered data and should prohibit the collection and use of any sensitive information except for the transactions for which consumers provided it.]
On the Leakage of Personally Identifiable Information Via Online Social Networks
Date CapturedWednesday June 02, 2010 10:01 PM
Balachander Krishnamurthy and Craig E. Wills - [Abstract: For purposes of this paper, we define “Personally identifiable information” (PII) as information which can be used to distinguish or trace an individual’s identity either alone or when combined with other information that is linkable to a specific individual. The popularity of Online Social Networks (OSN) has accelerated the appearance of vast amounts of personal information on the Internet. Our research shows that it is possible for third-parties to link PII, which is leaked via OSNs, with user actions both within OSN sites and elsewhere on non-OSN sites. We refer to this ability to link PII and combine it with other information as “leakage”. We have identified multiple ways by which such leakage occurs and discuss measures to prevent it.]
DRAFT - Boucher bill
Date CapturedThursday May 06, 2010 08:34 AM
A BILL: To require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.
Proposed Privacy Legislation Wins Few Fans
Date CapturedThursday May 06, 2010 08:24 AM
WSJ : [ The goal for the legislation is to set a standard for consumer privacy protections and also provide consumers with more transparency and control regarding the collection, use and sharing of their information, said Rep. Rick Boucher (D., Va.). Mr. Boucher released a draft of the bill for discussion on Tuesday along with Rep. Cliff Stearns (R., Fla.). The bill stipulates that as a general rule companies can collect information about consumers unless a person opts out of that data collection — a point of contention among privacy advocates. The regulation also specifies standards for the collection and use of personally identifiable information. Companies must disclose to consumers if they are collecting personally identifiable information and how they are using that data. Consumers must give a company permission to share that personally identifiable information with outside companies. ]
FACEBOOK privacy policy link:
Date CapturedMonday April 26, 2010 08:32 PM
Facebook’s Privacy Policy. This policy contains eight sections: 1. Introduction; 2. Information We Receive; 3. Information You Share With Third Parties; 4. Sharing Information on Facebook; 5. How We Use Your Information; 6. How We Share Information; 7. How You Can View, Change, or Remove Information; 8. How We Protect Information; 9. Other Terms.
Instructions for using the Privacy Notice Online Form Builder:
Date CapturedThursday April 15, 2010 04:28 PM
FEDERAL RESERVE: [1. Select your form, based on (1) whether you provide an opt out and (2) whether you include affiliate marketing: If you provide an opt out and you want to include affiliate marketing, use Form 1. If you provide an opt out and you do not want to include affiliate marketing, use Form 2. If you do not provide an opt out and you want to include affiliate marketing, use Form 3. If you do not provide an opt out and you do not want to include affiliate marketing, use Form 4. 2. The PDF forms have fillable areas, indicated by the shaded boxes outlined in red. Place your cursor in the box and fill in the appropriate text.]
FACEBOOK: Another Step in Open Site Governance
Date CapturedThursday April 01, 2010 04:42 PM
Michael Richter - Friday, March 26, 2010 at 12:04pm - [We're proposing another set of revisions to our Privacy Policy and Statement of Rights and Responsibilities to make way for some exciting new products we're contemplating. Not all of these products have been finalized and many aren't yet built at all. However, we've definitely identified some interesting opportunities to improve the way you share and connect with the people and things in your life. ]
Privacy flags raise concern for graduate students
Date CapturedThursday March 11, 2010 09:24 PM
by Katie Perkowski -[Undergraduate students are not the only ones concerned with personal information available through UK’s online people search — now, graduate students are voicing their concern, too. Members of UK’s graduate school have recently voiced concern about their information like home address and home telephone number being available on the UK Web site without their knowledge, said English teaching assistant Jesslyn Collins-Frohlich.]
Comments of the World Privacy Forum to FTC, Nov. 6, 2009
Date CapturedThursday December 17, 2009 10:58 PM
Pam Dixon Executive Director, World Privacy Forum -- Re: Privacy Roundtables – Comment, Project No. P095416 - [The World Privacy Forum understands that businesses have a right to exist and to make money, and that advertising and marketing is part of the marketplace. But we also believe that there is not a reasonable balance right now between what data is being collected and used, and what consumers can do to manage that data and their privacy. There are no perfect solutions, but we think that a rights-based framework based on approaches contained in the Fair Credit Reporting Act and on Fair Information Practices will address many of the problems and help create solutions that are equitable for all stakeholders.]
DOD nixes vendor of online monitoring software over privacy concerns
Date CapturedMonday December 07, 2009 08:53 PM
Jaikumar Vijayan writes [In September, EPIC, a Washington-based privacy advocacy group, filed a complaint against EchoMetrix with the Federal Trade Commission. EPIC claimed that EchoMetrix was violating the provisions of the Children's Online Privacy Protection Act (COPPA) by collecting personally identifiable information about children and their browsing habits and online chats. EPIC claimed that EchoMetrix used the information to deliver targeted advertising to children and also sold that information to third-party marketers. In its complaint, EPIC pointed to a separate service offered by EchoMetrix called Pulse, which analyzes data gathered from multiple sources including instant messages, blogs and chat rooms. The information is sold as market research intelligence to marketing companies, the EPIC complaint said.]
Ad Industry Works on Ads About Ads
Date CapturedTuesday November 24, 2009 03:07 PM
Wall Street Journal Emily Steel writes -- [At issue is the practice of tracking consumers’ Web activities — from the searches they make to the sites they visit and the products they buy — for the purpose of targeting ads. The efforts follow calls from the FTC earlier this year for Web advertisers and Internet companies to do a better job explaining how they track and use information about consumers’ Web activities and creating a simple way consumers can opt out of being tracked.]
GOOD STUDENT LIST FOR SALE
Date CapturedSaturday November 21, 2009 01:57 PM
See lists for sale.
Lawmakers probe deeper into privacy
Date CapturedSaturday November 21, 2009 01:16 PM
By Kim Hart - 11/19/09 04:00 PM ET - [Jennifer Barrett, an executive with Acxiom, a marketing company, said the firm could collect 1,500 possible data points about individual consumers, such as age, hobbies, address, occupation and recent purchases. Acxiom typically maintains 20-40 data points on the average person. Acxiom receives that information from public records, surveys consumers fill out voluntarily (such as warranty cards) and information from other companies. In response to questions from Rep. Mike Doyle (D-Penn.), Barrett said consumers can see what data has been stored about them and can change or delete information used for marketing purposes. But consumers cannot find out who else has bought their data from Acxiom.]
Federal data breach notification standard must pre-empt state laws
Date CapturedMonday November 16, 2009 08:33 PM
Nextgov Jill R. Aitoro writes -- [The Data Breach Notification Act, introduced in January by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.] [Two states are credited for having breach notification laws with the most teeth, said Peter McLaughlin, senior counsel with Foley & Lardner LLP and a member of the law firm's privacy, security and information management practice. Foley & Lardner released a report on Monday that provides in-depth coverage of all major aspects of U.S. and international security breach laws.]
PUBLIC Law, Chapter 230 LD 1183, item 1, 124th Maine State Legislature
Date CapturedSunday November 08, 2009 10:35 PM
SP0431, LR 597, item 1, Signed on 2009-06-02 - First Regular Session - 124th Maine Legislature, page 1 - An Act To Prevent Predatory Marketing Practices against Minors - 2. Marketing purposes. "Marketing purposes," with respect to the use of health-related information or personal information, means the purposes of marketing or advertising products, goods or services to individuals. 3. Person. "Person" includes an individual, firm, partnership, corporation, association, syndicate, organization, society, business trust, attorney-in-fact and every natural or artificial legal entity. 4. Personal information. "Personal information" means individually identifiable information, including: A. An individual's first name, or first initial, and last name; B. A home or other physical address; C. A social security number; D. A driver's license number or state identification card number; and E. Information concerning a minor that is collected in combination with an identifier described in this subsection. 5. Verifiable parental consent. "Verifiable parental consent" means any reasonable effort, taking into consideration available technology, including a request for authorization for future collection, use and disclosure described in the notice, to ensure that a parent of a minor receives notice of the collection of personal information, use and disclosure practices and authorizes the collection, use and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that minor. § 9552. Unlawful collection and use of data from minors
“Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” or the “BEST PRACTICES Act”
Date CapturedThursday November 05, 2009 03:19 PM
H. R. 5777 -- To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes. [Requires information brokers to: (1) establish procedures to verify the accuracy of information that identifies individuals; (2) provide to individuals whose personal information it maintains a means to review it; (3) place notice on the Internet instructing individuals how to request access to such information; and (4) correct inaccurate information. Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information. Prohibits information brokers from obtaining or disclosing personal information by false pretenses (pretexting).]
Target-Marketing Becomes More Communal
Date CapturedThursday November 05, 2009 10:45 AM
WSJ Emily Steel writes ["The data is becoming the most important component for marketers and Web sites. It tells them who their audience is," says Omar Tawakol, chief executive at Blue Kai. Some lawmakers, concerned about Internet privacy, are preparing legislation to make more transparent Web sites' tactics for collecting information on their users. In an effort to fend off legislation, data brokers say, they abide by industry standards and do not collect any personally identifiable information and sensitive data, such as health information. They also tout efforts to make their business practices more transparent to consumers.]
“Personal Data Privacy and Security Act of 2009” S. 1490
Date CapturedWednesday November 04, 2009 02:19 PM
11TH CONGRESS - 1ST SESSION -- S. 1490: To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
State says Cambridge Public Schools can't charge $14K for public records
Date CapturedFriday February 13, 2009 03:12 PM
David L. Harris -- GateHouse News Service - [On Nov. 30, 2007, the Chronicle sent a letter requesting directory information, but the request was later denied in a three-page letter from the school’s legal department. After appealing to the state’s supervisor of public records, Alan Cote, the school department sent a letter dated July 11, explaining that the work to compile the directory information would cost $14,426.88. The Chronicle’s sister paper, the Newton TAB, requested the same information from Newton Public Schools around the same time. The school department, which sent the data within three weeks of the request, did not charge the TAB for the information.]

Data Mining

Data Broker Accountability and Transparency Act of 2014 (DATA Act)
Date CapturedThursday February 13, 2014 01:53 PM
Testimony of Pam Dixon Executive Director, World Privacy Forum Before the Senate Committee on Commerce, Science, and Transportation What Information Do Data Brokers Have on Consumers, and How Do They Use It?
Date CapturedSaturday December 21, 2013 09:13 AM
The data broker industry has not shown restraint. Nothing is out of bounds. No list is too obnoxious to sell. Data brokers sell lists that allow for the use of racial, ethnic and other factors that would be illegal or unacceptable in other circumstances. These lists and scores are used every day to make decisions about how consumers can participate in the economic marketplace. Their information determines who gets in and who gets shut out. All of this must change. I urge you to take action.
A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes
Date CapturedSaturday December 21, 2013 08:45 AM
STAFF REPORT FOR CHAIRMAN ROCKEFELLER; DECEMBER 18, 2013; This Committee inquiry has been conducted at a time when sources of consumer data and technological capabilities for storage and speedy analysis of data continue to expand. As data brokers are creating increasingly detailed dossiers on millions of consumers, it is important for policymakers to continue vigorous oversight to assess the potential harms and benefits of evolving industry practices and to make sure appropriate consumer protections are in place.
FTC to Study Data Broker Industry’s Collection and Use of Consumer Data
Date CapturedTuesday December 18, 2012 01:44 PM
The nine data brokers receiving orders from the FTC are: 1) Acxiom, 2) Corelogic, 3) Datalogix, 4) eBureau, 5) ID Analytics, 6) Intelius, 7) Peekyou, 8) Rapleaf, and 9) Recorded Future. The FTC is seeking details about: the nature and sources of the consumer information the data brokers collect; how they use, maintain, and disseminate the information; and the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold.
Rush Introduces Online Privacy Bill, H.R. 611, The BEST PRACTICES Act
Date CapturedFriday February 11, 2011 06:04 PM
Ensure that consumers have meaningful choices about the collection, use, and disclosure of their personal information. • Require companies that collect personal information to disclose their practices with respect to the collection, use, disclosure, merging, and retention of personal information, and explain consumers' options regarding those practices. • Require companies to provide disclosures of their practices in concise, meaningful, timely, and easy-to-understand notices, and direct the Federal Trade Commission to establish flexible and reasonable standards and requirements for such notices. • Require companies to obtain "opt-in" consent to disclose information to a third party. In the bill, the term, "third party" would be defined based on consumers' reasonable expectations rather than corporate structure. • Establish a "safe harbor" that would exempt companies from the "opt-in" consent requirement, provided those companies participate in a universal opt-out program operated by self-regulatory bodies and monitored by the FTC. • Require companies to have reasonable procedures to assure the accuracy of the personal information they collect. The bill would also require the companies to provide consumers with reasonable access to, and the ability to correct or amend, certain information. • Require companies to have reasonable procedures to secure information and to retain personal information only as long as it's necessary to fulfill a legitimate business or law enforcement need.
Guidelines on Security and Privacy in Public Cloud Computing
Date CapturedFriday February 04, 2011 03:36 PM
Cloud computing can and does mean different things to different people. The common characteristics most share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and dislocation of data from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment. Draft Special Publication 800-144
Directory Information Part 1 (WAV file, no text -- it's audio)
Date CapturedSunday December 26, 2010 05:36 PM
EDNY comments on Data Quality Campaign webcast with US ED response. See Part 2 for continuation of conversation.
COMMERCIAL DATA PRIVACY AND INNOVATION IN THE INTERNET ECONOMY: A DYNAMIC POLICY FRAMEWORK
Date CapturedThursday December 16, 2010 01:16 PM
US DEPT OF COMMERCE REPORT says the principles "should promote increased transparency through simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill these purposes, and expanded use of robust audit systems to bolster accountability." NO RECOMMENDATIONS REGARDING EDUCATION AND FERPA DIRECTORY INFORMATION.
Many States Collect Graduates’ Employment Information, but Clearer Guidance on Student Privacy Requirements Is Needed
Date CapturedMonday December 13, 2010 09:17 AM
GAO-10-927 - GAO recommends that Education clarify means by which states can collect and share graduates’ employment information under the Family Educational Rights and Privacy Act (FERPA) and establish a time frame for doing so. Education agreed with the recommendation.
“Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”
Date CapturedThursday December 09, 2010 04:45 PM
FTC: To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.” Second, the report states, consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. One method of simplified choice the FTC staff recommends is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. The report also recommends other measures to improve the transparency of information practices, including consideration of standardized notices that allow the public to compare information practices of competing companies. The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Finally, FTC staff proposes that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them.
Letter to: Chairman Boucher and Ranking Member Stearns
Date CapturedMonday June 07, 2010 06:26 PM
Mike Sachoff -- [In response to a discussion draft of a new privacy bill now under consideration by the House Subcommittee on Communications, Technology and the Internet, ten privacy and consumer groups today called for stronger measures to protect consumer privacy both online and off. The organizations including the Consumer Federation of America, Electronic Frontier Foundation, Consumer Watchdog, World Privacy Forum, Consumer Action, USPIRG, Privacy Rights Clearinghouse, Privacy Times, Privacy Lives, and the Center for Digital Democracy, raised their concerns in a letter to Subcommittee Chairman Rick Boucher and Ranking Member Cliff Stearns. The groups recommended the following: *The bill should incorporate the Fair Information Practice Principles that have long served as the bedrock of consumer privacy protection in the U.S., including the principle of not collecting more data than is necessary for the stated purposes, limits on how long data should be retained, and a right to access and correct one's data. *The bill's definitions of what constitutes "sensitive information" need to be expanded; for instance, to include health-related information beyond just "medical records." *The bill should require strict "opt-in" procedures for the collection and use of covered data and should prohibit the collection and use of any sensitive information except for the transactions for which consumers provided it.]
On the Leakage of Personally Identifiable Information Via Online Social Networks
Date CapturedWednesday June 02, 2010 10:01 PM
Balachander Krishnamurthy and Craig E. Wills - [Abstract: For purposes of this paper, we define “Personally identifiable information” (PII) as information which can be used to distinguish or trace an individual’s identity either alone or when combined with other information that is linkable to a specific individual. The popularity of Online Social Networks (OSN) has accelerated the appearance of vast amounts of personal information on the Internet. Our research shows that it is possible for third-parties to link PII, which is leaked via OSNs, with user actions both within OSN sites and elsewhere on non-OSN sites. We refer to this ability to link PII and combine it with other information as “leakage”. We have identified multiple ways by which such leakage occurs and discuss measures to prevent it.]
How Unique Is Your Web Browser?
Date CapturedTuesday May 18, 2010 01:32 PM
Peter Eckersley, Electronic Frontier Foundation, pde@eff.org -- [Conclusions -- We implemented and tested one particular browser fingerprinting method. It appeared, in general, to be very effective, though as noted in Section 3.1 there are many measurements that could be added to strengthen it. Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability. Although fingerprints turn out not to be particularly stable, browsers reveal so much version and configuration information that they remain overwhelmingly trackable. There are implications both for privacy policy and technical design. Policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms. The Tor project is noteworthy for already considering and designing against fingerprintability. Other software that purports to protect web surfers’ privacy should do likewise, and we hope that the test site at panopticlick.eff.org may prove useful for this purpose. Browser developers should also consider what they can do to reduce fingerprintability, particularly at the JavaScript API level. We identified only three groups of browser with comparatively good resistance to fingerprinting: those that block JavaScript, those that use TorButton, and certain types of smartphone. It is possible that other such categories exist in our data. Cloned machines behind firewalls are fairly resistant to our algorithm, but would not be resistant to fingerprints that measure clock skew or other hardware characteristics.]
DRAFT - Boucher bill
Date CapturedThursday May 06, 2010 08:34 AM
A BILL: To require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.
Proposed Privacy Legislation Wins Few Fans
Date CapturedThursday May 06, 2010 08:24 AM
WSJ : [ The goal for the legislation is to set a standard for consumer privacy protections and also provide consumers with more transparency and control regarding the collection, use and sharing of their information, said Rep. Rick Boucher (D., Va.). Mr. Boucher released a draft of the bill for discussion on Tuesday along with Rep. Cliff Stearns (R., Fla.). The bill stipulates that as a general rule companies can collect information about consumers unless a person opts out of that data collection — a point of contention among privacy advocates. The regulation also specifies standards for the collection and use of personally identifiable information. Companies must disclose to consumers if they are collecting personally identifiable information and how they are using that data. Consumers must give a company permission to share that personally identifiable information with outside companies. ]
FACEBOOK privacy policy link:
Date CapturedMonday April 26, 2010 08:32 PM
Facebook’s Privacy Policy. This policy contains eight sections: 1. Introduction; 2. Information We Receive; 3. Information You Share With Third Parties; 4. Sharing Information on Facebook; 5. How We Use Your Information; 6. How We Share Information; 7. How You Can View, Change, or Remove Information; 8. How We Protect Information; 9. Other Terms.
Instructions for using the Privacy Notice Online Form Builder:
Date CapturedThursday April 15, 2010 04:28 PM
FEDERAL RESERVE: [1. Select your form, based on (1) whether you provide an opt out and (2) whether you include affiliate marketing: If you provide an opt out and you want to include affiliate marketing, use Form 1. If you provide an opt out and you do not want to include affiliate marketing, use Form 2. If you do not provide an opt out and you want to include affiliate marketing, use Form 3. If you do not provide an opt out and you do not want to include affiliate marketing, use Form 4. 2. The PDF forms have fillable areas, indicated by the shaded boxes outlined in red. Place your cursor in the box and fill in the appropriate text.]
Education and Workforce Data Connections: A Primer on States’ Status
Date CapturedWednesday April 14, 2010 06:16 PM
Data Quality Campaign - [States are currently working to connect education and workforce data, however, states are far from reaching the goal of having data systems that can link across the P-20/Workforce spectrum. To connect these education and workforce databases, states should engage a broad range of stakeholders to: 1. Prioritize, through broad-based stakeholder input, the critical policy questions to drive the development and use of longitudinal data systems. 2. Ensure data systems are interoperable within and across agencies and states by adopting or developing common data standards, definitions and language. 3. Protect personally identifiable information through governance policies and practices that promote the security of the information while allowing appropriate data access and sharing.]
FACEBOOK: Another Step in Open Site Governance
Date CapturedThursday April 01, 2010 04:42 PM
Michael Richter - Friday, March 26, 2010 at 12:04pm - [We're proposing another set of revisions to our Privacy Policy and Statement of Rights and Responsibilities to make way for some exciting new products we're contemplating. Not all of these products have been finalized and many aren't yet built at all. However, we've definitely identified some interesting opportunities to improve the way you share and connect with the people and things in your life. ]
Sebelius, Solis Announce Nearly $1 Billion Recovery Act Investment in Advancing Use of Health IT, Training Workers for Health Jobs of the Future
Date CapturedMonday February 15, 2010 06:21 PM
WASHINGTON, DC - Health and Human Services Secretary Kathleen Sebelius and Labor Secretary Hilda Solis today announced a total of nearly $1 billion in Recovery Act awards to help health care providers advance the adoption and meaningful use of health information technology (IT) and train workers for the health care jobs of the future. The awards will help make health IT available to over 100,000 hospitals and primary care physicians by 2014 and train thousands of people for careers in health care and information technology. This Recovery Act investment will help grow the emerging health IT industry which is expected to support tens of thousands of jobs ranging from nurses and pharmacy techs to IT technicians and trainers. The over $750 million in HHS grant awards Secretary Sebelius announced today are part of a federal initiative to build capacity to enable widespread meaningful use of health IT. This assistance at the state and regional level will facilitate health care providers' efforts to adopt and use electronic health records (EHRs) in a meaningful manner that has the potential to improve the quality and efficiency of health care for all Americans. Of the over $750 million investment, $386 million will go to 40 states and qualified State Designated Entities (SDEs) to facilitate health information exchange (HIE) at the state level, while $375 million will go to an initial 32 non-profit organizations to support the development of regional extension centers (RECs) that will aid health professionals as they work to implement and use health information technology - with additional HIE and REC awards to be announced in the near future. RECs are expected to provide outreach and support services to at least 100,000 primary care providers and hospitals within two years.
Comments of the World Privacy Forum to FTC, Nov. 6, 2009
Date CapturedThursday December 17, 2009 10:58 PM
Pam Dixon Executive Director, World Privacy Forum -- Re: Privacy Roundtables – Comment, Project No. P095416 - [The World Privacy Forum understands that businesses have a right to exist and to make money, and that advertising and marketing is part of the marketplace. But we also believe that there is not a reasonable balance right now between what data is being collected and used, and what consumers can do to manage that data and their privacy. There are no perfect solutions, but we think that a rights-based framework based on approaches contained in the Fair Credit Reporting Act and on Fair Information Practices will address many of the problems and help create solutions that are equitable for all stakeholders.]
DOD nixes vendor of online monitoring software over privacy concerns
Date CapturedMonday December 07, 2009 08:53 PM
Jaikumar Vijayan writes [In September, EPIC, a Washington-based privacy advocacy group, filed a complaint against EchoMetrix with the Federal Trade Commission. EPIC claimed that EchoMetrix was violating the provisions of the Children's Online Privacy Protection Act (COPPA) by collecting personally identifiable information about children and their browsing habits and online chats. EPIC claimed that EchoMetrix used the information to deliver targeted advertising to children and also sold that information to third-party marketers. In its complaint, EPIC pointed to a separate service offered by EchoMetrix called Pulse, which analyzes data gathered from multiple sources including instant messages, blogs and chat rooms. The information is sold as market research intelligence to marketing companies, the EPIC complaint said.]
Ad Industry Works on Ads About Ads
Date CapturedTuesday November 24, 2009 03:07 PM
Wall Street Journal Emily Steel writes -- [At issue is the practice of tracking consumers’ Web activities — from the searches they make to the sites they visit and the products they buy — for the purpose of targeting ads. The efforts follow calls from the FTC earlier this year for Web advertisers and Internet companies to do a better job explaining how they track and use information about consumers’ Web activities and creating a simple way consumers can opt out of being tracked.]
GOOD STUDENT LIST FOR SALE
Date CapturedSaturday November 21, 2009 01:57 PM
See lists for sale.
Lawmakers probe deeper into privacy
Date CapturedSaturday November 21, 2009 01:16 PM
By Kim Hart - 11/19/09 04:00 PM ET - [Jennifer Barrett, an executive with Acxiom, a marketing company, said the firm could collect 1,500 possible data points about individual consumers, such as age, hobbies, address, occupation and recent purchases. Acxiom typically maintains 20-40 data points on the average person. Acxiom receives that information from public records, surveys consumers fill out voluntarily (such as warranty cards) and information from other companies. In response to questions from Rep. Mike Doyle (D-Penn.), Barrett said consumers can see what data has been stored about them and can change or delete information used for marketing purposes. But consumers cannot find out who else has bought their data from Acxiom.]
Federal data breach notification standard must pre-empt state laws
Date CapturedMonday November 16, 2009 08:33 PM
Nextgov Jill R. Aitoro writes -- [The Data Breach Notification Act, introduced in January by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.] [Two states are credited for having breach notification laws with the most teeth, said Peter McLaughlin, senior counsel with Foley & Lardner LLP and a member of the law firm's privacy, security and information management practice. Foley & Lardner released a report on Monday that provides in-depth coverage of all major aspects of U.S. and international security breach laws.]
‘‘Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act’’ or the ‘‘BEST PRACTICES Act’’
Date CapturedThursday November 05, 2009 03:19 PM
H. R. 5777 -- To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes. [Requires information brokers to: (1) establish procedures to verify the accuracy of information that identifies individuals; (2) provide to individuals whose personal information it maintains a means to review it; (3) place notice on the Internet instructing individuals how to request access to such information; and (4) correct inaccurate information. Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information. Prohibits information brokers from obtaining or disclosing personal information by false pretenses (pretexting).]
Target-Marketing Becomes More Communal
Date CapturedThursday November 05, 2009 10:45 AM
WSJ Emily Steel writes ["The data is becoming the most important component for marketers and Web sites. It tells them who their audience is," says Omar Tawakol, chief executive at Blue Kai. Some lawmakers, concerned about Internet privacy, are preparing legislation to make more transparent Web sites' tactics for collecting information on their users. In an effort to fend off legislation, data brokers say, they abide by industry standards and do not collect any personally identifiable information and sensitive data, such as health information. They also tout efforts to make their business practices more transparent to consumers.]
Google Becomes Default Location Provider For Firefox
Date CapturedThursday April 30, 2009 06:47 PM
TechCrunch.com -- Jason Kincaid -- [Google says that the data isn't currently being used for advertising purposes (at least for now), and that this is really about getting location-based functionality deployed to the web. But even without the advertising dollars, there is one very major upside: Google is going to be able to perfect its location database, with millions of users tapping into it on a daily basis. And that database is going to be extremely valuable going forward. ]
F.B.I. and States Vastly Expand DNA Databases
Date CapturedSunday April 19, 2009 05:40 PM
NY Times By SOLOMON MOORE -- Published: April 18, 2009 -- [Minors are required to provide DNA samples in 35 states upon conviction, and in some states upon arrest. Three juvenile suspects in November filed the only current constitutional challenge against taking DNA at the time of arrest. The judge temporarily stopped DNA collection from the three youths, and the case is continuing. Sixteen states now take DNA from some who have been found guilty of misdemeanors. As more police agencies take DNA for a greater variety of lesser and suspected crimes, civil rights advocates say the government’s power is becoming too broadly applied. “What we object to — and what the Constitution prohibits — is the indiscriminate taking of DNA for things like writing an insufficient funds check, shoplifting, drug convictions,” said Michael Risher, a lawyer for the American Civil Liberties Union.]
An Icon That Says They’re Watching You
Date CapturedThursday March 19, 2009 06:20 PM
NY Times Saul Hansell writes [Mr. Turow has developed a plan that is simpler and more comprehensive: Put an icon on each ad that signifies that the ad collects or uses information about users. If you click the icon, you will go to what he calls a “privacy dashboard” that will let you understand exactly what information was used to choose that ad for you. And you’ll have the opportunity to edit the information or opt out of having any targeting done at all. “I don’t think ‘Ads by Google’ is enough,” he said. “The problem with the whole rhetoric Google is using is that it is designed to stop you from wanting to learn more and do something.”]
Behavioral Advertising and Privacy
Date CapturedFriday February 13, 2009 01:31 PM
World Privacy Forum - About Behaviorally targeted advertising, World Privacy Forum testimony and Comments, resources.
Upgraded Biometric Technology Facilitates Visitors' Entry to the United States
Date CapturedThursday January 15, 2009 07:41 PM
For nearly five years, U.S. Department of State (State) consular officers and U.S. Customs and Border Protection (CBP) officers have collected biometric information—digital fingerprints and a photograph—from all non-U.S. citizens between the ages of 14 and 79, with some exceptions, when they apply for visas or arrive at major U.S. ports of entry. State consular officers began collecting 10 fingerprints from visa applicants in 2007. Collecting 10 fingerprints increases fingerprint matching accuracy and reduces the possibility that the system will misidentify an international visitor. It also strengthens DHS's capability to check visitors' fingerprints against the Federal Bureau of Investigation's (FBI) criminal data and enables DHS to check visitors' fingerprints against latent fingerprints collected by Department of Defense (DOD) and the FBI from known and unknown terrorists around the world.
Careful what you search for
Date CapturedThursday January 01, 2009 05:15 PM
Fortune Jia Lynn Yang [So if you're a 33-year-old working female who lives in New York City and who likes to search for Jimmy Choo pumps, you might see ads for a local shoe store - thanks to the personal information the search engines have about you. "There are many free online tools, but they're not really free," explained Greg Conti, a professor of computer science at West Point and the author of Googling Security: How Much Does Google Know About You? "We end up paying for them with micro-payments of personal information which, in turn, are captured and used for data mining and targeted advertising."]
Minnesota Department of Health Continues to Violate State Law and Individual Privacy
Date CapturedSaturday December 13, 2008 04:29 PM
St. Paul/Minneapolis – Concerned parents and the Citizens’ Council on Health Care (CCHC) called on Governor Tim Pawlenty to require his Commissioner of Health to cease and desist the warehousing of newborn blood and baby DNA without informed, written parent consent.
2008 Data Mining Report
Date CapturedMonday December 08, 2008 06:18 PM
This report describes DHS programs that meet the definition of data mining required by the Congress in Section 804 of the 9/11 Commission Act, entitled the Federal Agency Data Mining Reporting Act, and summarizes the Privacy Office’s public workshop, Implementing Privacy Protections in Government Data Mining, which was held on July 24-25, 2008. The Report also presents principles for implementing privacy protections in research projects conducted by the DHS Science and Technology Directorate (S&T), the Department’s primary research and development arm. The Principles, which were developed jointly by the Privacy Office and S&T, provide guidance for incorporating privacy protections into privacy-sensitive S&T research and development projects in a manner that supports the DHS mission. [As the Privacy Office’s Data Mining Workshop demonstrated, the term “data mining” can mean different things to different people. One thing is clear, however: regardless of how data mining is defined, data mining research that uses PII can have significant impacts on individual privacy, and those impacts must be addressed. The Department has taken a major step toward this goal by developing its Principles for Implementing Privacy Protections for Research Projects, which will be embedded in new research projects carried out by S&T, whether they involve data mining or not. The Privacy Office looks forward to collaborating with S&T to implement these Principles, so that research critical to the Department’s mission is carried out in a manner that sustains individual privacy.]
Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment
Date CapturedWednesday December 03, 2008 04:02 PM
National Academies Press - [All U.S. agencies with counterterrorism programs that collect or "mine" personal data -- such as phone records or Web sites visited -- should be required to evaluate the programs' effectiveness, lawfulness, and impacts on privacy. A framework is offered that agencies can use to evaluate such information-based programs, both classified and unclassified. The book urges Congress to re-examine existing privacy law to assess how privacy can be protected in current and future programs and recommends that any individuals harmed by violations of privacy be given a meaningful form of redress.]
In Pictures: Companies That Profit From Your Data
Date CapturedMonday June 23, 2008 03:13 PM
It may be your name, address and phone number. But it's their cash cow. By Andy Greenberg (there is a series of pictures/text with this link)
PRIVACY -- Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information
Date CapturedWednesday June 18, 2008 05:09 PM
In its report GAO identified alternatives that the Congress should consider, including revising the scope of privacy laws to cover all personal information, requiring that the use of such information be limited to a specific purpose, and revising the structure and publication of privacy notices. OMB commented that the Congress should consider these alternatives in the broader context of existing privacy and related statutes.
Report: Feds need better privacy protection for data
Date CapturedWednesday June 18, 2008 05:04 PM
USA reports, "Much of the way personal information is handled today, including being sifted through data-mining systems that search for patterns, is not covered by the Privacy Act of 1974, she says. As states begin collecting information in coming years to produce new secure drivers' licenses, government databases will get even larger. 'The government has no business collecting our personal information if it cannot ensure the American public it will be protected from identity thieves and other prying eyes,' says Caroline Fredrickson of the American Civil Liberties Union."
Huge Databases Offer a Research Gold Mine — and Privacy Worries
Date CapturedTuesday June 03, 2008 08:14 PM
By DAVID GLENN from the issue dated May 9, 2008 Chronicle of Higher Education, "Researchers have used the new databases to study many issues, including which high-school math courses are most important for college success and how exposure to adjunct instructors affects student retention. But the new education databases create obvious challenges for protecting student privacy — which is one reason most states have been slow to build them. Florida's education department takes elaborate steps to 'de-identify' its information before handing it to outside researchers. Despite those efforts, nervous officials in other states look at a system like Florida's and worry about potential violations of the Family Educational Rights and Privacy Act, or Ferpa. In March the U.S. Department of Education proposed new Ferpa regulations that might clarify the ground rules for the use of such databases, but it is far from certain that the new rules will make states more comfortable with the projects." http://chronicle.com -- Section: The Faculty -- Volume 54, Issue 35, Page A10
Data Mining and the Security-Liberty Debate
Date CapturedMonday June 02, 2008 04:57 PM
By Daniel Solove. "Countless discussions about the trade-offs between security and liberty begin by taking a security proposal and then weighing it against what it would cost our civil liberties. Often, the liberty interests are cast as individual rights and balanced against the security interests, which are cast in terms of the safety of society as a whole. Courts and commentators defer to the government's assertions about the effectiveness of the security interest. In the context of data mining, the liberty interest is limited by narrow understandings of privacy that neglect to account for many privacy problems. As a result, the balancing concludes with a victory in favor of the security interest. But as I argue, important dimensions of data mining's security benefits require more scrutiny, and the privacy concerns are significantly greater than currently acknowledged. These problems have undermined the balancing process and skewed the results toward the security side of the scale."

Data Stewardship

NCES 2011-602 Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records
Date CapturedTuesday January 04, 2011 09:55 PM
SLDS Technical Brief - Guidance for Statewide Longitudinal Data Systems (SLDS) [A privacy and data protection program for student education records must include an array of rules and procedures for protecting PII held in the record system. It also must include a full set of public disclosures of the existence and uses of the information included in the data system, a description of all parents’ or eligible students’ rights to review and appeal the contents of an individual education record and of their rights and the procedures to appeal a violation.]*****[A school directory may include PII such as a student’s name, grade level, and contact information. Taken by itself, the release of this information is not harmful to a student. However, when combined with the student’s Social Security Number or another identifier and the student’s education record, this information has the potential for violating a student’s right to privacy. The release of this combined record could lead to harm or embarrassment. Thus, the privacy and data protection program should focus on PII that will be maintained in the electronic student record system with its likely wealth of student data.]

Data-driven Education

Directory Information Part 1 (WAV file, no text -- it's audio)
Date CapturedSunday December 26, 2010 05:36 PM
EDNY comments on Data Quality Campaign webcast with US ED response. See Part 2 for continuation of conversation.
Education and Workforce Data Connections: A Primer on States’ Status
Date CapturedWednesday April 14, 2010 06:16 PM
Data Quality Campaign - [States are currently working to connect education and workforce data, however, states are far from reaching the goal of having data systems that can link across the P-20/Workforce spectrum. To connect these education and workforce databases, states should engage a broad range of stakeholders to: 1. Prioritize, through broad-based stakeholder input, the critical policy questions to drive the development and use of longitudinal data systems. 2. Ensure data systems are interoperable within and across agencies and states by adopting or developing common data standards, definitions and language. 3. Protect personally identifiable information through governance policies and practices that promote the security of the information while allowing appropriate data access and sharing.]

Deidentification

Challenges Associated With Data-Sharing HIPAA De-identification
Date CapturedSunday December 21, 2014 06:18 AM
Daniel Barth-Jones & James Janisse
Best Practices for Access Controls and Disclosure Avoidance Techniques
Date CapturedThursday November 27, 2014 07:31 AM
Webinar Nov 7, 2012
Case Study #5: Minimizing Access to PII: Best Practices for Access Controls and Disclosure Avoidance Techniques (Oct 2012)
Date CapturedThursday November 27, 2014 07:14 AM
This case study illustrates best practices for minimizing access to sensitive information with education data maintained in a Statewide Longitudinal Data System.
Why Deidentification Fails Research Subjects and Researchers, 10 American Journal of Bioethics, 28-30 (2010)
Date CapturedFriday November 14, 2014 10:11 AM
DOI:10.1080/15265161.2010.492892; Robert Gellman; pages 28-30
Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data
Date CapturedFriday November 14, 2014 07:01 AM
Deven McGraw; The aim of this paper is to summarize concerns with the de-identification standard and methodologies established under the Health Insurance Portability and Accountability Act (HIPAA) regulations, and report some potential policies to address those concerns that were discussed at a recent workshop attended by industry, consumer, academic and research stakeholders. Center for Democracy & Technology, 1634 I Street, NW Suite 1100, Washington, DC 20006, USA; deven@cdt.org J Am Med Inform Assoc 2013;20:29-34 doi:10.1136/amiajnl-2012-000936
The PII Problem: Privacy and a New Concept of Personally Identifiable Information
Date CapturedFriday November 14, 2014 06:32 AM
Paul M. Schwartz University of California, Berkeley - School of Law; Daniel J. Solove George Washington University Law School; December 5, 2011; New York University Law Review, Vol. 86, p. 1814, 2011; UC Berkeley Public Law Research Paper No. 1909366; GWU Legal Studies Research Paper No. 584; GWU Law School Public Law Research Paper No. 584; We show how existing approaches to PII impede the effective regulation of behavioral marketing, and how PII 2.0 would resolve these problems.
Latanya Arvette Sweeney, Ph.D. CV
Date CapturedSaturday November 08, 2014 07:37 PM
Latanya Arvette Sweeney, Ph.D. Professor of Government and Technology in Residence Department of Government Director, Data Privacy Lab dataprivacylab.org/ Harvard University 1737 Cambridge Street, CGIS K310 Cambridge, MA 02138
Latanya Sweeney, Ph.D.
Date CapturedSaturday November 08, 2014 07:31 PM
I think Latanya Sweeney may be back at Harvard
The Importance of Disaggregating Student Data
Date CapturedSaturday November 08, 2014 08:26 AM
Common characteristics used to disaggregate data include (Boeke, 2012): Race/ethnicity (country of origin); Generation status (i.e. first, second, etc. generation or recently arrived); Immigrant/refugee status (refugee status often means people are eligible for certain services); Age group; Gender; Grade; Geographic (within a state there is often enough data to compare school district data versus a state comparison to a national average); Sexual orientation; Free or reduced lunch status (as a SES indicator); Insurance status
Ethical Concerns, Conduct and Public Policy for Re-Identification and De-identification Practice: Part 3 (Re-Identification Symposium)
Date CapturedFriday November 07, 2014 10:27 AM
By Daniel C. Barth-Jones; In Part 1, and Part 2 of this symposium contribution I wrote about a number of re-identification demonstrations and their reporting, both by the popular press and in scientific communications. However, even beyond the ethical considerations that I’ve raised about the accuracy of some of these communications, there are additional ethical, “scientific ethos”, and pragmatic public policy considerations involved in the conduct of re-identification research and de-identification practice that warrant some more thorough discussion and debate.
Data Privacy Lab
Date CapturedFriday November 07, 2014 08:09 AM
Research projects - The Data Privacy Lab is a program in the Institute for Quantitative Social Science (IQSS) at Harvard University and offers thought leadership, research, and discussion on privacy and technology, working directly with researchers at IQSS and leveraging colleagues across Harvard School of Engineering and Applied Sciences, Harvard Medical School, Harvard Law School, and MIT. The Lab started in 2001 at Carnegie Mellon University in the Heinz School of Public Policy and in 2002, moved to the School of Computer Science, where it operated until 2011 before relocating to Harvard. The Lab has had dramatic impact on privacy technology developments and policy. Latanya Sweeney founded the Lab and continues as its Director.
Does de-identification work or not?
Date CapturedThursday November 06, 2014 09:20 AM
About the author: Daniel C. Barth-Jones, M.P.H., Ph.D., is a HIV and Infectious Disease Epidemiologist on the faculty at the Mailman School of Public Health at Columbia University. His work in the area of statistical disclosure control and implementation under the HIPAA Privacy Rule provisions for de-identification is focused on the importance of properly balancing competing goals of protecting patient privacy and preserving the accuracy of scientific research and statistical analyses conducted with de-identified data.
The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now
Date CapturedThursday November 06, 2014 09:00 AM
Barth-Jones, Daniel C., The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now (June 4, 2012).
The Deidentification Dilemma: A Legislative & Contractual Proposal by Bob Gellman
Date CapturedWednesday November 05, 2014 09:03 PM
Robert Gellman, The Deidentification Dilemma: A Legislative and Contractual Proposal, 21 Fordham Intell. Prop. Media & Ent. L.J. 33 (2011).
Data De-identification: An Overview of Basic Terms
Date CapturedWednesday January 16, 2013 01:35 PM
PTAC-GL, Oct 2012: In addition to defining and clarifying the distinction among several key terms, the paper provides general best practice suggestions regarding data de-identification strategies for different types of data. The information is presented in the form of an alphabetized list of definitions, followed at the end by additional resources on FERPA requirements and statistical techniques that can be used to protect student data against disclosures.

DHS

EMERGENCY COMMUNICATIONS: Various Challenges Likely to Slow Implementation of a Public Safety Broadband Network
Date CapturedThursday February 23, 2012 07:07 PM
GAO-12-343 Implementation of a Public Safety Broadband Network: To help ensure that public safety agencies are not overpaying for handheld communication devices, the Secretary of Homeland Security should work with federal and state partners to identify and communicate opportunities for joint procurement of public safety LMR devices.
Secretary Napolitano Outlines Five Recommendations To Enhance Aviation Security
Date CapturedThursday January 07, 2010 07:53 PM
Secretary Napolitano outlined the following five recommendations: Re-evaluate and modify the criteria and process used to create terrorist watch lists—including adjusting the process by which names are added to the “No-Fly” and “Selectee” lists. Establish a partnership on aviation security between DHS and the Department of Energy and its National Laboratories in order to develop new and more effective technologies to deter and disrupt known threats and proactively anticipate and protect against new ways by which terrorists could seek to board an aircraft. Accelerate deployment of advanced imaging technology to provide greater explosives detection capabilities—and encourage foreign aviation security authorities to do the same—in order to identify materials such as those used in the attempted Dec. 25 attack. The Transportation Security Administration currently has 40 machines deployed throughout the United States, and plans to deploy at least 300 additional units in 2010. Strengthen the presence and capacity of aviation law enforcement—by deploying law enforcement officers from across DHS to serve as Federal Air Marshals to increase security aboard U.S.-bound flights. Work with international partners to strengthen international security measures and standards for aviation security.
Today's Living on 'Today's THV at 5': Real ID Program
Date CapturedTuesday December 01, 2009 03:27 PM
Rebecca Buerkle writes - [Twenty-four states have passed laws or resolutions saying they will not comply. Other states that want an extension on the Dec. 31 deadline had until Tuesday to demonstrate they are making progress. But as many as 12 states may not be able to do so, making 36 states non-compliant.]
Testimony of Secretary Janet Napolitano before the House Committee on Homeland Security on DHS, The Path Forward
Date CapturedWednesday February 25, 2009 03:13 PM
Release Date: February 25, 2009 - The Committee’s platform items: [Improving the governance, functionality, and accountability of the Department of Homeland Security; enhancing security for all modes of transportation; strengthening our Nation: response, resilience, and recovery; shielding the Nation’s critical infrastructure from attacks; securing the homeland and preserving privacy, civil rights, and civil liberties; connecting the dots: intelligence, information sharing, and interoperability; implementing common-sense border and port security; and inspiring minds and developing technology – the future of homeland security. ]
Data Privacy & Integrity Advisory Committee
Date CapturedTuesday February 03, 2009 05:45 PM
This letter (to Janet Napolitano and John W. Kropf) reflects the consensus recommendations provided by the Data Privacy and Integrity Advisory Committee to the Secretary and Acting Chief Privacy Officer of the Department of Homeland Security (DHS). The Committee’s charter under the Federal Advisory Committee Act is to provide advice on programmatic, policy, operational, administrative, and technological issues relevant to DHS that affect individual privacy, data integrity and other privacy-related issues. The Committee deliberated on and adopted the recommendations set forth below during a public meeting held by teleconference on February 3, 2009. This letter outlines certain key privacy issues currently facing the Department of Homeland Security that the Committee believes the new Administration should review. We recognize that efforts are underway on many of these issues and our intention is to highlight their importance. The letter reflects the consensus view of the members of the Committee.
Upgraded Biometric Technology Facilitates Visitors' Entry to the United States
Date CapturedThursday January 15, 2009 07:41 PM
For nearly five years, U.S. Department of State (State) consular officers and U.S. Customs and Border Protection (CBP) officers have collected biometric information—digital fingerprints and a photograph—from all non-U.S. citizens between the ages of 14 and 79, with some exceptions, when they apply for visas or arrive at major U.S. ports of entry. State consular officers began collecting 10 fingerprints from visa applicants in 2007. Collecting 10 fingerprints increases fingerprint matching accuracy and reduces the possibility that the system will misidentify an international visitor. It also strengthens DHS's capability to check visitors' fingerprints against the Federal Bureau of Investigation's (FBI) criminal data and enables DHS to check visitors' fingerprints against latent fingerprints collected by Department of Defense (DOD) and the FBI from known and unknown terrorists around the world.
DHS office describes how it assesses privacy
Date CapturedTuesday January 06, 2009 01:48 PM
The FIPPS said in the memo that DHS should: • Be transparent and provide notice to the individuals regarding collection and use of personally identifiable information (PII). • When possible, seek consent from individuals to use their PII and provide access, correction and redress regarding DHS’ use of PII. • Explain the authority that permits DHS to collect PII and the ways it will be used. • Only collect PII that is necessary to accomplish the specific purpose and keep it only as long as necessary. • Use PII only for the purpose specified in the notice. Limit sharing of PII outside the department to purposes that are compatible with the reasons that PII was collected. • Ensure, as much as possible, that data is accurate, relevant, timely and complete. • Protect PII with appropriate security. • Be held accountable for complying with the principles and provide training for all employees and contractors who use PII and perform audits.
DHS Announces $48.6 Million in Driver’s License Security Grants
Date CapturedTuesday December 16, 2008 08:35 PM
The U.S. Department of Homeland Security (DHS) today opened the application period for approximately $48.6 million under the Fiscal Year (FY) 2009 Driver’s License Security Grant Program. These grants support state efforts to prevent terrorism and reduce fraud by improving the reliability and accuracy of identification documents that state governments issue. The FY 2009 Driver’s License Security Grant Program will accept proposals that improve state capabilities consistent with the requirements of the REAL ID final rule. This year’s program also will contain pre-determined target allocation funds to all 56 states and territories instead of the competitively awarded funds issued to states and territories under the FY 2008 REAL ID program funds.
2008 Data Mining Report
Date CapturedMonday December 08, 2008 06:18 PM
This report describes DHS programs that meet the definition of data mining required by the Congress in Section 804 of the 9/11 Commission Act, entitled the Federal Agency Data Mining Reporting Act, and summarizes the Privacy Office’s public workshop, Implementing Privacy Protections in Government Data Mining, which was held on July 24-25, 2008. The Report also presents principles for implementing privacy protections in research projects conducted by the DHS Science and Technology Directorate (S&T), the Department’s primary research and development arm. The Principles, which were developed jointly by the Privacy Office and S&T, provide guidance for incorporating privacy protections into privacy-sensitive S&T research and development projects in a manner that supports the DHS mission. [As the Privacy Office’s Data Mining Workshop demonstrated, the term “data mining” can mean different things to different people. One thing is clear, however: regardless of how data mining is defined, data mining research that uses PII can have significant impacts on individual privacy, and those impacts must be addressed. The Department has taken a major step toward this goal by developing its Principles for Implementing Privacy Protections for Research Projects, which will be embedded in new research projects carried out by S&T, whether they involve data mining or not. The Privacy Office looks forward to collaborating with S&T to implement these Principles, so that research critical to the Department’s mission is carried out in a manner that sustains individual privacy.]
CYBER ANALYSIS AND WARNING - DHS Faces Challenges in Establishing a Comprehensive National Capability
Date CapturedTuesday September 23, 2008 10:15 AM
GAO 08-588: We recommend that the Secretary of Homeland Security take four actions to fully establish a national cyber analysis and warning capability. Specifically, the Secretary should address deficiencies in each of the attributes identified for • monitoring, including establish a comprehensive baseline understanding of the nation’s critical information infrastructure and engage appropriate nonfederal stakeholders to support a national-level cyber monitoring capability; • analysis, including expanding its capabilities to investigate incidents; • warning, including ensuring consistent notifications that are targeted, actionable, and timely; and • response, including ensuring that US-CERT provides assistance in the mitigation of and recovery from simultaneous severe incidents, including incidents of national significance. We also recommend that the Secretary address the challenges that impede DHS from fully implementing the key attributes, including the following 6 items: • engaging appropriate stakeholders in federal and nonfederal entities to determine ways to develop closer working and more trusted relationships; • expeditiously hiring sufficiently trained cyber analysts and developing strategies for hiring and retaining highly qualified cyber analysts; • identifying and acquiring technological tools to strengthen cyber analytical capabilities and handling the steadily increasing workload; developing predictive analysis capabilities by defining terminology, methodologies, and indicators, and engaging appropriate stakeholders in other federal and nonfederal entities; • filling key management positions and developing strategies for hiring and retaining those officials; and • ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities, including the Office of Cybersecurity and Communications and the National Cybersecurity Center.
"Cybersecurity Recommendations for the Next Administration”
Date CapturedTuesday September 23, 2008 10:05 AM
Hearing on “Cybersecurity Recommendations for the Next Administration”
How RFID Tags Could Be Used to Track Unsuspecting People
Date CapturedThursday September 11, 2008 08:41 PM
Scientific American -- "The new licenses come equipped with radio-frequency identification (RFID) tags that can be read right through a wallet, pocket or purse from as far away as 30 feet. Each tag incorporates a tiny microchip encoded with a unique identification number. As the bearer approaches a border station, radio energy broadcast by a reader device is picked up by an antenna connected to the chip, causing it to emit the ID number. By the time the license holder reaches the border agent, the number has already been fed into a Homeland Security database, and the traveler’s photograph and other details are displayed on the agent’s screen."
Analysis tool exempt from some privacy laws
Date CapturedWednesday August 20, 2008 12:51 PM
fcw.com reports, "People whose biographic or biometric data is being analyzed by a new Immigration and Customs Enforcement (ICE) data system will not automatically be granted access to their records or be able to review them for accuracy as usually permitted by federal privacy protection laws."
Fliers without ID placed on TSA list
Date CapturedWednesday August 13, 2008 09:30 PM
USA Today reports, "The Transportation Security Administration has collected records on thousands of passengers who went to airport checkpoints without identification, adding them to a database of people who violated security laws or were questioned for suspicious behavior. The TSA began storing the information in late June, tracking many people who said they had forgotten their driver's license or passport at home. The database has 16,500 records of such people and is open to law enforcement agencies, according to the TSA."
realnightmare.org
Date CapturedSunday July 20, 2008 06:48 PM
Anti-Real ID website
Jindal Vetoes His Vote
Date CapturedSunday July 20, 2008 06:12 PM
New Orleans blog, "As a new Republican governor, Jindal signed legislation into law earlier this month that prohibits Louisiana from participating in the very same Real ID Act he voted for as a congressman."
GOVERNOR PATERSON ANNOUNCES AVAILABILITY OF NEW ENHANCED DRIVER LICENSE
Date CapturedSaturday July 19, 2008 11:22 AM
July 9, 2008 PRESS RELEASE excerpts: The EDL can be readily obtained by applying at local DMV offices. Since it is a driver license, it will be easier to carry than a passport, making it especially convenient for those who make frequent or unplanned crossings. The EDL will be valid for up to eight years, the same period as a current drivers license. The new licenses will be clearly distinguishable as a limited use international travel document by the added features of a U.S. flag on the front and the machine readable text on the reverse, both identifying it is an “enhanced” driver license. Each EDL will have various new security features within the document that will help to deter counterfeiting.
Borderline searches and seizures
Date CapturedFriday June 27, 2008 07:34 PM
The Gripe Line | Ed Foster -- blog response is interesting.
Laptop Searches in Airports Draw Fire at Senate Hearing
Date CapturedFriday June 27, 2008 06:29 PM
NY Times reports, "'If you asked most Americans whether the government has the right to look through their luggage for contraband when they are returning from an overseas trip, they would tell you "yes, the government has that right,"' Senator Russ Feingold, Democrat of Wisconsin, said Wednesday at the hearing of a Senate Judiciary subcommittee. 'But,' Mr. Feingold continued, 'if you asked them whether the government has a right to open their laptops, read their documents and e-mails, look at their photographs and examine the Web sites they have visited, all without any suspicion of wrongdoing, I think those same Americans would say that the government absolutely has no right to do that.'"
Plan to Fingerprint Foreigners Exiting U.S. Is Opposed
Date CapturedMonday June 23, 2008 03:01 PM
Washington Post reports, "The airline industry and embassies of 34 countries, including the members of the European Union, are urging the U.S. government to withdraw a plan that would require airlines and cruise lines to collect digital fingerprints of all foreigners before they depart the United States, starting in August 2009. Their opposition could trigger a battle with Congress and the Bush administration, which want the new plan established quickly."
Protecting Personal Information: Is the Federal Government Doing Enough?
Date CapturedWednesday June 18, 2008 06:20 PM
Statement of Ari Schwartz, Vice President Center for Democracy & Technology before the Committee on Homeland Security and Governmental Affairs -- "Current federal laws and policies provide to those agency officials who care about privacy valuable tools to protect personal information in the hands of the federal government. Unfortunately, these laws and policies clearly have not been implemented consistently in a way that prevents indifference or wanton neglect of personal information. Moreover, even diligent officials find gaps in existing laws, especially because those laws, especially the Privacy Act of 1974, have failed to keep pace with technological change. To adequately protect privacy in this digital age, when more information is collected and shared than ever before, both Congress and the Executive Branch will need to work together to close the long-recognized gaps in existing laws and policies. At the same time, both branches must foster the leadership and insist upon the measurement capabilities needed to ensure that existing and new laws and policies are implemented uniformly and diligently."
PRIVACY -- Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information
Date CapturedWednesday June 18, 2008 05:09 PM
In its report GAO identified alternatives that the Congress should consider, including revising the scope of privacy laws to cover all personal information, requiring that the use of such information be limited to a specific purpose, and revising the structure and publication of privacy notices. OMB commented that the Congress should consider these alternatives in the broader context of existing privacy and related statutes.
Report: Feds need better privacy protection for data
Date CapturedWednesday June 18, 2008 05:04 PM
USA reports, "Much of the way personal information is handled today, including being sifted through data-mining systems that search for patterns, is not covered by the Privacy Act of 1974, she says. As states begin collecting information in coming years to produce new secure drivers' licenses, government databases will get even larger. 'The government has no business collecting our personal information if it cannot ensure the American public it will be protected from identity thieves and other prying eyes,' says Caroline Fredrickson of the American Civil Liberties Union."
Bills would give more access to DHS data
Date CapturedTuesday June 17, 2008 01:17 PM
The Intelligence, Information Sharing and Terrorism Risk Assessment Subcommittee sent the full committee a bill designed to enhance public access to government documents and a measure that would reduce the extent to which DHS classifies documents. The subcommittee also sent the full committee legislation that would require DHS to make greater use of open-source data for intelligence products. In addition, it agreed to a bill that would give state and local authorities greater flexibility in how they use DHS grants to pay analysts at state and local intelligence fusion centers.
DHS wants biometric helping hand
Date CapturedTuesday June 17, 2008 01:10 PM
Five years after Congress ordered biometric tracking of foreign visitors leaving the United States by land and after spending millions of dollars on planning and testing that yielded limited results, the Homeland Security Department is now seeking the private sector’s help to address the challenge.
Privacy Impact Assessment for the Use of Radio Frequency Identification (RFID) Technology for Border Crossings
Date CapturedThursday June 05, 2008 10:39 PM
U.S. Customs and Border Protection (CBP) employs Radio Frequency Identification (RFID) Technology that is to be used in cross border travel documents to facilitate the land border primary inspection process. A unique number is embedded in an RFID tag which, in turn, is embedded in each cross border travel document. At the border, the unique number is read wirelessly by CBP and then forwarded through a secured data circuit to back-end computer systems. The back-end systems use the unique number to retrieve personally identifiable information about the traveler. This information is sent to the CBP Officer to assist in the authentication of the identity of the traveler and to facilitate the land border primary inspection process. Multiple border crossing programs use or plan to take advantage of CBP’s vicinity RFID-reader enabled border crossing functionality including CBP’s own trusted traveler programs, the pending Department of State’s (DoS) Passport Card, the Mexican Border Crossing Card, the proposed Enhanced Driver’s License (EDL) offered by various states, tribal enrollment cards that could be developed by various Native American Tribes, and the proposed Enhanced Driver’s Licenses being developed within the various provincial authorities in Canada. DHS, DoS, and States and other entities collect PII from travelers during the enrollment/application process for current or anticipated RFID enabled travel documents. This PII is stored in secured computer systems and is associated with a unique RFID identifier stored in a card the traveler presents during the border crossing process. In order to expedite processing, this unique RFID identifier is transmitted wirelessly from the individual’s RFID enabled card to an RFID reader which triggers the CBP computer systems to retrieve the PII stored in secured back-end systems and pre-position the PII associated with that traveler corresponding to the unique RFID identifier. 
This automated process enables the CBP Officer to quickly compare the information presented on the computer screen with the information on the travel card and the traveler, and thus enhance security and complete the clearance process faster than if the enrollment information were not available. No personally identifiable information is transmitted via RFID, and the traveler is fully informed of the methods for transmitting and using this information as part of the enrollment process for RFID enabled travel documents.
"REAL ID Implementation Review: Few Benefits, Staggering Costs"
Date CapturedTuesday June 03, 2008 02:35 PM
EPIC: The final rule includes few protections for individual privacy and security in its massive national identification database. It harms national security by creating yet another “trusted” credential for criminals to exploit. The Department of Homeland Security has faced so many obstacles with the REAL ID system that the agency now plans an implementation deadline of 2017 – nine years later than the 2008 statutory deadline. It is an unfunded mandate that would cost billions, with the burden ultimately being placed on the individual taxpayer. Technical experts familiar with the challenges of privacy protection and identification presented the Department of Homeland Security with a variety of recommendations that would have minimized the risks of the REAL ID system. The DHS made some modifications, but left the essential system in place. As REAL ID currently stands, the costs are many and the benefits are few. Public opposition to implementation is understandable.
N.Y. opts for hybrid driver’s licenses
Date CapturedTuesday June 03, 2008 02:03 PM
Washington Technology reports, "Some of the enhanced licenses have been controversial because of privacy concerns. Washington, which was the first state to begin producing the new licenses, includes a radio frequency identification microchip on the licenses. The RFID chips, which can be read wirelessly from 20 feet to 30 feet away, have been criticized for their potential to be scanned without authorization, risking identity theft and loss of privacy. It is not clear whether New York’s licenses will include the RFID chip. Information was not immediately available from a spokesman for the state Department of Motor Vehicles."
FEMA to manage cellular alert system
Date CapturedTuesday June 03, 2008 01:58 PM
The alert system, mandated by Congress in the Warning Alert Response Network Act, will allow federal, state and local emergency alerts to be sent by authorized senders. FEMA, as the aggregator, will verify the authenticity of the alerts and pass them to commercial mobile phone providers, who will pass them on to their subscribers.
General Information Technology Access Account Records System (GITAARS) DHS/ALL-004, May 15, 2008, 73 FR 28139
Date CapturedTuesday June 03, 2008 12:51 PM
In accordance with the Privacy Act of 1974, the Department of Homeland Security is giving notice that it proposes to update a system of records in its inventory. The Department of Homeland Security is updating the General Information Technology Access Account Records System system of records notice to include four new routine uses and to add to the categories of records covered by the system. The first new routine use will allow for information sharing with federal agencies such as the Office of Personnel Management, the Merit Systems Protection Board, Office of Management and Budget, Federal Labor Relations Authority, Government Accountability Office, or the Equal Employment Opportunity Commission when information is requested in the performance of those agencies' official duties. The second routine use will allow for the routine sharing of business information outside of the Department for official purposes. This includes the sharing of business contact information to contacts outside of the Department. The third routine use allows for sharing for the purpose of investigating an alleged or proven act of identity fraud or theft. The fourth routine use allows sharing of information to regulatory and oversight bodies, including auditors, who are responsible for ensuring appropriate use of government resources.
DHS Announces Pre-Travel Authorization Program for U.S.-Bound Travelers from Visa Waiver Countries
Date CapturedTuesday June 03, 2008 12:47 PM
PRESS RELEASE: “Rather than relying on paper-based procedures, this system will leverage 21st century electronic means to obtain basic information about who is traveling to the U.S. without a visa,” said Homeland Security Secretary Michael Chertoff. “Getting this information in advance enables our frontline personnel to determine whether a visa-free traveler presents a threat, before boarding an aircraft or arriving on our shores. It is a relatively simple and effective way to strengthen our security, and that of international travelers, while helping to preserve an important program for key allies.”
Fact Sheet: Electronic System for Travel Authorization (ESTA)
Date CapturedTuesday June 03, 2008 12:44 PM
The Department of Homeland Security (DHS) has announced the ESTA Interim Final Rule (IFR), which establishes a new online system that is part of the Visa Waiver Program (VWP) and is required by the Implementing Recommendations of the 9/11 Commission Act of 2007. Once ESTA is mandatory, all nationals or citizens of Visa Waiver Program (VWP) countries who plan to travel to the United States for temporary business or pleasure will require an approved ESTA prior to boarding a carrier to travel by air or sea to the United States under the VWP. The rule does not apply to U.S. citizens traveling overseas.
Privacy Impact Assessment for the Western Hemisphere Travel Initiative Land and Sea Final
Date CapturedTuesday June 03, 2008 12:32 PM
The Department of Homeland Security (DHS) and U.S. Customs and Border Protection (CBP), in conjunction with the Bureau of Consular Affairs at the Department of State (DOS), published in the Federal Register a final rule to notify the public of how they will implement the Western Hemisphere Travel Initiative (WHTI) for sea and land ports-of-entry. The final rule removes the current regulatory exceptions to the passport requirement provided under sections 212(d)(4)(B) and 215(b) of the Immigration and Nationality Act (INA). On August 9, 2007, the DHS Privacy Office issued a Privacy Impact Assessment (PIA) for the proposed rule, which was published in the Federal Register on June 26, 2007, at 72 FR 35088. This PIA updates the earlier PIA for the proposed rule to reflect changes in the WHTI final rule for land and sea ports-of-entry.
Documents Required for Travelers Departing From or Arriving in the United States
Date CapturedMonday June 02, 2008 06:49 PM
The WHTI final rule requires travelers to present a passport or other approved secure document denoting citizenship and identity for all land and sea travel into the United States. WHTI establishes document requirements for travelers entering the United States who were previously exempt, including citizens of the U.S., Canada and Bermuda. These document requirements will be effective June 1, 2009.
Understanding Denial-of-Service Attacks
Date CapturedThursday August 02, 2007 12:26 PM
Cyber Security Tip ST04-015 -- In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, web sites, online accounts (banking, etc.), or other services that rely on the affected computer.

Directory Information

Hearing on “How Emerging Technology Affects Student Privacy”
Date CapturedMonday February 16, 2015 12:24 PM
United States House of Representatives 114th Congress, 1st Session; Committee on Education and the Workforce Subcommittee on Early Childhood, Elementary and Secondary Education Hearing on “How Emerging Technology Affects Student Privacy” February 12, 2015 Statement of Joel R. Reidenberg Stanley D. and Nikki Waxberg Chair and Professor of Law Founding Academic Director, Center on Law and Information Policy Fordham University New York, NY Good morning Chairman Rokita, Ranking Member Fudge and distinguished
Opt-Out 2014: Protect Children video
Date CapturedTuesday August 12, 2014 06:39 PM
Opt-Out 2014: Protect Children
Date CapturedTuesday August 12, 2014 06:10 PM
Testimony of Pam Dixon Executive Director, World Privacy Forum Before the Senate Committee on Commerce, Science, and Transportation What Information Do Data Brokers Have on Consumers, and How Do They Use It?
Date CapturedSaturday December 21, 2013 09:13 AM
The data broker industry has not shown restraint. Nothing is out of bounds. No list is too obnoxious to sell. Data brokers sell lists that allow for the use of racial, ethnic and other factors that would be illegal or unacceptable in other circumstances. These lists and scores are used everyday to make decisions about how consumers can participate in the economic marketplace. Their information determines who gets in and who gets shut out. All of this must change. I urge you to take action.

DNA

Genetic Testing and Screening in the Age of Genomic Medicine
Date CapturedThursday October 18, 2012 08:38 AM
Most states, including New York, have added tests to their newborn screening panels without formal criteria or processes to guide them. Many commentators recommend that newborn screening programs form advisory committees composed of medical and laboratory professionals and community participants to establish criteria for screening tests and to review screening test panels and program outcomes.
ELSI Panel Addresses Genomics Consent and Privacy at CSHL
Date CapturedFriday May 08, 2009 07:06 PM
GenomeWeb Daily News -- Andrea Anderson-- [For instance, some have expressed concern that even de-identified genetic data could be linked to study participants. Last August, the National Institutes of Health pulled their GWAS data from public databases in response to research suggesting that it might be possible to identify an individual from pooled genetic data. There has also been a great deal of discussion about what information participants should get back from such studies as well as researchers' responsibility for informing subjects about incidental findings. ]
F.B.I. and States Vastly Expand DNA Databases
Date CapturedSunday April 19, 2009 05:40 PM
NY Times By SOLOMON MOORE -- Published: April 18, 2009 -- [Minors are required to provide DNA samples in 35 states upon conviction, and in some states upon arrest. Three juvenile suspects in November filed the only current constitutional challenge against taking DNA at the time of arrest. The judge temporarily stopped DNA collection from the three youths, and the case is continuing. Sixteen states now take DNA from some who have been found guilty of misdemeanors. As more police agencies take DNA for a greater variety of lesser and suspected crimes, civil rights advocates say the government’s power is becoming too broadly applied. “What we object to — and what the Constitution prohibits — is the indiscriminate taking of DNA for things like writing an insufficient funds check, shoplifting, drug convictions,” said Michael Risher, a lawyer for the American Civil Liberties Union.]
What Every American Needs to Know about the HIPAA Medical Privacy Rule* -- Updated November 2008
Date CapturedSunday January 18, 2009 09:39 PM
By Sue A. Blevins, president of the Institute for Health Freedom and Robin Kaigh, Esq., an attorney dedicated to patients’ health privacy rights. [Did you know that under the federal HIPAA (Health Insurance Portability and Accountability Act of 1996) medical privacy rule, your personal health information—including past records and genetic information—can be disclosed without your consent to large organizations such as the following? Data-processing companies; Insurers; Researchers (in some instances); Hospitals; Doctors (even those not treating you); Law enforcement officials; Public health officials; Federal government.]
Genetic Privacy - Individual's Genetic Information - Personal Property Rights
Date CapturedMonday January 12, 2009 08:32 PM
HOUSE BILL 12 -- File Code: Criminal Law - Substantive Crimes Crossfiled with: SENATE BILL 54 - Prohibiting a person from knowingly collecting, analyzing, or retaining a DNA sample from an individual, performing a DNA analysis, or retaining or disclosing the results of a DNA analysis without written informed consent; exempting the collection and analysis of DNA samples for specified purposes from the prohibition; providing that the DNA sample and the results of the DNA analysis are the exclusive property of the individual from whom the sample is collected; etc.
Minnesota Department of Health Continues to Violate State Law and Individual Privacy
Date CapturedSaturday December 13, 2008 04:29 PM
St. Paul/Minneapolis – Concerned parents and the Citizens’ Council on Health Care (CCHC) called on Governor Tim Pawlenty to require his Commissioner of Health to cease and desist the warehousing of newborn blood and baby DNA without informed, written parent consent.

eBehavioral Advertising

The PII Problem: Privacy and a New Concept of Personally Identifiable Information
Date CapturedFriday November 14, 2014 06:32 AM
Paul M. Schwartz University of California, Berkeley - School of Law; Daniel J. Solove George Washington University Law School; December 5, 2011; New York University Law Review, Vol. 86, p. 1814, 2011; UC Berkeley Public Law Research Paper No. 1909366; GWU Legal Studies Research Paper No. 584; GWU Law School Public Law Research Paper No. 584; We show how existing approaches to PII impede the effective regulation of behavioral marketing, and how PII 2.0 would resolve these problems.
An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications
Date CapturedMonday January 03, 2011 09:11 PM
Dongseok Jang; Ranjit Jhala; Sorin Lerner; Hovav Shacham - Dept. of Computer Science and Engineering University of California, San Diego, USA : {d1jang,jhala,lerner,hovav}@cs.ucsd.edu --[Our JavaScript information flow framework found many interesting privacy-violating information flows including 46 cases of real history sniffing over the Alexa global top 50,000 websites, despite some incompleteness. One direction for future work is a larger scale study on privacy-violating information flows. Such a study could perform a deeper crawl of the web, going beyond the front-pages of web sites, and could look at more kinds of privacy-violating information flows. Moreover, we would also like to investigate the prevalence of security attacks led by privacy-violating information flows like phishing and request forgery] [...we believe that with careful and extensive engineering efforts, there is a possibility that our framework could lead to a practical protection mechanism.]
“Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”
Date CapturedThursday December 09, 2010 04:45 PM
FTC: To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.” Second, the report states, consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. One method of simplified choice the FTC staff recommends is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. The report also recommends other measures to improve the transparency of information practices, including consideration of standardized notices that allow the public to compare information practices of competing companies. The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Finally, FTC staff proposes that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them.
html5
Date CapturedWednesday October 20, 2010 07:42 PM
HTML5 is a new version of HTML and XHTML. The HTML5 draft specification defines a single language that can be written in HTML and XML. It attempts to solve issues found in previous iterations of HTML and addresses the needs of Web Applications, an area previously not adequately covered by HTML.
On the Leakage of Personally Identifiable Information Via Online Social Networks
Date CapturedWednesday June 02, 2010 10:01 PM
Balachander Krishnamurthy and Craig E. Wills - [Abstract For purposes of this paper, we define “Personally identifiable information” (PII) as information which can be used to distinguish or trace an individual’s identity either alone or when combined with other information that is linkable to a specific individual. The popularity of Online Social Networks (OSN) has accelerated the appearance of vast amounts of personal information on the Internet. Our research shows that it is possible for third-parties to link PII, which is leaked via OSNs, with user actions both within OSN sites and elsewhere on non-OSN sites. We refer to this ability to link PII and combine it with other information as “leakage”. We have identified multiple ways by which such leakage occurs and discuss measures to prevent it.]
How Unique Is Your Web Browser?
Date CapturedTuesday May 18, 2010 01:32 PM
Peter Eckersley, Electronic Frontier Foundation, pde@eff.org/ -- [Conclusions -- We implemented and tested one particular browser fingerprinting method. It appeared, in general, to be very effective, though as noted in Section 3.1 there are many measurements that could be added to strengthen it. Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability. Although fingerprints turn out not to be particularly stable, browsers reveal so much version and configuration information that they remain overwhelmingly trackable. There are implications both for privacy policy and technical design. Policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms. The Tor project is noteworthy for already considering and designing against fingerprintability. Other software that purports to protect web surfers’ privacy should do likewise, and we hope that the test site at panopticlick.eff.org may prove useful for this purpose. Browser developers should also consider what they can do to reduce fingerprintability, particularly at the JavaScript API level. We identified only three groups of browser with comparatively good resistance to fingerprinting: those that block JavaScript, those that use TorButton, and certain types of smartphone. It is possible that other such categories exist in our data. Cloned machines behind firewalls are fairly resistant to our algorithm, but would not be resistant to fingerprints that measure clock skew or other hardware characteristics. ]
Proposed Privacy Legislation Wins Few Fans
Date CapturedThursday May 06, 2010 08:24 AM
WSJ : [ The goal for the legislation is to set a standard for consumer privacy protections and also provide consumers with more transparency and control regarding the collection, use and sharing of their information, said Rep. Rick Boucher (D., Va.). Mr. Boucher released a draft of the bill for discussion on Tuesday along with Rep. Cliff Stearns (R., Fla.). The bill stipulates that as a general rule companies can collect information about consumers unless a person opts out of that data collection — a point of contention among privacy advocates. The regulation also specifies standards for the collection and use of personally identifiable information. Companies must disclose to consumers if they are collecting personally identifiable information and how they are using that data. Consumers must give a company permission to share that personally identifiable information with outside companies. ]
FACEBOOK privacy policy link:
Date CapturedMonday April 26, 2010 08:32 PM
Facebook’s Privacy Policy. This policy contains eight sections: 1. Introduction; 2. Information We Receive; 3. Information You Share With Third Parties; 4. Sharing Information on Facebook; 5. How We Use Your Information; 6. How We Share Information; 7. How You Can View, Change, or Remove Information; 8. How We Protect Information; 9. Other Terms.
How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?
Date CapturedThursday April 15, 2010 06:12 PM
Chris Jay Hoofnagle - University of California, Berkeley - School of Law, Berkeley Center for Law & Technology; Jennifer King -UC Berkeley School of Information; Berkeley Center for Law & Technology; Su Li- University of California, Berkeley- School of Law, Center for the Study of Law and Society; Joseph Turow - University of Pennsylvania - Annenberg School for Communication: [Abstract: Media reports teem with stories of young people posting salacious photos online, writing about alcohol-fueled misdeeds on social networking sites, and publicizing other ill-considered escapades that may haunt them in the future. These anecdotes are interpreted as representing a generation-wide shift in attitude toward information privacy. Many commentators therefore claim that young people “are less concerned with maintaining privacy than older people are.” Surprisingly, though, few empirical investigations have explored the privacy attitudes of young adults. This report is among the first quantitative studies evaluating young adults’ attitudes. It demonstrates that the picture is more nuanced than portrayed in the popular media. ] [Among the findings: _ Eighty-eight percent of people of all ages said they have refused to give out information to a business because they thought it was too personal or unnecessary. Among young adults, 82 percent have refused, compared with 85 percent of those over 65. _ Most people — 86 percent — believe that anyone who posts a photo or video of them on the Internet should get their permission first, even if that photo was taken in public. Among young adults 18 to 24, 84 percent agreed — not far from the 90 percent among those 45 to 54. _ Forty percent of adults ages 18 to 24 believe executives should face jail time if their company uses someone's personal information illegally — the same as the response among those 35 to 44 years old.]
Updated and Corrected: E-Book Buyer's Guide to Privacy
Date CapturedThursday December 31, 2009 03:20 PM
Electronic Frontier Foundation -- [A few weeks ago, EFF published its first draft of a Buyer's Guide to E-Book Privacy. In that first draft we incorporated the actual language of the privacy policies as much as possible, which unfortunately created some confusion since companies generally use different language to address similar issues. We also did a few other things clumsily. First, we've re-written many of the questions and answers to provide more clarity about the behavior of each e-reader. Second, we've tried to point out where companies' privacy policies themselves are unclear on particular issues. And finally, we've made the whole thing easier to read by changing its visual layout. This guide continues to be a work in progress.]
Refocusing the FTC’s Role in Privacy Protection
Date CapturedMonday December 14, 2009 05:31 PM
Comments of the Center for Democracy & Technology (CDT) in regards to the FTC Consumer Privacy Roundtable.
Ad Industry Works on Ads About Ads
Date CapturedTuesday November 24, 2009 03:07 PM
Wall Street Journal Emily Steel writes -- [At issue is the practice of tracking consumers’ Web activities — from the searches they make to the sites they visit and the products they buy — for the purpose of targeting ads. The efforts follow calls from the FTC earlier this year for Web advertisers and Internet companies to do a better job explaining how they track and use information about consumers’ Web activities and creating a simple way consumers can opt out of being tracked.]
Target-Marketing Becomes More Communal
Date CapturedThursday November 05, 2009 10:45 AM
WSJ Emily Steel writes ["The data is becoming the most important component for marketers and Web sites. It tells them who their audience is," says Omar Tawakol, chief executive at Blue Kai. Some lawmakers, concerned about Internet privacy, are preparing legislation to make more transparent Web sites' tactics for collecting information on their users. In an effort to fend off legislation, data brokers say, they abide by industry standards and do not collect any personally identifiable information and sensitive data, such as health information. They also tout efforts to make their business practices more transparent to consumers.]
Americans Reject Tailored Advertising and Three Activities that Enable It
Date CapturedMonday October 05, 2009 07:01 PM
[First, federal legislation ought to require all websites to integrate the P3P protocols into their privacy policies. That will provide a web-wide computer-readable standard for websites to communicate their privacy policies automatically to people’s computers. Visitors can know immediately when they get to a site whether they feel comfortable with its information policy. An added advantage of mandating P3P is that the propositional logic that makes it work will force companies to be straightforward in presenting their positions about using data. It will greatly reduce ambiguities and obfuscations about whether and where personal information is taken. · Second, federal legislation ought to mandate data-flow disclosure for any entity that represents an organization online. The law would work this way: When an internet user begins an online encounter with a website or commercial email, that site or email should prominently notify the person of an immediately accessible place that will straightforwardly present (1) exactly what information the organization collected about that specific individual during their last encounter, if there was one; (2) whether and how that information was linked to other information; (3) specifically what other organizations, if any, received the information; and (4) what the entity expects will happen to the specific individual’s data during this new (or first) encounter. Some organizations may then choose to allow the individuals to negotiate which of forthcoming data-extraction, manipulation and sharing activities they will or won’t allow for that visit. · Third, the government should assign auditing organizations to verify through random tests that both forms of disclosure are correct—and to reveal the results at the start of each encounter. The organizations that collect the data should bear the expense of the audits. Inaccuracies should be considered deceptive practices by the Federal Trade Commission.
The three proposals follow the widely recognized Federal Trade Commission goals of providing users with access, notice, choice, and security over their information. Companies will undoubtedly protest that these activities might scare people from allowing them to track information and raise the cost of maintaining databases about people online. One response is that people, not the companies, own their personal information. Another response is that perhaps consumers’ new analyses of the situation will lead them to conclude that such sharing is not often in their benefit. If that happens, it might lead companies that want to retain customers to change their information tracking-and-sharing approaches. The issues raised here about citizen understanding of privacy policies and data flow are already reaching beyond the web to the larger digital interactive world of personal video recorders (such as TiVo), cell phones, and personal digital assistants. At a time when technologies to extract and manipulate consumer information are becoming ever-more complex, citizens’ ability to control their personal information must be both more straightforward and yet more wide-ranging than previously contemplated.] Turow, Joseph, King, Jennifer, Hoofnagle, Chris Jay, Bleakley, Amy and Hennessy, Michael, Americans Reject Tailored Advertising and Three Activities that Enable It (September 29, 2009). Available at SSRN: http://ssrn.com/abstract=1478214
Americans Don't Like Being Tracked on Web
Date CapturedMonday October 05, 2009 06:21 PM
[The Times notes that Representative Rick Boucher, Democrat from Virginia, is planning to introduce privacy legislation that will address on-line tracking, while David Vladeck, head of consumer protection for the Federal Trade Commission (FTC), is indicating that he is keeping a close watch on consumer privacy protection as well.]
In the garden of Google and evil
Date CapturedMonday May 11, 2009 05:55 PM
Computer World - Robert L. Mitchell -- [As the focus by regulators and privacy advocates intensifies, Google should take a leadership role in developing pro-consumer privacy laws and best practices. If it doesn't, Google could eventually lose the good will it has with its users, and regulators could make it the poster boy for privacy on the Web. Google need look no further than Microsoft to see how quickly public opinion can change for a de facto monopoly. ]
Location-based service
Date CapturedThursday April 30, 2009 10:12 PM
Wiki - [A location-based service (LBS) is an information and entertainment service, accessible with mobile devices through the mobile network and utilizing the ability to make use of the geographical position of the mobile device]
Google Becomes Default Location Provider For Firefox
Date CapturedThursday April 30, 2009 06:47 PM
TechCrunch.com -- Jason Kincaid -- [Google says that the data isn't currently being used for advertising purposes (at least for now), and that this is really about getting location-based functionality deployed to the web. But even without the advertising dollars, there is one very major upside: Google is going to be able to perfect its location database, with millions of users tapping into it on a daily basis. And that database is going to be extremely valuable going forward. ]
IE8's Cumbersome Privacy Controls May Discourage Use
Date CapturedMonday March 23, 2009 04:06 PM
Patricia Resende writes [Microsoft's new IE8 features follow a warning to Internet browser makers from the Federal Trade Commission to self-regulate privacy issues or face regulation. Microsoft came under fire for its Passport feature as the Electronic Privacy Information Center and 14 other groups asked the FTC in 2001 to force a revision of the security standard on Passport. The groups alleged Microsoft violated the law by linking Windows XP with requests to sign up for Passport and misleading users to believe that Passport protected privacy when it instead tracked, profiled and monitored users.]
An Icon That Says They’re Watching You
Date CapturedThursday March 19, 2009 06:20 PM
NY Times Saul Hansell writes [Mr. Turow has developed a plan that is simpler and more comprehensive: Put an icon on each ad that signifies that the ad collects or uses information about users. If you click the icon, you will go to what he calls a “privacy dashboard” that will let you understand exactly what information was used to choose that ad for you. And you’ll have the opportunity to edit the information or opt out of having any targeting done at all. “I don’t think ‘Ads by Google’ is enough,” he said. “The problem with the whole rhetoric Google is using is that it is designed to stop you from wanting to learn more and do something.” ]
A Call to Legislate Internet Privacy
Date CapturedMonday March 16, 2009 10:31 AM
NY Times Saul Hansell writes [“Internet users should be able to know what information is collected about them and have the opportunity to opt out,” he said. While he hasn’t written the bill yet, Mr. Boucher said that he, working with Representative Cliff Stearns, the Florida Republican who is the ranking minority member on the subcommittee, wants to require Web sites to disclose how they collect and use data, and give users the option to opt out of any data collection. That’s not a big change from what happens now, at least on most big sites. But in what could be a big change from current practice, Mr. Boucher wants sites to get explicit permission from users — an “opt in” — if they are going to share information with other companies.]
Advertisers Get a Trove of Clues in Smartphones
Date CapturedWednesday March 11, 2009 03:05 PM
NY Times STEPHANIE CLIFFORD writes [The capability for collecting information has alarmed privacy advocates. “It’s potentially a portable, personal spy,” said Jeff Chester, the executive director of the Center for Digital Democracy, who will appear before Federal Trade Commission staff members this month to brief them on privacy and mobile marketing. He is particularly concerned about data breaches, advertisers’ access to sensitive health or financial information, and a lack of transparency about how advertisers are collecting data. “Users are going to be inclined to say, sure, what’s harmful about a click, not realizing that they’ve consented to give up their information.”]
Google to Offer Ads Based on Interests
Date CapturedWednesday March 11, 2009 03:00 PM
NY Times MIGUEL HELFT writes [Google will use a cookie, a small piece of text that resides inside a Web browser, to track users as they visit one of the hundreds of thousands of sites that show ads through its AdSense program. Google will assign those users to categories based on the content of the pages they visit. For example, a user may be pegged as a potential car buyer, sports enthusiast or expectant mother. Google will then use that information to show people ads that are relevant to their interests, regardless of what sites they are visiting. An expectant mother may see an ad about baby products not only on a parenting site but also, for example, on a sports or fashion site that uses AdSense or on YouTube, which is owned by Google.]
PRIVACY AND DATA PROTECTION
Date CapturedWednesday March 11, 2009 02:42 PM
The Business Forum for Consumer Privacy (BFCP), a coalition of companies including Microsoft, Google and HP, released a whitepaper intended to start a discussion about governing information collection and use. The BFCP says the current U.S. approach, which holds consumers responsible for how their private information is used, is not sufficient in the information economy. In the whitepaper, the forum proposes an alternative approach toward securing private data: a "use-and-obligations" model. This model, the authors say, draws upon the OECD Guidelines and the APEC Privacy Framework, and outlines five categories of data use: fulfillment, marketing, internal business operations, antifraud and authentication, and external legal and public good. Forum members say a use-and-obligations model will better address ways in which information is collected and used in the twenty-first century.
ONLINE BEHAVIORAL ADVERTISING: A CHECKLIST OF PRACTICES THAT IMPACT CONSUMER TRUST
Date CapturedWednesday March 04, 2009 03:09 PM
Truste white paper -- [Self-regulation is a process often preceded by leading companies beginning to strengthen practices and chart advances that are then more widely adopted. In particular, companies should be aware of evolving industry practices in the following areas: Application of certain privacy principles to some types of non-personal data, for example, behavioral profiles, cookie IDs or IP addresses. Notices about ad-serving and behavioral targeting being provided in banner ads or on home pages, in addition to within a privacy policy. Choice being provided not only for the sharing of ad-serving data, but with regard to data use by a single company to tailor ads on its own sites. The establishment of specific data retention policies and anonymization techniques for log-file data.]
Behavioral Targeting: Not that Bad?! TRUSTe Survey Shows Decline in Concern for Behavioral Targeting
Date CapturedWednesday March 04, 2009 03:05 PM
Behavioral advertising still represents uncharted territory, without clearly applicable laws or regulations. In February, the Federal Trade Commission (FTC) published a set of guidelines (titled “Self-Regulatory Principles for Online Behavioral Advertising”) for companies collecting information on the actions of Internet users for the purpose of providing targeted advertising to them. The principles encourage self-regulatory action on the part of the companies themselves, specifically encouraging transparency and customer control, reasonable security and limited data retention for customer data. These principles have been criticized by privacy advocates, who assert that government should impose stricter laws rather than relying on companies to self-regulate.
Cable Companies Target Commercials to Audience
Date CapturedWednesday March 04, 2009 02:53 PM
NY Times STEPHANIE CLIFFORD [Cablevision matches households to demographic data to divide its customers, using the data-collection company Experian. Experian has data on individuals that it collects through public records, registries and other sources. It matches the name and address of the subscriber to what it knows about them, and assigns demographic characteristics to households. (The match is a blind one: advertisers do not know what name and address they are advertising to, Cablevision executives said.) Advertisers can also give their existing customer lists to Experian, and Experian can make matches — so G.M., for example, could direct an ad based on who already owns a G.M. car. Advertisers are willing to pay premiums for ads that go only to audiences they have selected.]
YouTube's new 'nocookie' feature continues to serve cookies
Date CapturedTuesday March 03, 2009 03:20 PM
CNET -- Chris Soghoian says [ Those in the privacy community will likely pounce on this as evidence of Google's hypocrisy, while Google will likely respond by carefully parsing the definition of the phrase "non-session cookie" to not include Flash-cookie objects. Google might even argue that its Flash-based cookies do not contain unique tracking information (something this blogger is unable to verify, since the Adobe Flash Manager only allows you to delete, but not view the contents of a Flash cookie). One thing is clear. YouTube has advertised a new delayed cookie feature, and stated that it "does not send a cookie until the visitor plays the video." That message is further reinforced by the fact that the new cookie-lite embedded video players are served from a different domain name, youtube-nocookie.com. Yet a user visiting a page that includes one of these "delayed cookie" videos still ends up with a long term, non-session Flash cookie hidden away in the depths of their browser. Technical definitions of "cookie" versus "Flash cookie" aside, YouTube's "delayed cookie" feature simply fails to deliver on the company's promises.]
Behavioral Advertising and Privacy
Date CapturedFriday February 13, 2009 01:31 PM
World Privacy Forum - About Behaviorally targeted advertising, World Privacy Forum testimony and Comments, resources.
FTC Staff Revises Online Behavioral Advertising Principles
Date CapturedThursday February 12, 2009 06:19 PM
The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and personalization that many consumers appear to value. It also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected – including sensitive information regarding health, finances, or children – could fall into the wrong hands or be used for unanticipated purposes. Consistent with the FTC’s overall approach to consumer privacy, the report seeks to balance the potential benefits of behavioral advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace.
Ad groups to develop voluntary marketing privacy guidelines
Date CapturedWednesday January 14, 2009 07:46 PM
Daily News Alert - [The announcement of the joint effort took place on the same day that two consumer advocacy groups, the Center for Digital Democracy and the U.S. Public Interest Research Group, asked the FTC to investigate behavioral targeting practices aimed at users of mobile phones and requested regulations to make it easier for mobile phone users to control how information about them is used.]
"Cleaning Up After Cookies"
Date CapturedTuesday January 06, 2009 03:26 PM
Kate McKinley, a researcher at iSec Partners writes [Modern web browsers and plugins are rapidly expanding web developers’ ability to store data on users’ systems, while simultaneously adding features which allow users the perception of more control over that data. Users need to be confident that their perceptions match reality. Unfortunately, the privacy modes offered by browsers are still evolving (several are only available as betas), and none remove all the tracking data users might expect them to block. A tool was created to set and report on different data stores. This paper presents the findings from running this tool using several major browsers with two plug-ins across three common operating systems. We find current browsers are unable to extend tracking protection to third party plug-ins such as Google Gears and Adobe Flash. Some of these require no user prompting under common configurations and even expose tracking data saved with one browser to sites visited by a different browser. We also recommend approaches for solving these problems.]
Careful what you search for
Date CapturedThursday January 01, 2009 05:15 PM
Fortune Jia Lynn Yang [So if you're a 33-year-old working female who lives in New York City and who likes to search for Jimmy Choo pumps, you might see ads for a local shoe store - thanks to the personal information the search engines have about you. "There are many free online tools, but they're not really free," explained Greg Conti, a professor of computer science at West Point and the author of Googling Security: How Much Does Google Know About You? "We end up paying for them with micro-payments of personal information which, in turn, are captured and used for data mining and targeted advertising."]
Why Obama should ditch YouTube
Date CapturedSunday December 14, 2008 09:35 PM
Christopher Soghoian, a student fellow at Harvard University's Berkman Center for Internet and Society and PhD candidate at Indiana University's School of Informatics blogs [The privacy risks aren't just limited to YouTube. Just a week ago, Dan Goodin at The Register criticized the use of the Google Analytics Web-tracking code in the Change.gov site--which also sets a permanent tracking cookie. Although he mostly focused on security risks, and not privacy-related threats, he blasted Obama's Web design team, stating that: The failure of Obama's Webmasters to follow anything remotely like best practices is more than a little troubling because it suggests they don't fully grasp the security realities of living in a Web 2.0 world. Eight years ago, the issue of cookies tracking users on government sites was a fairly big issue in tech policy circles, drawing the attention of those in Congress. Eventually, the Office of Management and Budget issued a directive that forbid the use of persistent cookies on federal agency sites. The Obama team's use of both YouTube and Google Analytics raises serious privacy concerns and likely clashes with the OMB directive.]

Education Policy

Education and Workforce Data Connections: A Primer on States’ Status
Date CapturedWednesday April 14, 2010 06:16 PM
Data Quality Campaign - [States are currently working to connect education and workforce data, however, states are far from reaching the goal of having data systems that can link across the P-20/Workforce spectrum. To connect these education and workforce databases, states should engage a broad range of stakeholders to: 1. Prioritize, through broad-based stakeholder input, the critical policy questions to drive the development and use of longitudinal data systems. 2. Ensure data systems are interoperable within and across agencies and states by adopting or developing common data standards, definitions and language. 3. Protect personally identifiable information through governance policies and practices that promote the security of the information while allowing appropriate data access and sharing.]

Education Reporting Systems

SunGard
Date CapturedSaturday November 21, 2009 01:02 PM
[Student Information Management -- eSchoolPLUS is a student management system that helps educators and parents by providing them direct, real-time access to the most relevant student information available. Teachers and administrators can easily manage day-to-day student information and data such as demographics, scheduling, attendance, discipline, standardized tests, report cards and transcripts. With eSchoolPLUS, parents gain the ability to be more informed as to their child’s grades, attendance, assignments and discipline information. Superintendents, principals and other district administrators and school board members can track daily school status, student performance and progress.]

Electronic Health Records (EHR)

Sebelius, Solis Announce Nearly $1 Billion Recovery Act Investment in Advancing Use of Health IT, Training Workers for Health Jobs of the Future
Date CapturedMonday February 15, 2010 06:21 PM
WASHINGTON, DC - Health and Human Services Secretary Kathleen Sebelius and Labor Secretary Hilda Solis today announced a total of nearly $1 billion in Recovery Act awards to help health care providers advance the adoption and meaningful use of health information technology (IT) and train workers for the health care jobs of the future. The awards will help make health IT available to over 100,000 hospitals and primary care physicians by 2014 and train thousands of people for careers in health care and information technology. This Recovery Act investment will help grow the emerging health IT industry which is expected to support tens of thousands of jobs ranging from nurses and pharmacy techs to IT technicians and trainers. The over $750 million in HHS grant awards Secretary Sebelius announced today are part of a federal initiative to build capacity to enable widespread meaningful use of health IT. This assistance at the state and regional level will facilitate health care providers' efforts to adopt and use electronic health records (EHRs) in a meaningful manner that has the potential to improve the quality and efficiency of health care for all Americans. Of the over $750 million investment, $386 million will go to 40 states and qualified State Designated Entities (SDEs) to facilitate health information exchange (HIE) at the state level, while $375 million will go to an initial 32 non-profit organizations to support the development of regional extension centers (RECs) that will aid health professionals as they work to implement and use health information technology - with additional HIE and REC awards to be announced in the near future. RECs are expected to provide outreach and support services to at least 100,000 primary care providers and hospitals within two years.
Personal Health Information Privacy
Date CapturedSunday January 10, 2010 04:42 PM
News about medical and electronic health privacy risk.
ELSI Panel Addresses Genomics Consent and Privacy at CSHL
Date CapturedFriday May 08, 2009 07:06 PM
GenomeWeb Daily News -- Andrea Anderson -- [For instance, some have expressed concern that even de-identified genetic data could be linked to study participants. Last August, the National Institutes of Health pulled their GWAS data from public databases in response to research suggesting that it might be possible to identify an individual from pooled genetic data. There has also been a great deal of discussion about what information participants should get back from such studies as well as researchers' responsibility for informing subjects about incidental findings.]
Behavioral Advertising and Privacy
Date CapturedFriday February 13, 2009 01:31 PM
World Privacy Forum - About Behaviorally targeted advertising, World Privacy Forum testimony and Comments, resources.
FTC Online Privacy Guidelines Faulted
Date CapturedFriday February 13, 2009 01:11 PM
Business Week -- Douglas MacMillan -- [On Feb. 12, the U.S. Federal Trade Commission issued guidelines designed to give consumers more information about how advertisers collect and use data about their Web surfing habits. Among the recommendations: Every site that follows Web-use patterns to tailor marketing messages, a practice known as behavioral targeting, should spell out how it is collecting data and give consumers the ability to opt out of targeting. The report also urges sites to keep collected data "as long as is necessary to fulfill a legitimate business or law enforcement need," inform users of any changes made to privacy policies, and only collect sensitive personal data—such as financial and health records—in cases where the user opts in.]
EPIC Alert - Volume 16.02 - February 10, 2009
Date CapturedThursday February 12, 2009 11:42 PM
[1] Medical Privacy Moves Forward in Congress - [2] Civil Society Launches Campaign for Privacy Convention - [3] National Academies Report Calls for New Approach to Medical Privacy - [4] President Obama Promotes Open Government - [5] Report - Google Latitude Poses Significant Privacy Risks - [6] News in Brief - [7] EPIC Bookstore: "The Dark Side" - [8] Upcoming Conferences and Events
U.S. stimulus bill pushes e-health records for all
Date CapturedThursday February 12, 2009 07:29 PM
Declan McCullagh - [The U.S. Senate on Tuesday approved an $838 billion "stimulus" bill by a 61-37 vote, capping more than a week of political sparring between critics of the measure and President Obama, who claimed during a press conference that an "economic emergency" made it necessary. What didn't come up during the president's first press conference was how one section of the convoluted legislation--it's approximately 800 pages total--is intended to radically reshape the nation's medical system by having the government establish computerized medical records that would follow each American from birth to death. Billions will be handed to companies creating these databases. Billions will be handed to universities to incorporate patient databases "into the initial and ongoing training of health professionals." There's a mention of future "smart card functionality." Yet nowhere in this 140-page portion of the legislation does the government anticipate that some Americans may not want their medical histories electronically stored, shared, and searchable. Although a single paragraph promises that data-sharing will "be voluntary," there's no obvious way to opt out. "Without those protections, Americans' electronic health records could be shared--without their consent--with over 600,000 covered entities through the forthcoming nationally linked electronic health records network," said Sue Blevins, president of the Institute for Health Freedom, a nonprofit group that advocates health care privacy.]
DOD’s and VA’s Sharing of Information
Date CapturedFriday January 30, 2009 10:11 AM
(GAO-09-268) In the more than 10 years since DOD and VA began collaborating to electronically share health information, the two departments have increased interoperability. Nevertheless, while the departments continue to make progress, the manner in which they report progress—by reporting increases in interoperability over time—has limitations. These limitations are rooted in the departments’ plans, which identify interoperable capabilities to be implemented, but lack the results-oriented (i.e., objective, quantifiable, and measurable) goals and associated performance measures that are a necessary basis for effective management. Without establishing results-oriented goals, then reporting progress using measures relative to the established goals, the departments and their stakeholders do not have the comprehensive picture that they need to effectively manage their progress toward achieving increased interoperability. Further constraining the departments’ management effectiveness is their slow pace in addressing our July 2008 recommendation related to setting up the interagency program office that Congress called for to function as a single point of accountability in the development and implementation of electronic health record capabilities.
Rethinking the Role of Consent in Protecting Health Information Privacy
Date CapturedTuesday January 27, 2009 09:52 AM
CDT is advocating for the inclusion of privacy protections in the President's economic stimulus bill, which contains at least $20 billion for a national health information technology network. CDT's paper argues that personal health information should easily flow for treatment, payment, and certain core administrative tasks without requiring patient consent, but that stricter limits need to be placed on marketing and other secondary uses. January 26, 2009. This paper advocates for a new generation of privacy protections that allow personal health information to flow among health care entities for treatment, payment, and certain core administrative tasks without first requiring patient consent, as long as there is a comprehensive framework of rules that governs access to and disclosure of health data. Patient consent is one important element of this framework, but relying on consent would do little to protect privacy. This paper also suggests how a framework of protections can provide patients with more meaningful opportunities to make informed choices about sharing their personal health information online.
What Every American Needs to Know about the HIPAA Medical Privacy Rule* -- Updated November 2008
Date CapturedSunday January 18, 2009 09:39 PM
By Sue A. Blevins, president of the Institute for Health Freedom and Robin Kaigh, Esq., an attorney dedicated to patients’ health privacy rights. [Did you know that under the federal HIPAA (Health Insurance Portability and Accountability Act of 1996) medical privacy rule, your personal health information—including past records and genetic information—can be disclosed without your consent to large organizations such as the following? Data-processing companies; Insurers; Researchers (in some instances); Hospitals; Doctors (even those not treating you); Law enforcement officials; Public health officials; Federal government.]
Institute for Health Freedom (IHF)
Date CapturedSunday January 18, 2009 09:32 PM
[Health Freedom Watch (Email newsletter published by the Institute for Health Freedom) January 2009 -- Contents: Economic Stimulus Package and Your Health Privacy; HHS Secretary Confirmation Hearing: Questions Remain about How to Pay for Proposed Health-Care Expansions; Lead Plaintiff in Medicare Lawsuit Asks for a Temporary Restraining Order and Preliminary Injunction against SSA and HHS.]
Center for Democracy & Technology (CDT) Applauds Critical Privacy, Security Provisions in Health IT Stimulus Bill
Date CapturedSunday January 18, 2009 05:59 PM
[The bill's privacy provisions include the following: Stronger protections against the use of personal health information for marketing purposes; Accountability for all entities that handle personal health information; A federal, individual right to be notified in the event of a breach of identifiable health information; Prohibitions on the sale of valuable patient-identifiable data for inappropriate purposes; Development and implementation of federal privacy and security protections for personal health records; Easy access by patients to electronic copies of their records; and Strengthened enforcement of health privacy rules. The provisions in the bill are similar to those that received bipartisan approval by the House Energy & Commerce Committee in the last Congress.]
Privacy Issue Complicates Push to Link Medical Data
Date CapturedSunday January 18, 2009 05:39 PM
NY Times By ROBERT PEAR [“Until people are more confident about the security of electronic medical records,” Mr. Whitehouse said, “it’s vitally important that we err on the side of privacy.” The data in medical records has great potential commercial value. Several companies, for example, buy and sell huge amounts of data on the prescribing habits of doctors, and the information has proved invaluable to pharmaceutical sales representatives. “Health I.T. without privacy is an excellent way for companies to establish a gold mine of information that can be used to increase profits, promote expensive drugs, cherry-pick patients who are cheaper to insure and market directly to consumers,” said Dr. Deborah C. Peel, coordinator of the Coalition for Patient Privacy, which includes the American Civil Liberties Union among its members.]
Obama adds health IT to economic stimulus package
Date CapturedFriday December 19, 2008 07:34 PM
Published on December 8, 2008 -- Government Health IT Paul McCloskey writes [The Wired bill, which failed to pass the Senate this summer, created incentives for health IT adoption and addressed several privacy problems that had long delayed the bill. Obama’s address followed remarks a day earlier by Sen. Tom Daschle, the designated Secretary of the Department of Health and Human Services. The transition team will manage a series of “health care community discussions,” to run from Dec. 15 to Dec. 30, that will solicit opinions on health care reform directly from the public. The meetings will be modeled on the Obama election campaign, which took advantage of the Internet to solicit support directly from the public. Obama's Internet site asks people to submit ideas for how to improve the health care system.]
HHS -- Health Information Technology
Date CapturedThursday December 18, 2008 05:18 PM
Secretary Leavitt Announces New Principles, Tools to Protect Privacy, Encourage More Effective Use of Patient Information to Improve Care
Date CapturedThursday December 18, 2008 05:11 PM
The privacy principles articulated by Secretary Leavitt are as follows: Individual Access – Consumers should be provided with a simple and timely means to access and obtain their personal health information in a readable form and format. Correction – Consumers should be provided with a timely means to dispute the accuracy or integrity of their personal identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied. Consumers also should be able to add to and amend personal health information in products controlled by them such as personal health records (PHRs). Openness and Transparency -- Consumers should have information about the policies and practices related to the collection, use and disclosure of their personal information. This can be accomplished through an easy-to-read, standard notice about how their personal health information is protected. This notice should indicate with whom their information can or cannot be shared, under what conditions and how they can exercise choice over such collections, uses and disclosures. In addition, consumers should have reasonable opportunities to review who has accessed their personal identifiable health information and to whom it has been disclosed. Individual Choice -- Consumers should be empowered to make decisions about with whom, when, and how their personal health information is shared (or not shared). Collection, Use, and Disclosure Limitation – It is important to limit the collection, use and disclosure of personal health information to the extent necessary to accomplish a specified purpose. The ability to collect and analyze health care data as part of a public good serves the American people and it should be encouraged. But every precaution must be taken to ensure that this personal health information is secured, deidentified when appropriate, limited in scope and protected wherever possible. 
Data Integrity – Those who hold records must take reasonable steps to ensure that information is accurate and up-to-date and has not been altered or destroyed in an unauthorized manner. This principle is tightly linked to the correction principle. A process must exist in which, if consumers perceive a part of their record is inaccurate, they can notify their provider. Of course the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers that right, but this principle should be applied even where the information is not covered by the Rule. Safeguards – Personal identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. Accountability – Compliance with these principles is strongly encouraged so that Americans can realize the benefit of electronic health information exchange. Those who break rules and put consumers’ personal health information at risk must not be tolerated. Consumers need to be confident that violators will be held accountable.
The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
Date CapturedThursday December 18, 2008 04:56 PM
The principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information below establish a single, consistent approach to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation’s adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a netwo

Electronic Records

HHS Names David Blumenthal As National Coordinator for Health Information Technology
Date CapturedSaturday March 21, 2009 01:00 PM
The American Recovery and Reinvestment Act includes a $19.5 billion investment in health information technology, which will save money, improve quality of care for patients, and make our health care system more efficient. Dr. Blumenthal will lead the effort at HHS to modernize the health care system by catalyzing the adoption of interoperable health information technology by 2014 thereby reducing health costs for the federal government by an estimated $12 billion over 10 years.
Lost Cellphone? Your Carrier Has Your Backup
Date CapturedWednesday February 25, 2009 08:28 PM
Wall Street Journal - Mossberg Solution - KATHERINE BOEHRET [By the time you've left your cellphone in a taxi or dropped it into a pot of soup, it's too late. All those phone numbers you had at your fingertips -- your best friend, your boss, your mom -- are gone. (Well, maybe you'll remember Mom's.) Some companies have tried to soothe backup concerns with gadgets like the $50 Backup-Pal from Advanced Wireless Solutions LLC, or wireless services like Skydeck. But for many people, it's just as easy to ignore the risk.]

Enhanced DL

Today's Living on 'Today's THV at 5': Real ID Program
Date CapturedTuesday December 01, 2009 03:27 PM
Rebecca Buerkle writes - [Twenty-four states have passed laws or resolutions saying they will not comply. Other states that want an extension on the Dec. 31 deadline had until Tuesday to demonstrate they are making progress. But as many as 12 states may not be able to do so, making 36 states non-compliant.]
Video: Hacker war drives San Francisco cloning RFID passports
Date CapturedTuesday February 03, 2009 07:21 PM
Thomas Ricker - [Chris recently drove around San Francisco reading RFID tags from passports, driver licenses, and other identity documents. In just 20 minutes, he found and cloned the passports of two very unaware US citizens.]
How RFID Tags Could Be Used to Track Unsuspecting People
Date CapturedThursday September 11, 2008 08:41 PM
Scientific American -- "The new licenses come equipped with radio-frequency identification (RFID) tags that can be read right through a wallet, pocket or purse from as far away as 30 feet. Each tag incorporates a tiny microchip encoded with a unique identification number. As the bearer approaches a border station, radio energy broadcast by a reader device is picked up by an antenna connected to the chip, causing it to emit the ID number. By the time the license holder reaches the border agent, the number has already been fed into a Homeland Security database, and the traveler’s photograph and other details are displayed on the agent’s screen."
Enhanced driver's license program a "threat" to privacy
Date CapturedWednesday August 13, 2008 08:12 PM
ITBusiness reports, "Despite widespread privacy concerns, several Canadian provinces are pushing through with the implementation of the enhanced driver's license (EDL) scheme that seeks to link U.S.-Canada border security measures."
Enhanced Driver’s Licenses Coming Your Way…
Date CapturedSunday July 27, 2008 05:01 PM
Steven A. Culbreath, Esq. blogs, "DHS has worked to align REAL ID and EDL requirements. EDLs that are developed consistent with the requirements of REAL ID can be used for official purposes such as accessing a Federal facility, boarding Federally-regulated commercial aircraft, and entering nuclear power plants." And... "While the REAL ID requires proof of legal status in the U.S., the state issued EDL will require that the card holder be a U.S. citizen."
realnightmare.org
Date CapturedSunday July 20, 2008 06:48 PM
Anti-Real ID website
GOVERNOR PATERSON ANNOUNCES AVAILABILITY OF NEW ENHANCED DRIVER LICENSE
Date CapturedSaturday July 19, 2008 11:22 AM
July 9, 2008 PRESS RELEASE excerpts: The EDL can be readily obtained by applying at local DMV offices. Since it is a driver license, it will be easier to carry than a passport, making it especially convenient for those who make frequent or unplanned crossings. The EDL will be valid for up to eight years, the same period as a current drivers license. The new licenses will be clearly distinguishable as a limited use international travel document by the added features of a U.S. flag on the front and the machine readable text on the reverse, both identifying it as an “enhanced” driver license. Each EDL will have various new security features within the document that will help to deter counterfeiting.

E-Reader

Updated and Corrected: E-Book Buyer's Guide to Privacy
Date CapturedThursday December 31, 2009 03:20 PM
Electronic Frontier Foundation -- [A few weeks ago, EFF published its first draft of a Buyer's Guide to E-Book Privacy. In that first draft we incorporated the actual language of the privacy policies as much as possible, which unfortunately created some confusion since companies generally use different language to address similar issues. We also did a few other things clumsily. First, we've re-written many of the questions and answers to provide more clarity about the behavior of each e-reader. Second, we've tried to point out where companies' privacy policies themselves are unclear on particular issues. And finally, we've made the whole thing easier to read by changing its visual layout. This guide continues to be a work in progress.]

European Union

Reconciling Personal Information in the United States and European Union
Date CapturedThursday June 27, 2013 04:16 PM
Paul M. Schwartz, University of California, Berkeley - School of Law; Daniel J. Solove, George Washington University Law School; May 3, 2013

FAA

Review: Federal program used to hide flights from public
Date CapturedTuesday April 13, 2010 08:22 PM
USA Today -- By Michael Grabell and Sebastian Jones, ProPublica - [Use of the airspace is considered public information because taxpayers fund air-traffic controllers, radars and runways. "It belongs to all of us," said Chuck Collins, who has studied private jet travel at the Institute for Policy Studies, a progressive think tank. "It's not a private preserve." NBAA spokesman Dan Hubbard said privacy is important to business fliers because competitors can learn of potential deals by tracking planes, and that could affect stock prices. "There are certain circumstances where there is a security concern," he said. In 2000, Congress required websites to stop posting flights of certain planes at the FAA's request. The FAA later agreed to let the aviation group be the clearinghouse. FAA spokeswoman Laura Brown said the agency lacks resources to evaluate whether requests to keep flights secret are justified, so the agency lets the NBAA decide each month the flights kept from public view.]

Fair Information Practice

INFORMATION RESELLERS Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace
Date CapturedThursday November 21, 2013 02:23 PM
What GAO Recommends: Congress should consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information. Any changes should seek to provide consumers with appropriate privacy protections without unduly inhibiting commerce and innovation. The Department of Commerce agreed that strengthened privacy protections could better protect consumers
FTC to Study Data Broker Industry’s Collection and Use of Consumer Data
Date CapturedTuesday December 18, 2012 01:44 PM
The nine data brokers receiving orders from the FTC are: 1) Acxiom, 2) Corelogic, 3) Datalogix, 4) eBureau, 5) ID Analytics, 6) Intelius, 7) Peekyou, 8) Rapleaf, and 9) Recorded Future. The FTC is seeking details about: the nature and sources of the consumer information the data brokers collect; how they use, maintain, and disseminate the information; and the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold.
Some questions raised over release of student info (North Dakota)
Date CapturedTuesday March 08, 2011 04:54 PM
[North Dakota: High schools across the state would be required to give names, addresses and phone numbers of their students to the State Board of Higher Education under a proposed Senate bill.] [Several committee members expressed concern about the additional information and wanted to make sure parents would be fully aware of what information was being requested before opting out. That view also was shared by Bev Nielson of the North Dakota School Boards Association.]
Rush Introduces Online Privacy Bill, H.R. 611, The BEST PRACTICES Act
Date CapturedFriday February 11, 2011 06:04 PM
Ensure that consumers have meaningful choices about the collection, use, and disclosure of their personal information. • Require companies that collect personal information to disclose their practices with respect to the collection, use, disclosure, merging, and retention of personal information, and explain consumers' options regarding those practices. • Require companies to provide disclosures of their practices in concise, meaningful, timely, and easy-to-understand notices, and direct the Federal Trade Commission to establish flexible and reasonable standards and requirements for such notices. • Require companies to obtain "opt-in" consent to disclose information to a third party. In the bill, the term, "third party" would be defined based on consumers' reasonable expectations rather than corporate structure. • Establish a "safe harbor" that would exempt companies from the "opt-in" consent requirement, provided those companies participate in a universal opt-out program operated by self-regulatory bodies and monitored by the FTC. • Require companies to have reasonable procedures to assure the accuracy of the personal information they collect. The bill would also require the companies to provide consumers with reasonable access to, and the ability to correct or amend, certain information. • Require companies to have reasonable procedures to secure information and to retain personal information only as long as it's necessary to fulfill a legitimate business or law enforcement need.
NCES 2011-602 Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records
Date CapturedTuesday January 04, 2011 09:55 PM
SLDS Technical Brief - Guidance for Statewide Longitudinal Data Systems (SLDS) [A privacy and data protection program for student education records must include an array of rules and procedures for protecting PII held in the record system. It also must include a full set of public disclosures of the existence and uses of the information included in the data system, a description of all parents’ or eligible students’ rights to review and appeal the contents of an individual education record and of their rights and the procedures to appeal a violation.]*****[A school directory may include PII such as a student’s name, grade level, and contact information. Taken by itself, the release of this information is not harmful to a student. However, when combined with the student’s Social Security Number or another identifier and the student’s education record, this information has the potential for violating a student’s right to privacy. The release of this combined record could lead to harm or embarrassment. Thus, the privacy and data protection program should focus on PII that will be maintained in the electronic student record system with its likely wealth of student data.]
COMMERCIAL DATA PRIVACY AND INNOVATION IN THE INTERNET ECONOMY: A DYNAMIC POLICY FRAMEWORK
Date CapturedThursday December 16, 2010 01:16 PM
US DEPT OF COMMERCE REPORT says the principles "should promote increased transparency through simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill these purposes, and expanded use of robust audit systems to bolster accountability." NO RECOMMENDATIONS REGARDING EDUCATION AND FERPA DIRECTORY INFORMATION.
html5
Date CapturedWednesday October 20, 2010 07:42 PM
HTML5 is a new version of HTML and XHTML. The HTML5 draft specification defines a single language that can be written in HTML and XML. It attempts to solve issues found in previous iterations of HTML and addresses the needs of Web Applications, an area previously not adequately covered by HTML.
Schools Selling Students' Personal Information
Date CapturedWednesday October 06, 2010 03:17 PM
Link to stories about schools selling student information
Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information
Date CapturedTuesday September 28, 2010 02:51 PM
GAO-08-795T : In its report GAO identified alternatives that the Congress should consider, including revising the scope of privacy laws to cover all personal information, requiring that the use of such information be limited to a specific purpose, and revising the structure and publication of privacy notices.
Letter to: Chairman Boucher and Ranking Member Stearns
Date CapturedMonday June 07, 2010 06:26 PM
Mike Sachoff -- [In response to a discussion draft of a new privacy bill now under consideration by the House Subcommittee on Communications, Technology and the Internet, ten privacy and consumer groups today called for stronger measures to protect consumer privacy both online and off. The organizations including the Consumer Federation of America, Electronic Frontier Foundation, Consumer Watchdog, World Privacy Forum, Consumer Action, USPIRG, Privacy Rights Clearinghouse, Privacy Times, Privacy Lives, and the Center for Digital Democracy, raised their concerns in a letter to Subcommittee Chairman Rick Boucher and Ranking Member Cliff Stearns. The groups recommended the following: *The bill should incorporate the Fair Information Practice Principles that have long served as the bedrock of consumer privacy protection in the U.S., including the principle of not collecting more data than is necessary for the stated purposes, limits on how long data should be retained, and a right to access and correct one's data. *The bill's definitions of what constitutes "sensitive information" need to be expanded; for instance, to include health-related information beyond just "medical records." *The bill should require strict "opt-in" procedures for the collection and use of covered data and should prohibit the collection and use of any sensitive information except for the transactions for which consumers provided it.]
Delta College trustees won't add more student information to campus directory
Date CapturedThursday March 18, 2010 01:34 PM
By Andrew Dodson | The Bay City Times - [Currently, information on Delta College students that is readily available, unless they have opted out, includes their name, degree, address, awards, dates attended, program, participation in activities, enrollment, e-mail and weight and height for members of athletic teams. Higgs argued that the college should have more items on file, including a student photo, whether or not that student is full or part time and a phone number. "That's what the courts look to," said Higgs. "Our policy doesn't have those things and it should." Other board members disagreed, saying that more data collecting isn't required and isn't worth the time. They voted against the plan 8-1.]
CDT- Updating the Privacy Act of 1974 -
Date CapturedTuesday March 16, 2010 09:16 PM
[Updating the Privacy Act of 1974 June 5, 2009 government-wide push toward the development of policies and practices to protect the information of citizens and other individuals. While the underlying framework of the law, rooted in the principles of Fair Information Practices (FIPs), is still sound, the thirty-five year-old wording of the Act renders it ill-equipped to meet many of the privacy challenges posed by modern information technology. 1) Updating the Privacy Act of 1974 2) Fair Information Practices are Central 3) The Creation of Federal Privacy Leadership 4) Updating Definitions to Match Changing Data Practices 5) Strengthening Privacy Notices]
THE FAILURE OF FAIR INFORMATION PRACTICE PRINCIPLES forthcoming in Consumer Protection in the Age of the ‘Information Economy’
Date CapturedSunday January 31, 2010 10:03 PM
Fred H. Cate - [The key is refocusing FIPPS on substantive tools for protecting privacy, and away from notice and consent; leveling the playing field between information processors and data subjects; and creating sufficient, but limited, liability so that data processors will have meaningful incentives, rather than bureaucratic regulations, to motivate appropriate behavior, and that individuals will be compensated when processing results in serious harm. This is only a first step. These proposed Consumer Privacy Protection Principles are undoubtedly incomplete and imperfect, but they are an effort to return to a more meaningful dialogue about the legal regulation of privacy and the value of information flows in the face of explosive growth in technological capabilities in an increasingly global society.]
Summary of LD 1677 Bill Info LD 1677 (SP 649) "An Act To Protect Minors from Pharmaceutical Marketing Practices"
Date CapturedThursday January 07, 2010 06:04 PM
State of Maine Legislature - "An Act To Protect Minors from Pharmaceutical Marketing Practices" -- Sponsored by Senator Elizabeth Schneider. -- IAPP writes -- [The bill applies to online information only and is limited to pharmaceutical marketing. It gives the attorney general the power to adopt rules to determine its scope. Violation of the law would be considered an unfair trade practice.]
Comments of the World Privacy Forum to FTC, Nov. 6, 2009
Date CapturedThursday December 17, 2009 10:58 PM
Pam Dixon Executive Director, World Privacy Forum -- Re: Privacy Roundtables – Comment, Project No. P095416 - [The World Privacy Forum understands that businesses have a right to exist and to make money, and that advertising and marketing is part of the marketplace. But we also believe that there is not a reasonable balance right now between what data is being collected and used, and what consumers can do to manage that data and their privacy. There are no perfect solutions, but we think that a rights-based framework based on approaches contained in the Fair Credit Reporting Act and on Fair Information Practices will address many of the problems and help create solutions that are equitable for all stakeholders.]
Refocusing the FTC’s Role in Privacy Protection
Date CapturedMonday December 14, 2009 05:31 PM
Comments of the Center for Democracy & Technology (CDT) in regards to the FTC Consumer Privacy Roundtable.
Refocusing the FTC’s Role in Privacy Protection
Date CapturedTuesday November 10, 2009 03:33 PM
Center for Technology in Government (CDT) Policy Post 15.17, November 10, 2009. [A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology Refocusing the FTC’s Role in Privacy Protection 1) CDT Submits Comments in regards to the FTC Consumer Privacy Roundtable 2) The Significance of a Comprehensive Set of Fair Information Practice Principles 3) Examining FIPs at Work: Recent FTC Enforcement Actions Demonstrate a Path Forward 4) CDT Recommendations for Future FTC Action]
Use of parental list is faulted
Date CapturedTuesday November 03, 2009 08:06 PM
March 17, 2008 by Scott Waldman - [GUILDERLAND - Guilderland School District violated federal law when it provided the names and addresses of parents to the teachers union, according to the state's authority on open government. Last year, Guilderland Teachers Association used those names and addresses to send parents of school-aged children postcards promoting the union's picks in a school board election. School officials deny that any law was broken, but the district recently imposed a moratorium on releasing "directory" information after complaints by school board members and news coverage of the controversy.]
South Dakota Superintendent Thinks Info Policy Will Pass Tonight
Date CapturedFriday October 30, 2009 05:37 PM
[Over the past month some parents have voiced their concerns to the school board over what they consider the selling of their children's contact information. Some say they don't want it to land in the wrong hands. Pam Homan says parents have known about the information policy for some time. "On the blue card, as we call it, parents have been informed of the FERPA requirement and whether or not they wish to have their child's name included or excluded from information." Revisions have been made to the proposed policy, allowing parents more control over where the information is given. It will allow four categories that are: school publications, directory information, SD board of regents, and military recruiters.]
FAIR INFORMATION PRACTICE PRINCIPLES
Date CapturedFriday October 30, 2009 11:08 AM
Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information -- their "information practices" -- and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices. Common to all of these documents [hereinafter referred to as "fair information practice codes"] are five core principles of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.
Protection of Pupil Rights Amendment (PPRA)
Date CapturedFriday October 30, 2009 11:00 AM
The Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. § 1232h; 34 CFR Part 98) applies to programs that receive funding from the U.S. Department of Education (ED). PPRA is intended to protect the rights of parents and students.
Education Marketing Group/ECRA LAWSUIT RE: SALE OF STUDENT INFORMATION
Date CapturedFriday October 30, 2009 10:15 AM
Parties Subject to Order ORDERED, ADJUDGED AND DECREED that this Consent Order and Judgment shall extend to Student Marketing Group, Inc. (“SMG”) and Educational Research Center of America, Inc. (“ERCA”), their successors, assignees, officers, agents, representatives, affiliates and employees and any other person under their direction or control, whether acting individually or in concert with others or through any corporate entity or device through which they may now or hereafter act or conduct business (collectively “respondents”).
Americans Don't Like Being Tracked on Web
Date CapturedMonday October 05, 2009 06:21 PM
[The Times notes that Representative Rick Boucher, Democrat from Virginia, is planning to introduce privacy legislation that will address on-line tracking, while David Vladeck, head of consumer protection for the Federal Trade Commission (FTC), is indicating that he is keeping a close watch on consumer privacy protection as well.]
Commission Extension of Deferral of Enforcement of the Identity Theft Red Flags Rule Until August 1, 2009
Date CapturedMonday May 04, 2009 04:43 PM
[The Federal Trade Commission (the “FTC” or “Commission”) is extending its deferral of enforcement of the Identity Theft Red Flags Rule to August 1, 2009. This rule was promulgated pursuant to § 114 of the Fair and Accurate Credit Transactions Act (“FACTA”). Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Identity Theft Red Flags Rule requires any of these entities that have “covered accounts” to develop and implement written identity theft prevention programs. The identity theft prevention programs must be designed to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. This rule applies to all entities that regularly permit deferred payments for goods or services, including entities such as health care providers, attorneys, and other professionals, as well as retailers and a wide range of businesses that invoice their customers.]
IE8's Cumbersome Privacy Controls May Discourage Use
Date CapturedMonday March 23, 2009 04:06 PM
Patricia Resende writes [Microsoft's new IE8 features follow a warning to Internet browser makers from the Federal Trade Commission to self-regulate privacy issues or face regulation. Microsoft came under fire for its Passport feature as the Electronic Privacy Information Center and 14 other groups asked the FTC in 2001 to force a revision of the security standard on Passport. The groups alleged Microsoft violated the law by linking Windows XP with requests to sign up for Passport and misleading users to believe that Passport protected privacy when it instead tracked, profiled and monitored users.]
An Icon That Says They’re Watching You
Date CapturedThursday March 19, 2009 06:20 PM
NY Times Saul Hansell writes [Mr. Turow has developed a plan that is simpler and more comprehensive: Put an icon on each ad that signifies that the ad collects or uses information about users. If you click the icon, you will go to what he calls a “privacy dashboard” that will let you understand exactly what information was used to choose that ad for you. And you’ll have the opportunity to edit the information or opt out of having any targeting done at all. “I don’t think ‘Ads by Google’ is enough,” he said. “The problem with the whole rhetoric Google is using is that it is designed to stop you from wanting to learn more and do something.”]
A Call to Legislate Internet Privacy
Date CapturedMonday March 16, 2009 10:31 AM
NY Times Saul Hansell writes [“Internet users should be able to know what information is collected about them and have the opportunity to opt out,” he said. While he hasn’t written the bill yet, Mr. Boucher said that he, working with Representative Cliff Stearns, the Florida Republican who is the ranking minority member on the subcommittee, wants to require Web sites to disclose how they collect and use data, and give users the option to opt out of any data collection. That’s not a big change from what happens now, at least on most big sites. But in what could be a big change from current practice, Mr. Boucher wants sites to get explicit permission from users — an “opt in” — if they are going to share information with other companies.]
Commercial Activities in Schools: Use of Student Data is Limited and Additional Dissemination of Guidance Could Help Districts Develop Policies
Date CapturedThursday March 12, 2009 03:16 PM
GAO -- Recommendation: The Secretary of Education should take additional action to assist districts in understanding that they are required to have specific policies in place for the collection, disclosure, and use of student information for marketing and selling purposes by disseminating its guidance to state school boards associations.
Advertisers Get a Trove of Clues in Smartphones
Date CapturedWednesday March 11, 2009 03:05 PM
NY Times STEPHANIE CLIFFORD writes [The capability for collecting information has alarmed privacy advocates. “It’s potentially a portable, personal spy,” said Jeff Chester, the executive director of the Center for Digital Democracy, who will appear before Federal Trade Commission staff members this month to brief them on privacy and mobile marketing. He is particularly concerned about data breaches, advertisers’ access to sensitive health or financial information, and a lack of transparency about how advertisers are collecting data. “Users are going to be inclined to say, sure, what’s harmful about a click, not realizing that they’ve consented to give up their information.”]
PRIVACY AND DATA PROTECTION
Date CapturedWednesday March 11, 2009 02:42 PM
The Business Forum for Consumer Privacy (BFCP), a coalition of companies including Microsoft, Google and HP, released a whitepaper intended to start a discussion about governing information collection and use. The BFCP says the current U.S. approach, which holds consumers responsible for how their private information is used, is not sufficient in the information economy. In the whitepaper, the forum proposes an alternative approach toward securing private data: a "use-and-obligations" model. This model, the authors say, draws upon the OECD Guidelines and the APEC Privacy Framework, and outlines five categories of data use: fulfillment, marketing, internal business operations, antifraud and authentication, and external legal and public good. Forum members say a use-and-obligations model will better address ways in which information is collected and used in the twenty-first century.
ONLINE BEHAVIORAL ADVERTISING: A CHECKLIST OF PRACTICES THAT IMPACT CONSUMER TRUST
Date CapturedWednesday March 04, 2009 03:09 PM
Truste white paper -- [Self-regulation is a process often preceded by leading companies beginning to strengthen practices and chart advances that are then more widely adopted. In particular, companies should be aware of evolving industry practices in the following areas: Application of certain privacy principles to some types of non-personal data, for example, behavioral profiles, cookie IDs or IP addresses. Notices about ad-serving and behavioral targeting being provided in banner ads or on home pages, in addition to within a privacy policy. Choice being provided not only for the sharing of ad-serving data, but with regard to data use by a single company to tailor ads on its own sites. The establishment of specific data retention policies and anonymization techniques for log-file data.]
Cable Companies Target Commercials to Audience
Date CapturedWednesday March 04, 2009 02:53 PM
NY Times STEPHANIE CLIFFORD [Cablevision matches households to demographic data to divide its customers, using the data-collection company Experian. Experian has data on individuals that it collects through public records, registries and other sources. It matches the name and address of the subscriber to what it knows about them, and assigns demographic characteristics to households. (The match is a blind one: advertisers do not know what name and address they are advertising to, Cablevision executives said.) Advertisers can also give their existing customer lists to Experian, and Experian can make matches — so G.M., for example, could direct an ad based on who already owns a G.M. car. Advertisers are willing to pay premiums for ads that go only to audiences they have selected.]
Children's Online Privacy Protection Act of 1998
Date CapturedTuesday March 03, 2009 03:14 PM
TITLE XIII-CHILDREN'S ONLINE PRIVACY PROTECTION
***NOTE INCONSISTENCY BETWEEN DEFINITIONS OF PERSONAL INFORMATION AND PARENTAL CONSENT BETWEEN COPPA AND FERPA
COPPA DEFINITION (LINK HAS FULL COPPA TEXT)
(8) PERSONAL INFORMATION.—The term "personal information" means individually identifiable information about an individual collected online, including—
(A) a first and last name;
(B) a home or other physical address including street name and name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;
(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or
(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.
(9) VERIFIABLE PARENTAL CONSENT.—The term "verifiable parental consent" means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.
RE: USE OF CLOUD COMPUTING APPLICATIONS AND SERVICES
Date CapturedThursday February 26, 2009 06:07 PM
Associate Director John B. Horrigan (202-419-4500) - September 2008 - Pew/Internet - [Convenience and flexibility are the watchwords for those who engage in cloud computing activities: 51% of internet users who have done a cloud computing activity say a major reason they do this is that it is easy and convenient. 41% of cloud users say a major reason they use these applications is that they like being able to access their data from whatever computer they are using. 39% cite the ease of sharing information as a major reason they use applications in cyberspace or store data there. At the same time, users report high levels of concern when presented with scenarios in which companies may put their data to uses of which they may not be aware. 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party. 80% say they would be very concerned if companies used their photos or other data in marketing campaigns. 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.]
Cloud computing takes hold despite privacy fears
Date CapturedThursday February 26, 2009 06:03 PM
Computerworld -- Heather Havenstein [Users of online e-mail, storage systems fear the sale of personal data without permission]
Cloud Computing Privacy Tips
Date CapturedWednesday February 25, 2009 04:11 PM
World Privacy Forum -- February 23, 2009 -- By Robert Gellman and Pam Dixon [Cloud Computing Tips for Consumers: Read the Terms of Service before placing any information in the cloud. If you don’t understand the Terms of Service, consider using a different cloud provider. Don’t put anything in the cloud you would not want the government or a private litigant to see. Pay close attention if the cloud provider reserves rights to use, disclose, or make public your information. Read the privacy policy before placing your information in the cloud. If you don’t understand the policy, consider using a different provider. When you remove your data from the cloud provider, does the cloud provider still retain rights to your information? If so, consider whether that makes a difference to you. Will the cloud provider give advance notice of any change of terms in the terms of service or privacy policy? ]
REPORT: Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing
Date CapturedWednesday February 25, 2009 03:59 PM
Released February 23, 2009 - Author: Robert Gellman: [This report discusses the issue of cloud computing and outlines its implications for the privacy of personal information as well as its implications for the confidentiality of business and governmental information. The report finds that for some information and for some business users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared. The report discusses how even when no laws or obligations block the ability of a user to disclose information to a cloud provider, disclosure may still not be free of consequences. The report finds that information stored by a business or an individual with a third party may have fewer or weaker privacy or other protections than information in the possession of the creator of the information. The report, in its analysis and discussion of relevant laws, finds that both government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information. A cloud provider’s terms of service, privacy policy, and location may significantly affect a user’s privacy and confidentiality interests.] see policy recommendations in full report.
Does Cloud Computing Mean More Risks to Privacy?
Date CapturedWednesday February 25, 2009 03:44 PM
NY Times -- Saul Hansell -- [In the United States, information held by a company on your behalf — be it a bank, an e-mail provider or a social network — is often not protected as much as information a person keeps at home or a business stores in computers it owns. Sometimes that means that a government investigator, or even a lawyer in a civil lawsuit, can get access to records by simply using a subpoena rather than a search warrant, which requires more scrutiny by a court.]
FTC Online Privacy Guidelines Faulted
Date CapturedFriday February 13, 2009 01:11 PM
Business Week -- Douglas MacMillan -- [On Feb. 12, the U.S. Federal Trade Commission issued guidelines designed to give consumers more information about how advertisers collect and use data about their Web surfing habits. Among the recommendations: Every site that follows Web-use patterns to tailor marketing messages, a practice known as behavioral targeting, should spell out how it is collecting data and give consumers the ability to opt out of targeting. The report also urges sites to keep collected data "as long as is necessary to fulfill a legitimate business or law enforcement need," inform users of any changes made to privacy policies, and only collect sensitive personal data—such as financial and health records—in cases where the user opts in.]
The F.T.C. Talks Tough on Internet Privacy
Date CapturedThursday February 12, 2009 07:20 PM
NY Times - Saul Hansell -- [In another rather striking challenge to industry dogma, the commission rejected the idea that if an Internet site doesn’t collect a user’s name or other “personally identifiable information,” it isn’t a threat to the user’s privacy. Advertising companies have defended their systems by saying they only associate data with cookies, the random identifying numbers they place in the browsers of users, and with Internet Protocol addresses, the numbers used in routing information to specific computers. “This kind of information can be a key piece to identifying an individual,” Ms. Harrington said. Internet companies, she added, “should be really clear in telling the consumer what is being collected, treat that information with care and probably treat it as information that can be used to identify a user.” ]
Response to the 2008 NAI Principles: The Network Advertising Initiative’s Self-Regulatory Code of Conduct for Online Behavioral Advertising
Date CapturedThursday February 12, 2009 06:43 PM
[CDT believes the 2008 NAI Principles, while late in addressing new trends in the industry, demonstrate clear progress over the original code of conduct adopted in 2000. The transparency of the NAI’s revision and compliance process, the approach to sensitive information, and the coverage of advertising practices beyond behavioral advertising all represent important steps forward. While robust self-regulation in the behavioral advertising space does not obviate the need for a baseline federal privacy law covering data collection and usage of all kinds, the NAI has made advances in several areas, yielding what we hope will be better protections for consumer privacy. However, the 2008 NAI Principles still come up short in crucial respects including the opt-out choice requirement, the notice standard, the NAI member accountability model, the failure to address ISP behavioral advertising, the lack of a choice requirement for multi-site advertising, and the data retention principle. Some of these are outstanding issues that have existed within the NAI framework since its inception, while others are new concerns raised by the updates to the principles.]
Center for Democracy & Technology (CDT) Applauds Critical Privacy, Security Provisions in Health IT Stimulus Bill
Date CapturedSunday January 18, 2009 05:59 PM
[The bill's privacy provisions include the following: Stronger protections against the use of personal health information for marketing purposes; Accountability for all entities that handle personal health information; A federal, individual right to be notified in the event of a breach of identifiable health information; Prohibitions on the sale of valuable patient-identifiable data for inappropriate purposes; Development and implementation of federal privacy and security protections for personal health records; Easy access by patients to electronic copies of their records; and Strengthened enforcement of health privacy rules. The provisions in the bill are similar to those that received bipartisan approval by the House Energy & Commerce Committee in the last Congress.]
Privacy Issue Complicates Push to Link Medical Data
Date CapturedSunday January 18, 2009 05:39 PM
NY Times By ROBERT PEAR [“Until people are more confident about the security of electronic medical records,” Mr. Whitehouse said, “it’s vitally important that we err on the side of privacy.” The data in medical records has great potential commercial value. Several companies, for example, buy and sell huge amounts of data on the prescribing habits of doctors, and the information has proved invaluable to pharmaceutical sales representatives. “Health I.T. without privacy is an excellent way for companies to establish a gold mine of information that can be used to increase profits, promote expensive drugs, cherry-pick patients who are cheaper to insure and market directly to consumers,” said Dr. Deborah C. Peel, coordinator of the Coalition for Patient Privacy, which includes the American Civil Liberties Union among its members.]
DHS office describes how it assesses privacy
Date CapturedTuesday January 06, 2009 01:48 PM
The FIPPS said in the memo that DHS should:
• Be transparent and provide notice to the individuals regarding collection and use of personally identifiable information (PII).
• When possible, seek consent from individuals to use their PII and provide access, correction and redress regarding DHS’ use of PII.
• Explain the authority that permits DHS to collect PII and the ways it will be used.
• Only collect PII that is necessary to accomplish the specific purpose and keep it only as long as necessary.
• Use PII only for the purpose specified in the notice. Limit sharing of PII outside the department to purposes that are compatible with the reasons that PII was collected.
• Ensure, as much as possible, that data is accurate, relevant, timely and complete.
• Protect PII with appropriate security.
• Be held accountable for complying with the principles and provide training for all employees and contractors who use PII and perform audits.

FBI

Undercover and Sensitive Operations Unit Attorney General's Guidelines on FBI Undercover Operations Revised 11/13/92
Date CapturedSaturday December 26, 2009 09:04 PM
[The following Guidelines on the use of undercover activities and operations by the Federal Bureau of Investigation (FBI) are issued under the authority of the Attorney General provided in Title 28, United States Code, Sections 509, 510, and 533. They apply to all investigations conducted by the FBI, except those conducted pursuant to its foreign counterintelligence and foreign intelligence responsibilities.]

FCC

Cable Companies Target Commercials to Audience
Date CapturedWednesday March 04, 2009 02:53 PM
NY Times STEPHANIE CLIFFORD [Cablevision matches households to demographic data to divide its customers, using the data-collection company Experian. Experian has data on individuals that it collects through public records, registries and other sources. It matches the name and address of the subscriber to what it knows about them, and assigns demographic characteristics to households. (The match is a blind one: advertisers do not know what name and address they are advertising to, Cablevision executives said.) Advertisers can also give their existing customer lists to Experian, and Experian can make matches — so G.M., for example, could direct an ad based on who already owns a G.M. car. Advertisers are willing to pay premiums for ads that go only to audiences they have selected.]
The Internet Safety Act launches a new battle on privacy
Date CapturedWednesday February 25, 2009 03:32 PM
The Christian Science Monitor -- Tom Regan [The bill would require almost everyone who provides Internet access to retain all records for two years. Right now, that includes big Internet service providers (ISPs) such as Verizon or Comcast, the coffee shop that offers free wireless access, and me because I have an Internet router set up at home that is accessed by several people. CNET News noted that the day the acts were introduced in Congress, “both the US Department of Justice’s position and legal definition of ‘electronic communication services’ line up with this [broad] interpretation.” Another section of the bill says that anyone who “knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography” can be tried under the law. More than a few ISPs worry that this broad wording includes the mere act of providing services such as e-mail might “facilitate access” to illegal material.]
2009 Media & Tech Priorities -- A Public Interest Agenda
Date CapturedMonday December 22, 2008 03:48 PM
Free Press Action Fund -- [Obama’s FCC should act quickly to adopt rules preserving Net Neutrality that mirror the legislative effort. These rules should pertain to all wired and wireless networks and should enshrine the FCC’s established four openness principles alongside a necessary fifth principle that prohibits discrimination and pay-for-priority tolls. The FCC should establish an expedited complaint process for violations of the rules and stiff penalties for violators. Finally, the FCC should move to require extensive disclosure of Internet providers’ network management techniques as well as specific information about the quality of the Internet service being purchased by consumers.]
Google Wants Its Own Fast Track on the Web
Date CapturedMonday December 15, 2008 09:27 AM
Wall Street Journal VISHESH KUMAR and CHRISTOPHER RHOADS write [For computer users, it could mean that Web sites by companies not able to strike fast-lane deals will respond more slowly than those by companies able to pay. In the worst-case scenario, the Internet could become a medium where large companies, such as Comcast Corp. in cable television, would control both distribution and content -- and much of what users can access, according to neutrality advocates. The developments could test Mr. Obama's professed commitment to network neutrality. "The Internet is perhaps the most open network in history, and we have to keep it that way," he told Google employees a year ago at the company's Mountain View, Calif., campus. "I will take a back seat to no one in my commitment to network neutrality." But Lawrence Lessig, an Internet law professor at Stanford University and an influential proponent of network neutrality, recently shifted gears by saying at a conference that content providers should be able to pay for faster service. Mr. Lessig, who has known President-elect Barack Obama since their days teaching law at the University of Chicago, has been mentioned as a candidate to head the Federal Communications Commission, which regulates the telecommunications industry.]

FERPA

Hearing on “How Emerging Technology Affects Student Privacy"
Date CapturedMonday February 16, 2015 12:24 PM
United States House of Representatives 114th Congress, 1st Session; Committee on Education and the Workforce Subcommittee on Early Childhood, Elementary and Secondary Education Hearing on “How Emerging Technology Affects Student Privacy" February 12, 2015 Statement of Joel R. Reidenberg Stanley D. and Nikki Waxberg Chair and Professor of Law Founding Academic Director, Center on Law and Information Policy Fordham University New York, NY Good morning Chairman Rokita, Ranking Member Fudge and distinguished
Privacy and Security Developments 2014 Issue 01
Date CapturedMonday November 24, 2014 06:23 AM
Privacy and Security Developments is a periodic briefing of new cases, statutes, articles, books, resources, and other developments. It is authored by Professors Daniel J. Solove and Paul M. Schwartz.
PTAC: Transparency Best Practices for Schools and Districts
Date CapturedFriday August 15, 2014 11:22 AM
FERPA Exceptions Summary
Date CapturedMonday April 14, 2014 09:03 AM
FERPA, COMMON CORE STATE STANDARDS & DATA-SHARING
Date CapturedWednesday March 06, 2013 09:54 AM
OPT-OUT PROTECT KIDS
Date CapturedSunday December 30, 2012 03:21 PM
FERPA and the Cloud: What FERPA Can Learn from HIPAA
Date CapturedTuesday December 18, 2012 07:01 AM
SOLOVE: Parents need to look at what their schools are doing about student privacy and speak up, because the law isn’t protecting their children’s privacy. School officials who want to develop a more meaningful and robust protection of privacy should talk to government officials who are tasked with complying with HIPAA. They can learn a lot from studying HIPAA and following some of its requirements. Congress should remake FERPA more in the model of HIPAA. If Congress won’t act, state legislatures should pass better education privacy laws. Because FERPA does not provide adequate oversight and enforcement of cloud computing providers, schools must be especially aggressive and assume the responsibility. Otherwise, their students’ data will not be adequately protected. School officials shouldn’t assume that the law is providing regulation of cloud computing providers and that they need not worry. The law isn’t, so right now the schools need to be especially vigilant.
It's 3PM: Who's Watching Your Children?
Date CapturedWednesday December 12, 2012 05:48 PM
Parents concerned about their children's privacy should be aware of how easily personally identifiable information can be bought and sold by marketers as well as by identity thieves. FERPA was enacted in 1974 to protect the privacy of education records and directory information -- including name, address, phone number, date of birth, and e-mail address, among other personally identifiable information. Parents should be aware that under FERPA, directory information can be disclosed without parental consent. If you do not opt out of directory information, personal and identifiable information about your children may be public.
DECEMBER 2011 – REVISED FERPA REGULATIONS: AN OVERVIEW FOR PARENTS AND STUDENTS
Date CapturedMonday November 12, 2012 11:00 AM
It is important for schools to have directory information policies, as schools may not do even mundane activities (such as publishing yearbooks or creating graduation programs) without having designated the items about the students contained in the publications as directory information. For example, without a directory information policy, FERPA would require schools to obtain consent for every student every time it wants to publish a yearbook. However, many schools have been forgoing designations of directory information, as they have concluded that such designations would put students at risk of becoming targets of marketing campaigns, the media, or even victims of criminal acts.
APPENDIX A: FERPA Guidance for Reasonable Methods and Written Agreements
Date CapturedThursday January 05, 2012 05:57 PM
FERPA represents the floor for protecting [student] privacy, not the ceiling. PAGE A-5 Federal Register/Vol. 76, No. 232/Friday, December 2, 2011/Rules and Regulations.
DEPARTMENT OF EDUCATION 34 CFR Part 99 in the Federal Register (76 FR 19726)
Date CapturedMonday December 05, 2011 11:20 AM
SUMMARY: The Secretary of Education (Secretary) amends the regulations implementing section 444 of the General Education Provisions Act (GEPA), which is commonly referred to as the Family Educational Rights and Privacy Act (FERPA). These amendments are needed to ensure that the U.S. Department of Education (Department or we) continues to implement FERPA in a way that protects the privacy of education records while allowing for the effective use of data. Improved access to data will facilitate States’ ability to evaluate education programs, to ensure limited resources are invested effectively, to build upon what works and discard what does not, to increase accountability and transparency, and to contribute to a culture of innovation and continuous improvement in education.
National Opt-Out Campaign Informs Parents How to Protect the Privacy of their Children's School Records
Date CapturedTuesday September 20, 2011 04:53 PM
Parents have rights under the Family Educational Rights Privacy Act (FERPA) to restrict access to their children's personal information.
Example of customized opt-out form
Date CapturedSunday September 04, 2011 07:45 PM
COLLEGE OF CHARLESTON FERPA DIRECTORY INFORMATION OPT-OUT FORM - note parents or college students have choices as to which information they want to share.
California AB.143
Date CapturedSaturday September 03, 2011 02:40 PM
INTRODUCED BY Assembly Member Fuentes; This bill would redefine directory information to no longer include a pupil's place of birth and to also include a pupil's e-mail address.
FTC CONSUMER ALERT: Protecting Your Child's Personal Information at School
Date CapturedFriday September 02, 2011 06:10 PM
[Ask your child's school about its directory information policy. Student directory information can include your child's name, address, date of birth, telephone number, email address, and photo. FERPA requires schools to notify parents and guardians about their school directory policy, and give you the right to opt-out of the release of directory information to third parties. It's best to put your request in writing and keep a copy for your files. If you don't opt-out, directory information may be available not only to the people in your child's class and school, but also to the general public.]
TEXAS SB 1106
Date CapturedSaturday August 13, 2011 03:54 PM
AN ACT relating to the exchange of confidential information concerning certain juveniles.
S. 1464 - METRICS Act
Date CapturedSaturday August 13, 2011 03:10 PM
To enable States to implement integrated statewide education longitudinal data systems. This Act may be cited as the ``Measuring and Evaluating Trends for Reliability, Integrity, and Continued Success (METRICS) Act of 2011'' or the ``METRICS Act''.
Stolen Futures: A Forum on Child Identity Theft July 12, 2011
Date CapturedMonday July 25, 2011 05:26 PM
Session 3 TRANSCRIPT - Securing Children’s Data in the Educational System: Steven Toporoff - Federal Trade Commission. PANELISTS: Kathleen Styles, U.S. Department of Education; Michael Borkoski, Howard County Maryland Public Schools; Larry Wong, Montgomery County Maryland Public Schools; Richard Boyle, ECMC; Denny Shaw, i-SAFE, Inc. [This panel will explore the Family Educational Rights and Privacy Act (FERPA) and initiatives to protect children’s personal information in school systems. We will also explore lessons learned from a high-profile data breach involving student information. Finally, the panel will discuss outreach efforts to teach children, teachers, youth counselors, and school administrators about privacy and securing children’s personal information.]
Balancing Student Privacy and School Safety: A Guide to the Family Educational Rights and Privacy Act for Elementary and Secondary Schools
Date CapturedMonday July 25, 2011 01:51 PM
Many school districts employ security staff to monitor safety and security in and around schools. Some schools employ off-duty police officers as school security officers, while others designate a particular school official to be responsible for referring potential or alleged violations of law to local police authorities. Under FERPA, investigative reports and other records created and maintained by these "law enforcement units" are not considered "education records" subject to FERPA. Accordingly, schools may disclose information from law enforcement unit records to anyone, including outside law enforcement authorities, without parental consent. See 34 CFR § 99.8. While a school has flexibility in deciding how to carry out safety functions, it must also indicate to parents in its school policy or information provided to parents which office or school official serves as the school's "law enforcement unit." (The school's notification to parents of their rights under FERPA can include this designation. As an example, the U.S. Department of Education has posted a model notification on the Web at: http://www.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html.) Law enforcement unit officials who are employed by the school should be designated in its FERPA notification as "school officials" with a "legitimate educational interest." As such, they may be given access to personally identifiable information from students' education records. The school's law enforcement unit officials must protect the privacy of education records it receives and may disclose them only in compliance with FERPA. For that reason, it is advisable that law enforcement unit records be maintained separately from education records.
Addressing Emergencies on Campus June 2011
Date CapturedTuesday June 28, 2011 06:32 PM
United States Department of Education (USED): Summary of two applicable Federal education laws administered by the Department of Education (Department): the Family Educational Rights and Privacy Act (FERPA) and the Higher Education Act of 1965 (HEA), as amended. This Federal component is only one piece of what is necessary to consider in ensuring the safety of our Nation’s students, faculty, and school staff. A comprehensive and effective campus policy must incorporate all Federal and State policies regarding health and safety emergencies, education, student privacy, civil rights, and law enforcement, as well as specific local community needs.
Fordham CLIP Comments on FERPA NPRM May 23, 2011 Docket: ED-2011-OM-0002
Date CapturedWednesday June 22, 2011 10:24 PM
Fordham Professor of Law Joel Reidenberg: Proposed Amendments to the FERPA Regulations contradict Congressional Mandates; Impermissible expansion of “Authorized representative” proposed in §99.3; Problematic expansion of “directory information” proposed in §99.3; Impermissible expansion of the “audit and evaluation” provision proposed in §99.35(a)(2); Questionable Enforcement proposed in §99.35.
NYS Sen. Oppenheimer and Sen. Montgomery on S.2357
Date CapturedTuesday June 21, 2011 04:25 PM
Sen. Oppenheimer and Sen. Montgomery on S.2357 @ 36:30 minutes. Senators demonstrate responsible data stewardship. S.2357 excerpt: [(C) UNLESS OTHERWISE ALLOWED BY LAW, A SCHOOL MAY NOT, EVEN WITH THE AFFIRMATIVE CONSENT OF THE PARENT OF THE STUDENT IN ATTENDANCE OR THE ELIGIBLE STUDENT IN ATTENDANCE, DISCLOSE PERSONALLY IDENTIFIABLE STUDENT INFORMATION FOR A COMMERCIAL, FOR-PROFIT ACTIVITY INCLUDING BUT NOT LIMITED TO USE FOR: (I) MARKETING PRODUCTS OR SERVICES; (II) SELLING PERSONALLY IDENTIFIABLE STUDENT INFORMATION FOR USE IN MARKETING PRODUCTS OR SERVICES; (III) CREATING OR CORRECTING AN INDIVIDUAL OR HOUSEHOLD PROFILE; (IV) COMPILATION OF A STUDENT LIST; (V) SALE OF THE INFORMATION FOR ANY COMMERCIAL PURPOSE; OR (VI) ANY OTHER PURPOSE CONSIDERED BY THE SCHOOL AS LIKELY TO BE A COMMERCIAL, FOR-PROFIT ACTIVITY. (D) IN MAKING AN ALLOWABLE DISCLOSURE UNDER THIS SUBDIVISION, A SCHOOL MAY ONLY DISCLOSE THE MINIMUM AMOUNT OF INFORMATION NECESSARY TO ACCOMPLISH THE PURPOSE OF THE DISCLOSURE.]
Supporting Data Use While Protecting the Privacy, Security and Confidentiality of Student Information
Date CapturedMonday May 02, 2011 06:28 PM
Data Quality Campaign: [Meet the moral and legal responsibility to respect the privacy and the confidentiality of students’ personally identifiable information; Mitigate risks related to the intentional and unintentional misuse of data, which are amplified by the digital nature of today’s society in which more information — in education and every sector — is housed and shared in electronic and web-based forms; and ensure clarity around roles and responsibilities, including states’ authority to share data, in what form the data can be shared, at what level of detail, with whom and with what protections in place.]
DQC: The American Recovery and Reinvestment Act (ARRA) Support for State Longitudinal Data Systems (SLDS)
Date CapturedFriday April 22, 2011 05:06 PM
Data Quality Campaign - The American Recovery and Reinvestment Act provides federal support to states to further build and promote the use of statewide longitudinal data systems. This document includes: 1. ARRA Overview and Data Systems: a. American Recovery and Reinvestment Act; b. America COMPETES Act; 2. State Stabilization Funds and Assurances; 3. Institute of Education Sciences State Longitudinal Data Systems Grants: a. American Recovery and Reinvestment Act – IES Funding; 4. U.S. Department of Education Guidance on Implementation of ARRA: a. Fact sheet: The American Recovery and Reinvestment Act of 2009: Saving and Creating Jobs and Reforming Education; b. Letter to Governors from Secretary of Education Arne Duncan; c. Implementing the American Recovery Act – Letter from Secretary of Education Arne Duncan
U.S. Department of Education (USED) Safeguarding Student Privacy 
Date CapturedFriday April 08, 2011 06:38 PM
The use of data is vital to ensuring the best education for our children. However, the benefits of using student data must always be balanced with the need to protect students’ privacy rights. Students and their parents should expect that their personal information is safe, properly collected and maintained and that it is used only for appropriate purposes and not improperly redisclosed. It is imperative to protect students’ privacy to avoid discrimination, identity theft or other malicious and damaging criminal acts. All education data holders must act responsibly and be held accountable for safeguarding students’ personally identifiable information – from practitioners of early learning to those developing systems across the education continuum (P-20) and from schools to their contractors. The need for articulated privacy protections and data security continues to grow as Statewide Longitudinal Data Systems (SLDS) are built and more education records are digitized and shared electronically. As States develop and refine their information management systems, it is critical that they ensure that student information continues to be protected and that students’ personally identifiable information is disclosed only for authorized purposes and under the circumstances permitted by law. All P-20 stakeholders should be involved in the development of these statewide systems and protection policies.
"What every school official should know about privacy"
Date CapturedThursday March 17, 2011 02:24 PM
Video of Daniel Solove on schools and privacy taped at Cornell University.
TITLE 20 > CHAPTER 31 > SUBCHAPTER III > Part 4 > § 1232g
Date CapturedTuesday March 15, 2011 12:47 PM
FERPA statute regarding directory information - note PICTURE and E-MAIL NOT in statute. US ED added through regulations -- they were not added by Congress: (5)(A) For the purposes of this section the term “directory information” relating to a student includes the following: the student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.
GAMMILL v USED - USA Merit System Board documents
Date CapturedMonday March 14, 2011 01:14 PM
Proposed regulatory (not statutory) change vastly expands the term “authorized representative” well beyond these four entities: Comptroller General of US, Secretary, Attorney General, and state or local education authorities. (See pages 10 and 11)
PAUL GAMMILL v U.S. DEPARTMENT OF EDUCATION
Date CapturedMonday March 14, 2011 12:44 PM
Whistleblower Retaliation lawsuit filed by Gammill against USED for retaliation of sharing an illegal attempt to circumvent FERPA. Case Number: 1:2011cv00409; Filed: February 18, 2011; Court: District Of Columbia District Court; Office: Washington, DC Office; County: 88888; Presiding Judge: John D. Bates
The Handbook for Campus Safety and Security Reporting
Date CapturedFriday March 11, 2011 07:35 PM
FERPA does not preclude an institution’s compliance with the timely warning provision of the campus security regulations. FERPA recognizes that information can, in case of an emergency, be released without consent when needed to protect the health and safety of others. In addition, if institutions utilize information from the records of a campus law enforcement unit to issue a timely warning, FERPA is not implicated as those records are not protected by FERPA. U.S. Department of Education, Office of Postsecondary Education, The Handbook for Campus Safety and Security Reporting, Washington, D.C., 2011.
FERPA and Social Media
Date CapturedThursday March 10, 2011 02:50 PM
When students are assigned to post information to public social media platforms outside of the university LMS, they should be informed that their material may be viewed by others. Students should not be required to release personal information on a public site. Instructor comments or grades on student material should not be made public. (Interestingly, grades given by other students on “peer-graded” work can be made public under FERPA). (ACE, 2008) While not clearly required by law, students under the age of 18 should get their parent’s consent to post public work. FERPA does not forbid instructors from using social media in the classroom, but common sense guidelines should be used to ensure the protection of students.
OHIO 3319.321 Confidentiality
Date CapturedThursday March 10, 2011 02:40 PM
Ohio Revised Code » Title [33] XXXIII EDUCATION (A) No person shall release, or permit access to, the directory information concerning any students attending a public school to any person or group for use in a profit-making plan or activity. Notwithstanding division (B)(4) of section 149.43 of the Revised Code, a person may require disclosure of the requestor’s identity or the intended use of the directory information concerning any students attending a public school to ascertain whether the directory information is for use in a profit-making plan or activity.
Some questions raised over release of student info (North Dakota)
Date CapturedTuesday March 08, 2011 04:54 PM
[North Dakota: High schools across the state would be required to give names, addresses and phone numbers of their students to the State Board of Higher Education under a proposed Senate bill.] [Several committee members expressed concern about the additional information and wanted to make sure parents would be fully aware of what information was being requested before opting out. That view also was shared by Bev Nielson of the North Dakota School Boards Association.]
Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting
Date CapturedThursday March 03, 2011 01:36 PM
NCES 2011-603 Building on current best practices, the Brief outlines reporting recommendations. Primarily, the goal of these reporting recommendations is to maximize the reporting of student outcomes while protecting students’ personally identifiable information.
Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records
Date CapturedThursday March 03, 2011 01:21 PM
NCES 2011-601 This first brief discusses basic concepts and definitions that establish a common set of terms related to the protection of personally identifiable information, especially in education records.
Recommendations on Data Security and Privacy Protections
Date CapturedSaturday February 19, 2011 11:00 PM
Excerpted from the Data Protections Report submitted to the U.S. Department of Education’s Performance Information Management Service by Highlight Technologies on June 16, 2010. (Where is original report and comments?)
NYC Schools Parents Bill of Rights
Date CapturedMonday February 14, 2011 09:49 PM
Parents have the right to: 12. consent to disclosures of personally identifiable information contained in the student’s education records, except to the extent that Family Educational Rights and Privacy Act (FERPA) and Chancellor’s Regulation A-820 authorize disclosure without consent.
NYC P-3 SCHOOL FAMILY HANDBOOK
Date CapturedSunday February 13, 2011 05:39 PM
See page 19 for information deemed appropriate to release about 4 year old CHILDREN.
CONFIDENTIALITY AND RELEASE OF STUDENT RECORDS; RECORDS RETENTION
Date CapturedSunday February 13, 2011 03:13 PM
This regulation supersedes New York City Chancellor’s Regulation A-820 dated July 8, 2008. Changes: • The regulation was revised to conform to amendments to federal regulations under the Family Educational Rights and Privacy Act (“FERPA”).
Identifying Violence-prone Students
Date CapturedThursday January 13, 2011 02:02 PM
The fine line higher education officials walk in dealing with troubled students is discussed.
NCES 2011-602 Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records
Date CapturedTuesday January 04, 2011 09:55 PM
SLDS Technical Brief - Guidance for Statewide Longitudinal Data Systems (SLDS) [A privacy and data protection program for student education records must include an array of rules and procedures for protecting PII held in the record system. It also must include a full set of public disclosures of the existence and uses of the information included in the data system, a description of all parents’ or eligible students’ rights to review and appeal the contents of an individual education record and of their rights and the procedures to appeal a violation.] ***** [A school directory may include PII such as a student’s name, grade level, and contact information. Taken by itself, the release of this information is not harmful to a student. However, when combined with the student’s Social Security Number or another identifier and the student’s education record, this information has the potential for violating a student’s right to privacy. The release of this combined record could lead to harm or embarrassment. Thus, the privacy and data protection program should focus on PII that will be maintained in the electronic student record system with its likely wealth of student data.]
Directory Information Part 1 (WAV file, no text -- it's audio)
Date CapturedSunday December 26, 2010 05:36 PM
EDNY comments on Data Quality Campaign webcast with US ED response. See Part 2 for continuation of conversation.
New York State Student Information Repository System (SIRS) Manual
Date CapturedWednesday December 22, 2010 08:44 PM
New York State Student Information Repository System (SIRS) Manual; Reporting Data for the 2010–11 School Year (SEE APPENDIX 19)
K-12 EDUCATION - Selected Cases of Public and Private Schools That Hired or Retained Individuals with Histories of Sexual Misconduct
Date CapturedFriday December 17, 2010 01:00 PM
GAO-11-200: The cases GAO examined show that individuals with histories of sexual misconduct were hired or retained by public and private schools as teachers, support staff, volunteers, and contractors.
Many States Collect Graduates’ Employment Information, but Clearer Guidance on Student Privacy Requirements Is Needed
Date CapturedMonday December 13, 2010 09:17 AM
GAO-10-927 - GAO recommends that Education clarify means by which states can collect and share graduates’ employment information under the Family Educational Rights and Privacy Act (FERPA) and establish a time frame for doing so. Education agreed with the recommendation.
Schools Selling Students' Personal Information
Date CapturedWednesday October 06, 2010 03:17 PM
Link to stories about schools selling student information
Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information
Date CapturedTuesday September 28, 2010 02:51 PM
GAO-08-795T : In its report GAO identified alternatives that the Congress should consider, including revising the scope of privacy laws to cover all personal information, requiring that the use of such information be limited to a specific purpose, and revising the structure and publication of privacy notices.
FERPA Myth Busters
Date CapturedFriday July 23, 2010 02:58 PM
Organization: Education Counsel -- Draft for WICHE Conference Use -- December 16, 2008
Family Educational Rights and Privacy Act (FERPA) and the Disclosure of Student Information Related to Emergencies and Disasters
Date CapturedThursday June 24, 2010 01:48 PM
The purpose of this guidance is to answer questions that have arisen about the sharing of personally identifiable information from students’ education records to outside parties when responding to emergencies, including natural or man-made disasters. Understanding how, what, and when information can be shared with outside parties is an important part of emergency preparedness.
Delta College trustees won't add more student information to campus directory
Date CapturedThursday March 18, 2010 01:34 PM
By Andrew Dodson | The Bay City Times - [Currently, information on Delta College students that is readily available, unless they have opted out, includes their name, degree, address, awards, dates attended, program, participation in activities, enrollment, e-mail and weight and height for members of athletic teams. Higgs argued that the college should have more items on file, including a student photo, whether or not that student is full or part time and a phone number. "That's what the courts look to," said Higgs. "Our policy doesn't have those things and it should." Other board members disagreed, saying that more data collecting isn't required and isn't worth the time. They voted against the plan 8-1.]
Privacy flags raise concern for graduate students
Date CapturedThursday March 11, 2010 09:24 PM
by Katie Perkowski -[Undergraduate students are not the only ones concerned with personal information available through UK’s online people search — now, graduate students are voicing their concern, too. Members of UK’s graduate school have recently voiced concern about their information like home address and home telephone number being available on the UK Web site without their knowledge, said English teaching assistant Jesslyn Collins-Frohlich.]
Clash Over Student Privacy
Date CapturedTuesday March 09, 2010 05:05 PM
This document should not be shared due to copyright. Inside Higher Ed - [WASHINGTON -- The U.S. Education Department has fired the top federal official charged with protecting student privacy, in what the dismissed official says was a conflict with the agency's political leaders over their zeal to encourage the collection of data about students' academic performance. Paul Gammill says he was physically escorted out of the department's offices on a Friday morning last month after he refused to resign as director of the agency's Family Policy Compliance Office. Administration officials said that "[p]rivacy laws require us to keep certain employment matters confidential, so we cannot comment on Mr. Gammill." But Gammill, not so encumbered, maintains that he was dismissed because, on several occasions, he argued in internal meetings and documents that the department's approach to prodding states to expand their longitudinal student data systems violated the Family Educational Rights and Privacy Act, which protects the privacy of students' educational records.]
Federal Register: July 6, 2000 (Volume 65, Number 130)
Date CapturedTuesday March 09, 2010 04:56 PM
DEPARTMENT OF EDUCATION - 34 CFR Part 99 - Family Educational Rights and Privacy- AGENCY: Department of Education. ACTION: Final regulations. SUMMARY: The Secretary amends the regulations implementing the Family Educational Rights and Privacy Act (FERPA). The amendments are needed to implement sections 951 and 952 of the Higher Education Amendments of 1998 (HEA). These amendments permit postsecondary institutions to disclose certain information to the public and to parents of students. DATES: These regulations are effective August 7, 2000.
Putting Private Info on Government Database
Date CapturedTuesday March 09, 2010 04:34 PM
Phyllis Schlafly writes - [The Fordham report made numerous recommendations to beef up student privacy, such as collecting only information relevant to articulated purposes, purging unjustified data, enacting time limits for data retention and hiring a chief privacy officer for each state. There is no indication that these suggestions will be implemented. The Obama Department of Education officials believe that collecting personally identifiable data is "at the heart of improving schools and school districts." One of the four reform mandates of the Race to the Top competition is to establish pre-kindergarten to college-and-career data systems that "track progress and foster continuous improvement."]
Comments of the World Privacy Forum regarding Notice of Proposed Rulemaking, FERPA
Date CapturedTuesday February 02, 2010 08:28 PM
[Our comments focus on several aspects of the Notice of Proposed Rulemaking (NPRM), notably, the definition and handling of directory information and personally identifiable information. We also comment on the use of full tax returns to determine eligibility. And finally, we comment on the issue of outsourcing, including the need for audit trails in regards to the proposed expansion of the school official exemption.]
Personal school data not always private
Date CapturedTuesday November 03, 2009 08:15 PM
SCOTT WALDMAN Staff Writer Section: Capital Region, Page: B1 Date: Saturday, February 9, 2008 [GUILDERLAND - Last year, the Guilderland Teachers Association got the address of every local family and sent those with school-age children postcards promoting the union's picks in the May school board election. But trying to get that kind of personal information from other school districts won't work. The issue shines a light on how school districts interpret a federal law that permits the disclosure of "directory" information - including student and parent names, addresses and phone numbers - without consent. The law leaves it up to individual districts to define what is considered directory information. The statute also stipulates that schools must tell residents they have the right to withhold the information.]
Use of parental list is faulted
Date CapturedTuesday November 03, 2009 08:06 PM
March 17, 2008 by Scott Waldman - [GUILDERLAND - Guilderland School District violated federal law when it provided the names and addresses of parents to the teachers union, according to the state's authority on open government. Last year, Guilderland Teachers Association used those names and addresses to send parents of school-aged children postcards promoting the union's picks in a school board election. School officials deny that any law was broken, but the district recently imposed a moratorium on releasing "directory" information after complaints by school board members and news coverage of the controversy.]
Kids' Privacy
Date CapturedSunday November 01, 2009 09:40 PM
[Thanks to COPPA, sites have to get a parent’s permission if they want to collect or share your kids’ personal information, with only a few exceptions. That goes for information sites ask for up-front, and information your kids choose to post about themselves. Personal information includes your child’s full name, address, email address, or cell phone number. Under COPPA, sites also have to post privacy policies that give details about what kind of information they collect from kids — and what they might do with it (say, to send a weekly newsletter, direct advertising to them, or give the information to other companies). If a site plans to share the child’s information with another company, the privacy policy must say what that company will do with it. Links to the policies should be in places where they’re easy to spot. What Can You Do? Your kids’ personal information and privacy are valuable —to you, to them, and to marketers.] *****NOTE DISPARITY WITH PROTECTION PROVIDED UNDER FERPA.
South Dakota Superintendent Thinks Info Policy Will Pass Tonight
Date CapturedFriday October 30, 2009 05:37 PM
[Over the past month some parents have voiced their concerns to the school board over what they consider the selling of their children's contact information. Some say they don't want it to land in the wrong hands. Pam Homan says parents have known about the information policy for some time. "On the blue card as we call it parents have been informed of the FERPA requirement and whether or not they wish to have their child's name included or excluded from information." Revisions have been made to the proposed policy, allowing parents more control over where the information is given. It will allow four categories that are: school publications, directory information, SD board of regents, and military recruiters.]
CHILDREN’S EDUCATIONAL RECORDS AND PRIVACY -- A STUDY OF ELEMENTARY AND SECONDARY SCHOOL STATE REPORTING SYSTEMS -- October 28, 2009
Date CapturedFriday October 30, 2009 09:44 AM
[The Study reports on the results of a survey of all fifty states and finds that state educational databases across the country ignore key privacy protections for the nation's K-12 children. The Study finds that large amounts of personally identifiable data and sensitive personal information about children are stored by the state departments of education in electronic warehouses or for the states by third party vendors. These data warehouses typically lack adequate privacy protections, such as clear access and use restrictions and data retention policies, are often not compliant with the Family Educational Rights and Privacy Act, and leave K-12 children unprotected from data misuse, improper data release, and data breaches. The Study provides recommendations for best practices and legislative reform to address these privacy problems.] Joel R. Reidenberg, Professor of Law and Founding Academic Director of CLIP Jamela Debelak, Esq., Executive Director of CLIP
National Forum on Education Statistics. Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies
Date CapturedSaturday March 21, 2009 01:43 PM
National Forum on Education Statistics. Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies, NCES 2004–330. Washington, DC: 2004.
FERPA Online Library
Date CapturedThursday March 12, 2009 03:22 PM
Family Policy Compliance Office Letters
Commercial Activities in Schools: Use of Student Data is Limited and Additional Dissemination of Guidance Could Help Districts Develop Policies
Date CapturedThursday March 12, 2009 03:16 PM
GAO -- Recommendation: The Secretary of Education should take additional action to assist districts in understanding that they are required to have specific policies in place for the collection, disclosure, and use of student information for marketing and selling purposes by disseminating its guidance to state school boards associations.
Report Is Said To Criticize On-Campus Recruitment
Date CapturedThursday March 12, 2009 03:10 PM
September 6, 2007 -- NY SUN -- ALEXANDER BRITELL -- [A report by a civil liberties group and the president of Manhattan, Scott Stringer, will criticize military recruitment tactics at some city school campuses. A source familiar with the findings of the report, which is drawn from the survey responses of nearly 1,000 students, said it alleges that military recruiters have been given too much access to public school classrooms, and that the city's Department of Education has not adequately informed students about their right to remove their names from recruiting lists.]
Family Policy Compliance Office (FPCO)
Date CapturedThursday March 12, 2009 02:49 PM
State says Cambridge Public Schools can't charge $14K for public records
Date CapturedFriday February 13, 2009 03:12 PM
David L. Harris -- GateHouse News Service - [On Nov. 30, 2007, the Chronicle sent a letter requesting directory information, but the request was later denied in a three-page letter from the school’s legal department. After appealing to the state’s supervisor of public records, Alan Cote, the school department sent a letter dated July 11, explaining that the work to compile the directory information would cost $14,426.88. The Chronicle’s sister paper, the Newton TAB, requested the same information from Newton Public Schools around the same time. The school department, which sent the data within three weeks of the request, did not charge the TAB for the information.]
Student Information Not For Sale At UW- Marathon County
Date CapturedWednesday February 11, 2009 07:06 PM
Wsaw.com reporter: Margo Spann -- [Private companies looking to sell or market products to college students are buying information about them directly from their schools. The Assistant Director of Student Services at UW Marathon County Annette Hackbarth-Onson says federal law allows colleges to sell information about their students. She says companies are often looking to buy students' names, birth-dates, and email addresses.]
Rethinking the Role of Consent in Protecting Health Information Privacy
Date CapturedTuesday January 27, 2009 09:52 AM
CDT is advocating for the inclusion of privacy protections in the President's economic stimulus bill, which contains at least $20 billion for a national health information technology network. CDT's paper argues that personal health information should easily flow for treatment, payment, and certain core administrative tasks without requiring patient consent, but that stricter limits need to be placed on marketing and other secondary uses. January 26, 2009. This paper advocates for a new generation of privacy protections that allow personal health information to flow among health care entities for treatment, payment, and certain core administrative tasks without first requiring patient consent, as long as there is a comprehensive framework of rules that governs access to and disclosure of health data. Patient consent is one important element of this framework, but relying on consent would do little to protect privacy. This paper also suggests how a framework of protections can provide patients with more meaningful opportunities to make informed choices about sharing their personal health information online.
Family Educational Rights and Privacy; Final Rule
Date CapturedTuesday December 09, 2008 07:02 PM
FR Doc E8-28864[Federal Register: December 9, 2008 (Volume 73, Number 237)] [Rules and Regulations] [Page 74805-74855] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr09de08-8]
U Alabama at Birmingham Student Records Policy, Photo as Directory Information
Date CapturedThursday December 04, 2008 08:41 PM
UAB’s Student Records Policy, derived from the Federal Educational Rights and Privacy Act (FERPA), lists the following items of a student record as “directory information:” Name, Telephone number, E-mail address, Date and place of birth, Major field of study, Participation in officially recognized activities and sports, Dates of attendance, Degrees and awards received, Institution most recently previously attended. These items are considered public information which may be made available by the university without prior consent of the student and are considered part of the public record of the student’s attendance. Effective Spring 2009, the photo used on the CampusCard will become an item of directory information. Under the provisions of FERPA, students have the right to withhold the disclosure of directory information.
Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records (ID: CSD5578)
Date CapturedThursday December 04, 2008 04:36 PM
The HIPAA Privacy Rule specifically excludes from its coverage those records that are protected by FERPA. At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district. Some schools may receive a grant from a foundation or government agency to hire a nurse. Notwithstanding the source of the funding, if the nurse is hired as a school official (or contractor), the records maintained by the nurse or clinic are “education records” subject to FERPA.
Vermont to study student privacy policies
Date CapturedThursday June 12, 2008 04:14 PM
Reformer reports, "The state (Vermont) board is also going to consider how the education department handles third party research requests on behalf of the education department using student data. Under the proposed change, the department information technology team would classify data as sensitive and confidential, and a written contract would have to be signed before the release of records. A third proposed policy spells out how organizations that contract with the education department go about obtaining student information for their work."
Students anxious about directory data
Date CapturedWednesday June 11, 2008 10:06 AM
Columbia Tribune reports, "The names, telephone numbers, e-mail addresses, mailing addresses and other information of University of Missouri students are all considered public information and have been drawing the attention of marketing agencies eager to sell goods and services to the student body."
One in four data breaches involves schools
Date CapturedTuesday June 03, 2008 08:34 PM
By Meris Stansbury, Assistant Editor, eSchool News, "Cyber criminals are becoming bolder and more sophisticated in their operations, federal computer security experts say. And that's bad news for schools, because educational institutions reportedly account for approximately one of every four data security breaches."
EDUCAUSE
Date CapturedTuesday June 03, 2008 08:26 PM
EDUCAUSE is a nonprofit association and good source of information about FERPA and higher education.
Huge Databases Offer a Research Gold Mine — and Privacy Worries
Date CapturedTuesday June 03, 2008 08:14 PM
By DAVID GLENN from the issue dated May 9, 2008 Chronicle of Higher Education, "Researchers have used the new databases to study many issues, including which high-school math courses are most important for college success and how exposure to adjunct instructors affects student retention. But the new education databases create obvious challenges for protecting student privacy — which is one reason most states have been slow to build them. Florida's education department takes elaborate steps to 'de-identify' its information before handing it to outside researchers. Despite those efforts, nervous officials in other states look at a system like Florida's and worry about potential violations of the Family Educational Rights and Privacy Act, or Ferpa. In March the U.S. Department of Education proposed new Ferpa regulations that might clarify the ground rules for the use of such databases, but it is far from certain that the new rules will make states more comfortable with the projects." http://chronicle.com -- Section: The Faculty -- Volume 54, Issue 35, Page A10
FERPA Violation
Date CapturedMonday June 02, 2008 10:10 PM
Letter from Wisconsin College Republicans to Family Policy Compliance Office regarding FERPA violation claim.
Frequently Asked Questions
Date CapturedSunday June 01, 2008 04:41 PM
What is "Directory Information"? FERPA defines "directory information" as information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Typically, "directory information" includes information such as name, address, telephone listing, date and place of birth, participation in officially recognized activities and sports, and dates of attendance. A school may disclose "directory information" to third parties without consent if it has given public notice of the types of information which it has designated as "directory information," the parent's or eligible student's right to restrict the disclosure of such information, and the period of time within which a parent or eligible student has to notify the school in writing that he or she does not want any or all of those types of information designated as "directory information." The means of notification could include publication in various sources, including a newsletter, in a local newspaper, or in the student handbook. The school could also include the "directory information" notification as part of the general notification of rights under FERPA. The school does not have to notify a parent or eligible student individually. (34 CFR § 99.37.)
Legislative History of Major FERPA Provisions
Date CapturedSunday June 01, 2008 04:20 PM
Family Educational Rights and Privacy Act (FERPA)
Date CapturedThursday July 27, 2006 09:36 PM
"The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are 'eligible students.'" parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31): School officials with legitimate educational interest; Other schools to which a student is transferring; Specified officials for audit or evaluation purposes; Appropriate parties in connection with financial aid to a student; Organizations conducting certain studies for or on behalf of the school; Accrediting organizations; To comply with a judicial order or lawfully issued subpoena; Appropriate officials in cases of health and safety emergencies; and State and local authorities, within a juvenile justice system, pursuant to specific State law. Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. 
The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.

File Sharing

16 Apps That Make Sharing Large Files A Snap
Date CapturedSunday August 09, 2009 05:00 PM
Orli Yakuel -- [So why would you use a file-sharing app anyway? Actually for many reasons: for larger files, for privacy, multiple files, file format support, and more. In this post, I compare 16 file-sharing services. I took three main issues under consideration when creating the comprehensive app list below: Free, Fast, and Useful . . .]

First Amendment

Brandeis in Italy: The Privacy Issues in the Google Video Case
Date CapturedWednesday March 10, 2010 03:59 PM
Huffington Post - Marc Rotenberg writes [I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States. The video at the center of this case was very popular in Italy and drove lots of users to the Google Video site. This boosted advertising and support for other Google services. As a consequence, Google actually had an incentive not to respond to the many requests it received before it actually took down the video. Back in the U.S., here is the relevant history: after Brandeis and Warren published their famous article on the right to privacy in 1890, state courts struggled with its application. In a New York state case in 1902, a court rejected the newly proposed right. In a second case, a Georgia state court in 1905 endorsed it.] Marc Rotenberg is the Executive Director, Electronic Privacy Information Center (EPIC).
Free Speech Coalition v. Holder
Date CapturedSunday March 07, 2010 06:12 PM
Electronic Frontier Foundation (EFF) has filed a friend-of-the-court brief urging a federal court judge to block two criminal statutes that unconstitutionally limit the free expression of millions of adults who use the Internet and other electronic forms of communication, bringing the threat of criminal sanctions for private, lawful speech. At issue are provisions of federal law that require anyone who produces a visual depiction of sexually explicit expression to maintain extensive records -- including copies of drivers' licenses, the dates and times images were taken, and all URLs where images were posted -- and often force public disclosure of a creator's home address. Even more troubling, the regulations allow law enforcement warrantless entry into homes or offices in order to inspect the records that are supposed to be kept. While these statutes regulate the commercial pornography industry, they also likely apply to a staggering number of Americans who create and share images of themselves over social networks, online dating services, personal erotic websites, and text messaging. The current implementation of 18 U.S.C. § 2257 unconstitutionally encroaches on the free expression of a staggering number of Americans. Section 2257, which originally targeted producers of child pornography by creating a rebuttable presumption that an individual depicted in sexually explicit expression was a minor in a child pornography prosecution if the producer did not maintain records, has been amended to expand its scope such that it now applies to individual photographers and videographers who create and publish sexual content for personal and non-commercial purposes. As a result, the use of social networking applications, dating profiles, personal erotic websites, sexual text messaging and other forms of adult expression are burdened by onerous recordkeeping requirements of which most speakers are likely not even aware.
The price of failure to comply is potential criminal penalties and significant prison time.
Bloggers Now Eligible For Press Passes In NYC
Date CapturedTuesday March 02, 2010 08:02 PM
Wendy David writes [Under the new proposed policy, the New York Police Department would be able to issue press passes good for two years to any journalist who has personally attended and reported on at least six qualified events in the city in the preceding two years, regardless of whether the reports were published online, in print newspapers, magazines, books or other media. Events that will qualify include city-sponsored activity -- like a press conference or parade -- as well as emergencies where the city has set up do-not-cross lines. The proposal also allows inexperienced journalists to obtain single-use press passes.]
Two German Killers Demanding Anonymity Sue Wikipedia’s Parent
Date CapturedFriday November 13, 2009 06:29 PM
NYT John Schwartz writes [ Wolfgang Werlé and Manfred Lauber became infamous for killing a German actor in 1990. Now they are suing to force Wikipedia to forget them. The legal fight pits German privacy law against the American First Amendment. German courts allow the suppression of a criminal’s name in news accounts once he has paid his debt to society, noted Alexander H. Stopp, the lawyer for the two men, who are now out of prison.]

Fourth Amendment

Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era
Date CapturedTuesday July 12, 2011 06:12 PM
Christopher Soghoian - [This paper will argue that this doctrine [[third-party doctrine]] becomes moot once encryption is in use and companies no longer have access to their customers’ private data.] [The real threat to privacy lies with the fact that corporations can and have repeatedly been forced to modify their own products in ways that harm end user privacy, such as by circumventing encryption.] Soghoian, Christopher, Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era (August 17, 2009). 8 J. on Telecomm. and High Tech. L. 359; Berkman Center Research Publication No. 2009-07
Internet Privacy - this house believes that governments must do far more to protect online privacy.
Date CapturedWednesday August 25, 2010 07:53 PM
THE ECONOMIST - Marc Rotenberg, President and executive director, Electronic Privacy Information Center: [Today there is no meaningful check on private-sector data collection. Companies post "privacy policies" on websites and then do as they wish with the personal information they collect.] Jim Harper, Director of information policy studies, Cato Institute: [The internet is not for couch potatoes. It is an interactive medium. While internet users enjoy its offerings, they should be obligated to participate in watching out for themselves.]
Review: Federal program used to hide flights from public
Date CapturedTuesday April 13, 2010 08:22 PM
USA Today -- By Michael Grabell and Sebastian Jones, ProPublica - [Use of the airspace is considered public information because taxpayers fund air-traffic controllers, radars and runways. "It belongs to all of us," said Chuck Collins, who has studied private jet travel at the Institute for Policy Studies, a progressive think tank. "It's not a private preserve." NBAA spokesman Dan Hubbard said privacy is important to business fliers because competitors can learn of potential deals by tracking planes, and that could affect stock prices. "There are certain circumstances where there is a security concern," he said. In 2000, Congress required websites to stop posting flights of certain planes at the FAA's request. The FAA later agreed to let the aviation group be the clearinghouse. FAA spokeswoman Laura Brown said the agency lacks resources to evaluate whether requests to keep flights secret are justified, so the agency lets the NBAA decide each month the flights kept from public view.]
Coalition pushes ECPA update for online privacy in cloud computing age
Date CapturedWednesday March 31, 2010 04:46 PM
[A powerful collection of organizations has formed a new coalition to push for an update to the Electronic Communications Privacy Act (ECPA). Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.]
Digital Due Process
Date CapturedWednesday March 31, 2010 04:23 PM
[A powerful collection of organizations has formed a new coalition to push for an update to the Electronic Communications Privacy Act (ECPA). Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.]
Nelson v. NASA
Date CapturedWednesday March 10, 2010 03:46 PM
[On August 30, 2007, Appellants filed suit alleging, both individually and on behalf of the class of JPL employees in non-sensitive or “low risk” positions, that NASA’s newly imposed background investigations are unlawful. Appellants bring three primary claims: (1) NASA and the Department of Commerce (collectively “Federal Appellees”) violated the Administrative Procedure Act (“APA”) by acting without statutory authority in imposing the investigations on contract employees; (2) the investigations constitute unreasonable searches prohibited by the Fourth Amendment; and (3) the investigations violate their constitutional right to informational privacy.]
Security and Privacy? Forget About It
Date CapturedMonday March 08, 2010 08:41 PM
By Richard Adhikari - TechNewsWorld - [As the Obama administration grapples with the thorny issue of beefing up the United States' cybersecurity infrastructure, and as security experts warn of impending cyberwarfare, a debate is raging over how much surveillance is enough. One of the biggest problems about implementing cybersecurity is that it involves a measure of surveillance, and the line between surveillance and snooping is razor thin. Thin enough, in fact, that Einstein 3, the latest iteration of the Federal government's intrusion detection program, has aroused privacy concerns because it can examine the content of email. That, some privacy advocates believe, makes it almost equivalent to warrantless wiretapping. The security community is divided over the issue.] [Using NSA technology almost certainly will lead to an invasion of privacy, the EFF's Rotenberg fears. "The folks over at NSA are not just interested in looking for malware, they're very interested in content," he said. "This is the problem with Einstein 2 and Einstein 3." On the other hand, turning over the responsibility for deep packet inspection to private companies could have its own pitfalls. "Deep packet inspection opens the doors to commercialization," Rotenberg warned. "The companies can say, 'We have to do this because of our security mandate and oh, by the way, there's a marketing opportunity here.'"]
Free Speech Coalition v. Holder
Date CapturedSunday March 07, 2010 06:12 PM
Electronic Frontier Foundation (EFF) has filed a friend-of-the-court brief urging a federal court judge to block two criminal statutes that unconstitutionally limit the free expression of millions of adults who use the Internet and other electronic forms of communication, bringing the threat of criminal sanctions for private, lawful speech. At issue are provisions of federal law that require anyone who produces a visual depiction of sexually explicit expression to maintain extensive records -- including copies of drivers' licenses, the dates and times images were taken, and all URLs where images were posted -- and often force public disclosure of a creator's home address. Even more troubling, the regulations allow law enforcement warrantless entry into homes or offices in order to inspect the records that are supposed to be kept. While these statutes regulate the commercial pornography industry, they also likely apply to a staggering number of Americans who create and share images of themselves over social networks, online dating services, personal erotic websites, and text messaging. The current implementation of 18 U.S.C. § 2257 unconstitutionally encroaches on the free expression of a staggering number of Americans. Section 2257, which originally targeted producers of child pornography by creating a rebuttable presumption that an individual depicted in sexually explicit expression was a minor in a child pornography prosecution if the producer did not maintain records, has been amended to expand its scope such that it now applies to individual photographers and videographers who create and publish sexual content for personal and non-commercial purposes. As a result, the use of social networking applications, dating profiles, personal erotic websites, sexual text messaging and other forms of adult expression are burdened by onerous recordkeeping requirements of which most speakers are likely not even aware.
The price of failure to comply is potential criminal penalties and significant prison time.
Undercover and Sensitive Operations Unit Attorney General's Guidelines on FBI Undercover Operations Revised 11/13/92
Date CapturedSaturday December 26, 2009 09:04 PM
[The following Guidelines on the use of undercover activities and operations by the Federal Bureau of Investigation (FBI) are issued under the authority of the Attorney General provided in Title 28, United States Code, Sections 509, 510, and 533. They apply to all investigations conducted by the FBI, except those conducted pursuant to its foreign counterintelligence and foreign intelligence responsibilities.]
U.S. Constitution: Fourth Amendment
Date CapturedThursday January 01, 2009 07:07 PM
Linked page includes Findlaw annotations [The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.]
You Have Near-Zero Expectation of Privacy in Your Cell Phone Records [Part I]
Date CapturedThursday January 01, 2009 07:01 PM
Journalist Mark Nestmann -- [The calling records on your cell phone have "no expectation of privacy," according to a court decision issued by a federal court in Kansas. And under the court's reasoning, it's possible that other data stored on modern cell phones have no expectation of privacy, either.]
Court: Constitution Protects Stored Cell Phone Location Information (CDT Amicus Brief in the Case [PDF], July 31, 2008)
Date CapturedMonday September 29, 2008 10:15 PM
The Electronic Frontier Foundation, joined by CDT, ACLU and the ACLU of Pennsylvania, had argued for the warrant requirement that the court adopted in an amicus curiae brief filed in July. September 11, 2008.
Court: Constitution Protects Stored Cell Phone Location Information (Federal Court Decision [PDF], September 10, 2008)
Date CapturedMonday September 29, 2008 10:05 PM
A federal court ruled September 10th that stored cell phone location information is protected by the Fourth Amendment. The court said the government needed a warrant, based on probable cause, in order to gain access to stored cell phone location information. Other courts have required probable cause for law enforcement access to real-time cell phone location information; however, this decision is particularly important because it extends the probable cause requirement to stored location information. The Electronic Frontier Foundation, joined by CDT, ACLU and the ACLU of Pennsylvania, had argued for the warrant requirement that the court adopted in an amicus curiae brief filed in July. September 11, 2008

Freedom of Information (FOI)

NYS Department of State Committee on Open Government
Date CapturedSaturday February 14, 2009 01:43 AM
The Committee on Open Government is responsible for overseeing and advising with regard to the Freedom of Information, Open Meetings and Personal Privacy Protection Laws (Public Officers Law, Articles 6, 7 and 6-A respectively).
Freedom of Information (FOI)
Date CapturedSaturday December 06, 2008 05:12 PM
Links to FOI sites.

FTC

The Internet of Things: Privacy and Security in a Connected World
Date CapturedTuesday January 27, 2015 09:14 AM
Federal Trade Commission Staff Report On the November 2013 Workshop
The PII Problem: Privacy and a New Concept of Personally Identifiable Information
Date CapturedFriday November 14, 2014 06:32 AM
Paul M. Schwartz University of California, Berkeley - School of Law; Daniel J. Solove George Washington University Law School; December 5, 2011; New York University Law Review, Vol. 86, p. 1814, 2011; UC Berkeley Public Law Research Paper No. 1909366; GWU Legal Studies Research Paper No. 584; GWU Law School Public Law Research Paper No. 584; We show how existing approaches to PII impede the effective regulation of behavioral marketing, and how PII 2.0 would resolve these problems.
“Mobile Apps for Kids: Disclosures Still Not Making the Grade”
Date CapturedThursday December 13, 2012 12:18 PM
FTC: The report strongly urges all entities in the mobile app industry – including app stores, app developers, and third parties providing services within the apps – to accelerate efforts to ensure that parents have the key information they need to make decisions about the apps they download for their children. The report also urges industry to implement recommendations in the recent FTC Privacy Report including: Incorporating privacy protections into the design of mobile products and services; Offering parents easy-to-understand choices about the data collection and sharing through kids’ apps; and Providing greater transparency about how data is collected, used, and shared through kids’ apps.
The Need for Privacy Protections: Perspectives from the Administration & FTC
Date CapturedTuesday May 29, 2012 09:08 AM
FTC May 9, 2012 testimony before the Committee on Commerce, Science & Transportation; US Senate
Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers
Date CapturedMonday March 26, 2012 11:16 AM
The final report calls on companies handling consumer data to implement recommendations for protecting privacy, including: Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy; Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities. Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them. *****Data Brokers - The Commission calls on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information.
FTC Consumer Alert: How to Protect Your Child's Personal Information at School
Date CapturedSunday September 11, 2011 07:37 PM
Ask your child's school about its policy on the student directory. The student directory may list your child's name, address, date of birth, telephone number, email address and photo. FERPA requires schools to notify parents and guardians of their student directory policies and to give you the right to opt out of having that information released to third parties. It is best to submit your request in writing and keep a copy for your records. If you do not exercise your right to opt out of the sharing of your child's information, the data listed in the school directory may be available not only to your child's classmates and school staff, but also to the general public.
PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION on CHILD IDENTITY THEFT
Date CapturedFriday September 02, 2011 09:38 PM
PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION Before the SUBCOMMITTEE ON SOCIAL SECURITY of the HOUSE COMMITTEE ON WAYS AND MEANS on Child Identity Theft Field Hearing Plano, Texas September 1, 2011; EXCERPT: A. The Child Identity Theft Forum Discussions [They noted that identity thieves often steal children’s information from schools, businesses, and government agencies.]
FTC CONSUMER ALERT: Student Surveys: Ask Yourself Some Questions
Date CapturedFriday September 02, 2011 06:35 PM
[The Protection of Pupil Rights Amendment (PPRA) is a federal law that affords certain rights to parents of minor students with regard to surveys that ask questions of a personal nature, as well as to surveys designed to collect personal information from students for marketing purposes. Briefly, with regard to marketing surveys, PPRA generally requires schools to develop policies, notify parents about these surveys and permit them to opt their children out of participation in those surveys. Surveys that are exclusively used for certain educational purposes are excepted from these requirements.] [FTC recommends that you check to see if the survey form includes a privacy statement. If there is no privacy statement, you may want to think twice about distributing the survey. In any case, it is wise to know: • who is collecting the information; • how the information will be used; • with whom the information will be shared; and • whether students will have a choice about the use of their information.]
FTC CONSUMER ALERT: Protecting Your Child's Personal Information at School
Date CapturedFriday September 02, 2011 06:10 PM
[Ask your child's school about its directory information policy. Student directory information can include your child's name, address, date of birth, telephone number, email address, and photo. FERPA requires schools to notify parents and guardians about their school directory policy, and give you the right to opt-out of the release of directory information to third parties. It's best to put your request in writing and keep a copy for your files. If you don't opt-out, directory information may be available not only to the people in your child's class and school, but also to the general public.]
Stolen Futures: A Forum on Child Identity Theft July 12, 2011
Date CapturedMonday July 25, 2011 05:26 PM
Session 3 TRANSCRIPT - Securing Children’s Data in the Educational System: Steven Toporoff - Federal Trade Commission. PANELISTS: Kathleen Styles, U.S. Department of Education; Michael Borkoski, Howard County Maryland Public Schools; Larry Wong, Montgomery County Maryland Public Schools; Richard Boyle ECMC, Denny Shaw i-SAFE, Inc. [This panel will explore the Family Educational Rights and Privacy Act (FERPA) and initiatives to protect children’s personal information in school systems. We will also explore lessons learned from a high-profile data breach involving student information. Finally, the panel will discuss outreach efforts to teach children, teachers, youth counselors, and school administrators about privacy and securing children’s personal information.]
Stolen Futures: A Forum on Child Identity Theft July 12, 2011
Date CapturedWednesday July 20, 2011 06:12 PM
TRANSCRIPT SESSION ONE: Stolen Futures: A Forum on Child Identity Theft July 12, 2011; The Federal Trade Commission (FTC) and the Office for Victims Rights (OVC), Office of Justice Programs, U.S. Department of Justice, will hold a forum to discuss child identity theft. Government, business, non-profit, legal service providers, and victim advocates will explore the nature of child identity theft, including foster care identity theft and identity theft within families, with the goal of advising parents and victims on how to prevent the crime and how to resolve child identity theft problems.
CONSUMER SENTINEL NETWORK DATA BOOK for January - December 2010
Date CapturedSaturday March 12, 2011 11:39 AM
The 2010 Consumer Sentinel Network Data Book is based on unverified complaints reported by consumers. The data is not based on a consumer survey.
COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER to THE FEDERAL TRADE COMMISSION
Date CapturedMonday March 07, 2011 06:04 PM
Marc Rotenberg, EPIC testimony to FTC: COPPA currently defines PI as: Personal information means individually identifiable information about an individual collected online, including: (a) A first and last name; (b) A home or other physical address including street name and name of a city or town; (c) An e-mail address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual's e-mail address; (d) A telephone number; (e) A Social Security number; (f) A persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information; or a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting; or (g) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.
COPPA Rulemaking and Rule Reviews
Date CapturedMonday March 07, 2011 05:46 PM
Includes public testimony and roundtable. March 24, 2010
“Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”
Date CapturedThursday December 09, 2010 04:45 PM
FTC: To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.” Second, the report states, consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. One method of simplified choice the FTC staff recommends is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. The report also recommends other measures to improve the transparency of information practices, including consideration of standardized notices that allow the public to compare information practices of competing companies. The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Finally, FTC staff proposes that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them.
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
Date CapturedFriday October 01, 2010 07:22 PM
To appear at the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI’10). William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, Anmol N. Sheth. CONCLUSION: While some mobile phone operating systems allow users to control applications’ access to sensitive information, such as location sensors, camera images, and contact lists, users lack visibility into how applications use their private data. To address this, we present TaintDroid, an efficient, system-wide information flow tracking tool that can simultaneously track multiple sources of sensitive data. A key design goal of TaintDroid is efficiency, and TaintDroid achieves this by integrating four granularities of taint propagation (variable-level, message-level, method-level, and file-level) to achieve a 14% performance overhead on a CPU-bound microbenchmark. We also used our TaintDroid implementation to study the behavior of 30 popular third-party applications, chosen at random from the Android Marketplace. Our study revealed that two-thirds of the applications in our study exhibit suspicious handling of sensitive data, and that 15 of the 30 applications reported users’ locations to remote advertising servers. Our findings demonstrate the effectiveness and value of enhancing smartphone platforms with monitoring tools such as TaintDroid.
FACEBOOK - Complaint, Request for Investigation, Injunction, and Other Relief
Date CapturedMonday May 10, 2010 09:54 AM
[This complaint concerns material changes to privacy settings made by Facebook, the largest social network service in the United States, that adversely impact the users of the service. Facebook now discloses personal information to the public that Facebook users previously restricted. Facebook now discloses personal information to third parties that Facebook users previously did not make available. These changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations. These business practices are Unfair and Deceptive Trade Practices, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of the Federal Trade Commission Act.]
Proposed Privacy Legislation Wins Few Fans
Date CapturedThursday May 06, 2010 08:24 AM
WSJ : [ The goal for the legislation is to set a standard for consumer privacy protections and also provide consumers with more transparency and control regarding the collection, use and sharing of their information, said Rep. Rick Boucher (D., Va.). Mr. Boucher released a draft of the bill for discussion on Tuesday along with Rep. Cliff Stearns (R., Fla.). The bill stipulates that as a general rule companies can collect information about consumers unless a person opts out of that data collection — a point of contention among privacy advocates. The regulation also specifies standards for the collection and use of personally identifiable information. Companies must disclose to consumers if they are collecting personally identifiable information and how they are using that data. Consumers must give a company permission to share that personally identifiable information with outside companies. ]
FTC Seeks Comment on Children's Online Privacy Protections; Questions Whether Changes to Technology Warrant Changes to Agency Rule.
Date CapturedTuesday April 06, 2010 02:51 PM
[In a Federal Register notice to be published shortly, the FTC poses its standard regulatory review questions and identifies several areas where public comment would be especially useful. Among other things, the FTC asks: What implications for COPPA enforcement are raised by mobile communications, interactive television, interactive gaming, or other similar interactive media. For input on the use of automated systems – those that filter out any personally identifiable information prior to posting – to review children’s Web submissions. Whether operators have the ability to contact specific individuals using information collected from children online, such as persistent IP addresses, mobile geolocation data, or information collected in connection with behavioral advertising, and whether the Rule’s definition of “personal information” should be expanded accordingly. Whether there are additional technological methods to obtain verifiable parental consent that should be added to the COPPA Rule, and whether any of the methods currently included should be removed. Whether parents are exercising their right under the Rule to review or delete personal information collected from their children, and what challenges operators face in authenticating parents. Whether the Rule’s process for FTC approval of self-regulatory guidelines – known as safe harbor programs – has enhanced compliance, and whether the criteria for FTC approval and oversight of the guidelines should be modified in any way.]
THE FAILURE OF FAIR INFORMATION PRACTICE PRINCIPLES forthcoming in Consumer Protection in the Age of the ‘Information Economy’
Date CapturedSunday January 31, 2010 10:03 PM
Fred H. Cate - [The key is refocusing FIPPS on substantive tools for protecting privacy, and away from notice and consent; leveling the playing field between information processors and data subjects; and creating sufficient, but limited, liability so that data processors will have meaningful incentives, rather than bureaucratic regulations, to motivate appropriate behavior, and that individuals will be compensated when processing results in serious harm. This is only a first step. These proposed Consumer Privacy Protection Principles are undoubtedly incomplete and imperfect, but they are an effort to return to a more meaningful dialogue about the legal regulation of privacy and the value of information flows in the face of explosive growth in technological capabilities in an increasingly global society.]
Subject: EU-US Safe Harbor
Date CapturedSaturday January 23, 2010 09:34 PM
Chris Wolf - [There are three principal methods to legally export data from the EU to the US and overcome the prohibition against export to a country deemed to lack adequate protections. The first two are through so-called "model contracts" and "Binding Corporate Rules". The third is pursuant to a "Safe Harbor" framework that the EU and US agreed upon in 2001. To participate in the Safe Harbor, a U.S. company self-certifies to the U.S. Department of Commerce that it will follow the Safe Harbor Privacy Principles, which contain the core requirements of the EU Data Protection Directive (notice, choice, access, security, protection in onward transfers, data integrity, and enforcement). The company also is to publicize its adherence to the Safe Harbor Principles on its website. The Federal Trade Commission (FTC) is charged with enforcement of the Safe Harbor undertakings under Section 5 of the Federal Trade Commission Act, which governs deceptive and unfair business practices. In other words, a company that commits publicly to adhering to the Safe Harbor principles (and that it has so certified to the Department of Commerce) is subject to enforcement by the FTC if it does not do so. Companies must do what they promise to do.]
FTC: Has Internet Gone Beyond Privacy Policies?
Date CapturedThursday January 21, 2010 08:55 AM
NY Times STEPHANIE CLIFFORD writes [Previous commissions looked at privacy under the framework of whether consumers were harmed, and with the basis that companies must advise consumers about what they’re doing and obtain their consent, Mr. Leibowitz said. But companies “haven’t given consumers effective notice, so they can make effective choices,” he said. Advise-and-consent “depended on the fiction that people were meaningfully giving consent,” Mr. Vladeck said. “The literature is clear” that few people read privacy policies, he said.]
FTC Probes Facebook's EPIC Privacy Fail
Date CapturedThursday January 21, 2010 08:44 AM
Media Post -- Wendy Davis writes - [In addition, a Facebook employee allegedly said recently that users' messages are stored in a database regardless of whether users attempt to delete them. "We track everything. Every photo you view, every person you're tagged with, every wall-post you make, and so forth," the employee allegedly added. EPIC alleges that these public statements demonstrate that Facebook engages in unfair and deceptive trade practices. The new filing also questions a new iPhone synching feature that transfers users' iPhone contacts to Facebook, even when the phone contacts are not Facebook friends with the users.]
FTC spam site
Date CapturedTuesday January 05, 2010 09:00 PM
[This website has information about the Federal Trade Commission's recent law enforcement actions against deceptive commercial email and spammers' responsibilities under the CAN-SPAM law. In the "For Consumers" section, you'll find tips on how to reduce the amount of spam email in your in-box.]
Net Privacy 2010: How Far Will the Needle Move?
Date CapturedSaturday January 02, 2010 01:33 PM
eSecurity Planet Kenneth Corbin writes [Some of the largest companies in the industry, including Google (NASDAQ: GOOG) and Microsoft (NASDAQ: MSFT), have expressed support for baseline privacy legislation, providing it doesn't get too specific in targeting specific technologies. In the early part of 2010, Rep. Rick Boucher, who chairs the House subcommittee on technology and the Internet, has said he plans to introduce a bill that would do just that. He has been working with Cliff Stearns, the ranking Republican on the subcommittee, as well as the leaders of the subcommittee on consumer protection, to draft the bill, and spent the better part of 2009 seeking input from a variety of stakeholders.]
Refocusing the FTC’s Role in Privacy Protection
Date CapturedMonday December 14, 2009 05:31 PM
Comments of the Center for Democracy & Technology (CDT) in regards to the FTC Consumer Privacy Roundtable.
DOD nixes vendor of online monitoring software over privacy concerns
Date CapturedMonday December 07, 2009 08:53 PM
Jaikumar Vijayan writes [In September, EPIC, a Washington-based privacy advocacy group, filed a complaint against EchoMetrix with the Federal Trade Commission. EPIC claimed that EchoMetrix was violating the provisions of the Children's Online Privacy Protection Act (COPPA) by collecting personally identifiable information about children and their browsing habits and online chats. EPIC claimed that EchoMetrix used the information to deliver targeted advertising to children and also sold that information to third-party marketers. In its complaint, EPIC pointed to a separate service offered by EchoMetrix called Pulse, which analyzes data gathered from multiple sources including instant messages, blogs and chat rooms. The information is sold as market research intelligence to marketing companies, the EPIC complaint said.]
Ad Industry Works on Ads About Ads
Date CapturedTuesday November 24, 2009 03:07 PM
Wall Street Journal Emily Steel writes -- [At issue is the practice of tracking consumers’ Web activities — from the searches they make to the sites they visit and the products they buy — for the purpose of targeting ads. The efforts follow calls from the FTC earlier this year for Web advertisers and Internet companies to do a better job explaining how they track and use information about consumers’ Web activities and creating a simple way consumers can opt out of being tracked.]
Federal data breach notification standard must pre-empt state laws
Date CapturedMonday November 16, 2009 08:33 PM
Nextgov Jill R. Aitoro writes -- [The Data Breach Notification Act, introduced in January by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.] [Two states are credited for having breach notification laws with the most teeth, said Peter McLaughlin, senior counsel with Foley & Lardner LLP and a member of the law firm's privacy, security and information management practice. Foley & Lardner released a report on Monday that provides in-depth coverage of all major aspects of U.S. and international security breach laws.]
Refocusing the FTC’s Role in Privacy Protection
Date CapturedTuesday November 10, 2009 03:33 PM
Center for Technology in Government (CDT) Policy Post 15.17, November 10, 2009. [A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology: Refocusing the FTC’s Role in Privacy Protection. 1) CDT Submits Comments in regards to the FTC Consumer Privacy Roundtable; 2) The Significance of a Comprehensive Set of Fair Information Practice Principles; 3) Examining FIPs at Work: Recent FTC Enforcement Actions Demonstrate a Path Forward; 4) CDT Recommendations for Future FTC Action]
‘‘Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act’’ or the ‘‘BEST PRACTICES Act’’
Date CapturedThursday November 05, 2009 03:19 PM
H. R. 5777 -- To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes. [Requires information brokers to: (1) establish procedures to verify the accuracy of information that identifies individuals; (2) provide to individuals whose personal information it maintains a means to review it; (3) place notice on the Internet instructing individuals how to request access to such information; and (4) correct inaccurate information. Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information. Prohibits information brokers from obtaining or disclosing personal information by false pretenses (pretexting).]
Kids' Privacy
Date CapturedSunday November 01, 2009 09:40 PM
[Thanks to COPPA, sites have to get a parent’s permission if they want to collect or share your kids’ personal information, with only a few exceptions. That goes for information sites ask for up-front, and information your kids choose to post about themselves. Personal information includes your child’s full name, address, email address, or cell phone number. Under COPPA, sites also have to post privacy policies that give details about what kind of information they collect from kids — and what they might do with it (say, to send a weekly newsletter, direct advertising to them, or give the information to other companies). If a site plans to share the child’s information with another company, the privacy policy must say what that company will do with it. Links to the policies should be in places where they’re easy to spot. What Can You Do? Your kids’ personal information and privacy are valuable —to you, to them, and to marketers.] *****NOTE DISPARITY WITH PROTECTION PROVIDED UNDER FERPA.
FAIR INFORMATION PRACTICE PRINCIPLES
Date CapturedFriday October 30, 2009 11:08 AM
Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information -- their "information practices" -- and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices. Common to all of these documents [hereinafter referred to as "fair information practice codes"] are five core principles of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.
Education Marketing Group/ECRA LAWSUIT RE: SALE OF STUDENT INFORMATION
Date CapturedFriday October 30, 2009 10:15 AM
Parties Subject to Order ORDERED, ADJUDGED AND DECREED that this Consent Order and Judgment shall extend to Student Marketing Group, Inc. (“SMG”) and Educational Research Center of America, Inc. (“ERCA”), their successors, assignees, officers, agents, representatives, affiliates and employees and any other person under their direction or control, whether acting individually or in concert with others or through any corporate entity or device through which they may now or hereafter act or conduct business (collectively “respondents”).
Commission Extension of Deferral of Enforcement of the Identity Theft Red Flags Rule Until August 1, 2009
Date CapturedMonday May 04, 2009 04:43 PM
[The Federal Trade Commission (the “FTC” or “Commission”) is extending its deferral of enforcement of the Identity Theft Red Flags Rule to August 1, 2009. This rule was promulgated pursuant to § 114 of the Fair and Accurate Credit Transactions Act (“FACTA”). Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Identity Theft Red Flags Rule requires any of these entities that have “covered accounts” to develop and implement written identity theft prevention programs. The identity theft prevention programs must be designed to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. This rule applies to all entities that regularly permit deferred payments for goods or services, including entities such as health care providers, attorneys, and other professionals, as well as retailers and a wide range of businesses that invoice their customers.]
FTC Will Grant Three-Month Delay of Enforcement of ‘Red Flags’ Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs
Date Captured Monday May 04, 2009 04:38 PM
[The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.]
IE8's Cumbersome Privacy Controls May Discourage Use
Date Captured Monday March 23, 2009 04:06 PM
Patricia Resende writes [Microsoft's new IE8 features follow a warning to Internet browser makers from the Federal Trade Commission to self-regulate privacy issues or face regulation. Microsoft came under fire for its Passport feature as the Electronic Privacy Information Center and 14 other groups asked the FTC in 2001 to force a revision of the security standard on Passport. The groups alleged Microsoft violated the law by linking Windows XP with requests to sign up for Passport and misleading users to believe that Passport protected privacy when it instead tracked, profiled and monitored users.]
An Icon That Says They’re Watching You
Date Captured Thursday March 19, 2009 06:20 PM
NY Times Saul Hansell writes [Mr. Turow has developed a plan that is simpler and more comprehensive: Put an icon on each ad that signifies that the ad collects or uses information about users. If you click the icon, you will go to what he calls a “privacy dashboard” that will let you understand exactly what information was used to choose that ad for you. And you’ll have the opportunity to edit the information or opt out of having any targeting done at all. “I don’t think ‘Ads by Google’ is enough,” he said. “The problem with the whole rhetoric Google is using is that it is designed to stop you from wanting to learn more and do something.”]
Before the Federal Trade Commission Washington, DC 20580 In the Matter of Google, Inc. and Cloud Computing Services
Date Captured Tuesday March 17, 2009 06:48 PM
EPIC President Marc Rotenberg on Google and Cloud Computing [The recent growth of Cloud Computing Services signals an unprecedented shift of personal information from computers controlled by individuals to networks administered by corporations. Data breaches concerning Cloud Computing Services can result in great harm, which arises from the centralized nature of the services and large volume of information stored "in the cloud." Past data breaches have resulted in serious consumer injury, including identity theft. As a result of the popularity of Cloud Computing Services, data breaches on these services pose a heightened risk of identity theft. The FTC should hold accountable the purveyors of Cloud]
Behavioral Targeting: Not that Bad?! TRUSTe Survey Shows Decline in Concern for Behavioral Targeting
Date Captured Wednesday March 04, 2009 03:05 PM
Behavioral advertising still represents uncharted territory, without clearly applicable laws or regulations. In February, the Federal Trade Commission (FTC) published a set of guidelines (titled “Self-Regulatory Principles for Online Behavioral Advertising”) for companies collecting information on the actions of Internet users for the purpose of providing targeted advertising to them. The principles encourage self-regulatory action on the part of the companies themselves, specifically encouraging transparency and customer control, reasonable security and limited data retention for customer data. These principles have been criticized by privacy advocates, who assert that government should impose stricter laws rather than relying on companies to self-regulate.
Cable Companies Target Commercials to Audience
Date Captured Wednesday March 04, 2009 02:53 PM
NY Times STEPHANIE CLIFFORD [Cablevision matches households to demographic data to divide its customers, using the data-collection company Experian. Experian has data on individuals that it collects through public records, registries and other sources. It matches the name and address of the subscriber to what it knows about them, and assigns demographic characteristics to households. (The match is a blind one: advertisers do not know what name and address they are advertising to, Cablevision executives said.) Advertisers can also give their existing customer lists to Experian, and Experian can make matches — so G.M., for example, could direct an ad based on who already owns a G.M. car. Advertisers are willing to pay premiums for ads that go only to audiences they have selected.]
YouTube's new 'nocookie' feature continues to serve cookies
Date Captured Tuesday March 03, 2009 03:20 PM
CNET -- Chris Soghoian says [Those in the privacy community will likely pounce on this as evidence of Google's hypocrisy, while Google will likely respond by carefully parsing the definition of the phrase "non-session cookie" to not include Flash-cookie objects. Google might even argue that its Flash-based cookies do not contain unique tracking information (something this blogger is unable to verify, since the Adobe Flash Manager only allows you to delete, but not view the contents of a Flash cookie). One thing is clear. YouTube has advertised a new delayed cookie feature, and stated that it "does not send a cookie until the visitor plays the video." That message is further reinforced by the fact that the new cookie-lite embedded video players are served from a different domain name, youtube-nocookie.com. Yet a user visiting a page that includes one of these "delayed cookie" videos still ends up with a long term, non-session Flash cookie hidden away in the depths of their browser. Technical definitions of "cookie" versus "Flash cookie" aside, YouTube's "delayed cookie" feature simply fails to deliver on the company's promises.]
Protect Your Kids’ Privacy Online
Date Captured Tuesday March 03, 2009 03:06 PM
The Children’s Online Privacy Protection Act – COPPA – gives parents control over what information websites can collect from their kids. Any website for kids under 13, or any general site that collects personal information from kids it knows are under 13, is required to comply with COPPA. The Federal Trade Commission, the nation’s consumer protection agency, enforces this law.
FTC Online Privacy Guidelines Faulted
Date Captured Friday February 13, 2009 01:11 PM
Business Week -- Douglas MacMillan -- [On Feb. 12, the U.S. Federal Trade Commission issued guidelines designed to give consumers more information about how advertisers collect and use data about their Web surfing habits. Among the recommendations: Every site that follows Web-use patterns to tailor marketing messages, a practice known as behavioral targeting, should spell out how it is collecting data and give consumers the ability to opt out of targeting. The report also urges sites to keep collected data "as long as is necessary to fulfill a legitimate business or law enforcement need," inform users of any changes made to privacy policies, and only collect sensitive personal data—such as financial and health records—in cases where the user opts in.]
The F.T.C. Talks Tough on Internet Privacy
Date Captured Thursday February 12, 2009 07:20 PM
NY Times - Saul Hansell -- [In another rather striking challenge to industry dogma, the commission rejected the idea that if an Internet site doesn’t collect a user’s name or other “personally identifiable information,” it isn’t a threat to the user’s privacy. Advertising companies have defended their systems by saying they only associate data with cookies, the random identifying numbers they place in the browsers of users, and with Internet Protocol addresses, the numbers used in routing information to specific computers. “This kind of information can be a key piece to identifying an individual,” Ms. Harrington said. Internet companies, she added, “should be really clear in telling the consumer what is being collected, treat that information with care and probably treat it as information that can be used to identify a user.” ]
Response to the 2008 NAI Principles: The Network Advertising Initiative’s Self-Regulatory Code of Conduct for Online Behavioral Advertising
Date Captured Thursday February 12, 2009 06:43 PM
[CDT believes the 2008 NAI Principles, while late in addressing new trends in the industry, demonstrate clear progress over the original code of conduct adopted in 2000. The transparency of the NAI’s revision and compliance process, the approach to sensitive information, and the coverage of advertising practices beyond behavioral advertising all represent important steps forward. While robust self-regulation in the behavioral advertising space does not obviate the need for a baseline federal privacy law covering data collection and usage of all kinds, the NAI has made advances in several areas, yielding what we hope will be better protections for consumer privacy. However, the 2008 NAI Principles still come up short in crucial respects including the opt-out choice requirement, the notice standard, the NAI member accountability model, the failure to address ISP behavioral advertising, the lack of a choice requirement for multi-site advertising, and the data retention principle. Some of these are outstanding issues that have existed within the NAI framework since its inception, while others are new concerns raised by the updates to the principles.]
FTC Staff Revises Online Behavioral Advertising Principles
Date Captured Thursday February 12, 2009 06:19 PM
The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertising generally supports and personalization that many consumers appear to value. It also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected – including sensitive information regarding health, finances, or children – could fall into the wrong hands or be used for unanticipated purposes. Consistent with the FTC’s overall approach to consumer privacy, the report seeks to balance the potential benefits of behavioral advertising against the privacy concerns it raises, and to encourage privacy protections while maintaining a competitive marketplace.
Security In Numbers: Social Security Numbers and Identity Theft: A Federal Trade Commission Report Providing Recommendations On Social Security Number Use In the Private Sector
Date Captured Thursday December 18, 2008 05:57 PM
(December, 2008) Conclusion -- Since the creation of the SSN in 1936, the private sector increasingly has utilized it for various purposes – both as an identifier and an authenticator – because it is the only permanent, unique piece of information that most Americans have about themselves. The SSN’s use has expanded as organizations have adapted their business and record-keeping systems to utilize increasingly sophisticated automated data processing. The SSN has, over time, become an integral part of our financial system. As the private sector’s use of the SSN has grown, so too has its availability and value for identity thieves. The Commission believes that a number of actions could be taken to reduce the role of SSNs in identity theft, with emphasis on reducing the demand for SSNs by minimizing their value to identity thieves through improved authentication processes. Most importantly, the Commission recommends that Congress consider establishing national authentication standards for businesses that have consumer accounts and are not already subject to authentication requirements from other federal agencies. Because authentication can never be perfect, however, the Commission also recommends carefully targeted actions to limit the supply or availability of SSNs to identity thieves. Specifically, the Commission recommends that Congress consider prohibiting the display of SSNs on publicly-available documents, identification cards, and other materials that could potentially fall into the hands of identity thieves. The Commission also recommends that Congress set national safeguards and breach notification standards, because better-protected SSNs are less likely to fall into the hands of criminals. 
Finally, the Commission is committed to educating consumers on protecting their SSNs and businesses on reducing their use of SSNs, and recommends that the government and private sector entities explore information sharing and other cooperative efforts to achieve these goals. Together, these actions could substantially reduce the misuse of SSNs by identity thieves, while at the same time preserving the beneficial uses of SSNs in our economic system.
FTC Issues Report on Social Security Numbers and Identity Theft
Date Captured Thursday December 18, 2008 05:48 PM
The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities. “Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars,” the report states.

Fusion Centers

Comments of the World Privacy Forum to FTC, Nov. 6, 2009
Date Captured Thursday December 17, 2009 10:58 PM
Pam Dixon Executive Director, World Privacy Forum -- Re: Privacy Roundtables – Comment, Project No. P095416 - [The World Privacy Forum understands that businesses have a right to exist and to make money, and that advertising and marketing is part of the marketplace. But we also believe that there is not a reasonable balance right now between what data is being collected and used, and what consumers can do to manage that data and their privacy. There are no perfect solutions, but we think that a rights-based framework based on approaches contained in the Fair Credit Reporting Act and on Fair Information Practices will address many of the problems and help create solutions that are equitable for all stakeholders.]

GAO

INFORMATION RESELLERS Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace
Date Captured Thursday November 21, 2013 02:23 PM
What GAO Recommends: Congress should consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information. Any changes should seek to provide consumers with appropriate privacy protections without unduly inhibiting commerce and innovation. The Department of Commerce agreed that strengthened privacy protections could better protect consumers
MOBILE DEVICE LOCATION DATA: Additional Federal Actions Could Help Protect Consumer Privacy
Date Captured Friday October 12, 2012 06:02 PM
"Companies GAO examined disclosed in their privacy policies that the companies were collecting consumers' location data, but did not clearly state how the companies were using these data or what third parties they may share them with," GAO investigators wrote. "Furthermore, although policies stated that companies shared location data with third parties, they were sometimes vague about which types of companies these were and why they were sharing the data." Without clear information on exactly how companies use information, consumers "would be unable to effectively judge whether the uses of their location data might violate their privacy," the report concludes.
EMERGENCY COMMUNICATIONS: Various Challenges Likely to Slow Implementation of a Public Safety Broadband Network
Date Captured Thursday February 23, 2012 07:07 PM
GAO-12-343 Implementation of a Public Safety Broadband Network: To help ensure that public safety agencies are not overpaying for handheld communication devices, the Secretary of Homeland Security should work with federal and state partners to identify and communicate opportunities for joint procurement of public safety LMR devices.
K-12 Education: Many Challenges Arise in Educating Students Who Change Schools Frequently
Date Captured Monday December 20, 2010 09:20 PM
GAO-11-40 November 18, 2010 - The recent economic downturn, with foreclosures and homelessness, may be increasing student mobility.
K-12 EDUCATION - Selected Cases of Public and Private Schools That Hired or Retained Individuals with Histories of Sexual Misconduct
Date Captured Friday December 17, 2010 01:00 PM
GAO-11-200; GAO examined show that individuals with histories of sexual misconduct were hired or retained by public and private schools as teachers, support staff, volunteers, and contractors.
Many States Collect Graduates’ Employment Information, but Clearer Guidance on Student Privacy Requirements Is Needed
Date Captured Monday December 13, 2010 09:17 AM
GAO-10-927 - GAO recommends that Education clarify means by which states can collect and share graduates’ employment information under the Family Educational Rights and Privacy Act (FERPA) and establish a time frame for doing so. Education agreed with the recommendation.
OPM Should Better Monitor Implementation of Privacy-Related Policies and Procedures for Background
Date Captured Saturday October 09, 2010 11:00 AM
GAO-10-849 Privacy -- GAO is recommending that the Director of OPM (1) develop guidance for analyzing and mitigating privacy risks in privacy impact assessments, and (2) develop and implement oversight mechanisms for ensuring that investigators properly protect PII and that customer agencies adhere to agreed-upon privacy protection measures. OPM agreed with our recommendations.
Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information
Date Captured Tuesday September 28, 2010 02:51 PM
GAO-08-795T: In its report GAO identified alternatives that the Congress should consider, including revising the scope of privacy laws to cover all personal information, requiring that the use of such information be limited to a specific purpose, and revising the structure and publication of privacy notices.
Privacy flags raise concern for graduate students
Date Captured Thursday March 11, 2010 09:24 PM
by Katie Perkowski - [Undergraduate students are not the only ones concerned with personal information available through UK’s online people search — now, graduate students are voicing their concern, too. Members of UK’s graduate school have recently voiced concern about their information like home address and home telephone number being available on the UK Web site without their knowledge, said English teaching assistant Jesslyn Collins-Frohlich.]
Commercial Activities in Schools: Use of Student Data is Limited and Additional Dissemination of Guidance Could Help Districts Develop Policies
Date Captured Thursday March 12, 2009 03:16 PM
GAO -- Recommendation: The Secretary of Education should take additional action to assist districts in understanding that they are required to have specific policies in place for the collection, disclosure, and use of student information for marketing and selling purposes by disseminating its guidance to state school boards associations.
DOD’s and VA’s Sharing of Information
Date Captured Friday January 30, 2009 10:11 AM
(GAO-09-268) In the more than 10 years since DOD and VA began collaborating to electronically share health information, the two departments have increased interoperability. Nevertheless, while the departments continue to make progress, the manner in which they report progress—by reporting increases in interoperability over time—has limitations. These limitations are rooted in the departments’ plans, which identify interoperable capabilities to be implemented, but lack the results-oriented (i.e., objective, quantifiable, and measurable) goals and associated performance measures that are a necessary basis for effective management. Without establishing results-oriented goals, then reporting progress using measures relative to the established goals, the departments and their stakeholders do not have the comprehensive picture that they need to effectively manage their progress toward achieving increased interoperability. Further constraining the departments’ management effectiveness is their slow pace in addressing our July 2008 recommendation related to setting up the interagency program office that Congress called for to function as a single point of accountability in the development and implementation of electronic health record capabilities.
CYBER ANALYSIS AND WARNING - DHS Faces Challenges in Establishing a Comprehensive National Capability
Date Captured Tuesday September 23, 2008 10:15 AM
GAO 08-588: We recommend that the Secretary of Homeland Security take four actions to fully establish a national cyber analysis and warning capability. Specifically, the Secretary should address deficiencies in each of the attributes identified for • monitoring, including establish a comprehensive baseline understanding of the nation’s critical information infrastructure and engage appropriate nonfederal stakeholders to support a national-level cyber monitoring capability; • analysis, including expanding its capabilities to investigate incidents; • warning, including ensuring consistent notifications that are targeted, actionable, and timely; and • response, including ensuring that US-CERT provides assistance in the mitigation of and recovery from simultaneous severe incidents, including incidents of national significance. We also recommend that the Secretary address the challenges that impede DHS from fully implementing the key attributes, including the following 6 items: • engaging appropriate stakeholders in federal and nonfederal entities to determine ways to develop closer working and more trusted relationships; • expeditiously hiring sufficiently trained cyber analysts and developing strategies for hiring and retaining highly qualified cyber analysts; • identifying and acquiring technological tools to strengthen cyber analytical capabilities and handling the steadily increasing workload; • developing predictive analysis capabilities by defining terminology, methodologies, and indicators, and engaging appropriate stakeholders in other federal and nonfederal entities; • filling key management positions and developing strategies for hiring and retaining those officials; and • ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities, including the Office of Cybersecurity and Communications and the National Cybersecurity Center.
Alternatives Exist for Enhancing Protection of Personally Identifiable Information
Date Captured Saturday June 21, 2008 08:57 PM
Highlights of GAO-08-536, a report to congressional requesters: In assessing the appropriate balance between the needs of the federal government to collect personally identifiable information for programmatic purposes and the assurances that individuals should have that their information is being sufficiently protected and properly used, Congress should consider amending applicable laws, such as the Privacy Act and the E-Government Act, according to the alternatives outlined in this report, including: • revising the scope of the laws to cover all personally identifiable information collected, used, and maintained by the federal government; • setting requirements to ensure that the collection and use of personally identifiable information is limited to a stated purpose; and • establishing additional mechanisms for informing the public about privacy protections by revising requirements for the structure and publication of public notices.
PRIVACY -- Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information
Date Captured Wednesday June 18, 2008 05:09 PM
In its report GAO identified alternatives that the Congress should consider, including revising the scope of privacy laws to cover all personal information, requiring that the use of such information be limited to a specific purpose, and revising the structure and publication of privacy notices. OMB commented that the Congress should consider these alternatives in the broader context of existing privacy and related statutes.
Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown
Date Captured Thursday June 05, 2008 07:03 PM
GAO-07-737 -- There are two primary forms of identity theft. First, identity thieves can use financial account identifiers, such as credit card or bank account numbers, to take over an individual’s existing accounts to make unauthorized charges or withdraw money. Second, thieves can use identifying data, which can include such things as SSNs and driver’s license numbers, to open new financial accounts and incur charges and credit in an individual’s name, without that person’s knowledge. This second form of identity theft is potentially the most damaging because, among other things, it can take some time before a victim becomes aware of the problem, and it can cause substantial harm to the victim’s credit rating. While some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records.

Geo-Tagging

Cybercasing the Joint: On the Privacy Implications of Geo-Tagging
Date Captured Thursday August 12, 2010 02:40 PM
Gerald Friedland (International Computer Science Institute) and Robin Sommer (Lawrence Berkeley National Laboratory) [This article aims to raise awareness of a rapidly emerging privacy threat that we term cybercasing: using geo-tagged information available online to mount real-world attacks. While users typically realize that sharing locations has some implications for their privacy, we provide evidence that many (i) are unaware of the full scope of the threat they face when doing so, and (ii) often do not even realize when they publish such information.] [Often, however, users do not even realize that their files contain location information. For example, Apple’s iPhone 3G embeds high-precision geo-coordinates with all photos and videos taken with the internal camera unless explicitly switched off in the global settings.]

Health and Human Services (HHS)

Federal departments fall short on civil liberties
Date Captured Tuesday January 27, 2009 10:14 AM
By Peter Eisler, USA TODAY - [WASHINGTON — The departments of Defense, State, and Health and Human Services have not met legal requirements meant to protect Americans' civil liberties, and a board that's supposed to enforce the mandates has been dormant since 2007, according to federal records. All three departments have failed to comply with a 2007 law directing them to appoint civil liberties protection officers and report regularly to Congress on the safeguards they use to make sure their programs don't undermine the public's rights and privacy, a USA TODAY review of congressional filings shows.]
Rethinking the Role of Consent in Protecting Health Information Privacy
Date Captured Tuesday January 27, 2009 09:52 AM
CDT is advocating for the inclusion of privacy protections in the President's economic stimulus bill, which contains at least $20 billion for a national health information technology network. CDT's paper argues that personal health information should easily flow for treatment, payment, and certain core administrative tasks without requiring patient consent, but that stricter limits need to be placed on marketing and other secondary uses. January 26, 2009. This paper advocates for a new generation of privacy protections that allow personal health information to flow among health care entities for treatment, payment, and certain core administrative tasks without first requiring patient consent, as long as there is a comprehensive framework of rules that governs access to and disclosure of health data. Patient consent is one important element of this framework, but relying on consent would do little to protect privacy. This paper also suggests how a framework of protections can provide patients with more meaningful opportunities to make informed choices about sharing their personal health information online.

Healthcare

Health care meets social networking
Date Captured Thursday January 22, 2009 03:59 PM
Jacksonville Business Journal - Kimberly Morrison -- [Mayo Clinic, which has a campus in Jacksonville, has come a long way in just a few years, since adding a Facebook page with more than 3,000 friends, a YouTube channel with videos of doctors talking about illness, treatments and research, a health blog for consumers and another for media to improve the process of medical reporting. It’s also creating “secret groups” on Facebook to connect patients to others with similar illnesses, an area it hopes to expand in the future. But that’s just the tip of the iceberg in the brave new world of Health 2.0.]

Higher Education

Some questions raised over release of student info (North Dakota)
Date Captured Tuesday March 08, 2011 04:54 PM
[North Dakota: High schools across the state would be required to give names, addresses and phone numbers of their students to the State Board of Higher Education under a proposed Senate bill.] [Several committee members expressed concern about the additional information and wanted to make sure parents would be fully aware of what information was being requested before opting out. That view also was shared by Bev Nielson of the North Dakota School Boards Association.]
Many States Collect Graduates’ Employment Information, but Clearer Guidance on Student Privacy Requirements Is Needed
Date Captured Monday December 13, 2010 09:17 AM
GAO-10-927 - GAO recommends that Education clarify means by which states can collect and share graduates’ employment information under the Family Educational Rights and Privacy Act (FERPA) and establish a time frame for doing so. Education agreed with the recommendation.
Delta College trustees won't add more student information to campus directory
Date Captured Thursday March 18, 2010 01:34 PM
By Andrew Dodson | The Bay City Times - [Currently, information on Delta College students that is readily available, unless they have opted out, includes their name, degree, address, awards, dates attended, program, participation in activities, enrollment, e-mail and weight and height for members of athletic teams. Higgs argued that the college should have more items on file, including a student photo, whether or not that student is full or part time and a phone number. "That's what the courts look to," said Higgs. "Our policy doesn't have those things and it should." Other board members disagreed, saying that more data collecting isn't required and isn't worth the time. They voted against the plan 8-1.]
H.R.6. Higher Education Amendments of 1998
Date CapturedMonday March 08, 2010 06:54 PM
An Act - To extend the authorization of programs under the Higher Education Act of 1965, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) SHORT TITLE.—This Act may be cited as the ‘‘Higher Education Amendments of 1998’’.
Quinn Emanuel Brochure Spills Value of Confidential Facebook Settlement
Date CapturedWednesday February 11, 2009 07:17 PM
The Reporter - Zusha Elinson -- [Facebook paid the founders of ConnectU $65 million to settle lawsuits accusing Facebook CEO Mark Zuckerberg of stealing the idea for the wildly successful social-networking Web site, according to a law firm's marketing brochure. Lawyers in the heavyweight fight had expended great effort to keep the settlement secret -- even going as far as persuading a judge to clear the courtroom of reporters on one occasion. But ConnectU's former lawyers from Quinn Emanuel Urquhart Oliver & Hedges published the settlement amount in a firm advertisement trumpeting the firm's prowess.] [The ConnectU dispute got started at Harvard, where ConnectU's founders, Cameron and Tyler Winklevoss and Divya Narendra hired fellow student Zuckerberg to work on code for a dating Web site for Harvard students. They sued Facebook in 2004, accusing Zuckerberg of delaying the project while using the information to start his own Web site. He quit Harvard and moved to Palo Alto, Calif., to start the company. ConnectU's lawyers argued that it amounted to trade secret theft and copyright infringement. Last February, Facebook agreed to settle the matter by paying to acquire ConnectU.]
Student Information Not For Sale At UW-Marathon County
Date CapturedWednesday February 11, 2009 07:06 PM
Wsaw.com reporter: Margo Spann -- [Private companies looking to sell or market products to college students are buying information about them directly from their schools. The Assistant Director of Student Services at UW Marathon County Annette Hackbarth-Onson says federal law allows colleges to sell information about their students. She says companies are often looking to buy students' names, birth dates, and email addresses.]
Family Educational Rights and Privacy; Final Rule
Date CapturedTuesday December 09, 2008 07:02 PM
FR Doc E8-28864 [Federal Register: December 9, 2008 (Volume 73, Number 237)] [Rules and Regulations] [Page 74805-74855] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr09de08-8]
Thurston cameras not a privacy violation
Date CapturedThursday December 04, 2008 05:06 PM
Amanda Crowe, a freshman majoring in international affairs and Hatchet columnist, says [Authoritarianism prevents personal freedoms, these cameras do not. Students are free to do as they wish, as long as they follow the law and University rules. These laws and rules are what you agree to when you live in this country and go to this school. So what's there to hide?]
Mobile phones demystify commuter rat race
Date CapturedSaturday June 07, 2008 05:04 PM
Blog responds to this controversial academic research.
Study secretly tracks cellphone users
Date CapturedThursday June 05, 2008 03:01 PM
AP reports, "Researchers secretly tracked the locations of 100,000 people outside the United States through their cellphone use and concluded that most people rarely stray more than a few miles from home. The first-of-its-kind study by Northeastern University raises privacy and ethical questions for its monitoring methods, which would be illegal in the United States."
EDUCAUSE
Date CapturedTuesday June 03, 2008 08:26 PM
EDUCAUSE is a nonprofit association and good source of information about FERPA and higher education.
Huge Databases Offer a Research Gold Mine — and Privacy Worries
Date CapturedTuesday June 03, 2008 08:14 PM
By DAVID GLENN from the issue dated May 9, 2008 Chronicle of Higher Education, "Researchers have used the new databases to study many issues, including which high-school math courses are most important for college success and how exposure to adjunct instructors affects student retention. But the new education databases create obvious challenges for protecting student privacy — which is one reason most states have been slow to build them. Florida's education department takes elaborate steps to 'de-identify' its information before handing it to outside researchers. Despite those efforts, nervous officials in other states look at a system like Florida's and worry about potential violations of the Family Educational Rights and Privacy Act, or Ferpa. In March the U.S. Department of Education proposed new Ferpa regulations that might clarify the ground rules for the use of such databases, but it is far from certain that the new rules will make states more comfortable with the projects." http://chronicle.com -- Section: The Faculty -- Volume 54, Issue 35, Page A10
Guidelines for Working with Law Enforcement Agencies
Date CapturedWednesday August 08, 2007 12:15 PM
By Michael Corn. EQ -- Volume 30 Number 3 2007. Checklist: * Create a policy to address the handling of all legal documents. * Form a team consisting of the security officer, legal counsel, and campus police. * Put campus legal counsel on your telephone speed-dial. * Meet with provost and/or chancellor to discuss law enforcement requests and investigations. * Review and document the salient features of your environment, including your institutional policies on data release and retention. * Understand your obligations with regard to confidentiality. * Discuss with the agent(s) in charge of an investigation whom you wish to inform of the investigation and why. * Work with the agent(s) in charge of an investigation to review what they are looking for and what will not be useful to them. * Develop internal procedures that control the materials and information of legally restricted information. Buy a safe for storing legal materials. * Work with law enforcement agents to better understand your environment and narrow the scope of information requests.

HIPAA

Privacy and Security Developments 2014 Issue 01
Date CapturedMonday November 24, 2014 06:23 AM
Privacy and Security Developments is a periodic briefing of new cases, statutes, articles, books, resources, and other developments. It is authored by Professors Daniel J. Solove and Paul M. Schwartz.
Proposed Changes to Common Rule (2011)
Date CapturedSaturday November 15, 2014 07:44 AM
Proposed Changes to Common Rule: The 3 most important responses related to data privacy - The proposed ban on re-identification would drive re-identification methods further into hidden, commercial activities and deprive the public, the research community and policy makers of knowledge about re-identification risks and potential harms to the public. The de-identification provisions of the HIPAA Privacy Rule do not take advantage of advances in data privacy or the nuances it provides in terms of dealing with different kinds of data and finely matching sensitivity to risk. There needs to be a channel for NCHS, NIST or a professional data privacy body to operationalize research results so that real-world data sharing decisions rely on the latest guidelines and best practices.
Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data
Date CapturedFriday November 14, 2014 07:01 AM
Deven McGraw; The aim of this paper is to summarize concerns with the de-identification standard and methodologies established under the Health Insurance Portability and Accountability Act (HIPAA) regulations, and report some potential policies to address those concerns that were discussed at a recent workshop attended by industry, consumer, academic and research stakeholders. Center for Democracy & Technology, 1634 I Street, NW Suite 1100, Washington, DC 20006, USA; deven@cdt.org J Am Med Inform Assoc 2013;20:29-34 doi:10.1136/amiajnl-2012-000936
Latanya Arvette Sweeney, Ph.D.cv
Date CapturedSaturday November 08, 2014 07:37 PM
Latanya Arvette Sweeney, Ph.D. Professor of Government and Technology in Residence Department of Government Director, Data Privacy Lab dataprivacylab.org/ Harvard University 1737 Cambridge Street, CGIS K310 Cambridge, MA 02138
Latanya Sweeney, Ph.D.
Date CapturedSaturday November 08, 2014 07:31 PM
I think Latanya Sweeney may be back at Harvard
The Importance of Disaggregating Student Data
Date CapturedSaturday November 08, 2014 08:26 AM
Common characteristics used to disaggregate data include (Boeke, 2012): Race/ethnicity (country of origin); Generation status (i.e. first, second, etc. generation or recently arrived); Immigrant/refugee status (refugee status often means people are eligible for certain services); Age group; Gender; Grade; Geographic (within a state there is often enough data to compare school district data versus a state comparison to a national average); Sexual orientation; Free or reduced lunch status (as a SES indicator); Insurance status
Does de-identification work or not?
Date CapturedThursday November 06, 2014 09:20 AM
About the author: Daniel C. Barth-Jones, M.P.H., Ph.D., is a HIV and Infectious Disease Epidemiologist on the faculty at the Mailman School of Public Health at Columbia University. His work in the area of statistical disclosure control and implementation under the HIPAA Privacy Rule provisions for de-identification is focused on the importance of properly balancing competing goals of protecting patient privacy and preserving the accuracy of scientific research and statistical analyses conducted with de-identified data.
The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now
Date CapturedThursday November 06, 2014 09:00 AM
Barth-Jones, Daniel C., The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now (June 4, 2012).
Identifying Violence-prone Students
Date CapturedThursday January 13, 2011 02:02 PM
The fine line higher education officials walk in dealing with troubled students is discussed.
Personal Health Information Privacy
Date CapturedSunday January 10, 2010 04:42 PM
News about medical and electronic health privacy risk.
Bill would make prescription data private
Date CapturedTuesday January 27, 2009 10:25 AM
["The sharing of prescription information for marketing purposes without consent violates the spirit of privacy law, and destroys the confidentiality of the doctor-patient relationship," said Leigh Sims, a spokeswoman for the coalition behind the bill. HIPAA allows states to pass stronger privacy protections.] [To fight this, Rep. Jamie Pedersen (D-Seattle) and others have introduced House Bill 1493 to close the loophole. Advocates say the change would protect thousands of patients at no cost to taxpayers.]
Washington state bill would make prescription data private
Date CapturedTuesday January 27, 2009 10:25 AM
["The sharing of prescription information for marketing purposes without consent violates the spirit of privacy law, and destroys the confidentiality of the doctor-patient relationship," said Leigh Sims, a spokeswoman for the coalition behind the bill. HIPAA allows states to pass stronger privacy protections.] [To fight this, Rep. Jamie Pedersen (D-Seattle) and others have introduced House Bill 1493 to close the loophole. Advocates say the change would protect thousands of patients at no cost to taxpayers.]
Health care meets social networking
Date CapturedThursday January 22, 2009 03:59 PM
Jacksonville Business Journal - Kimberly Morrison -- [Mayo Clinic, which has a campus in Jacksonville, has come a long way in just a few years, since adding a Facebook page with more than 3,000 friends, a YouTube channel with videos of doctors talking about illness, treatments and research, a health blog for consumers and another for media to improve the process of medical reporting. It’s also creating “secret groups” on Facebook to connect patients to others with similar illnesses, an area it hopes to expand in the future. But that’s just the tip of the iceberg in the brave new world of Health 2.0.]
What Every American Needs to Know about the HIPAA Medical Privacy Rule* -- Updated November 2008
Date CapturedSunday January 18, 2009 09:39 PM
By Sue A. Blevins, president of the Institute for Health Freedom and Robin Kaigh, Esq., an attorney dedicated to patients’ health privacy rights. [Did you know that under the federal HIPAA (Health Insurance Portability and Accountability Act of 1996) medical privacy rule, your personal health information—including past records and genetic information—can be disclosed without your consent to large organizations such as the following? Data-processing companies; Insurers; Researchers (in some instances); Hospitals; Doctors (even those not treating you); Law enforcement officials; Public health officials; Federal government.]
Privacy Issue Complicates Push to Link Medical Data
Date CapturedSunday January 18, 2009 05:39 PM
NY Times By ROBERT PEAR [“Until people are more confident about the security of electronic medical records,” Mr. Whitehouse said, “it’s vitally important that we err on the side of privacy.” The data in medical records has great potential commercial value. Several companies, for example, buy and sell huge amounts of data on the prescribing habits of doctors, and the information has proved invaluable to pharmaceutical sales representatives. “Health I.T. without privacy is an excellent way for companies to establish a gold mine of information that can be used to increase profits, promote expensive drugs, cherry-pick patients who are cheaper to insure and market directly to consumers,” said Dr. Deborah C. Peel, coordinator of the Coalition for Patient Privacy, which includes the American Civil Liberties Union among its members.]
Secretary Leavitt Announces New Principles, Tools to Protect Privacy, Encourage More Effective Use of Patient Information to Improve Care
Date CapturedThursday December 18, 2008 05:11 PM
The privacy principles articulated by Secretary Leavitt are as follows: Individual Access – Consumers should be provided with a simple and timely means to access and obtain their personal health information in a readable form and format. Correction – Consumers should be provided with a timely means to dispute the accuracy or integrity of their personal identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied. Consumers also should be able to add to and amend personal health information in products controlled by them such as personal health records (PHRs). Openness and Transparency -- Consumers should have information about the policies and practices related to the collection, use and disclosure of their personal information. This can be accomplished through an easy-to-read, standard notice about how their personal health information is protected. This notice should indicate with whom their information can or cannot be shared, under what conditions and how they can exercise choice over such collections, uses and disclosures. In addition, consumers should have reasonable opportunities to review who has accessed their personal identifiable health information and to whom it has been disclosed. Individual Choice -- Consumers should be empowered to make decisions about with whom, when, and how their personal health information is shared (or not shared). Collection, Use, and Disclosure Limitation – It is important to limit the collection, use and disclosure of personal health information to the extent necessary to accomplish a specified purpose. The ability to collect and analyze health care data as part of a public good serves the American people and it should be encouraged. But every precaution must be taken to ensure that this personal health information is secured, deidentified when appropriate, limited in scope and protected wherever possible. 
Data Integrity – Those who hold records must take reasonable steps to ensure that information is accurate and up-to-date and has not been altered or destroyed in an unauthorized manner. This principle is tightly linked to the correction principle. A process must exist in which, if consumers perceive a part of their record is inaccurate, they can notify their provider. Of course the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers that right, but this principle should be applied even where the information is not covered by the Rule. Safeguards – Personal identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. Accountability – Compliance with these principles is strongly encouraged so that Americans can realize the benefit of electronic health information exchange. Those who break rules and put consumers’ personal health information at risk must not be tolerated. Consumers need to be confident that violators will be held accountable.
The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
Date CapturedThursday December 18, 2008 04:56 PM
The principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information below establish a single, consistent approach to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation’s adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a netwo
Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records (ID: CSD5578)
Date CapturedThursday December 04, 2008 04:36 PM
The HIPAA Privacy Rule specifically excludes from its coverage those records that are protected by FERPA. At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district. Some schools may receive a grant from a foundation or government agency to hire a nurse. Notwithstanding the source of the funding, if the nurse is hired as a school official (or contractor), the records maintained by the nurse or clinic are “education records” subject to FERPA.
Medical Blogs May Threaten Patient Privacy
Date CapturedFriday August 08, 2008 04:57 PM
US News and World Report -- "In some cases, patients described in medical blogs may be able to identify themselves, the researchers said. For example, three of the blogs in the study had recognizable photos of patients, including one with an extensive description of the patient and links to photos. The researchers also found that some of the medical blogs allowed advertisements, and some promoted health-care products within the blog text. None of the bloggers who described products within the text adhered to medical ethics standards of providing information on conflicts of interest, or whether payment was received for promotion of the products. The study was published online in the Journal of General Internal Medicine." (Dr. Tara Lagu, Robert Wood Johnson Foundation Clinical Scholar, and colleagues at the University of Pennsylvania)
CDT Testimony before House Health Subcommittee, June 04, 2008
Date CapturedWednesday June 04, 2008 04:20 PM
CDT Testimony Supports Draft Health Information Legislation -- We need a comprehensive privacy and security framework that is based on fair information practices (i.e., the Markle Foundation Common Framework) and sets clear guidelines for use and disclosure of electronic health information. The framework should build on HIPAA and incorporate protections for health information held by non-health care entities. CDT today testified before the House Health Subcommittee in support of draft legislation regarding health information technology and privacy legislation. CDT supports the draft language because it takes critical steps toward the goal of a comprehensive privacy and security framework, and targets many of the key issues raised by the new e-health environment. CDT urged the Subcommittee to develop this framework by building on the HIPAA Privacy and Security Rules. CDT also recommended including strong protections for health information held, or managed on behalf of consumers, by employers and companies not part of the traditional health care system.
Personal Health Records: Why Many PHRs Threaten Privacy
Date CapturedMonday June 02, 2008 05:26 PM
Prepared by Robert Gellman for the World Privacy Forum - "Significant privacy consequences of PHRs not covered under HIPAA can include: • Health records in a PHR may lose their privileged status. • PHR records can be more easily subpoenaed by a third party than health records covered under HIPAA. • Identifiable health information may leak out of a PHR into the marketing system or to commercial data brokers. • In some cases, the information in a non-HIPAA covered PHR may be sold, rented, or otherwise shared. • It may be easier for consumers to accidentally or casually authorize the sharing of records in a PHR. • Consumers may think they have more control over the disclosure of PHR records than they actually do. • The linkage of PHR records from different sources may be embarrassing, cause family problems, or have other unexpected consequences. • Privacy protections offered by PHR vendors may be weaker than consumers expect and may be subject to change without notice or consumer consent."
Hospitals, patients clash on privacy rights
Date CapturedMonday June 02, 2008 03:45 PM
"California has a medical privacy act 'designed to prevent patients from being used as a marketing database,' said San Francisco attorney Khaldoun Baghdadi, who has handled claims from patients who believe their privacy has been violated. 'If that medical information was disclosed negligently, each patient can be awarded $1,000 per violation.'"

History Sniffing

An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications
Date CapturedMonday January 03, 2011 09:11 PM
Dongseok Jang; Ranjit Jhala; Sorin Lerner; Hovav Shacham - Dept. of Computer Science and Engineering University of California, San Diego, USA : {d1jang,jhala,lerner,hovav}@cs.ucsd.edu -- [Our JavaScript information flow framework found many interesting privacy-violating information flows including 46 cases of real history sniffing over the Alexa global top 50,000 websites, despite some incompleteness. One direction for future work is a larger scale study on privacy-violating information flows. Such a study could perform a deeper crawl of the web, going beyond the front-pages of web sites, and could look at more kinds of privacy-violating information flows. Moreover, we would also like to investigate the prevalence of security attacks led by privacy-violating information flows like phishing and request forgery] [...we believe that with careful and extensive engineering efforts, there is a possibility that our framework could lead to a practical protection mechanism.]

Homeless Students

K-12 Education: Many Challenges Arise in Educating Students Who Change Schools Frequently
Date CapturedMonday December 20, 2010 09:20 PM
GAO-11-40 November 18, 2010 - The recent economic downturn, with foreclosures and homelessness, may be increasing student mobility.

html5

Wright: Erosion of privacy may save journalism
Date CapturedWednesday October 20, 2010 08:57 PM
sfnblog.com -- Posted by Leah McBride Mensching - [HTML 5, the latest version of code used to create websites, is expected to further erode users' privacy, by letting sites know where users are physically located, as well as better track browsing histories. Consumer activists and privacy advocates are certain to be against these privacy threats, but those in the journalism world may find it to be their "salvation," writes The New York Times's Robert Wright.]
html5
Date CapturedWednesday October 20, 2010 07:42 PM
HTML5 is a new version of HTML and XHTML. The HTML5 draft specification defines a single language that can be written in HTML and XML. It attempts to solve issues found in previous iterations of HTML and addresses the needs of Web Applications, an area previously not adequately covered by HTML.

ID

"REAL ID Implementation Review: Few Benefits, Staggering Costs"
Date CapturedTuesday June 03, 2008 02:35 PM
EPIC: The final rule includes few protections for individual privacy and security in its massive national identification database. It harms national security by creating yet another “trusted” credential for criminals to exploit. The Department of Homeland Security has faced so many obstacles with the REAL ID system that the agency now plans an implementation deadline of 2017 – nine years later than the 2008 statutory deadline. It is an unfunded mandate that would cost billions, with the burden ultimately being placed on the individual taxpayer. Technical experts familiar with the challenges of privacy protection and identification presented the Department of Homeland Security with a variety of recommendations that would have minimized the risks of the REAL ID system. The DHS made some modifications, but left the essential system in place. As REAL ID currently stands, the costs are many and the benefits are few. Public opposition to implementation is understandable.
N.Y. opts for hybrid driver’s licenses
Date CapturedTuesday June 03, 2008 02:03 PM
Washington Technology reports, "Some of the enhanced licenses have been controversial because of privacy concerns. Washington, which was the first state to begin producing the new licenses, includes a radio frequency identification microchip on the licenses. The RFID chips, which can be read wirelessly from 20 feet to 30 feet away, have been criticized for their potential to be scanned without authorization, risking identity theft and loss of privacy. It is not clear whether New York’s licenses will include the RFID chip. Information was not immediately available from a spokesman for the state Department of Motor Vehicles."
Identification and Authentication Resource Page
Date CapturedMonday June 02, 2008 03:13 PM
This is a resource page in connection with the Center for American Progress report “The ID Divide: Addressing the Problems of Identification and Authentication in American Society,” by Peter P. Swire and Cassandra Q. Butts.
The ID Divide -- Addressing the Challenges of Identification and Authentication in American Society
Date CapturedMonday June 02, 2008 03:03 PM
By Peter Swire, Cassandra Q. Butts. "Our report first explores the background of the issue, including the sharp rise in recent years in how often Americans are asked for proof of identity. We then examine the facts of the ID Divide in detail, identifying at least four important types of problems: A large population affected by identity theft and data breaches; The growing effects of watch lists; Specific groups that disproportionately lack IDs today; The effects of new and stricter ID and matching requirements."

Identity Theft

ID THEFT RESOURCES
Date CapturedFriday February 01, 2013 08:50 PM
Identity Theft Reported by Households, 2005-2010
Date CapturedMonday December 05, 2011 11:06 AM
Lynn Langton - In 2010, 7.0% of households in the United States, or about 8.6 million households, had at least one member age 12 or older who experienced one or more types of identity theft victimization. Among households in which at least one member experienced one or more types of identity theft, 64.1% experienced the misuse or attempted misuse of an existing credit card account in 2010. From 2005 to 2010, the percentage of all households with one or more type of identity theft that suffered no direct financial loss increased from 18.5% to 23.7%.
PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION on CHILD IDENTITY THEFT
Date CapturedFriday September 02, 2011 09:38 PM
PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION Before the SUBCOMMITTEE ON SOCIAL SECURITY of the HOUSE COMMITTEE ON WAYS AND MEANS on Child Identity Theft Field Hearing Plano, Texas September 1, 2011; EXCERPT: A. The Child Identity Theft Forum Discussions [They noted that identity thieves often steal children’s information from schools, businesses, and government agencies.]
FTC CONSUMER ALERT: Protecting Your Child's Personal Information at School
Date CapturedFriday September 02, 2011 06:10 PM
[Ask your child's school about its directory information policy. Student directory information can include your child's name, address, date of birth, telephone number, email address, and photo. FERPA requires schools to notify parents and guardians about their school directory policy, and give you the right to opt-out of the release of directory information to third parties. It's best to put your request in writing and keep a copy for your files. If you don't opt-out, directory information may be available not only to the people in your child's class and school, but also to the general public.]
Stolen Futures: A Forum on Child Identity Theft July 12, 2011
Date CapturedMonday July 25, 2011 05:26 PM
Session 3 TRANSCRIPT - Securing Children’s Data in the Educational System: Steven Toporoff - Federal Trade Commission. PANELISTS: Kathleen Styles, U.S. Department of Education; Michael Borkoski, Howard County Maryland Public Schools; Larry Wong, Montgomery County Maryland Public Schools; Richard Boyle ECMC, Denny Shaw i-SAFE, Inc. [This panel will explore the Family Educational Rights and Privacy Act (FERPA) and initiatives to protect children’s personal information in school systems. We will also explore lessons learned from a high-profile data breach involving student information. Finally, the panel will discuss outreach efforts to teach children, teachers, youth counselors, and school administrators about privacy and securing children’s personal information.]
Stolen Futures: A Forum on Child Identity Theft July 12, 2011
Date CapturedWednesday July 20, 2011 06:12 PM
TRANSCRIPT SESSION ONE: Stolen Futures: A Forum on Child Identity Theft July 12, 2011; The Federal Trade Commission (FTC) and the Office for Victims Rights (OVC), Office of Justice Programs, U.S. Department of Justice, will hold a forum to discuss child identity theft. Government, business, non-profit, legal service providers, and victim advocates will explore the nature of child identity theft, including foster care identity theft and identity theft within families, with the goal of advising parents and victims on how to prevent the crime and how to resolve child identity theft problems.
Commission Extension of Deferral of Enforcement of the Identity Theft Red Flags Rule Until August 1, 2009
Date CapturedMonday May 04, 2009 04:43 PM
[The Federal Trade Commission (the “FTC” or “Commission”) is extending its deferral of enforcement of the Identity Theft Red Flags Rule to August 1, 2009. This rule was promulgated pursuant to § 114 of the Fair and Accurate Credit Transactions Act (“FACTA”). Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Identity Theft Red Flags Rule requires any of these entities that have “covered accounts” to develop and implement written identity theft prevention programs. The identity theft prevention programs must be designed to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. This rule applies to all entities that regularly permit deferred payments for goods or services, including entities such as health care providers, attorneys, and other professionals, as well as retailers and a wide range of businesses that invoice their customers.]
FTC Will Grant Three-Month Delay of Enforcement of ‘Red Flags’ Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs
Date CapturedMonday May 04, 2009 04:38 PM
[The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.]
New York State Consumer Protection Board (CPB)
Date CapturedFriday December 26, 2008 05:07 PM
The Consumer Protection Board, established in 1970 by the New York State Legislature, is the State's top consumer watchdog and "think tank." The CPB's core mission is to protect New Yorkers by publicizing unscrupulous and questionable business practices and product recalls; conducting investigations and hearings; enforcing the "Do Not Call Law"; researching issues; developing legislation; creating consumer education programs and materials; responding to individual marketplace complaints by securing voluntary agreements; and, representing the interests of consumers before the Public Service Commission (PSC) and other State and federal agencies.
Security In Numbers: Social Security Numbers and Identity Theft: A Federal Trade Commission Report Providing Recommendations On Social Security Number Use In the Private Sector
Date CapturedThursday December 18, 2008 05:57 PM
(December, 2008) Conclusion -- Since the creation of the SSN in 1936, the private sector increasingly has utilized it for various purposes – both as an identifier and an authenticator – because it is the only permanent, unique piece of information that most Americans have about themselves. The SSN’s use has expanded as organizations have adapted their business and record-keeping systems to utilize increasingly sophisticated automated data processing. The SSN has, over time, become an integral part of our financial system. As the private sector’s use of the SSN has grown, so too has its availability and value for identity thieves. The Commission believes that a number of actions could be taken to reduce the role of SSNs in identity theft, with emphasis on reducing the demand for SSNs by minimizing their value to identity thieves through improved authentication processes. Most importantly, the Commission recommends that Congress consider establishing national authentication standards for businesses that have consumer accounts and are not already subject to authentication requirements from other federal agencies. Because authentication can never be perfect, however, the Commission also recommends carefully targeted actions to limit the supply or availability of SSNs to identity thieves. Specifically, the Commission recommends that Congress consider prohibiting the display of SSNs on publicly-available documents, identification cards, and other materials that could potentially fall into the hands of identity thieves. The Commission also recommends that Congress set national safeguards and breach notification standards, because better-protected SSNs are less likely to fall into the hands of criminals. 
Finally, the Commission is committed to educating consumers on protecting their SSNs and businesses on reducing their use of SSNs, and recommends that the government and private sector entities explore information sharing and other cooperative efforts to achieve these goals. Together, these actions could substantially reduce the misuse of SSNs by identity thieves, while at the same time preserving the beneficial uses of SSNs in our economic system.
FTC Issues Report on Social Security Numbers and Identity Theft
Date CapturedThursday December 18, 2008 05:48 PM
The Federal Trade Commission issued a report today recommending five measures to help prevent Social Security numbers from being used for identity theft. Principal among the report’s recommendations is that Congress consider taking action to strengthen the procedures that private-sector organizations use to authenticate their customers’ identities. “Identity theft continues to be a major problem in this country, with victims numbering in the millions each year and out-of-pocket losses (primarily to businesses) in the billions of dollars,” the report states.
Federal Trade Commission Identity Theft Survey Report 2006
Date CapturedFriday June 27, 2008 07:43 PM
Executive Summary Identity theft (ID theft) is an issue that continues to plague consumers, businesses, and law enforcement. To provide greater insight into the prevalence and cost of ID theft, the Federal Trade Commission (FTC) has sponsored its second ID theft survey of US adults. The specific objectives of the survey were to: • Estimate the prevalence of ID theft victimization • Measure the impacts of ID theft on the victims • Identify actions taken by victims • Explore measures that may help victims of future cases of ID theft
Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown
Date CapturedThursday June 05, 2008 07:03 PM
GAO-07-737 -- There are two primary forms of identity theft. First, identity thieves can use financial account identifiers, such as credit card or bank account numbers, to take over an individual’s existing accounts to make unauthorized charges or withdraw money. Second, thieves can use identifying data, which can include such things as SSNs and driver’s license numbers, to open new financial accounts and incur charges and credit in an individual’s name, without that person’s knowledge. This second form of identity theft is potentially the most damaging because, among other things, it can take some time before a victim becomes aware of the problem, and it can cause substantial harm to the victim’s credit rating. While some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records.
Do Data Breach Disclosure Laws Reduce Identity Theft?
Date CapturedThursday June 05, 2008 06:07 PM
Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured. We use panel data from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.

Immigration

Enhanced Driver’s Licenses Coming Your Way…
Date CapturedSunday July 27, 2008 05:01 PM
Steven A. Culbreath, Esq. blogs, "DHS has worked to align REAL ID and EDL requirements. EDLs that are developed consistent with the requirements of REAL ID can be used for official purposes such as accessing a Federal facility, boarding Federally-regulated commercial aircraft, and entering nuclear power plants." And... "While the REAL ID requires proof of legal status in the U.S., the state issued EDL will require that the card holder be a U.S. citizen."

Information Policy

Center for Digital Democracy
Date CapturedFriday February 13, 2009 01:22 PM
Open for Questions at change.gov: What about privacy?
Date CapturedSunday December 14, 2008 09:30 PM
Medical Blogs May Threaten Patient Privacy
Date CapturedFriday August 08, 2008 04:57 PM
US News and World Report -- "In some cases, patients described in medical blogs may be able to identify themselves, the researchers said. For example, three of the blogs in the study had recognizable photos of patients, including one with an extensive description of the patient and links to photos. The researchers also found that some of the medical blogs allowed advertisements, and some promoted health-care products within the blog text. None of the bloggers who described products within the text adhered to medical ethics standards of providing information on conflicts of interest, or whether payment was received for promotion of the products. The study was published online in the Journal of General Internal Medicine." (Dr. Tara Lagu, Robert Wood Johnson Foundation Clinical Scholar, and colleagues at the University of Pennsylvania)
Wolf Reveals House Computers Compromised by Outside Source
Date CapturedTuesday June 17, 2008 01:21 PM
Offers Privileged Resolution on House Floor Calling for Greater Protection Of Congressional Computer and Information Systems.
Access Rights to Business Data on Personally-Owned Computers
Date CapturedThursday June 05, 2008 10:51 AM
A White Paper by John C. Montaña for The ARMA International Education Foundation. "The continuing and pervasive blurring of the boundaries between work and home environments is another reality for many workers. Increased responsibilities and workloads, demands for longer hours and many other factors combine to create a situation in which many workers are required to resort to extraordinary measures to meet the demands of work and profession. In many cases, these demands are met by working at home. Increasingly, this work is computer-based work, and includes e-mail, word processing documents, spreadsheet and other computer-generated data objects. In many cases, this work is done on a computer provided by the employer for the purposes of facilitating the employee’s at-home work. In many other cases, however, the work is performed on a computer owned by the employee themselves or someone else living in the employee’s residence."
The Internet in Transition: A Platform To Keep the Internet Open, Innovative and Free
Date CapturedThursday June 05, 2008 10:13 AM
CDT publication excerpt: "The Internet’s remarkable success is built on a policy framework based on the principles of openness, competition, innovation, non-discrimination, privacy, consumer choice and freedom of expression. Faced with legitimate concerns ranging from terrorism to the protection of children online, policymakers must find solutions that reinforce — rather than undermine — these core principles."
Electronic Privacy Information Center (EPIC)
Date CapturedSunday June 01, 2008 05:31 PM
EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.

Intellectual Property

Google's Big Fat Looming Antitrust Problem
Date CapturedFriday May 08, 2009 06:58 PM
E-Commerce Times -- By Erika Morphy -- [It is difficult to pinpoint exactly where the antitrust fault line is in this particular case, which revolves around a lawsuit the Association of American Publishers and the Authors Guild filed against Google some three years ago in an effort to shut down its book-scanning project. Critics of last month's settlement said the plaintiffs do not represent all of the authors of works that Google will eventually publish in its Book Search Project. The possibility that this deal could give Google a monopoly over electronically available copyrighted works appears to be the antitrust basis for the inquiry.]

International

Reconciling Personal Information in the United States and European Union
Date CapturedThursday June 27, 2013 04:16 PM
Paul M. Schwartz, University of California, Berkeley - School of Law; Daniel J. Solove, George Washington University Law School; May 3, 2013
A Call for Agility: The Next-Generation Privacy Professionals
Date CapturedThursday March 18, 2010 01:50 PM
International Association of Privacy Professionals (IAPP) “A Call for Agility: The Next-Generation Privacy Professional,” examines key developments in the privacy arena over the last 10 years. It offers a compelling perspective of what roles, issues and challenges will face us in the coming years.
Canadian airlines plead with government to solve U.S. security dilemma
Date CapturedThursday January 07, 2010 08:04 PM
C Jim Bronskill (CP) -- [OTTAWA — Canada's major airlines say they will be forced either to break privacy laws or to ignore new American air security rules unless the federal government comes up with a response to U.S. demands for passenger information.]

Internet

Happy Birthday, Internet
Date CapturedFriday October 30, 2009 08:22 PM
NPR interview -- authentication and privacy concerns mentioned. October 30, 2009 [On Oct. 29, 1969, around 10:30 P.M., a message from one computer was sent over a modified phone line to another computer hundreds of miles away. Some say the Internet was born that day. UCLA computer scientist Leonard Kleinrock, who was there, gives his account.] IMPORTANT EXCERPT: [Dr. KLEINROCK: Yes. In fact, in those early days, the culture of the Internet was one of trust, openness, shared ideas. You know, I knew everybody on the Internet in those days and I trusted them all. And everybody behaved well, so we had a very easy, open access. We did not introduce any limitations nor did we introduce what we should have, which was the ability to do strong user authentication and strong file authentication. So I know that if you are communicating with me, it's you, Ira Flatow, and not someone else. And if you send me a file, I receive the file you intended me to receive. We should've installed that in the architecture in the early days. And the first thing we should've done with it is turn it off, because we needed this open, trusted, available, shared environment, which was the culture, the ethics of the early Internet. And then when we approach the late 1980s and the early 1990s and spam, and viruses, and pornography and eventually the identity theft and the fraud, and the botnets and the denial of service we see today, as that began to emerge, we should then slowly have turned on that authentication process, which is part of what your other caller referred to is this IPV6 is an attempt to bring on and patch on some of this authentication capability. But it's very hard now that it's not built deep into the architecture of the Internet.]
The F.T.C. Talks Tough on Internet Privacy
Date CapturedThursday February 12, 2009 07:20 PM
NY Times - Saul Hansell -- [In another rather striking challenge to industry dogma, the commission rejected the idea that if an Internet site doesn’t collect a user’s name or other “personally identifiable information,” it isn’t a threat to the user’s privacy. Advertising companies have defended their systems by saying they only associate data with cookies, the random identifying numbers they place in the browsers of users, and with Internet Protocol addresses, the numbers used in routing information to specific computers. “This kind of information can be a key piece to identifying an individual,” Ms. Harrington said. Internet companies, she added, “should be really clear in telling the consumer what is being collected, treat that information with care and probably treat it as information that can be used to identify a user.” ]

Interoperability

Transforming Data to Information in Service of Learning
Date CapturedFriday May 24, 2013 08:58 AM
SETDA developed this new report, "Transforming Data to Information in Service of Learning," to raise awareness about the major K-12 data standards and interoperability initiatives underway to address this gap and to offer recommendations for how K-12 education can become more responsive to educators and better targeted toward individual student success. The report will help education leaders understand the context for these interoperability initiatives and their relationship to teaching and learning. The widespread implementation of new and emerging interoperability initiatives will be instrumental to realizing the full potential of technology in education.

IoT

The Internet of Things: Privacy and Security in a Connected World
Date CapturedTuesday January 27, 2015 09:14 AM
Federal Trade Commission Staff Report On the November 2013 Workshop

IRB

Letter to IRB
Date CapturedSunday December 07, 2014 08:53 AM
The Belmont Report
Date CapturedMonday November 24, 2014 10:57 AM
Belmont Report does not make specific recommendations for administrative action by the Secretary of Health, Education, and Welfare. Rather, the Commission recommended that the Belmont Report be adopted in its entirety, as a statement of the Department's policy.
World Privacy Forum comments Big Data Study
Date CapturedThursday November 20, 2014 01:52 PM
The World Privacy Forum’s recent public comments to the White House regarding Big Data focus on using a foundation of Fair Information Principles to address issues connected to bias, error, and privacy regarding big data as applied to vulnerable populations. The comments also discuss large medical research data sets, and stress the importance of applying the Common Rule in any human subjects research, in particular, identifiable data. The benefits of analysis using large data sets need to be maintained while resolving problems raised in analysis of vulnerable populations. Pam Dixon & Bob Gellman
Proposed Changes to Common Rule (2011)
Date CapturedSaturday November 15, 2014 07:44 AM
Proposed Changes to Common Rule: The 3 most important responses related to data privacy - The proposed ban on re-identification would drive re-identification methods further into hidden, commercial activities and deprive the public, the research community and policy makers of knowledge about re-identification risks and potential harms to the public. The de-identification provisions of the HIPAA Privacy Rule do not take advantage of advances in data privacy or the nuances it provides in terms of dealing with different kinds of data and finely matching sensitivity to risk. There needs to be a channel for NCHS, NIST or a professional data privacy body to operationalize research results so that real-world data sharing decisions rely on the latest guidelines and best practices.

Juvenile Justice

TEXAS SB 1106
Date CapturedSaturday August 13, 2011 03:54 PM
AN ACT relating to the exchange of confidential information concerning certain juveniles.

Legislation

California AB.143
Date CapturedSaturday September 03, 2011 02:40 PM
INTRODUCED BY Assembly Member Fuentes; This bill would redefine directory information to no longer include a pupil's place of birth and to also include a pupil's e-mail address.
OHIO 3319.321 Confidentiality
Date CapturedThursday March 10, 2011 02:40 PM
Ohio Revised Code » Title [33] XXXIII EDUCATION (A) No person shall release, or permit access to, the directory information concerning any students attending a public school to any person or group for use in a profit-making plan or activity. Notwithstanding division (B)(4) of section 149.43 of the Revised Code, a person may require disclosure of the requestor’s identity or the intended use of the directory information concerning any students attending a public school to ascertain whether the directory information is for use in a profit-making plan or activity.
Letter to: Chairman Boucher and Ranking Member Stearns
Date CapturedMonday June 07, 2010 06:26 PM
Mike Sachoff -- [In response to a discussion draft of a new privacy bill now under consideration by the House Subcommittee on Communications, Technology and the Internet, ten privacy and consumer groups today called for stronger measures to protect consumer privacy both online and off. The organizations including the Consumer Federation of America, Electronic Frontier Foundation, Consumer Watchdog, World Privacy Forum, Consumer Action, USPIRG, Privacy Rights Clearinghouse, Privacy Times, Privacy Lives, and the Center for Digital Democracy, raised their concerns in a letter to Subcommittee Chairman Rick Boucher and Ranking Member Cliff Stearns. The groups recommended the following: *The bill should incorporate the Fair Information Practice Principles that have long served as the bedrock of consumer privacy protection in the U.S., including the principle of not collecting more data than is necessary for the stated purposes, limits on how long data should be retained, and a right to access and correct one's data. *The bill's definitions of what constitutes "sensitive information" need to be expanded; for instance, to include health-related information beyond just "medical records." *The bill should require strict "opt-in" procedures for the collection and use of covered data and should prohibit the collection and use of any sensitive information except for the transactions for which consumers provided it.]
DRAFT - Boucher bill
Date CapturedThursday May 06, 2010 08:34 AM
A BILL: To require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.
Proposed Privacy Legislation Wins Few Fans
Date CapturedThursday May 06, 2010 08:24 AM
WSJ : [ The goal for the legislation is to set a standard for consumer privacy protections and also provide consumers with more transparency and control regarding the collection, use and sharing of their information, said Rep. Rick Boucher (D., Va.). Mr. Boucher released a draft of the bill for discussion on Tuesday along with Rep. Cliff Stearns (R., Fla.). The bill stipulates that as a general rule companies can collect information about consumers unless a person opts out of that data collection — a point of contention among privacy advocates. The regulation also specifies standards for the collection and use of personally identifiable information. Companies must disclose to consumers if they are collecting personally identifiable information and how they are using that data. Consumers must give a company permission to share that personally identifiable information with outside companies. ]
FERPA Legislative History
Date CapturedWednesday May 05, 2010 10:21 AM
The Family Educational Rights and Privacy Act of 1974 (“FERPA”), § 513 of P.L. 93-380 (The Education Amendments of 1974), was signed into law by President Ford on August 21, 1974, with an effective date of November 19, 1974, 90 days after enactment. FERPA was enacted as a new § 438 of the General Education Provisions Act (GEPA) called “Protection of the Rights and Privacy of Parents and Students,” and codified at 20 U.S.C. § 1232g. It was also commonly referred to as the “Buckley Amendment” after its principal sponsor, Senator James Buckley of New York. FERPA was offered as an amendment on the Senate floor and was not the subject of Committee consideration. Accordingly, traditional legislative history for FERPA as first enacted is unavailable.
Federal Register: July 6, 2000 (Volume 65, Number 130)
Date CapturedTuesday March 09, 2010 04:56 PM
DEPARTMENT OF EDUCATION - 34 CFR Part 99 - Family Educational Rights and Privacy- AGENCY: Department of Education. ACTION: Final regulations. SUMMARY: The Secretary amends the regulations implementing the Family Educational Rights and Privacy Act (FERPA). The amendments are needed to implement sections 951 and 952 of the Higher Education Amendments of 1998 (HEA). These amendments permit postsecondary institutions to disclose certain information to the public and to parents of students. DATES: These regulations are effective August 7, 2000.
H.R.6. Higher Education Amendments of 1998
Date CapturedMonday March 08, 2010 06:54 PM
An Act - To extend the authorization of programs under the Higher Education Act of 1965, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) SHORT TITLE.—This Act may be cited as the ‘‘Higher Education Amendments of 1998’’.
Summary of LD 1677 Bill Info LD 1677 (SP 649) "An Act To Protect Minors from Pharmaceutical Marketing Practices"
Date CapturedThursday January 07, 2010 06:04 PM
State of Maine Legislature - "An Act To Protect Minors from Pharmaceutical Marketing Practices" -- Sponsored by Senator Elizabeth Schneider. -- IAPP writes -- [The bill applies to online information only and is limited to pharmaceutical marketing. It gives the attorney general the power to adopt rules to determine its scope. Violation of the law would be considered an unfair trade practice.]
Net Privacy 2010: How Far Will the Needle Move?
Date CapturedSaturday January 02, 2010 01:33 PM
eSecurity Planet Kenneth Corbin writes [Some of the largest companies in the industry, including Google (NASDAQ: GOOG) and Microsoft (NASDAQ: MSFT), have expressed support for baseline privacy legislation, providing it doesn't get too specific in targeting specific technologies. In the early part of 2010, Rep. Rick Boucher, who chairs the House subcommittee on technology and the Internet, has said he plans to introduce a bill that would do just that. He has been working with Cliff Stearns, the ranking Republican on the subcommittee, as well as the leaders of the subcommittee on consumer protection, to draft the bill, and spent the better part of 2009 seeking input from a variety of stakeholders.]
Lawmakers probe deeper into privacy
Date CapturedSaturday November 21, 2009 01:16 PM
By Kim Hart - 11/19/09 04:00 PM ET - [Jennifer Barrett, an executive with Acxiom, a marketing company, said the firm could collect 1,500 possible data points about individual consumers, such as age, hobbies, address, occupation and recent purchases. Acxiom typically maintains 20-40 data points on the average person. Acxiom receives that information from public records, surveys consumers fill out voluntarily (such as warranty cards) and information from other companies. In response to questions from Rep. Mike Doyle (D-Penn.), Barrett said consumers can see what data has been stored about them and can change or delete information used for marketing purposes. But consumers cannot find out who else has bought their data from Acxiom.]
PUBLIC Law, Chapter 230 LD 1183, item 1, 124th Maine State Legislature
Date CapturedSunday November 08, 2009 10:35 PM
SP0431, LR 597, item 1, Signed on 2009-06-02 - First Regular Session - 124th Maine Legislature, page 1 - An Act To Prevent Predatory Marketing Practices against Minors - 2. Marketing purposes. "Marketing purposes," with respect to the use of health-related information or personal information, means the purposes of marketing or advertising products, goods or services to individuals. 3. Person. "Person" includes an individual, firm, partnership, corporation, association, syndicate, organization, society, business trust, attorney-in-fact and every natural or artificial legal entity. 4. Personal information. "Personal information" means individually identifiable information, including: A. An individual's first name, or first initial, and last name; B. A home or other physical address; C. A social security number; D. A driver's license number or state identification card number; and E. Information concerning a minor that is collected in combination with an identifier described in this subsection. 5. Verifiable parental consent. "Verifiable parental consent" means any reasonable effort, taking into consideration available technology, including a request for authorization for future collection, use and disclosure described in the notice, to ensure that a parent of a minor receives notice of the collection of personal information, use and disclosure practices and authorizes the collection, use and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that minor. § 9552. Unlawful collection and use of data from minors
201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH
Date CapturedSaturday November 07, 2009 04:49 PM
(1) Purpose This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
‘‘Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act’’ or the ‘‘BEST PRACTICES Act’’
Date CapturedThursday November 05, 2009 03:19 PM
H. R. 5777 -- To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes. [Requires information brokers to: (1) establish procedures to verify the accuracy of information that identifies individuals; (2) provide to individuals whose personal information it maintains a means to review it; (3) place notice on the Internet instructing individuals how to request access to such information; and (4) correct inaccurate information. Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information. Prohibits information brokers from obtaining or disclosing personal information by false pretenses (pretexting).]
‘‘Personal Data Privacy and Security Act of 2009’’ S. 1490
Date CapturedWednesday November 04, 2009 02:19 PM
111TH CONGRESS - 1ST SESSION -- S. 1490: To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.
Americans Don't Like Being Tracked on Web
Date CapturedMonday October 05, 2009 06:21 PM
[The Times notes that Representative Rick Boucher, Democrat from Virginia, is planning to introduce privacy legislation that will address on-line tracking, while David Vladeck, head of consumer protection for the Federal Trade Commission (FTC), is indicating that he is keeping a close watch on consumer privacy protection as well.]
Predatory Marketing Law Opposed By AOL, News Corp., Yahoo, Others
Date CapturedSunday August 30, 2009 08:59 PM
A new privacy law in Maine is facing a court challenge from media organizations as well as a coalition of online companies including AOL, News Corp. and Yahoo. [The new law, officially titled "An Act To Prevent Predatory Marketing Practices against Minors," prohibits companies from knowingly collecting personal information or health-related information from minors under 18 without their parents' consent. The measure also bans companies from selling or transferring health information about minors that identifies them, regardless of how the data was collected. ] [Privacy advocate Jeff Chester said the law's basic premise is valid, but that it "likely needs to be revised to accommodate concerns about its impact on educational and other non-profit uses." ]
Facebook to modify its privacy guidelines
Date CapturedSaturday August 22, 2009 06:55 PM
By Matt Hartley, Financial Post [Facebook Inc. says it's on the same page as Canada's top privacy watchdog and plans to tweak its privacy and security policies to bring the world's largest social network in line with Canadian privacy law.]
Bill would make prescription data private
Date CapturedTuesday January 27, 2009 10:25 AM
["The sharing of prescription information for marketing purposes without consent violates the spirit of privacy law, and destroys the confidentiality of the doctor-patient relationship," said Leigh Sims, a spokeswoman for the coalition behind the bill. HIPAA allows states to pass stronger privacy protections.] [To fight this, Rep. Jamie Pedersen (D-Seattle) and others have introduced House Bill 1493 to close the loophole. Advocates say the change would protect thousands of patients at no cost to taxpayers.]
Washington state bill would make prescription data private
Date CapturedTuesday January 27, 2009 10:25 AM
["The sharing of prescription information for marketing purposes without consent violates the spirit of privacy law, and destroys the confidentiality of the doctor-patient relationship," said Leigh Sims, a spokeswoman for the coalition behind the bill. HIPAA allows states to pass stronger privacy protections.] [To fight this, Rep. Jamie Pedersen (D-Seattle) and others have introduced House Bill 1493 to close the loophole. Advocates say the change would protect thousands of patients at no cost to taxpayers.]
Child Porn Laws Used Against Kids Who Photograph Themselves
Date CapturedThursday January 15, 2009 08:09 PM
Wired -- Kim Zetter -- [In the Pennsylvania case, a school official seized the phone of one of the boys after he was caught using it during school hours in violation of a school rule, according to local police Capt. George Seranko. The official found the picture on the phone, and after some interrogation, discovered that two other girls had also e-mailed photos of themselves in the nude to friends. That's when the school called police, who obtained search warrants to seize the phones and examine them. Police showed the images to the local district attorney, who recommended they bring charges.]
Genetic Privacy - Individual's Genetic Information - Personal Property Rights
Date CapturedMonday January 12, 2009 08:32 PM
HOUSE BILL 12 -- File Code: Criminal Law - Substantive Crimes Crossfiled with: SENATE BILL 54 - Prohibiting a person from knowingly collecting, analyzing, or retaining a DNA sample from an individual, performing a DNA analysis, or retaining or disclosing the results of a DNA analysis without written informed consent; exempting the collection and analysis of DNA samples for specified purposes from the prohibition; providing that the DNA sample and the results of the DNA analysis are the exclusive property of the individual from whom the sample is collected; etc.
HB 38 - Microchip Consent Act of 2009
Date CapturedMonday January 12, 2009 07:29 PM
To amend Chapter 1 of Title 51 of the Official Code of Georgia Annotated, relating to general provisions regarding torts, so as to prohibit requiring a person to be implanted with a microchip; to provide for a short title; to provide for definitions; to provide for penalties; to provide for regulation by the Composite State Board of Medical Examiners; to provide for related matters; to provide for an effective date; to repeal conflicting laws; and for other purposes. BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:
Ohio House Bill Number 648
Date CapturedThursday December 25, 2008 02:23 PM
(127th General Assembly) (Substitute House Bill Number 648) AN ACT -- To amend section 1347.99 and to enact sections 1347.15 and 5703.211 of the Revised Code to require state agencies to adopt rules governing access to the confidential personal information that they keep, to create a civil action for harm resulting from an intentional violation of these rules, to impose a criminal penalty for such an intentional violation, and to require the Department of Taxation to adopt rules to generally require the tracking of searches of any of the Department's databases.
Ohio moves to change privacy laws
Date CapturedThursday December 25, 2008 02:07 PM
Putnamsentinel.com sez [HB 648 would require state agencies to develop criteria for determining which employees may access or authorize access to confidential personal information and list valid reasons for accessing the data, based on the agencies' responsibilities. Also, agencies must define procedures for recording each specific case where an employee accesses somebody's personal information. Should an unclassified employee violate these rules by improperly accessing personal information, they would be fired and could be charged with a first degree misdemeanor.]
Facebook and the Social Dynamics of Privacy (DRAFT)
Date CapturedMonday December 08, 2008 06:08 PM
James Grimmelmann. 2008. "Facebook and the Social Dynamics of Privacy" The Selected Works of James Grimmelmann -- [This Article provides the first comprehensive analysis of the law and policy of privacy on social network sites, using Facebook as its principal example. It explains how Facebook users socialize on the site, why they misunderstand the risks involved, and how their privacy suffers as a result. Facebook offers a socially compelling platform that also facilitates peer-to-peer privacy violations: users harming each others’ privacy interests. These two facts are inextricably linked; people use Facebook with the goal of sharing some information about themselves. Policymakers cannot make Facebook completely safe, but they can help people use it safely. The Article makes this case by presenting a rich, factually grounded description of the social dynamics of privacy on Facebook. It then uses that description to evaluate a dozen possible policy interventions. Unhelpful interventions—such as mandatory data portability and bans on underage use—fail because they also fail to engage with key aspects of how and why people use social network sites. The potentially helpful interventions, on the other hand—such as a strengthened public-disclosure tort and a right to opt out completely—succeed because they do engage with these social dynamics.]
Electronic Frontier Foundation (EFF)
Date CapturedSunday June 29, 2008 02:40 PM
EFF fights for freedom primarily in the courts, bringing and defending lawsuits even when that means taking on the US government or large corporations. By mobilizing more than 50,000 concerned citizens through our Action Center, EFF beats back bad legislation. In addition to advising policymakers, EFF educates the press and public.
CDT Policy Post 14.10: Recommended Principles for Updating Privacy Laws
Date CapturedThursday June 26, 2008 07:24 PM
Recommended Principles for Updating Privacy Laws (1) Legislation Needed to Bring Privacy Laws Up to Date (2) Shortcomings of the Privacy Act of 1974 (3) Shortcomings of the Privacy Impact Assessment Process and Lack of OMB Guidance (4) Recommendations
Google Says it Would Support U.S. Privacy Law
Date CapturedWednesday June 11, 2008 03:51 PM
Reuters reports, "Marc Rotenberg, executive director of the Electronic Privacy Information Center, was skeptical of Google's endorsement of a federal privacy law. Rotenberg said that when companies push for a 'comprehensive' law, they often want something that would preempt more stringent state laws."
Housing Bill Creates National Fingerprint Registry
Date CapturedTuesday June 10, 2008 07:37 PM
Heritage Foundation -- Sens. Dianne Feinstein (D-Calif.) and Mel Martinez (R-Fla.) authored a bill (with 11 co-sponsors, including Sen. Barack Obama) that was incorporated into a housing bill passed by the Senate Banking Committee 19-2 before the Memorial Day recess — a bill that creates a national fingerprint registry. (some interesting blog comments)
IAPP Privacy Tracker
Date CapturedMonday June 09, 2008 04:24 PM
Notable bills to watch.
What If Samuel D. Warren Hadn’t Married A Senator’s Daughter?: Uncovering The Press Coverage That Led To The Right To Privacy
Date CapturedThursday June 05, 2008 06:42 PM
Modern tort protection for personal privacy is commonly traced back to Samuel Warren and Louis Brandeis’ 1890 law review article, The Right of Privacy, yet scholars have long been uncertain what prompted Warren and Brandeis’ impassioned attack on invasive press practices, unable to point to any news coverage of Warren that might convincingly explain his evident outrage at the press. This Article attempts to solve that mystery by examining approximately 60 newspaper stories from Boston, New York, and Washington, D.C., most never before analyzed, that report on the personal lives of Warren and his family. These stories—including some particularly intrusive coverage of Warren family tragedies—very plausibly explain what Warren had in mind when he wrote that ruthless gossip regarding private matters had become a social blight requiring legal remedy. This Article, part of a symposium dedicated to exploring how modern law might have developed differently without catalytic events, concludes that Warren and Brandeis’ landmark article would not have been written if Warren had not married into a political family in the public eye.
Privacy's Other Path: Recovering the Law of Confidentiality
Date CapturedMonday June 02, 2008 10:23 AM
NEIL M. RICHARDS & DANIEL J. SOLOVE - 96 Geo. L.J. 124 -- ... "The familiar legend of privacy law holds that Samuel Warren and Louis Brandeis "invented" the right to privacy in 1890, and that William Prosser aided its development by recognizing four privacy torts in 1960. ... Prosser did not include the breach of confidentiality tort in the "invasion of privacy" section of the Restatement, which consisted solely of the four Warren and Brandeis privacy torts. ... For almost a century, some English commentators had called for the establishment of a Warren-and-Brandeis-style privacy tort to supplement breach of confidence. ... Although the court noted that the breach of confidence analysis was affected by the passage of the HRA, it stated that there was still no free-standing privacy tort under English law. ... At the outset, he declared that such cases should appropriately be resolved through the existing doctrinal mechanism of breach of confidence, and that the creation of a new privacy tort would be unnecessary. ... The key conceptual difference between the breach of confidence tort and public disclosure of private facts tort is the nature of what is protected. ... Yet despite its significant power, as demonstrated by English law, the American breach of confidentiality tort often fails to make an appearance in privacy cases even when it seems to be highly applicable. ... More broadly, since American privacy law often remains focused around individualistic conceptions of privacy, it has not fully embraced protecting confidentiality in relationships. ... "
Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes
Date CapturedMonday June 02, 2008 10:15 AM
ORIN S. KERR -- George Washington University - Law School -- NYU Law Review, Vol. 78, No. 5, pp. 1596-1668, November 2003. This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting access and authorization. This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law's traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.

Location Based Services

Location-based service
Date CapturedThursday April 30, 2009 10:12 PM
Wiki - [A location-based service (LBS) is an information and entertainment service, accessible with mobile devices through the mobile network and utilizing the ability to make use of the geographical position of the mobile device]
Google Becomes Default Location Provider For Firefox
Date CapturedThursday April 30, 2009 06:47 PM
TechCrunch.com -- Jason Kincaid -- [Google says that the data isn't currently being used for advertising purposes (at least for now), and that this is really about getting location-based functionality deployed to the web. But even without the advertising dollars, there is one very major upside: Google is going to be able to perfect its location database, with millions of users tapping into it on a daily basis. And that database is going to be extremely valuable going forward. ]

Longitudinal Database

Updated Guidance on the Collection and Reporting of Teacher and Course Data in the Student Information Repository System (SIRS)
Date CapturedWednesday February 29, 2012 09:19 AM
This memorandum provides important updates on the implementation of federal and State requirements for reporting professional staff and course data for students. This guidance directly addresses three issues: (1) Federal and State requirements for charter and other public schools, school districts, and BOCES to report additional student data, including course enrollment and the teachers/principals responsible for a student’s instruction; (2) The timeline for reporting new data elements; and (3) Implementation strategies for collecting and reporting these data.
NEW YORK: RACE TO THE TOP ANNUAL PERFORMANCE REPORT
Date CapturedFriday January 20, 2012 02:57 PM
New York faces the ongoing challenge of communicating and collaborating with its various stakeholders. Similarly, the complexity of reviewing and approving Scopes of Work, budgets, expenditures, and evaluation plans for all of the State’s participating LEAs presented a formidable task that required a high level of strategic planning and logistical coordination by NYSED leadership. The State is working to overcome these challenges by investing in communication tools and leveraging other quality-control methods (such as a new online expenditure reporting tool) in order to increase its responsiveness and efficiency in the future.
S. 1464 - METRICS Act
Date CapturedSaturday August 13, 2011 03:10 PM
To enable States to implement integrated statewide education longitudinal data systems. This Act may be cited as the "Measuring and Evaluating Trends for Reliability, Integrity, and Continued Success (METRICS) Act of 2011" or the "METRICS Act".
Fordham CLIP Comments on FERPA NPRM May 23, 2011 Docket: ED-2011-OM-0002
Date CapturedWednesday June 22, 2011 10:24 PM
Fordham Professor of Law Joel Reidenberg: Proposed Amendments to the FERPA Regulations contradict Congressional Mandates; Impermissible expansion of “Authorized representative” proposed in §99.3; Problematic expansion of “directory information” proposed in §99.3; Impermissible expansion of the “audit and evaluation” provision proposed in §99.35(a)(2); Questionable Enforcement proposed in §99.35.
Education New York comments re Student Privacy submitted to FERPA NPRM - May 23, 2011
Date CapturedMonday May 23, 2011 09:22 PM
Document ID: ED-2011-OM-0002-0001: Family Educational Rights and Privacy. The proposed changes to FERPA do not adequately address the capacity of marketers and other commercial enterprises to capture, use, and re-sell student information. Even with privacy controls in place, it is also far too easy for individuals to get a hold of student information and use it for illegal purposes, including identity theft, child abduction in custody battles, and domestic violence. Few parents are aware, for example, that anyone can request -- and receive -- a student directory from a school. Data and information breaches occur every day in Pre-K-20 schools across the country, so that protecting student privacy has become a matter of plugging holes in a dyke rather than advancing a comprehensive policy that makes student privacy protection the priority.
Supporting Data Use While Protecting the Privacy, Security and Confidentiality of Student Information
Date CapturedMonday May 02, 2011 06:28 PM
Data Quality Campaign: [Meet the moral and legal responsibility to respect the privacy and the confidentiality of students’ personally identifiable information; Mitigate risks related to the intentional and unintentional misuse of data, which are amplified by the digital nature of today’s society in which more information — in education and every sector — is housed and shared in electronic and web-based forms; and ensure clarity around roles and responsibilities, including states’ authority to share data, in what form the data can be shared, at what level of detail, with whom and with what protections in place.]
DQC: The American Recovery and Reinvestment Act (ARRA) Support for State Longitudinal Data Systems (SLDS)
Date CapturedFriday April 22, 2011 05:06 PM
Data Quality Campaign - The American Recovery and Reinvestment Act provides federal support to states to further build and promote the use of statewide longitudinal data systems. This document includes: 1. ARRA Overview and Data Systems; a. American Recovery and Reinvestment Act; b. America COMPETES Act; 2. State Stabilization Funds and Assurances 3. Institute of Education Sciences State Longitudinal Data Systems Grants: a. American Recovery and Reinvestment Act – IES Funding; 4. U.S. Department of Education Guidance on Implementation of ARRA : a. Fact sheet: The American Recovery and Reinvestment Act of 2009: Saving and Creating Jobs and Reforming Education; b. Letter to Governors from Secretary of Education Arne Duncan c. Implementing the American Recovery Act – Letter from Secretary of Education Arne Duncan
U.S. Department of Education (USED) Safeguarding Student Privacy
Date CapturedFriday April 08, 2011 06:38 PM
The use of data is vital to ensuring the best education for our children. However, the benefits of using student data must always be balanced with the need to protect students’ privacy rights. Students and their parents should expect that their personal information is safe, properly collected and maintained and that it is used only for appropriate purposes and not improperly redisclosed. It is imperative to protect students’ privacy to avoid discrimination, identity theft or other malicious and damaging criminal acts. All education data holders must act responsibly and be held accountable for safeguarding students’ personally identifiable information – from practitioners of early learning to those developing systems across the education continuum (P-20) and from schools to their contractors. The need for articulated privacy protections and data security continues to grow as Statewide Longitudinal Data Systems (SLDS) are built and more education records are digitized and shared electronically. As States develop and refine their information management systems, it is critical that they ensure that student information continues to be protected and that students’ personally identifiable information is disclosed only for authorized purposes and under the circumstances permitted by law. All P-20 stakeholders should be involved in the development of these statewide systems and protection policies.
United States House of Representatives Committee on Education and Labor Hearing on “How Data Can be Used to Inform Educational Outcomes” April 14, 2010
Date CapturedMonday March 14, 2011 07:36 PM
1. States are warehousing sensitive information about identifiable children. 2. The Fordham CLIP study documents that privacy protections are lacking and rules need to be developed and implemented to assure that children’s educational records are adequately protected. 3. As part of basic privacy standards, strong data security is necessary to minimize the risks of data invasions, scandals and melt-downs from centralized databases of children’s personal information. Statement of Joel R. Reidenberg, Professor of Law and Founding Academic Director Center on Law and Information Policy, Fordham University School of Law New York, NY
GAMMILL v USED - USA Merit System Board documents
Date CapturedMonday March 14, 2011 01:14 PM
Proposed regulatory (not statutory) change vastly expands the term "authorized representative" well beyond these four entities: Comptroller General of US, Secretary, Attorney General, and state or local education authorities. (See pages 10 and 11)
PAUL GAMMILL v U.S. DEPARTMENT OF EDUCATION
Date CapturedMonday March 14, 2011 12:44 PM
Whistleblower retaliation lawsuit filed by Gammill against USED over retaliation for sharing an illegal attempt to circumvent FERPA. Case Number: 1:2011cv00409; Filed: February 18, 2011; Court: District Of Columbia District Court; Office: Washington, DC Office; County: 88888; Presiding Judge: John D. Bates
P-20 Data System with Instructional Reporting
Date CapturedThursday March 10, 2011 09:18 PM
2010 SLDS P-20 Best Practice Conference - Summary: The Statewide Longitudinal Data Systems Grant Program (SLDS) hosted the 2010 SLDS P-20 Best Practice Conference on November 16–17, 2010, in Washington, DC. The meeting served as a forum for dialogue, collaboration, and the sharing of best practices, providing the opportunity for more than 150 representatives from forty-nine states and the District of Columbia. FY 2006, FY 2007, FY 2009, and FY 2009 ARRA grantee states shared solutions and ideas with one another and took home information on topics identified as critical to their projects in the upcoming year.
Data Quality Campaign (DQC) archived webcasts/events
Date CapturedMonday March 07, 2011 06:20 PM
Amazing SLDS/longitudinal database resource.
Data Quality Campaign Release of Data for Action 2010: DQC's State Analysis
Date CapturedMonday March 07, 2011 06:15 PM
On February 16, 2011 DQC discussed the results of its sixth annual state analysis Data for Action 2010, a powerful policymaking tool to drive education leaders to use data in decision making. Data for Action is a series of analyses on states’ ability to collect and use data to improve student success. It provides transparency about state progress and priority actions they need to take to collect and use longitudinal data to improve student success.
Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records
Date CapturedThursday March 03, 2011 01:21 PM
NCES 2011-601 This first brief discusses basic concepts and definitions that establish a common set of terms related to the protection of personally identifiable information, especially in education records.
Recommendations on Data Security and Privacy Protections
Date CapturedSaturday February 19, 2011 11:00 PM
Excerpted from the Data Protections Report submitted to the U.S. Department of Education’s Performance Information Management Service by Highlight Technologies on June 16, 2010. (Where is original report and comments?)
NCES 2011-602 Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records
Date CapturedTuesday January 04, 2011 09:55 PM
SLDS Technical Brief - Guidance for Statewide Longitudinal Data Systems (SLDS) [A privacy and data protection program for student education records must include an array of rules and procedures for protecting PII held in the record system. It also must include a full set of public disclosures of the existence and uses of the information included in the data system, a description of all parents’ or eligible students’ rights to review and appeal the contents of an individual education record and of their rights and the procedures to appeal a violation.] ***** [A school directory may include PII such as a student’s name, grade level, and contact information. Taken by itself, the release of this information is not harmful to a student. However, when combined with the student’s Social Security Number or another identifier and the student’s education record, this information has the potential for violating a student’s right to privacy. The release of this combined record could lead to harm or embarrassment. Thus, the privacy and data protection program should focus on PII that will be maintained in the electronic student record system with its likely wealth of student data.]
Directory Information Part 1 (WAV file, no text -- it's audio)
Date CapturedSunday December 26, 2010 05:36 PM
EDNY comments on Data Quality Campaign webcast with US ED response. See Part 2 for continuation of conversation.
New York State Student Information Repository System (SIRS) Manual
Date CapturedWednesday December 22, 2010 08:44 PM
New York State Student Information Repository System (SIRS) Manual; Reporting Data for the 2010–11 School Year (SEE APPENDIX 19)
Many States Collect Graduates’ Employment Information, but Clearer Guidance on Student Privacy Requirements Is Needed
Date CapturedMonday December 13, 2010 09:17 AM
GAO-10-927 - GAO recommends that Education clarify means by which states can collect and share graduates’ employment information under the Family Educational Rights and Privacy Act (FERPA) and establish a time frame for doing so. Education agreed with the recommendation.
NSF Funds Research to Enable Distributed, Fair, and Privacy-Preserving Collaboration
Date CapturedSaturday September 25, 2010 04:14 PM
Stevens Institute of Technology: [Hoboken, NJ, September 25, 2010 --(PR.com)-- Dr. Susanne Wetzel, Associate Professor of Computer Science, has recently been awarded a $457K research grant from the National Science Foundation (NSF) to investigate privacy and security in the context of enabling collaboration.]
Education and Workforce Data Connections: A Primer on States’ Status
Date CapturedWednesday April 14, 2010 06:16 PM
Data Quality Campaign - [States are currently working to connect education and workforce data, however, states are far from reaching the goal of having data systems that can link across the P-20/Workforce spectrum. To connect these education and workforce databases, states should engage a broad range of stakeholders to: 1. Prioritize, through broad-based stakeholder input, the critical policy questions to drive the development and use of longitudinal data systems. 2. Ensure data systems are interoperable within and across agencies and states by adopting or developing common data standards, definitions and language. 3. Protect personally identifiable information through governance policies and practices that promote the security of the information while allowing appropriate data access and sharing.]
Clash Over Student Privacy
Date CapturedTuesday March 09, 2010 05:05 PM
This document should not be shared due to copyright. Inside Higher Ed - [WASHINGTON -- The U.S. Education Department has fired the top federal official charged with protecting student privacy, in what the dismissed official says was a conflict with the agency's political leaders over their zeal to encourage the collection of data about students' academic performance. Paul Gammill says he was physically escorted out of the department's offices on a Friday morning last month after he refused to resign as director of the agency's Family Policy Compliance Office. Administration officials said that "[p]rivacy laws require us to keep certain employment matters confidential, so we cannot comment on Mr. Gammill." But Gammill, not so encumbered, maintains that he was dismissed because, on several occasions, he argued in internal meetings and documents that the department's approach to prodding states to expand their longitudinal student data systems violated the Family Educational Rights and Privacy Act, which protects the privacy of students' educational records.]
Putting Private Info on Government Database
Date CapturedTuesday March 09, 2010 04:34 PM
Phyllis Schlafly writes - [The Fordham report made numerous recommendations to beef up student privacy, such as collecting only information relevant to articulated purposes, purging unjustified data, enacting time limits for data retention and hiring a chief privacy officer for each state. There is no indication that these suggestions will be implemented. The Obama Department of Education officials believe that collecting personally identifiable data is "at the heart of improving schools and school districts." One of the four reform mandates of the Race to the Top competition is to establish pre-kindergarten to college-and-career data systems that "track progress and foster continuous improvement."]
Data Quality Campaign Quarterly Issue Meeting: Linking Data Across Agencies: States That Are Making It Work
Date CapturedMonday November 09, 2009 07:27 PM
The Data Quality Campaign (DQC) will host Linking Data Across Agencies: States That Are Making It Work on Thursday, November 12, 2009 from 2:30 to 4:30 P.M. (ET) in Washington, DC at the Hall of the States, 444 North Capitol Street, Room 233-235. This meeting will highlight leading states that are successfully linking data across systems and agencies to answer critical policy questions aimed at improving student achievement. A corresponding issue brief co-authored by the DQC and the Forum for Youth Investment will be released at the meeting that captures the current status of states’ ability to link data across agencies and provide several state case studies that capture promising strategies to sharing individual-level data across systems and agencies to improve student achievement. Registration to attend in person is required by Tuesday November 10, 2009 and strongly encouraged if participating in the interactive webcast. Seating is limited, so please sign up early! A video of this session and corresponding issue brief will be available at the campaign’s Web site after November 16, 2009.
CHILDREN’S EDUCATIONAL RECORDS AND PRIVACY -- A STUDY OF ELEMENTARY AND SECONDARY SCHOOL STATE REPORTING SYSTEMS -- October 28, 2009
Date CapturedFriday October 30, 2009 09:44 AM
[The Study reports on the results of a survey of all fifty states and finds that state educational databases across the country ignore key privacy protections for the nation's K-12 children. The Study finds that large amounts of personally identifiable data and sensitive personal information about children are stored by the state departments of education in electronic warehouses or for the states by third party vendors. These data warehouses typically lack adequate privacy protections, such as clear access and use restrictions and data retention policies, are often not compliant with the Family Educational Rights and Privacy Act, and leave K-12 children unprotected from data misuse, improper data release, and data breaches. The Study provides recommendations for best practices and legislative reform to address these privacy problems.] Joel R. Reidenberg, Professor of Law and Founding Academic Director of CLIP; Jamela Debelak, Esq., Executive Director of CLIP

Media

The State of the News Media 2010
Date CapturedThursday March 18, 2010 01:24 PM
The State of the News Media 2010 is the seventh edition of our annual report on the health and status of American journalism.

Migrant Education

K-12 Education: Many Challenges Arise in Educating Students Who Change Schools Frequently
Date CapturedMonday December 20, 2010 09:20 PM
GAO-11-40 November 18, 2010 - The recent economic downturn, with foreclosures and homelessness, may be increasing student mobility.

MOOC

What Campus Leaders Need to Know About MOOCs
Date CapturedFriday February 01, 2013 10:42 PM
An EDUCAUSE Executive Briefing on MASSIVE OPEN ONLINE COURSES (MOOCs)

National Security

Review: Federal program used to hide flights from public
Date CapturedTuesday April 13, 2010 08:22 PM
USA Today -- By Michael Grabell and Sebastian Jones, ProPublica - [Use of the airspace is considered public information because taxpayers fund air-traffic controllers, radars and runways. "It belongs to all of us," said Chuck Collins, who has studied private jet travel at the Institute for Policy Studies, a progressive think tank. "It's not a private preserve." NBAA spokesman Dan Hubbard said privacy is important to business fliers because competitors can learn of potential deals by tracking planes, and that could affect stock prices. "There are certain circumstances where there is a security concern," he said. In 2000, Congress required websites to stop posting flights of certain planes at the FAA's request. The FAA later agreed to let the aviation group be the clearinghouse. FAA spokeswoman Laura Brown said the agency lacks resources to evaluate whether requests to keep flights secret are justified, so the agency lets the NBAA decide each month the flights kept from public view.]
Security and Privacy? Forget About It
Date CapturedMonday March 08, 2010 08:41 PM
By Richard Adhikari - TechNewsWorld - [As the Obama administration grapples with the thorny issue of beefing up the United States' cybersecurity infrastructure, and as security experts warn of impending cyberwarfare, a debate is raging over how much surveillance is enough. One of the biggest problems about implementing cybersecurity is that it involves a measure of surveillance, and the line between surveillance and snooping is razor thin. Thin enough, in fact, that Einstein 3, the latest iteration of the Federal government's intrusion detection program, has aroused privacy concerns because it can examine the content of email. That, some privacy advocates believe, makes it almost equivalent to warrantless wiretapping. The security community is divided over the issue.] [Using NSA technology almost certainly will lead to an invasion of privacy, the EFF's Rotenberg fears. "The folks over at NSA are not just interested in looking for malware, they're very interested in content," he said. "This is the problem with Einstein 2 and Einstein 3." On the other hand, turning over the responsibility for deep packet inspection to private companies could have its own pitfalls. "Deep packet inspection opens the doors to commercialization," Rotenberg warned. "The companies can say, 'We have to do this because of our security mandate and oh, by the way, there's a marketing opportunity here.'"]
Canadian airlines plead with government to solve U.S. security dilemma
Date CapturedThursday January 07, 2010 08:04 PM
Jim Bronskill (CP) -- [OTTAWA — Canada's major airlines say they will be forced either to break privacy laws or to ignore new American air security rules unless the federal government comes up with a response to U.S. demands for passenger information.]
Testimony of Secretary Janet Napolitano before the House Committee on Homeland Security on DHS, The Path Forward
Date CapturedWednesday February 25, 2009 03:13 PM
Release Date: February 25, 2009 - The Committee’s platform items: [Improving the governance, functionality, and accountability of the Department of Homeland Security; enhancing security for all modes of transportation; strengthening our Nation: response, resilience, and recovery; shielding the Nation’s critical infrastructure from attacks; securing the homeland and preserving privacy, civil rights, and civil liberties; connecting the dots: intelligence, information sharing, and interoperability; implementing common-sense border and port security; and inspiring minds and developing technology – the future of homeland security. ]
E P I C - A l e r t -- Volume 15.25 -- December 23, 2008
Date CapturedTuesday December 23, 2008 06:41 PM
Published by the Electronic Privacy Information Center (EPIC) - Washington, D.C. Table of Contents - [1] Privacy Coalition Members Write to President-elect Obama [2] India Hosts Third Internet Governance Forum [3] Government Issues Final Rules in Education Records Privacy [4] Privacy, Security and Openness at the Internet Governance Forum [5] DHS Releases Fusion Center Privacy Impact Assessment [6] News in Brief
Securing Cyberspace for the 44th Presidency
Date CapturedMonday December 08, 2008 07:24 PM
The report of the CSIS Commission on Cybersecurity for the 44th Presidency -- Cochairs: Representative James R. Langevin, Representative Michael T. McCaul, Scott Charney, Lt. General Harry Raduege, USAF (Ret). Project Director: James A. Lewis, Center for Strategic and International Studies, Washington, DC. December - 2008.
Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment
Date CapturedWednesday December 03, 2008 04:02 PM
National Academies Press - [All U.S. agencies with counterterrorism programs that collect or "mine" personal data -- such as phone records or Web sites visited -- should be required to evaluate the programs' effectiveness, lawfulness, and impacts on privacy. A framework is offered that agencies can use to evaluate such information-based programs, both classified and unclassified. The book urges Congress to re-examine existing privacy law to assess how privacy can be protected in current and future programs and recommends that any individuals harmed by violations of privacy be given a meaningful form of redress.]
CYBER ANALYSIS AND WARNING - DHS Faces Challenges in Establishing a Comprehensive National Capability
Date CapturedTuesday September 23, 2008 10:15 AM
GAO 08-588, Recommendations for Executive Action: We recommend that the Secretary of Homeland Security take four actions to fully establish a national cyber analysis and warning capability. Specifically, the Secretary should address deficiencies in each of the attributes identified for • monitoring, including establish a comprehensive baseline understanding of the nation’s critical information infrastructure and engage appropriate nonfederal stakeholders to support a national-level cyber monitoring capability; • analysis, including expanding its capabilities to investigate incidents; • warning, including ensuring consistent notifications that are targeted, actionable, and timely; and • response, including ensuring that US-CERT provides assistance in the mitigation of and recovery from simultaneous severe incidents, including incidents of national significance. We also recommend that the Secretary address the challenges that impede DHS from fully implementing the key attributes, including the following 6 items: • engaging appropriate stakeholders in federal and nonfederal entities to determine ways to develop closer working and more trusted relationships; • expeditiously hiring sufficiently trained cyber analysts and developing strategies for hiring and retaining highly qualified cyber analysts; • identifying and acquiring technological tools to strengthen cyber analytical capabilities and handling the steadily increasing workload; • developing predictive analysis capabilities by defining terminology, methodologies, and indicators, and engaging appropriate stakeholders in other federal and nonfederal entities; • filling key management positions and developing strategies for hiring and retaining those officials; and • ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities, including the Office of Cybersecurity and Communications and the National Cybersecurity Center.
“Cybersecurity Recommendations for the Next Administration”
Date CapturedTuesday September 23, 2008 10:05 AM
Hearing on “Cybersecurity Recommendations for the Next Administration”
"REAL ID Implementation Review: Few Benefits, Staggering Costs"
Date CapturedTuesday June 03, 2008 02:35 PM
EPIC: The final rule includes few protections for individual privacy and security in its massive national identification database. It harms national security by creating yet another “trusted” credential for criminals to exploit. The Department of Homeland Security has faced so many obstacles with the REAL ID system that the agency now plans an implementation deadline of 2017 – nine years later than the 2008 statutory deadline. It is an unfunded mandate that would cost billions, with the burden ultimately being placed on the individual taxpayer. Technical experts familiar with the challenges of privacy protection and identification presented the Department of Homeland Security with a variety of recommendations that would have minimized the risks of the REAL ID system. The DHS made some modifications, but left the essential system in place. As REAL ID currently stands, the costs are many and the benefits are few. Public opposition to implementation is understandable.
TESTIMONY OF DANIEL J. SOLOVE -- “RFID TAGS AND INFORMATION PRIVACY”
Date CapturedMonday June 02, 2008 10:34 AM
"The problems, then, don’t end with the collection of data from RFID tags or the implantation of RFID tags. Merely getting people’s consent at these stages is not sufficient enough protection. The problem is what happens to all that data that is stored. We need better downstream protections of the data from RFID tags. We need a way to ensure that the tags can be permanently deactivated. We need a way to ensure that the tags are not read by unauthorized persons. And we need a way to ensure that when people agree to use an RFID tag, that the tags or the information are not later used for different purposes without that person’s consent. The technology of RFID is not malignant or benign in and of itself. It all depends upon how we regulate it. Right now, our law protecting personal information needs to advance much further in order for RFID to be of net benefit to our society."

NCLB

Education New York comments re Student Privacy submitted to FERPA NPRM - May 23, 2011
Date CapturedMonday May 23, 2011 09:22 PM
Document ID: ED-2011-OM-0002-0001: Family Educational Rights and Privacy. The proposed changes to FERPA do not adequately address the capacity of marketers and other commercial enterprises to capture, use, and re-sell student information. Even with privacy controls in place, it is also far too easy for individuals to get a hold of student information and use it for illegal purposes, including identity theft, child abduction in custody battles, and domestic violence. Few parents are aware, for example, that anyone can request -- and receive -- a student directory from a school. Data and information breaches occur every day in Pre-K-20 schools across the country, so that protecting student privacy has become a matter of plugging holes in a dyke rather than advancing a comprehensive policy that makes student privacy protection the priority.
New York State Student Information Repository System (SIRS) Manual
Date CapturedWednesday December 22, 2010 08:44 PM
New York State Student Information Repository System (SIRS) Manual; Reporting Data for the 2010–11 School Year (SEE APPENDIX 19)
Education and Workforce Data Connections: A Primer on States’ Status
Date CapturedWednesday April 14, 2010 06:16 PM
Data Quality Campaign - [States are currently working to connect education and workforce data, however, states are far from reaching the goal of having data systems that can link across the P-20/Workforce spectrum. To connect these education and workforce databases, states should engage a broad range of stakeholders to: 1. Prioritize, through broad-based stakeholder input, the critical policy questions to drive the development and use of longitudinal data systems. 2. Ensure data systems are interoperable within and across agencies and states by adopting or developing common data standards, definitions and language. 3. Protect personally identifiable information through governance policies and practices that promote the security of the information while allowing appropriate data access and sharing.]

Net Neutrality

2009 Media & Tech Priorities -- A Public Interest Agenda
Date CapturedMonday December 22, 2008 03:48 PM
Free Press Action Fund -- [Obama’s FCC should act quickly to adopt rules preserving Net Neutrality that mirror the legislative effort. These rules should pertain to all wired and wireless networks and should enshrine the FCC’s established four openness principles alongside a necessary fifth principle that prohibits discrimination and pay-for-priority tolls. The FCC should establish an expedited complaint process for violations of the rules and stiff penalties for violators. Finally, the FCC should move to require extensive disclosure of Internet providers’ network management techniques as well as specific information about the quality of the Internet service being purchased by consumers.]
Google Wants Its Own Fast Track on the Web
Date CapturedMonday December 15, 2008 09:27 AM
Wall Street Journal VISHESH KUMAR and CHRISTOPHER RHOADS write [For computer users, it could mean that Web sites by companies not able to strike fast-lane deals will respond more slowly than those by companies able to pay. In the worst-case scenario, the Internet could become a medium where large companies, such as Comcast Corp. in cable television, would control both distribution and content -- and much of what users can access, according to neutrality advocates. The developments could test Mr. Obama's professed commitment to network neutrality. "The Internet is perhaps the most open network in history, and we have to keep it that way," he told Google employees a year ago at the company's Mountain View, Calif., campus. "I will take a back seat to no one in my commitment to network neutrality." But Lawrence Lessig, an Internet law professor at Stanford University and an influential proponent of network neutrality, recently shifted gears by saying at a conference that content providers should be able to pay for faster service. Mr. Lessig, who has known President-elect Barack Obama since their days teaching law at the University of Chicago, has been mentioned as a candidate to head the Federal Communications Commission, which regulates the telecommunications industry.]

News

E P I C A l e r t -- Volume 15.15 -- July 25, 2008
Date CapturedFriday July 25, 2008 10:12 AM
Table of Contents -- [1] Court Rules that Data Breach Violates Fundamental Human Rights [2] Federal Court Strikes Down Internet Censorship Law, Again [3] Google Complies with California Privacy Policy Law After 30 Days [4] First European Privacy Seal Awarded to Search Engine Ixquick [5] DNS Security Standard Implemented into .org Domain [6] News in Brief
E P I C A l e r t - Volume 15.13 -- June 27, 2008
Date CapturedFriday June 27, 2008 08:27 PM
Table of Contents -- [1] OECD and Korea Host Ministerial Conference on Future of the Internet [2] Civil Society Seoul Declaration Sets Out Broad Policy Framework [3] FCC: Do-Not-Call List is Permanent [4] Supreme Court Rejects Limits on Freedom of Information Requests [5] Under Pressure, Charter Cable Drops Internet Snooping Plan [6] News in Brief [7] EPIC Bookstore: NAACP v. Alabama, Privacy and Data Protection
PogoWasRight.org
Date CapturedSaturday June 07, 2008 03:52 PM
Privacy news, data breaches, and privacy-related events and resources from around the world.
Study secretly tracks cellphone users
Date CapturedThursday June 05, 2008 03:01 PM
AP reports, "Researchers secretly tracked the locations of 100,000 people outside the United States through their cellphone use and concluded that most people rarely stray more than a few miles from home. The first-of-its-kind study by Northeastern University raises privacy and ethical questions for its monitoring methods, which would be illegal in the United States."
RFID Journal
Date CapturedTuesday June 03, 2008 08:07 PM
News and white papers on RFIDs
N.Y. opts for hybrid driver’s licenses
Date CapturedTuesday June 03, 2008 02:03 PM
Washington Technology reports, "Some of the enhanced licenses have been controversial because of privacy concerns. Washington, which was the first state to begin producing the new licenses, includes a radio frequency identification microchip on the licenses. The RFID chips, which can be read wirelessly from 20 feet to 30 feet away, have been criticized for their potential to be scanned without authorization, risking identity theft and loss of privacy. It is not clear whether New York’s licenses will include the RFID chip. Information was not immediately available from a spokesman for the state Department of Motor Vehicles."
Electronic Privacy Information Center (EPIC)
Date CapturedSunday June 01, 2008 05:31 PM
EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
E P I C A l e r t -- Volume 15.11 -- May 30, 2008
Date CapturedSunday June 01, 2008 05:16 PM
Published by the Electronic Privacy Information Center (EPIC) - Washington, D.C. Table of Contents -- [1] Congressman Barton Urges Scrutiny of Google's Privacy Practices [2] Computers, Freedom & Privacy Conference Explores Technology Policy [3] Telecom Immunity 'Compromise' Under Consideration in Congress [4] Senate Investigates Role of US Firms in China [5] Congressmembers Call on Charter Cable to Halt Net Snooping Plan [6] News in Brief [7] EPIC Bookstore: Privacy Journal Survey of State and Federal Laws [8] Upcoming Conferences and Events

Obama

The Obama Administration’s Silence on Privacy
Date CapturedWednesday June 03, 2009 07:03 PM
By Saul Hansell [Peter Swire, an Ohio State law professor who served on the Obama transition team, offered one reason it might be difficult for the administration to find its voice on privacy. There is a split, he told the conference, between the typical view of privacy among technology experts and the emerging view of people brought up in the social networking, Web 2.0 world. “The Web 2.0 movement is opposed to the privacy movement,” he said. Traditionally, privacy advocates have pushed for a policy of “data minimization,” he argued. The less information kept about people, this theory goes, the less there is for government or corporations to use to hurt individuals. The new ideology revolves around what Mr. Swire called “data empowerment.” People assemble and control information about themselves through online social networking and other sites. And access to data can create political and social movements, just as volunteers met each other and organized during the Obama presidential campaign.]
White House Responds to Privacy Complaints?
Date CapturedTuesday March 03, 2009 03:29 PM
EFF -- Hugh D'Andrade [YouTube cookies are not the only third-party web tracking technology in use on government websites, as we pointed out in our letter. There is still the issue of "invisible pixel" style webbug/tracker on every page on the site, hosted by WebTrends.com, which raises equally important concerns. Also, if the government continues to use edge-caching technology such as that provided by Akamai, Inc. or Amazon S3, the government should require those providers to destroy any IP address or other information that they obtain about visitors to the websites as part of providing the service as soon as reasonably possible.]

OMB

M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
Date CapturedTuesday March 15, 2011 10:00 PM
A. Definitions; Information in identifiable form - is information in an IT system or online collection: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Information in identifiable form is defined in section 208(d) of the Act as "any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means." Information "permitting the physical or online contacting of a specific individual" (see section 208(b)(1)(A)(ii)(II)) is the same as "information in identifiable form."
Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee -- August 2010
Date CapturedThursday September 16, 2010 09:02 PM
Abstract: Good privacy practices are a key component of agency governance and accountability. One of the Federal government's key business imperatives today is to maintain the privacy of personally identifiable information (PII) we collect and hold. The Office of Management and Budget (OMB) Memorandum 07-16 defines PII as "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc." The purpose of this paper, and of privacy interests in general, is not to discourage agencies from using cloud computing; indeed a thoughtfully considered cloud computing solution can enhance privacy and security. Instead, the purpose is to ensure that Federal agencies recognize and consider the privacy rights of individuals, and that agencies identify and address the potential risks when using cloud computing.

Open Government

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES SUBJECT: Transparency and Open Government
Date CapturedMonday June 28, 2010 08:44 PM
[My Administration is committed to creating an unprecedented level of openness in Government. We will work together to ensure the public trust and establish a system of transparency, public participation, and collaboration. Openness will strengthen our democracy and promote efficiency and effectiveness in Government.] from Barack Obama

Opt out: What you need to know

It's 3PM: Who's Watching Your Children?
Date CapturedWednesday December 12, 2012 05:48 PM
Parents concerned about their children's privacy should be aware of how easily personally identifiable information can be bought and sold by marketers as well as by identity thieves. FERPA was enacted in 1974 to protect the privacy of education records and directory information -- including name, address, phone number, date of birth, and e-mail address, among other personally identifiable information. Parents should be aware that under FERPA, directory information can be disclosed without parental consent. If you do not opt out of directory information, personal and identifiable information about your children may be public.
Welcome to The Opt Out of Standardized Tests Site!
Date CapturedSaturday August 04, 2012 07:05 PM
This site was created to collect and share information on state by state rules and experiences related to opting out of standardized tests. This is an open community for any parent, student, or educator interested in finding or sharing opt out information, irrespective of personal decisions regarding political party, religion, or choice of public or non public education.
Parent Right to Opt Out Lawsuit Emerges
Date CapturedSaturday August 04, 2012 07:01 PM
ACLU is interested in supporting any parents whose children received a penalty/threats for opting out of testing. If you want to participate in the complaint please share the following: your story; permission to join in on the ACLU complaint; your return address; a signature on a hard copy.

Opt-Out

Opt-Out 2014: Protect Children video
Date CapturedTuesday August 12, 2014 06:39 PM
OPT-OUT PROTECT KIDS
Date CapturedSunday December 30, 2012 03:21 PM
Parent Right to Opt Out Lawsuit Emerges
Date CapturedSaturday August 04, 2012 07:01 PM
ACLU is interested in supporting any parents whose children received a penalty/threats for opting out of testing. If you want to participate in the complaint please share the following: your story; permission to join in on the ACLU complaint; your return address; a signature on a hard copy.
New York State Sample Parental Notice Language for 2011-2012 School Year
Date CapturedTuesday January 24, 2012 01:44 PM
If you do not wish to have your child’s weight status group information included as part of the Health Department’s survey this year, please print and sign your name below and return this form:
Example of customized opt-out form
Date CapturedSunday September 04, 2011 07:45 PM
COLLEGE OF CHARLESTON FERPA DIRECTORY INFORMATION OPT-OUT FORM - note parents or college students have choices as to which information they want to share.
FTC CONSUMER ALERT: Student Surveys: Ask Yourself Some Questions
Date CapturedFriday September 02, 2011 06:35 PM
[The Protection of Pupil Rights Amendment (PPRA) is a federal law that affords certain rights to parents of minor students with regard to surveys that ask questions of a personal nature, as well as to surveys designed to collect personal information from students for marketing purposes. Briefly, with regard to marketing surveys, PPRA generally requires schools to develop policies, notify parents about these surveys and permit them to opt their children out of participation in those surveys. Surveys that are exclusively used for certain educational purposes are excepted from these requirements.] [FTC recommends that you check to see if the survey form includes a privacy statement. If there is no privacy statement, you may want to think twice about distributing the survey. In any case, it is wise to know: • who is collecting the information; • how the information will be used; • with whom the information will be shared; and • whether students will have a choice about the use of their information.]
Letter to: Chairman Boucher and Ranking Member Stearns
Date CapturedMonday June 07, 2010 06:26 PM
Mike Sachoff -- [In response to a discussion draft of a new privacy bill now under consideration by the House Subcommittee on Communications, Technology and the Internet, ten privacy and consumer groups today called for stronger measures to protect consumer privacy both online and off. The organizations including the Consumer Federation of America, Electronic Frontier Foundation, Consumer Watchdog, World Privacy Forum, Consumer Action, USPIRG, Privacy Rights Clearinghouse, Privacy Times, Privacy Lives, and the Center for Digital Democracy, raised their concerns in a letter to Subcommittee Chairman Rick Boucher and Ranking Member Cliff Stearns. The groups recommended the following: *The bill should incorporate the Fair Information Practice Principles that have long served as the bedrock of consumer privacy protection in the U.S., including the principle of not collecting more data than is necessary for the stated purposes, limits on how long data should be retained, and a right to access and correct one's data. *The bill's definitions of what constitutes "sensitive information" need to be expanded; for instance, to include health-related information beyond just "medical records." *The bill should require strict "opt-in" procedures for the collection and use of covered data and should prohibit the collection and use of any sensitive information except for the transactions for which consumers provided it.]
Instructions for using the Privacy Notice Online Form Builder:
Date CapturedThursday April 15, 2010 04:28 PM
FEDERAL RESERVE: [1. Select your form, based on (1) whether you provide an opt out and (2) whether you include affiliate marketing: If you provide an opt out and you want to include affiliate marketing, use Form 1. If you provide an opt out and you do not want to include affiliate marketing, use Form 2. If you do not provide an opt out and you want to include affiliate marketing, use Form 3. If you do not provide an opt out and you do not want to include affiliate marketing, use Form 4. 2. The PDF forms have fillable areas, indicated by the shaded boxes outlined in red. Place your cursor in the box and fill in the appropriate text.]

People

Melissa Ngo
Date CapturedSunday July 20, 2008 07:48 PM
Professor Joel R. Reidenberg
Date CapturedSaturday June 21, 2008 09:35 PM
Joel R. Reidenberg is Professor of Law and a past Director of the Graduate Program in Law at Fordham University School of Law. Professor Reidenberg has testified before the U.S. Congress on data privacy issues, served as a consultant to both the Federal Trade Commission and the European Commission on privacy issues, and served as a Special Assistant Attorney General for the State of Washington in connection with privacy litigation. He has also chaired the Section on Defamation and Privacy of the Association of American Law Schools (the academic society for American law professors) and is a former chair of the association's Section on Law and Computers.
Lawrence Ponemon
Date CapturedWednesday June 04, 2008 06:06 PM
Dr. Ponemon was appointed to the Online Access and Security Advisory Committee of the United States Federal Trade Commission. He was also appointed to two California State task forces on privacy and data security laws. Dr. Ponemon was recently appointed to the Data Privacy and Integrity Advisory Committee of the Department of Homeland Security. Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelors with Highest Distinction from the University of Arizona.
Chris Jay Hoofnagle
Date CapturedMonday June 02, 2008 06:40 PM
Chris Jay Hoofnagle is senior staff attorney to the Samuelson Law, Technology & Public Policy Clinic and senior fellow with the Berkeley Center for Law & Technology. His focus is consumer privacy law. From 2000 to 2006, he was senior counsel to the Electronic Privacy Information Center (EPIC) and director of the organization’s West Coast office.
Daniel Solove
Date CapturedMonday June 02, 2008 04:54 PM
Daniel J. Solove is an associate professor of law at the George Washington University Law School. He is the author of The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press 2007), The Digital Person: Technology and Privacy in the Information Age (NYU Press 2004) and Information Privacy Law (Aspen Publishing, 2d ed. 2006).
Bruce Schneier
Date CapturedSunday June 01, 2008 05:40 PM
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," Schneier is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.
Marc Rotenberg
Date CapturedSunday June 01, 2008 05:35 PM
Marc is Executive Director of the Electronic Privacy Information Center (EPIC) in Washington, DC. He teaches information privacy law at Georgetown University Law Center and has testified before Congress on many issues, including access to information, encryption policy, consumer protection, computer security, and communications privacy. He testified before the 9-11 Commission on "Security and Liberty: Protecting Privacy, Preventing Terrorism." He has served on several national and international advisory panels, including the expert panels on Cryptography Policy and Computer Security for the OECD, the Legal Experts on Cyberspace Law for UNESCO, and the Countering Spam program of the ITU. He currently chairs the ABA Committee on Privacy and Information Protection.

Pew Internet

Report: Wikipedia, past and present
Date CapturedWednesday January 19, 2011 07:51 PM
This report examines the history of Wikipedia use since 2007, as well as analysis of the demographics of its users over time. The percentage of all American adults who use Wikipedia to look for information has increased from 25% in February 2007 to 42% in May 2010. This translates to 53% of adult internet users.

Policy

E P I C A l e r t - 15.24
Date CapturedMonday December 08, 2008 08:56 PM
Volume 15.24 - December 8, 2008. Table of Contents: [1] Senator Leahy Presses Justice Department on Telephone Privacy [2] EPIC Urges Disclosure of Google Flu Trends Information [3] EPIC Writes to NPR to drop E-verify Promotion, Urges DHS Disclosure [4] EPIC Pursues Disclosure of FBI Surveillance Guidelines [5] House Committee Host Day Long Discussion on the Transition of DHS [6] News in Brief [7] EPIC Bookstore: "The Online Panopticon"
Electronic Frontier Foundation (EFF)
Date CapturedSunday June 29, 2008 02:40 PM
EFF fights for freedom primarily in the courts, bringing and defending lawsuits even when that means taking on the US government or large corporations. By mobilizing more than 50,000 concerned citizens through our Action Center, EFF beats back bad legislation. In addition to advising policymakers, EFF educates the press and public.
Testimony of David Sohn -- Senior Policy Counsel -- Center for Democracy and Technology
Date CapturedThursday June 12, 2008 11:21 AM
Testimony before The House Committee on Small Business June 12, 2008 -- CDT expressed concern about the impact on privacy and data security of a proposal that would require banks to track credit card payments, and report the data to the Internal Revenue Service for tax enforcement purposes. CDT explained that the proposal would require increased private sector tracking of Social Security numbers of individual businesspeople; such tracking could lead to additional data collection from small businesses and others, and would set a dangerous precedent.
Public Interest and Privacy Groups Call on Congress to Investigate the Use of New Technology that Discloses Private and Personal Internet Activity without Notice to Consumers
Date CapturedFriday June 06, 2008 02:11 PM
This privacy invasion is enabled by a technology called, “Deep Packet Inspection,” which allows an ISP to grab all the information coming out of a user’s computer before it hits the Internet. This private and personal information is then turned over to the ISP’s business partner, usually a third-party firm, which then logs the subscriber information, categorizes it, and delivers ads to the consumer based on a customized profile, gleaned from the information snared by the ISP. Technology that collects and uses this level of personal and private data without any opportunity for the consumer to opt out is unacceptable. Consumers must be made aware of the practice and allowed to choose for themselves whether releasing personal information is an acceptable trade-off for receiving targeted advertising.
The Samuelson Law, Technology & Public Policy Clinic
Date CapturedMonday June 02, 2008 06:34 PM
The Samuelson Law, Technology & Public Policy Clinic at UC Berkeley Law provides an opportunity for law students and graduate students to represent clients and conduct interdisciplinary research.
MODEL REGIME OF PRIVACY PROTECTION - Version 2
Date CapturedMonday June 02, 2008 06:25 PM
By Daniel J. Solove & Chris Jay Hoofnagle. "Currently, the collection and use of personal data by businesses and the government is spinning out of control. An entire industry devoted primarily to processing and disseminating personal information has arisen, and this industry is not well-regulated. Many companies brokering in data have found ways to avoid being regulated by the Fair Credit Reporting Act (FCRA), a landmark law passed in 1970 to regulate consumer reporting agencies. Increasingly, the government is relying on data broker companies to supply personal data for intelligence and law enforcement purposes as well as to analyze it. As a result, the government is navigating around the protections of the Privacy Act, a law passed in 1974 to regulate the collection and use of data by government agencies. The FCRA and Privacy Act form the basic framework that regulates a large portion of the flow of personal data, but this framework is riddled with exceptions and shunted with limitations. We propose a Model Regime of Privacy Protection to address these problems."
The Center for Democracy and Technology
Date CapturedMonday June 02, 2008 03:34 PM
The Center for Democracy and Technology is a non-profit public interest organization working to keep the Internet open, innovative, and free. As a civil liberties group with expertise in law, technology, and policy, CDT works to enhance free expression and privacy in communications technologies by finding practical and innovative solutions to public policy challenges while protecting civil liberties. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media.

PPRA

Methodology of the Youth Risk Behavior Surveillance System 2013
Date CapturedSunday November 03, 2013 09:39 PM
The Youth Risk Behavior Surveillance System (YRBSS), established in 1991, monitors six categories of priority health-risk behaviors among youths and young adults: 1) behaviors that contribute to unintentional injuries and violence; 2) sexual behaviors that contribute to human immunodeficiency virus (HIV) infection, other sexually transmitted diseases, and unintended pregnancy; 3) tobacco use; 4) alcohol and other drug use; 5) unhealthy dietary behaviors; and 6) physical inactivity. In addition, YRBSS monitors the prevalence of obesity and asthma among this population. [Certain schools use active permission, meaning that parents must send back to the school a signed form indicating their approval before their child can participate. Other schools use passive permission, meaning that parents send back a signed form only if they do not want their child to participate in the survey.]
FTC CONSUMER ALERT: Student Surveys: Ask Yourself Some Questions
Date CapturedFriday September 02, 2011 06:35 PM
[The Protection of Pupil Rights Amendment (PPRA) is a federal law that affords certain rights to parents of minor students with regard to surveys that ask questions of a personal nature, as well as to surveys designed to collect personal information from students for marketing purposes. Briefly, with regard to marketing surveys, PPRA generally requires schools to develop policies, notify parents about these surveys and permit them to opt their children out of participation in those surveys. Surveys that are exclusively used for certain educational purposes are excepted from these requirements.] [FTC recommends that you check to see if the survey form includes a privacy statement. If there is no privacy statement, you may want to think twice about distributing the survey. In any case, it is wise to know: • who is collecting the information; • how the information will be used; • with whom the information will be shared; and • whether students will have a choice about the use of their information.]
Protection of Pupil Rights Amendment (PPRA)
Date CapturedFriday October 30, 2009 11:00 AM
The Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. § 1232h; 34 CFR Part 98) applies to programs that receive funding from the U.S. Department of Education (ED). PPRA is intended to protect the rights of parents and students.
Education Marketing Group/ERCA LAWSUIT RE: SALE OF STUDENT INFORMATION
Date CapturedFriday October 30, 2009 10:15 AM
Parties Subject to Order ORDERED, ADJUDGED AND DECREED that this Consent Order and Judgment shall extend to Student Marketing Group, Inc. (“SMG”) and Educational Research Center of America, Inc. (“ERCA”), their successors, assignees, officers, agents, representatives, affiliates and employees and any other person under their direction or control, whether acting individually or in concert with others or through any corporate entity or device through which they may now or hereafter act or conduct business (collectively “respondents”).

Privacy

Privacy and Security Developments 2014 Issue 01
Date CapturedMonday November 24, 2014 06:23 AM
Privacy and Security Developments is a periodic briefing of new cases, statutes, articles, books, resources, and other developments. It is authored by Professors Daniel J. Solove and Paul M. Schwartz.
Reconciling Personal Information in the United States and European Union
Date CapturedThursday June 27, 2013 04:16 PM
Paul M. Schwartz, University of California, Berkeley - School of Law; Daniel J. Solove, George Washington University Law School; May 3, 2013
Get Cocoon Daily Privacy News
Date CapturedSaturday October 06, 2012 01:30 PM
Great resource.
NIST DRAFT: Security and Privacy Controls for Federal Information Systems and Organizations
Date CapturedFriday August 19, 2011 06:54 PM
Special Publication 800-53 - Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance; • Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations; • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls deployed in federal information systems, programs, and organizations; and • Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.
“The Right to Privacy”
Date CapturedSaturday December 11, 2010 05:58 PM
Warren and Brandeis - Harvard Law Review. Vol. IV - December 15, 1890 - No. 5 [Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right "to be let alone." [10] Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops." For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons;[11] and the evil of invasion of privacy by the newspapers, long keenly felt, has been but recently discussed by an able writer.[12] The alleged facts of a somewhat notorious case brought before an inferior tribunal in New York a few months ago,[13] directly involved the consideration of the right of circulating portraits; and the question whether our law will recognize and protect the right to privacy in this and in other respects must soon come before our courts for consideration.]
OPM Should Better Monitor Implementation of Privacy-Related Policies and Procedures for Background
Date CapturedSaturday October 09, 2010 11:00 AM
GAO-10-849 Privacy -- GAO is recommending that the Director of OPM (1) develop guidance for analyzing and mitigating privacy risks in privacy impact assessments, and (2) develop and implement oversight mechanisms for ensuring that investigators properly protect PII and that customer agencies adhere to agreed-upon privacy protection measures. OPM agreed with our recommendations.
A Call for Agility: The Next-Generation Privacy Professionals
Date CapturedThursday March 18, 2010 01:50 PM
International Association of Privacy Professionals (IAPP) “A Call for Agility: The Next-Generation Privacy Professional,” examines key developments in the privacy arena over the last 10 years. It offers a compelling perspective of what roles, issues and challenges will face us in the coming years.
New digital signs target people by age and gender
Date CapturedSunday March 07, 2010 06:26 PM
sjohnson@mercurynews.com writes ["The vast majority of people walking in stores, near elevators and in other public and private spaces have no idea that the innocent-looking flat screen TVs playing videos may be capturing their images and then dissecting and analyzing them for marketing purposes," the nonprofit, Southern California-based World Privacy Forum warned in a report it issued on digital signs in January. "Controls need to be put in place now, before this technology runs amok."]
Updated and Corrected: E-Book Buyer's Guide to Privacy
Date CapturedThursday December 31, 2009 03:20 PM
Electronic Frontier Foundation -- [A few weeks ago, EFF published its first draft of a Buyer's Guide to E-Book Privacy. In that first draft we incorporated the actual language of the privacy policies as much as possible, which unfortunately created some confusion since companies generally use different language to address similar issues. We also did a few other things clumsily. First, we've re-written many of the questions and answers to provide more clarity about the behavior of each e-reader. Second, we've tried to point out where companies' privacy policies themselves are unclear on particular issues. And finally, we've made the whole thing easier to read by changing its visual layout. This guide continues to be a work in progress.]
Happy Birthday, Internet
Date CapturedFriday October 30, 2009 08:22 PM
NPR interview -- authentication and privacy concerns mentioned. October 30, 2009 [On Oct. 29, 1969, around 10:30 P.M., a message from one computer was sent over a modified phone line to another computer hundreds of miles away. Some say the Internet was born that day. UCLA computer scientist Leonard Kleinrock, who was there, gives his account.] IMPORTANT EXCERPT: [Dr. KLEINROCK: Yes. In fact, in those early days, the culture of the Internet was one of trust, openness, shared ideas. You know, I knew everybody on the Internet in those days and I trusted them all. And everybody behaved well, so we had a very easy, open access. We did not introduce any limitations nor did we introduce what we should have, which was the ability to do strong user authentication and strong file authentication. So I know that if you are communicating with me, it's you, Ira Flatow, and not someone else. And if you send me a file, I receive the file you intended me to receive. We should've installed that in the architecture in the early days. And the first thing we should've done with it is turn it off, because we needed this open, trusted, available, shared environment, which was the culture, the ethics of the early Internet. And then when we approach the late 1980s and the early 1990s and spam, and viruses, and pornography and eventually the identity theft and the fraud, and the botnets and the denial of service we see today, as that began to emerge, we should then slowly have turned on that authentication process, which is part of what your other caller referred to is this IPV6 is an attempt to bring on and patch on some of this authentication capability. But it's very hard now that it's not built deep into the architecture of the Internet.]
Americans Reject Tailored Advertising and Three Activities that Enable It
Date CapturedMonday October 05, 2009 07:01 PM
[First, federal legislation ought to require all websites to integrate the P3P protocols into their privacy policies. That will provide a web-wide computer-readable standard for websites to communicate their privacy policies automatically to people’s computers. Visitors can know immediately when they get to a site whether they feel comfortable with its information policy. An added advantage of mandating P3P is that the propositional logic that makes it work will force companies to be straightforward in presenting their positions about using data. It will greatly reduce ambiguities and obfuscations about whether and where personal information is taken. · Second, federal legislation ought to mandate data-flow disclosure for any entity that represents an organization online. The law would work this way: When an internet user begins an online encounter with a website or commercial email, that site or email should prominently notify the person of an immediately accessible place that will straightforwardly present (1) exactly what information the organization collected about that specific individual during their last encounter, if there was one; (2) whether and how that information was linked to other information; (3) specifically what other organizations, if any, received the information; and (4) what the entity expects will happen to the specific individual’s data during this new (or first) encounter. Some organizations may then choose to allow the individuals to negotiate which of forthcoming data-extraction, manipulation and sharing activities they will or won’t allow for that visit. · Third, the government should assign auditing organizations to verify through random tests that both forms of disclosure are correct—and to reveal the results at the start of each encounter. The organizations that collect the data should bear the expense of the audits. Inaccuracies should be considered deceptive practices by the Federal Trade Commission.
The three proposals follow the widely recognized Federal Trade Commission goals of providing users with access, notice, choice, and security over their information. Companies will undoubtedly protest that these activities might scare people from allowing them to track information and raise the cost of maintaining databases about people online. One response is that people, not the companies, own their personal information. Another response is that perhaps consumers’ new analyses of the situation will lead them to conclude that such sharing is not often in their benefit. If that happens, it might lead companies that want to retain customers to change their information tracking-and-sharing approaches. The issues raised here about citizen understanding of privacy policies and data flow are already reaching beyond the web to the larger digital interactive world of personal video recorders (such as TiVo), cell phones, and personal digital assistants. At a time when technologies to extract and manipulate consumer information are becoming ever-more complex, citizens’ ability to control their personal information must be both more straightforward and yet more wide-ranging than previously contemplated.] Turow, Joseph, King, Jennifer, Hoofnagle, Chris Jay, Bleakley, Amy and Hennessy, Michael, Americans Reject Tailored Advertising and Three Activities that Enable It (September 29, 2009). Available at SSRN: http://ssrn.com/abstract=1478214
Browser Privacy Features: A Work In Progress
Date CapturedSunday August 09, 2009 03:39 PM
CDT Releases Updated Report on Privacy Controls for Web Browsers. The report compares browser offerings in three key areas: privacy mode, cookie controls and object controls. Each of those, when used correctly, can greatly reduce the amount of personal information users transmit online. August 05, 2009
E P I C - A l e r t -- Volume 15.25 -- December 23, 2008
Date CapturedTuesday December 23, 2008 06:41 PM
Published by the Electronic Privacy Information Center (EPIC) - Washington, D.C. Table of Contents - [1] Privacy Coalition Members Write to President-elect Obama [2] India Hosts Third Internet Governance Forum [3] Government Issues Final Rules in Education Records Privacy [4] Privacy, Security and Openness at the Internet Governance Forum [5] DHS Releases Fusion Center Privacy Impact Assessment [6] News in Brief
Privacy Lives
Date CapturedFriday December 12, 2008 06:15 PM
Melissa Ngo -- more than a blog -- lots of policy and topic specific archives.
Pavesich, Property and Privacy: The Common Origins of Property Rights and Privacy Rights in Georgia
Date CapturedFriday December 12, 2008 01:28 PM
Kent, Michael B., Pavesich, Property and Privacy: The Common Origins of Property Rights and Privacy Rights in Georgia (December 10, 2008). John Marshall Law Journal, Forthcoming. Available at SSRN: http://ssrn.com/abstract=1313825 ABSTRACT: [Many modern-day Americans think about legal rights in a dualistic fashion. "Personal rights" fall on one side of the divide, while "property rights" fall on the other, and these categories of rights often are deemed to be separate and distinct. This essay, which introduces a symposium on governmental interference with privacy and private property, seeks to moderate such dualistic thinking (at least with regard to the two categories of rights at issue) by showing the common origins of the right to privacy and the right to property as they have developed under Georgia law. The essay focuses on the reasoning used by the Georgia Supreme Court in its 1905 decision in Pavesich v. New England Life Insurance Company, the first decision by a court of last resort to recognize privacy as a specific, remediable common-law right. Included in the Pavesich opinion are allusions to natural law and social compact theory, references to Blackstone and his conception of absolute or fundamental rights, and the use of precedent and language littered with deep-rooted, property-based associations. A careful evaluation of these different elements of the court's reasoning, in light of both prior and subsequent authority, demonstrates the close philosophical and practical connections between privacy rights and property rights. Moreover, these connections help demonstrate that the dichotomy between personal rights and property rights is not as clear as it might appear.]
E P I C A l e r t - 15.24
Date CapturedMonday December 08, 2008 08:56 PM
Volume 15.24 - December 8, 2008. Table of Contents: [1] Senator Leahy Presses Justice Department on Telephone Privacy [2] EPIC Urges Disclosure of Google Flu Trends Information [3] EPIC Writes to NPR to drop E-verify Promotion, Urges DHS Disclosure [4] EPIC Pursues Disclosure of FBI Surveillance Guidelines [5] House Committee Host Day Long Discussion on the Transition of DHS [6] News in Brief [7] EPIC Bookstore: "The Online Panopticon"
Eric Holder and Privacy: A Preliminary Analysis
Date CapturedFriday December 05, 2008 08:51 PM
“Reforming Fourth Amendment Privacy Doctrine”
Date CapturedSaturday July 26, 2008 07:38 PM
Jim Harper, in an American University Law Review article, concludes, "The Fourth Amendment takes the individual’s circumstances as a given (including his or her privacy) and asks whether the government has been reasonable. It does not ask whether Americans’ privacy is reasonable. Current Fourth Amendment doctrine has it backward. It should be reformed. 81. See U.S. CONST. amend. IV (declaring that people have the right 'to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures')."
“The Blind Eye to Privacy Law Arbitrage by Google -- Broadly Threatens Respect for Privacy”
Date CapturedFriday July 25, 2008 09:54 AM
Testimony of Scott Cleland, President, Precursor LLC before the House Energy & Commerce Subcommittee on Internet Hearing, July 17, 2008 -- By turning a blind eye to what Google, the worst privacy offender on the Internet, is doing to systematically invade and abuse Americans’ expectation of privacy, Congress is perversely encouraging copycat behavior “deep packet inspection” advertising entrepreneurs who see that there is a huge privacy double standard arbitrage. Companies like NebuAd are essentially just following the privacy-arbitrage leader – Google.
Right of Publicity
Date CapturedWednesday June 25, 2008 11:19 PM
In Pictures: Companies That Profit From Your Data
Date CapturedMonday June 23, 2008 03:13 PM
It may be your name, address and phone number. But it's their cash cow. By Andy Greenberg (there is a series of pictures/text with this link)
What Privacy Policy?
Date CapturedMonday June 23, 2008 03:06 PM
Forbes reports, "In recent years, passing on sensitive data points like e-mail addresses and credit card codes to marketing partners has also been a frequent source of corporate data breaches--about 40% of all breach incidents were a result of a third party's handling of data, according to another Ponemon study, released in November 2007."
Alternatives Exist for Enhancing Protection of Personally Identifiable Information
Date CapturedSaturday June 21, 2008 08:57 PM
Highlights of GAO-08-536, a report to congressional requesters: In assessing the appropriate balance between the needs of the federal government to collect personally identifiable information for programmatic purposes and the assurances that individuals should have that their information is being sufficiently protected and properly used, Congress should consider amending applicable laws, such as the Privacy Act and the E-Government Act, according to the alternatives outlined in this report, including: • revising the scope of the laws to cover all personally identifiable information collected, used, and maintained by the federal government; • setting requirements to ensure that the collection and use of personally identifiable information is limited to a stated purpose; and • establishing additional mechanisms for informing the public about privacy protections by revising requirements for the structure and publication of public notices.
The US Court of Appeals for the Ninth Circuit [PDF text]
Date CapturedSaturday June 21, 2008 06:14 PM
The decision is the first time that a federal appeals court has found that electronic messages are covered by Fourth Amendment protections.
Ninth Circuit rules text messages protected by Fourth Amendment
Date CapturedSaturday June 21, 2008 06:10 PM
Considering the privacy implications of the case, the court wrote: The extent to which the Fourth Amendment provides protection for the contents of electronic communications in the Internet age is an open question. The recently minted standard of electronic communication via e-mails, text messages, and other means opens a new frontier in Fourth Amendment jurisprudence that has been little explored. Here, we must first answer the threshold question: Do users of text messaging services such as those provided by Arch Wireless have a reasonable expectation of privacy in their text messages stored on the service provider’s network? We hold that they do.
Protecting Personal Information: Is the Federal Government Doing Enough?
Date CapturedWednesday June 18, 2008 06:20 PM
Statement of Ari Schwartz, Vice President Center for Democracy & Technology before the Committee on Homeland Security and Governmental Affairs -- "Current federal laws and policies provide to those agency officials who care about privacy valuable tools to protect personal information in the hands of the federal government. Unfortunately, these laws and policies clearly have not been implemented consistently in a way that prevents indifference or wanton neglect of personal information. Moreover, even diligent officials find gaps in existing laws, especially because those laws, especially the Privacy Act of 1974, have failed to keep pace with technological change. To adequately protect privacy in this digital age, when more information is collected and shared than ever before, both Congress and the Executive Branch will need to work together to close the long-recognized gaps in existing laws and policies. At the same time, both branches must foster the leadership and insist upon the measurement capabilities needed to ensure that existing and new laws and policies are implemented uniformly and diligently."
PRIVACY -- Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information
Date CapturedWednesday June 18, 2008 05:09 PM
In its report GAO identified alternatives that the Congress should consider, including revising the scope of privacy laws to cover all personal information, requiring that the use of such information be limited to a specific purpose, and revising the structure and publication of privacy notices. OMB commented that the Congress should consider these alternatives in the broader context of existing privacy and related statutes.
How Facebook spells the end of privacy
Date CapturedWednesday June 18, 2008 10:15 AM
We can hope for common sense about information privacy, but technology keeps changing the norms.
Testimony of David Sohn -- Senior Policy Counsel -- Center for Democracy and Technology
Date CapturedThursday June 12, 2008 11:21 AM
Testimony before The House Committee on Small Business June 12, 2008 -- CDT expressed concern about the impact on privacy and data security of a proposal that would require banks to track credit card payments, and report the data to the Internal Revenue Service for tax enforcement purposes. CDT explained that the proposal would require increased private sector tracking of Social Security numbers of individual businesspeople; such tracking could lead to additional data collection from small businesses and others, and would set a dangerous precedent.
INTERNET LAW - European Approach to Privacy in the Workplace
Date CapturedWednesday June 11, 2008 05:09 PM
Internet Business Law Services -- "The employees' right to privacy in Europe is ingrained in their culture and it has evolved as a human right since the French revolution, which created new employment rights in Europe and various countries in the world. The Council of Europe is one of the European highest authorities on human rights. Thus, the Council's legal principles and rulings on data protection and privacy are relevant for the European issue of privacy in the workplace. Besides the Council's principles, the European Union's directives on electronic surveillance of employees in the workplace and their respective member states' implementing laws compose the legal framework of European employees' surveillance in the workplace."
Law Enforcement Use of Cell Info Raises New Privacy Concerns
Date CapturedTuesday June 10, 2008 08:00 PM
The Heartland Institute -- "Kramer [attorney with Kramer Telecom Law Firm in Los Angeles] says consumers often misunderstand their privacy rights. Though the content of phone calls is private, a cell phone number is property of the wireless provider, and thus can be tracked and used as the provider sees fit. As with banking records, people give up a certain level of privacy when they choose to use a cell phone, because their location and activity can be traced. 'We live in a very networked world,' Kramer noted. 'People have a higher expectation of privacy than actually exists.'"
Outbound Email and Data Loss Prevention in Today’s Enterprise, 2008
Date CapturedFriday June 06, 2008 07:23 PM
This report summarizes findings from Proofpoint’s fifth annual study of outbound email security and content security issues in the enterprise. This effort was started in 2004 when enterprise attitudes about inbound messaging issues (e.g., spam and viruses) were much better understood than concerns about outbound email content (e.g., data protection, privacy, regulatory compliance and intellectual property leak protection). This study was designed to examine (1) the level of concern about the content of email (and other forms of electronic messaging) leaving large organizations, (2) the techniques and technologies those organizations have put in place to mitigate risks associated with outbound messaging, (3) the state of messaging-related policy implementation and enforcement in large organizations and (4) the frequency of various types of policy violations and data security breaches.
What If Samuel D. Warren Hadn’t Married A Senator’s Daughter?: Uncovering The Press Coverage That Led To The Right To Privacy
Date CapturedThursday June 05, 2008 06:42 PM
Modern tort protection for personal privacy is commonly traced back to Samuel Warren and Louis Brandeis’ 1890 law review article, The Right of Privacy, yet scholars have long been uncertain what prompted Warren and Brandeis’ impassioned attack on invasive press practices, unable to point to any news coverage of Warren that might convincingly explain his evident outrage at the press. This Article attempts to solve that mystery by examining approximately 60 newspaper stories from Boston, New York, and Washington, D.C., most never before analyzed, that report on the personal lives of Warren and his family. These stories—including some particularly intrusive coverage of Warren family tragedies—very plausibly explain what Warren had in mind when he wrote that ruthless gossip regarding private matters had become a social blight requiring legal remedy. This Article, part of a symposium dedicated to exploring how modern law might have developed differently without catalytic events, concludes that Warren and Brandeis’ landmark article would not have been written if Warren had not married into a political family in the public eye.
Study secretly tracks cellphone users
Date CapturedThursday June 05, 2008 03:01 PM
AP reports, "Researchers secretly tracked the locations of 100,000 people outside the United States through their cellphone use and concluded that most people rarely stray more than a few miles from home. The first-of-its-kind study by Northeastern University raises privacy and ethical questions for its monitoring methods, which would be illegal in the United States."
Access Rights to Business Data on Personally-Owned Computers
Date CapturedThursday June 05, 2008 10:51 AM
A White Paper by John C. Montaña for The ARMA International Education Foundation. "The continuing and pervasive blurring of the boundaries between work and home environments is another reality for many workers. Increased responsibilities and workloads, demands for longer hours and many other factors combine to create a situation in which many workers are required to resort to extraordinary measures to meet the demands of work and profession. In many cases, these demands are met by working at home. Increasingly, this work is computer-based work, and includes e-mail, word processing documents, spreadsheet and other computer-generated data objects. In many cases, this work is done on a computer provided by the employer for the purposes of facilitating the employee’s at-home work. In many other cases, however, the work is performed on a computer owned by the employee themselves or someone else living in the employee’s residence."
Office of Privacy Commissioner (OPC) Web Site for Youth
Date CapturedWednesday June 04, 2008 05:57 PM
An interactive web site that offers advice about how youth can protect their personal information and take charge of how their identity is being shaped online. Canadian youth are among the most wired in the world – they see the Internet as one of the most powerful ways to connect with and make new friends. And while we know that the Internet is the least private of spaces, many young people think that the messages they send online are private and no one else will see them. This web site aims to encourage young people to build a secure online identity, so they are not putting themselves in any kind of risk. The goal is to capture the attention of young people and to keep them interested so they’ll be motivated to start protecting their privacy when they are online and out in the real world.
RFID Journal
Date CapturedTuesday June 03, 2008 08:07 PM
News and white papers on RFIDs
How public opinion polls define and circumscribe online privacy
Date CapturedTuesday June 03, 2008 07:42 PM
By Kim Bartel Sheehan. Abstract: The advent of new communications technologies and the integration of such technologies into individuals’ lives have resulted in major changes to society. Responding to such privacy concerns is of key interest to legislators, policy–makers, and business leaders as these groups seek to balance consumer privacy needs with the realities of this new society. These groups, and others, use public opinion polls and surveys to measure the current climate of opinion among citizens. This study examines the language of 43 opinion polls and surveys dealing with privacy and the Internet to understand how these polls define and assess online privacy. Results suggest that polls treat the complex construction of privacy in an overly simplistic way. Additionally, pollsters present many poll questions in a way that may lead survey respondents to express stronger negative feelings about privacy than really exist. First Monday, volume 9, number 7 (July 2004)
Microchips Everywhere: a Future Vision (RFID)
Date CapturedTuesday June 03, 2008 06:54 PM
January, 2008 -- AP reports, "Some of the world's largest corporations are vested in the success of RFID technology, which couples highly miniaturized computers with radio antennas to broadcast information about sales and buyers to company databases. Already, microchips are turning up in some computer printers, car keys and tires, on shampoo bottles and department store clothing tags. They're also in library books and 'contactless' payment cards (such as American Express' 'Blue' and ExxonMobil's 'Speedpass.')"
MODEL REGIME OF PRIVACY PROTECTION - Version 2
Date CapturedMonday June 02, 2008 06:25 PM
By Daniel J. Solove & Chris Jay Hoofnagle. "Currently, the collection and use of personal data by businesses and the government is spinning out of control. An entire industry devoted primarily to processing and disseminating personal information has arisen, and this industry is not well-regulated. Many companies brokering in data have found ways to avoid being regulated by the Fair Credit Reporting Act (FCRA), a landmark law passed in 1970 to regulate consumer reporting agencies. Increasingly, the government is relying on data broker companies to supply personal data for intelligence and law enforcement purposes as well as to analyze it. As a result, the government is navigating around the protections of the Privacy Act, a law passed in 1974 to regulate the collection and use of data by government agencies. The FCRA and Privacy Act form the basic framework that regulates a large portion of the flow of personal data, but this framework is riddled with exceptions and shunted with limitations. We propose a Model Regime of Privacy Protection to address these problems."
Electronic Privacy Information Center (EPIC)
Date CapturedSunday June 01, 2008 05:31 PM
EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
Teens, Privacy and Online Social Networks: How teens manage their online identities and personal information in the age of MySpace
Date CapturedWednesday June 27, 2007 08:26 PM
Pew Internet Study by Amanda Lenhart and Mary Madden, "While many teens post their first name and photos on their profiles, they rarely post information on public profiles they believe would help strangers actually locate them such as their full name, home phone number or cell phone number. At the same time, nearly two-thirds of teens with profiles (63%) believe that a motivated person could eventually identify them from the information they publicly provide on their profiles. A new report, based on a survey and a series of focus groups conducted by the Pew Internet & American Life Project examines how teens, particularly those with profiles online, make decisions about disclosing or shielding personal information. Some 55% of online teens have profiles and most of them restrict access to their profile in some way. Of those with profiles, 66% say their profile is not visible to all internet users. Of those whose profile can be accessed by anyone online, nearly half (46%) say they give at least some false information. Teens post fake information to protect themselves and also to be playful or silly."

Privacy Harm

The Problems Of Web Surveillance
Date CapturedTuesday January 11, 2011 08:54 AM
Clarification by Ryan Calo: 1) Consumers do not understand the circumstances under which the government may gain access to their data. 2) Electronic privacy laws are outdated and do not reflect contemporary technology or practices. 3) Regardless of the government’s motives, certain practices threaten to chill free speech and should be viewed with great skepticism.
“The Right to Privacy”
Date CapturedSaturday December 11, 2010 05:58 PM
Warren and Brandeis - Harvard Law Review. Vol. IV - December 15, 1890 - No. 5 [Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right "to be let alone."[10] Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops." For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons;[11] and the evil of invasion of privacy by the newspapers, long keenly felt, has been but recently discussed by an able writer.[12] The alleged facts of a somewhat notorious case brought before an inferior tribunal in New York a few months ago,[13] directly involved the consideration of the right of circulating portraits; and the question whether our law will recognize and protect the right to privacy in this and in other respects must soon come before our courts for consideration.]
The Boundaries of Privacy Harm
Date CapturedSaturday July 17, 2010 07:00 PM
M. Ryan Calo -- Stanford Law School -- July 16, 2010 -- Abstract: [This Essay describes the outer boundaries and core properties of privacy harm. Properly understood, privacy harm falls into just two categories. The subjective category of privacy harm is the unwanted perception of observation. This category describes unwelcome mental states—anxiety, embarrassment, fear—that stem from the belief that one is being watched or monitored. Examples include everything from a landlord listening in on his tenants to generalized government surveillance. The objective category of privacy harm is the unanticipated or coerced use of information concerning a person against that person. These are negative, external actions justified by reference to personal information. Examples include identity theft, the leaking of classified information that reveals an undercover agent, and the use of a drunk-driving suspect’s blood as evidence against him. The subjective and objective categories of privacy harm are distinct but related. Just as assault is the apprehension of battery, so is the unwanted perception of observation largely an apprehension of information-driven injury. The categories represent, respectively, the anticipation and consequence of a loss of control over personal information. The approach offers several advantages. It uncouples privacy harm from privacy violations, demonstrating that no person need commit a privacy violation for privacy harm to occur (and vice versa). It creates a “limiting principle” capable of revealing when another value—autonomy or equality, for instance—is more directly at stake. It also creates a “rule of recognition” that permits the identification of a privacy harm when no other harm is apparent. Finally, the approach permits the sizing and redress of privacy harm in novel ways.]

Public Domain

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES SUBJECT: Transparency and Open Government
Date CapturedMonday June 28, 2010 08:44 PM
[My Administration is committed to creating an unprecedented level of openness in Government. We will work together to ensure the public trust and establish a system of transparency, public participation, and collaboration. Openness will strengthen our democracy and promote efficiency and effectiveness in Government.] from Barack Obama
Review: Federal program used to hide flights from public
Date CapturedTuesday April 13, 2010 08:22 PM
USA Today -- By Michael Grabell and Sebastian Jones, ProPublica - [Use of the airspace is considered public information because taxpayers fund air-traffic controllers, radars and runways. "It belongs to all of us," said Chuck Collins, who has studied private jet travel at the Institute for Policy Studies, a progressive think tank. "It's not a private preserve." NBAA spokesman Dan Hubbard said privacy is important to business fliers because competitors can learn of potential deals by tracking planes, and that could affect stock prices. "There are certain circumstances where there is a security concern," he said. In 2000, Congress required websites to stop posting flights of certain planes at the FAA's request. The FAA later agreed to let the aviation group be the clearinghouse. FAA spokeswoman Laura Brown said the agency lacks resources to evaluate whether requests to keep flights secret are justified, so the agency lets the NBAA decide each month the flights kept from public view.]

Race to the Top (RttT)

RACE TO THE TOP: Reform Efforts Are Under Way and Information Sharing Could Be Improved
Date CapturedMonday February 27, 2012 10:49 PM
GAO: RACE TO THE TOP: Reform Efforts Are Under Way and Information Sharing Could Be Improved
New York State Race to the Top Subgrants to Participating LEAs NOV 2010
Date CapturedTuesday February 14, 2012 12:08 AM
Race to the Top Subgrants to Participating LEA's (50% of Total) Based on Receipt of Letters of Intent total $348,323,000 in 2010.
NEW YORK: RACE TO THE TOP ANNUAL PERFORMANCE REPORT
Date CapturedFriday January 20, 2012 02:57 PM
New York faces the ongoing challenge of communicating and collaborating with its various stakeholders. Similarly, the complexity of reviewing and approving Scopes of Work, budgets, expenditures, and evaluation plans for all of the State’s participating LEAs presented a formidable task that required a high level of strategic planning and logistical coordination by NYSED leadership. The State is working to overcome these challenges by investing in communication tools and leveraging other quality-control methods (such as a new online expenditure reporting tool) in order to increase its responsiveness and efficiency in the future.
New York State Race to the Top Application
Date CapturedWednesday March 16, 2011 10:54 AM
New York State submitted its Phase II Race to the Top application to the U.S. Department of Education on June 1. On August 24, the U.S. Department of Education announced that New York State had been awarded $696,646,000 as a winner in the second round of the federal Race to the Top competition. The application and related documents are posted below: Selection Criteria and Competition Priorities (4.05 MB); Appendices (28.88 MB); Participating LEA Memorandum of Understanding and Preliminary Scope of Work (Exhibit I) (63 KB); Frequently Asked Questions and Answers (57 KB); The Regents Education Reform Plan and New York State's Race to the Top (RTTT) Application Summary | PDF (41 KB); Legislation in Support of Race to the Top Application.

Real ID

Today's Living on 'Today's THV at 5': Real ID Program
Date CapturedTuesday December 01, 2009 03:27 PM
Rebecca Buerkle writes - [Twenty-four states have passed laws or resolutions saying they will not comply. Other states that want an extension on the Dec. 31 deadline had until Tuesday to demonstrate they are making progress. But as many as 12 states may not be able to do so, making 36 states non-compliant.]
Bill Introduced To Repeal Failed Real ID Act (7/31/2009) Bill Would Protect Civil Liberties And Drivers' License Security
Date CapturedSunday August 09, 2009 05:13 PM
WASHINGTON – In a welcome move today, legislation was introduced in the House of Representatives to repeal the discredited Real ID Act of 2005. The REAL ID Repeal and Identification Security Enhancement Act of 2009, introduced by Representative Steve Cohen (D-TN), would repeal Real ID and replace it with the original negotiated rulemaking process passed by Congress as part of the 9/11 Commission recommendations. Twenty-five states have already rejected Real ID, citing its high cost, invasiveness and the bureaucratic hassles it creates for citizens. The Real ID Act of 2005 directs states to issue a federally-approved driver's license or other form of ID that would be necessary for airline travel and become part of a national database. Like state governments from coast to coast, the American Civil Liberties Union has long opposed the Act as too invasive, too much red tape and too expensive.
DHS Announces $48.6 Million in Driver’s License Security Grants
Date CapturedTuesday December 16, 2008 08:35 PM
The U.S. Department of Homeland Security (DHS) today opened the application period for approximately $48.6 million under the Fiscal Year (FY) 2009 Driver’s License Security Grant Program. These grants support state efforts to prevent terrorism and reduce fraud by improving the reliability and accuracy of identification documents that state governments issue. The FY 2009 Driver’s License Security Grant Program will accept proposals that improve state capabilities consistent with the requirements of the REAL ID final rule. This year’s program also will contain pre-determined target allocation funds to all 56 states and territories instead of the competitively awarded funds issued to states and territories under the FY 2008 REAL ID program funds.
Enhanced Driver’s Licenses Coming Your Way…
Date CapturedSunday July 27, 2008 05:01 PM
Steven A. Culbreath, Esq. blogs, "DHS has worked to align REAL ID and EDL requirements. EDLs that are developed consistent with the requirements of REAL ID can be used for official purposes such as accessing a Federal facility, boarding Federally-regulated commercial aircraft, and entering nuclear power plants." And... "While the REAL ID requires proof of legal status in the U.S., the state issued EDL will require that the card holder be a U.S. citizen."
realnightmare.org
Date CapturedSunday July 20, 2008 06:48 PM
Anti-Real ID website
Jindal Vetoes His Vote
Date CapturedSunday July 20, 2008 06:12 PM
New Orleans blog, "As a new Republican governor, Jindal signed legislation into law earlier this month that prohibits Louisiana from participating in the very same Real ID Act he voted for as a congressman."

Records Management

NIST DRAFT: Security and Privacy Controls for Federal Information Systems and Organizations
Date CapturedFriday August 19, 2011 06:54 PM
Special Publication 800-53 - Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance; • Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations; • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls deployed in federal information systems, programs, and organizations; and • Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.
Fordham CLIP Comments on FERPA NPRM May 23, 2011 Docket: ED-2011-OM-0002
Date CapturedWednesday June 22, 2011 10:24 PM
Fordham Professor of Law Joel Reidenberg: Proposed Amendments to the FERPA Regulations contradict Congressional Mandates; Impermissible expansion of “Authorized representative” proposed in §99.3; Problematic expansion of “directory information” proposed in §99.3; Impermissible expansion of the “audit and evaluation” provision proposed in §99.35(a)(2); Questionable Enforcement proposed in §99.35.
New York State Student Information Repository System (SIRS) Manual
Date CapturedWednesday December 22, 2010 08:44 PM
New York State Student Information Repository System (SIRS) Manual; Reporting Data for the 2010–11 School Year (SEE APPENDIX 19)
Cloud Computing: Storm Warning for Privacy?
Date CapturedWednesday July 07, 2010 01:20 PM
[Abstract: “Cloud computing” - the ability to create, store, and manipulate data through Web-based services - is growing in popularity. Cloud computing itself may not transform society; for most consumers, it is simply an appealing alternative tool for creating and storing the same records and documents that people have created for years. However, outdated laws and varying corporate practices mean that documents created and stored in the cloud may not have the same protections as the same documents stored in a filing cabinet or on a home computer. Can cloud computing services protect the privacy of their consumers? Do they? And what can we do to improve the situation?] Ozer, Nicole and Conley, Chris, Cloud Computing: Storm Warning for Privacy? (January 29, 2010). Nicole Ozer & Chris Conley, CLOUD COMPUTING: STORM WARNING FOR PRIVACY, ACLU of Northern California, 2010.
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Date CapturedMonday May 03, 2010 11:04 AM
Recommendations of the National Institute of Standards and Technology - [The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization’s legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII. To effectively protect PII, organizations should implement the following recommendations.]
InterPARES
Date CapturedSunday April 18, 2010 08:42 PM
[The International Research on Permanent Authentic Records in Electronic Systems (InterPARES) aims at developing the knowledge essential to the long-term preservation of authentic records created and/or maintained in digital form and providing the basis for standards, policies, strategies and plans of action capable of ensuring the longevity of such material and the ability of its users to trust its authenticity. InterPARES has developed in three phases:]
Help! I’ve Lost My Files
Date CapturedFriday April 02, 2010 06:13 PM
AOL Discover -- [Deleted Files: The good news: if you accidentally (or purposefully) delete a file, chances are it’s not actually gone. Windows often keeps deleted files in the Trash or Recycle Bin. Double-click the Recycle Bin icon on your desktop to see what's inside. You can drag and drop the file to the location you want, or right-click on the file and select Restore, which will automatically return it to the location from which it was deleted. Lost Files: If you’re in the middle of working on a document and your program freezes, crashes or is forced to close before you can save, all may not be lost. Many documents can be partially if not fully recovered. ]
Facebook fights back, disallows the Suicide Machine
Date CapturedThursday January 07, 2010 08:17 PM
Los Angeles Times reports - [The Suicide Machine is a clever Web site out of the Netherlands that was designed to free users from their social network lives on Facebook, Twitter, MySpace and LinkedIn. You just pick one of the networks, start up the machine, and it graphically shows you unfriending your contacts, one by one, and eliminating all your other contacts with your profile. Forever.]
National Forum on Education Statistics. Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies
Date CapturedSaturday March 21, 2009 01:43 PM
National Forum on Education Statistics. Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies, NCES 2004–330. Washington, DC: 2004.
HHS Names David Blumenthal As National Coordinator for Health Information Technology
Date CapturedSaturday March 21, 2009 01:00 PM
The American Recovery and Reinvestment Act includes a $19.5 billion investment in health information technology, which will save money, improve quality of care for patients, and make our health care system more efficient. Dr. Blumenthal will lead the effort at HHS to modernize the health care system by catalyzing the adoption of interoperable health information technology by 2014 thereby reducing health costs for the federal government by an estimated $12 billion over 10 years.
ONLINE BEHAVIORAL ADVERTISING: A CHECKLIST OF PRACTICES THAT IMPACT CONSUMER TRUST
Date CapturedWednesday March 04, 2009 03:09 PM
Truste white paper -- [Self-regulation is a process often preceded by leading companies beginning to strengthen practices and chart advances that are then more widely adopted. In particular, companies should be aware of evolving industry practices in the following areas: Application of certain privacy principles to some types of non-personal data, for example, behavioral profiles, cookie IDs or IP addresses. Notices about ad-serving and behavioral targeting being provided in banner ads or on home pages, in addition to within a privacy policy. Choice being provided not only for the sharing of ad-serving data, but with regard to data use by a single company to tailor ads on its own sites. The establishment of specific data retention policies and anonymization techniques for log-file data.]
Cable Companies Target Commercials to Audience
Date CapturedWednesday March 04, 2009 02:53 PM
NY Times STEPHANIE CLIFFORD [Cablevision matches households to demographic data to divide its customers, using the data-collection company Experian. Experian has data on individuals that it collects through public records, registries and other sources. It matches the name and address of the subscriber to what it knows about them, and assigns demographic characteristics to households. (The match is a blind one: advertisers do not know what name and address they are advertising to, Cablevision executives said.) Advertisers can also give their existing customer lists to Experian, and Experian can make matches — so G.M., for example, could direct an ad based on who already owns a G.M. car. Advertisers are willing to pay premiums for ads that go only to audiences they have selected.]
RE: USE OF CLOUD COMPUTING APPLICATIONS AND SERVICES
Date CapturedThursday February 26, 2009 06:07 PM
Associate Director John B. Horrigan (202-419-4500) - September 2008 - Pew/Internet - [Convenience and flexibility are the watchwords for those who engage in cloud computing activities: 51% of internet users who have done a cloud computing activity say a major reason they do this is that it is easy and convenient. 41% of cloud users say a major reason they use these applications is that they like being able to access their data from whatever computer they are using. 39% cite the ease of sharing information as a major reason they use applications in cyberspace or store data there. At the same time, users report high levels of concern when presented with scenarios in which companies may put their data to uses of which they may not be aware. 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party. 80% say they would be very concerned if companies used their photos or other data in marketing campaigns. 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.]
Cloud computing takes hold despite privacy fears
Date CapturedThursday February 26, 2009 06:03 PM
Computerworld -- Heather Havenstein [Users of online e-mail, storage systems fear the sale of personal data without permission]
Lost Cellphone? Your Carrier Has Your Backup
Date CapturedWednesday February 25, 2009 08:28 PM
Wall Street Journal - Mossberg Solution - KATHERINE BOEHRET [By the time you've left your cellphone in a taxi or dropped it into a pot of soup, it's too late. All those phone numbers you had at your finger tips -- your best friend, your boss, your mom -- are gone. (Well, maybe you'll remember Mom's.) Some companies have tried to soothe backup concerns with gadgets like the $50 Backup-Pal from Advanced Wireless Solutions LLC, or wireless services like Skydeck. But for many people, it's just as easy to ignore the risk.]
Cloud Computing Privacy Tips
Date CapturedWednesday February 25, 2009 04:11 PM
World Privacy Forum -- February 23, 2009 -- By Robert Gellman and Pam Dixon [Cloud Computing Tips for Consumers: Read the Terms of Service before placing any information in the cloud. If you don’t understand the Terms of Service, consider using a different cloud provider. Don’t put anything in the cloud you would not want the government or a private litigant to see. Pay close attention if the cloud provider reserves rights to use, disclose, or make public your information. Read the privacy policy before placing your information in the cloud. If you don’t understand the policy, consider using a different provider. When you remove your data from the cloud provider, does the cloud provider still retain rights to your information? If so, consider whether that makes a difference to you. Will the cloud provider give advance notice of any change of terms in the terms of service or privacy policy? ]
REPORT: Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing
Date CapturedWednesday February 25, 2009 03:59 PM
Released February 23, 2009 - Author: Robert Gellman: [This report discusses the issue of cloud computing and outlines its implications for the privacy of personal information as well as its implications for the confidentiality of business and governmental information. The report finds that for some information and for some business users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared. The report discusses how even when no laws or obligations block the ability of a user to disclose information to a cloud provider, disclosure may still not be free of consequences. The report finds that information stored by a business or an individual with a third party may have fewer or weaker privacy or other protections than information in the possession of the creator of the information. The report, in its analysis and discussion of relevant laws, finds that both government agencies and private litigants may be able to obtain information from a third party more easily than from the creator of the information. A cloud provider’s terms of service, privacy policy, and location may significantly affect a user’s privacy and confidentiality interests.] see policy recommendations in full report.
Does Cloud Computing Mean More Risks to Privacy?
Date Captured Wednesday February 25, 2009 03:44 PM
NY Times -- Saul Hansell -- [In the United States, information held by a company on your behalf — be it a bank, an e-mail provider or a social network — is often not protected as much as information a person keeps at home or a business stores in computers it owns. Sometimes that means that a government investigator, or even a lawyer in a civil lawsuit, can get access to records by simply using a subpoena rather than a search warrant, which requires more scrutiny by a court.]
"FACEBOOK INFO FUROR"
Date Captured Wednesday February 18, 2009 08:45 AM
NY Post publishes AP story: -- ["FACEBOOK INFO FUROR" -- Tens of thousands of Facebook users are protesting new policies that they say grant the social-networking site the ability to control their information forever, even after they cancel their accounts. Facebook's new terms of use, updated Feb. 4, largely went unnoticed until the popular consumer-rights advocacy blog Consumerist.com pointed out the changes Sunday.]
FTC Online Privacy Guidelines Faulted
Date Captured Friday February 13, 2009 01:11 PM
Business Week -- Douglas MacMillan -- [On Feb. 12, the U.S. Federal Trade Commission issued guidelines designed to give consumers more information about how advertisers collect and use data about their Web surfing habits. Among the recommendations: Every site that follows Web-use patterns to tailor marketing messages, a practice known as behavioral targeting, should spell out how it is collecting data and give consumers the ability to opt out of targeting. The report also urges sites to keep collected data "as long as is necessary to fulfill a legitimate business or law enforcement need," inform users of any changes made to privacy policies, and only collect sensitive personal data—such as financial and health records—in cases where the user opts in.]
Response to the 2008 NAI Principles: The Network Advertising Initiative’s Self-Regulatory Code of Conduct for Online Behavioral Advertising
Date Captured Thursday February 12, 2009 06:43 PM
[CDT believes the 2008 NAI Principles, while late in addressing new trends in the industry, demonstrate clear progress over the original code of conduct adopted in 2000. The transparency of the NAI’s revision and compliance process, the approach to sensitive information, and the coverage of advertising practices beyond behavioral advertising all represent important steps forward. While robust self-regulation in the behavioral advertising space does not obviate the need for a baseline federal privacy law covering data collection and usage of all kinds, the NAI has made advances in several areas, yielding what we hope will be better protections for consumer privacy. However, the 2008 NAI Principles still come up short in crucial respects including the opt-out choice requirement, the notice standard, the NAI member accountability model, the failure to address ISP behavioral advertising, the lack of a choice requirement for multi-site advertising, and the data retention principle. Some of these are outstanding issues that have existed within the NAI framework since its inception, while others are new concerns raised by the updates to the principles.]
Center for Democracy & Technology (CDT) Applauds Critical Privacy, Security Provisions in Health IT Stimulus Bill
Date Captured Sunday January 18, 2009 05:59 PM
[The bill's privacy provisions include the following: Stronger protections against the use of personal health information for marketing purposes; Accountability for all entities that handle personal health information; A federal, individual right to be notified in the event of a breach of identifiable health information; Prohibitions on the sale of valuable patient-identifiable data for inappropriate purposes; Development and implementation of federal privacy and security protections for personal health records; Easy access by patients to electronic copies of their records; and Strengthened enforcement of health privacy rules. The provisions in the bill are similar to those that received bipartisan approval by the House Energy & Commerce Committee in the last Congress.]
Microsoft Offers to Reduce Search Data in Europe
Date Captured Tuesday December 09, 2008 07:08 PM
NY Times KEVIN J. O’BRIEN -- [Microsoft said it made the offer in a letter to the Article 29 Working Party, a European Commission advisory panel made up of data protection commissioners from each of its 27 member countries. In April, the panel recommended that search engines keep search records no longer than six months before making the data untraceable. Microsoft’s MSN Live Search currently retains search data for 18 months. Yahoo keeps data for 13 months and Google for 9 months.]
CNET Employee Data Exposed by Third Party
Date Captured Wednesday June 25, 2008 11:50 PM
In Pictures: Companies That Profit From Your Data
Date Captured Monday June 23, 2008 03:13 PM
It may be your name, address and phone number. But it's their cash cow. By Andy Greenberg (there is a series of pictures/text with this link)
What Privacy Policy?
Date Captured Monday June 23, 2008 03:06 PM
Forbes reports, "In recent years, passing on sensitive data points like e-mail addresses and credit card codes to marketing partners has also been a frequent source of corporate data breaches--about 40% of all breach incidents were a result of a third party's handling of data, according to another Ponemon study, released in November 2007."
Outbound Email and Data Loss Prevention in Today’s Enterprise, 2008
Date Captured Friday June 06, 2008 07:23 PM
This report summarizes findings from Proofpoint’s fifth annual study of outbound email security and content security issues in the enterprise. This effort was started in 2004 when enterprise attitudes about inbound messaging issues (e.g., spam and viruses) were much better understood than concerns about outbound email content (e.g., data protection, privacy, regulatory compliance and intellectual property leak protection). This study was designed to examine (1) the level of concern about the content of email (and other forms of electronic messaging) leaving large organizations, (2) the techniques and technologies those organizations have put in place to mitigate risks associated with outbound messaging, (3) the state of messaging-related policy implementation and enforcement in large organizations and (4) the frequency of various types of policy violations and data security breaches.

Regulation

Internet Privacy - this house believes that governments must do far more to protect online privacy.
Date Captured Wednesday August 25, 2010 07:53 PM
Marc Rotenberg, President and executive director, Electronic Privacy Information Center: [Today there is no meaningful check on private-sector data collection. Companies post "privacy policies" on websites and then do as they wish with the personal information they collect.] THE ECONOMIST - Jim Harper -- Director of information policy studies, Cato Institute: [The internet is not for couch potatoes. It is an interactive medium. While internet users enjoy its offerings, they should be obligated to participate in watching out for themselves.]
Instructions for using the Privacy Notice Online Form Builder:
Date Captured Thursday April 15, 2010 04:28 PM
FEDERAL RESERVE: [1. Select your form, based on (1) whether you provide an opt out and (2) whether you include affiliate marketing: If you provide an opt out and you want to include affiliate marketing, use Form 1. If you provide an opt out and you do not want to include affiliate marketing, use Form 2. If you do not provide an opt out and you want to include affiliate marketing, use Form 3. If you do not provide an opt out and you do not want to include affiliate marketing, use Form 4. 2. The PDF forms have fillable areas, indicated by the shaded boxes outlined in red. Place your cursor in the box and fill in the appropriate text.]
Americans Don't Like Being Tracked on Web
Date Captured Monday October 05, 2009 06:21 PM
[The Times notes that Representative Rick Boucher, Democrat from Virginia, is planning to introduce privacy legislation that will address on-line tracking, while David Vladeck, head of consumer protection for the Federal Trade Commission (FTC), is indicating that he is keeping a close watch on consumer privacy protection as well.]
In the garden of Google and evil
Date Captured Monday May 11, 2009 05:55 PM
Computer World - Robert L. Mitchell -- [As the focus by regulators and privacy advocates intensifies, Google should take a leadership role in developing pro-consumer privacy laws and best practices. If it doesn't, Google could eventually lose the good will it has with its users, and regulators could make it the poster boy for privacy on the Web. Google need look no further than Microsoft to see how quickly public opinion can change for a de facto monopoly.]

Research

Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting
Date Captured Thursday March 03, 2011 01:36 PM
NCES 2011-603 Building on current best practices, the Brief outlines reporting recommendations. Primarily, the goal of these reporting recommendations is to maximize the reporting of student outcomes while protecting students’ personally identifiable information.
NSF Funds Research to Enable Distributed, Fair, and Privacy-Preserving Collaboration
Date Captured Saturday September 25, 2010 04:14 PM
Stevens Institute of Technology: [Hoboken, NJ, September 25, 2010 --(PR.com)-- Dr. Susanne Wetzel, Associate Professor of Computer Science, has recently been awarded a $457K research grant from the National Science Foundation (NSF) to investigate privacy and security in the context of enabling collaboration.]
How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?
Date Captured Thursday April 15, 2010 06:12 PM
Chris Jay Hoofnagle - University of California, Berkeley - School of Law, Berkeley Center for Law & Technology; Jennifer King - UC Berkeley School of Information; Berkeley Center for Law & Technology; Su Li - University of California, Berkeley - School of Law, Center for the Study of Law and Society; Joseph Turow - University of Pennsylvania - Annenberg School for Communication: [Abstract: Media reports teem with stories of young people posting salacious photos online, writing about alcohol-fueled misdeeds on social networking sites, and publicizing other ill-considered escapades that may haunt them in the future. These anecdotes are interpreted as representing a generation-wide shift in attitude toward information privacy. Many commentators therefore claim that young people “are less concerned with maintaining privacy than older people are.” Surprisingly, though, few empirical investigations have explored the privacy attitudes of young adults. This report is among the first quantitative studies evaluating young adults’ attitudes. It demonstrates that the picture is more nuanced than portrayed in the popular media.] [Among the findings: · Eighty-eight percent of people of all ages said they have refused to give out information to a business because they thought it was too personal or unnecessary. Among young adults, 82 percent have refused, compared with 85 percent of those over 65. · Most people — 86 percent — believe that anyone who posts a photo or video of them on the Internet should get their permission first, even if that photo was taken in public. Among young adults 18 to 24, 84 percent agreed — not far from the 90 percent among those 45 to 54. · Forty percent of adults ages 18 to 24 believe executives should face jail time if their company uses someone's personal information illegally — the same as the response among those 35 to 44 years old.]
Americans Reject Tailored Advertising and Three Activities that Enable It
Date Captured Monday October 05, 2009 07:01 PM
[First, federal legislation ought to require all websites to integrate the P3P protocols into their privacy policies. That will provide a web-wide computer-readable standard for websites to communicate their privacy policies automatically to people’s computers. Visitors can know immediately when they get to a site whether they feel comfortable with its information policy. An added advantage of mandating P3P is that the propositional logic that makes it work will force companies to be straightforward in presenting their positions about using data. It will greatly reduce ambiguities and obfuscations about whether and where personal information is taken. · Second, federal legislation ought to mandate data-flow disclosure for any entity that represents an organization online. The law would work this way: When an internet user begins an online encounter with a website or commercial email, that site or email should prominently notify the person of an immediately accessible place that will straightforwardly present (1) exactly what information the organization collected about that specific individual during their last encounter, if there was one; (2) whether and how that information was linked to other information; (3) specifically what other organizations, if any, received the information; and (4) what the entity expects will happen to the specific individual’s data during this new (or first) encounter. Some organizations may then choose to allow the individuals to negotiate which of forthcoming data-extraction, manipulation and sharing activities they will or won’t allow for that visit. · Third, the government should assign auditing organizations to verify through random tests that both forms of disclosure are correct—and to reveal the results at the start of each encounter. The organizations that collect the data should bear the expense of the audits. Inaccuracies should be considered deceptive practices by the Federal Trade Commission.
The three proposals follow the widely recognized Federal Trade Commission goals of providing users with access, notice, choice, and security over their information. Companies will undoubtedly protest that these activities might scare people from allowing them to track information and raise the cost of maintaining databases about people online. One response is that people, not the companies, own their personal information. Another response is that perhaps consumers’ new analyses of the situation will lead them to conclude that such sharing is not often in their benefit. If that happens, it might lead companies that want to retain customers to change their information tracking-and-sharing approaches. The issues raised here about citizen understanding of privacy policies and data flow are already reaching beyond the web to the larger digital interactive world of personal video recorders (such as TiVo), cell phones, and personal digital assistants. At a time when technologies to extract and manipulate consumer information are becoming ever-more complex, citizens’ ability to control their personal information must be both more straightforward and yet more wide-ranging than previously contemplated.] Turow, Joseph, King, Jennifer, Hoofnagle, Chris Jay, Bleakley, Amy and Hennessy, Michael, Americans Reject Tailored Advertising and Three Activities that Enable It (September 29, 2009). Available at SSRN: http://ssrn.com/abstract=1478214
What Every American Needs to Know about the HIPAA Medical Privacy Rule* -- Updated November 2008
Date Captured Sunday January 18, 2009 09:39 PM
By Sue A. Blevins, president of the Institute for Health