Archive for October, 2005
Google updates their privacy policy, and everyone takes notice
Tuesday, October 18th, 2005
On October 14th, 2005, Google put up a new privacy policy, replacing one that had been in effect since July 1st, 2004 (available here). This fact alone does not seem particularly newsworthy, but what has been interesting to observe is the extensive coverage on the internet of this change. People have been analyzing the changes, comparing the previous policy to the new one, and generally commenting on Google and privacy.
Google has also put up a new section entitled Google Privacy Policy Highlights, which seems to be an attempt to quickly capture the essence of the privacy policy for those who won’t read the entirety of the document. Given that so few people actually read privacy policies, this may be a benefit for consumers and regular internet users in getting them to read anything at all about what they are agreeing to when they use Google services. However, providing these highlights necessarily risks omitting details that may be important to some individuals.
The implications and legal status of a highlights document are also unclear. Just as in the case of the HIPAA Privacy Rule, a privacy policy highlights page may benefit users by making policies more readily accessible and actually read. However, following the Privacy Rule is necessary but not sufficient for HIPAA compliance; likewise, a company adhering to its highlighted privacy policy elements may still be violating other aspects of its policy. Furthermore, while Google still seems to be squarely on the side of good, more devious or uncaring companies may use a privacy policy highlights document to deceptively portray their privacy practices, knowing few (if any) people will take the time to review the longer, more legally significant full policy.
Google has continued to make previous versions of the privacy policy available for review/download, which is a good business practice but could go further. Granted, Google is doing more than most companies in this respect, but the next step would be to actually highlight the changes between two documents. Very few (if any) sites are providing this sort of privacy policy insight, so curious/concerned individuals are left to use other means for such analysis, such as this HTML diff tool. Using this tool, one can view the changes from the old policy to the new one here, although this only provides a literal diff between the documents and no high-level insight. Another text comparison that emphasizes the changes between documents is here.
RFID and Privacy
Thursday, October 13th, 2005
RFID is a super hot topic right now. The potential market is huge. Many chip makers, including Texas Instruments, Intel, AMD, Motorola, etc., are convinced that RFID will become the most prevalent “electronic-based intelligence” technology of the 21st century. RFID will link machines, goods and people, helping companies gauge consumer preferences. RFID has raised a lot of concerns about compromising consumer privacy. Some people even set up a website to raise the public’s awareness on this topic. There is also a new book, “Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID” by Katherine Albrecht and Liz McIntyre, that was recently published by Nelson Current.
ID Theft — Online Threat?
Wednesday, October 12th, 2005
A recent study by Javelin Strategy & Research has found that in 26 percent of all ID theft cases, the victim knew the person responsible for the theft. The same study explains that online identity theft isn’t the largest threat. For those users who are afraid to make purchases online, you may be interested to know that you are more likely to be at risk from dumpster divers. Still, identity theft has tripled in the past couple of years, so make sure you continue to shred personal documents, give out your personal information sparingly, and regularly obtain your credit report.
IBM Announces A Privacy Policy Promising Not To Use Genetic Information In Hiring, Benefits Decisions
Tuesday, October 11th, 2005
Compared with the Chicago Bulls (see a blog entry I posted several days ago), IBM Corp., the world’s largest technology employer by revenue, is doing something right and big for society to help protect employee privacy. IBM will soon announce a work force privacy policy that promises not to use genetic information in hiring or in determining eligibility for its health care or benefits plans. Genetic tests are not prevalent in the marketplace, but some companies have secretly performed the tests without employees
Video Surveillance Should Be Included in Privacy Policies
Friday, October 7th, 2005
Video surveillance is very prominent these days, and given ThePrivacyPlace.Org’s extensive analyses of privacy documents at Financial Institutions (see: Financial Privacy Policies and the Need for Standardization), I decided to examine whether financial institutions now mention the collection of information via video surveillance in their policy documents. I checked all nine institutions examined in our 2004 IEEE Security & Privacy paper. None of the nine institutions mention video surveillance in any of their privacy, security or legal statements. Given that banks, for example, collect video of all ATM transactions and of patrons that enter their institutions, it seems only natural that we, as patrons, have a right to expect that these practices be included in their policy statements. Video surveillance impacts one’s sense of autonomy because the knowledge that one’s actions are being observed may alter one’s behavior, thus resulting in a loss of privacy. There are certainly merits to video surveillance at ATM machines (public safety, deterrence of crime, etc.). However, the loss of autonomy results in a potential invasion of privacy about which patrons need to be informed. This begs the questions: Why are financial institutions not including their video surveillance practices in their policy statements? Are patrons not entitled to know how this video is used and whether it is aggregated with other kinds of information about them?
Missouri Insurance Consumers Overwhelmingly Choose To Keep Personal Information Private
Thursday, October 6th, 2005
Missouri governor Matt Blunt signed an insurance audit bill, HB 388, on July 12, 2005, that requires the Missouri Department of Insurance to modify the consumer complaint form to include a provision in which consumers can authorize the public release of their file. The bill took effect in September 2005. Of the 377 complaints filed with the department during the first month, 334 consumers chose to not authorize the release of any information. That’s an overwhelming 90 percent of the insurance consumers who chose to keep personal information confidential. The new law allows consumers who file a complaint with the state about their insurance company to prevent disclosure of their personal information, including healthcare details. Prior to the new law, Missouri
Curry’s DNA fight with Bulls ‘bigger than sports world’
Wednesday, October 5th, 2005
The Chicago Bulls asked NBA player Eddy Curry to provide a DNA sample for testing his genetic makeup before signing a one-year $5M contract with the Bulls. Curry’s lawyer Alan Milstein says this is an invasion of Curry’s privacy and that the implications could go beyond the sports world. “Hand that information to an employer,” he said, “and imagine the implications. If the NBA were to get away with it, what about everyone else in this country looking for a job.” Read the whole story.
Phishing: punishable by fines (in CA)
Tuesday, October 4th, 2005
California’s governor signed a new anti-phishing bill into law on September 30, 2005. The law “makes it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business” (quoted from Information Week). This law establishes a general rule for penalties in phishing cases: the government can fine convicted phishers up to $2,500 per violation, while victims can either pursue actual damages or up to $500,000 per violation (whichever is greater).
Phishing is still a growing problem, according to an earlier PC World article and groups such as the Anti-Phishing Working Group. Gartner research indicates that, “between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million” (quoted from a CSO Online discussion). Clearly phishing is a growing and very real problem, but it remains to be seen whether legislative efforts like the new CA law will have any substantial effect. A PC World article notes that the new law may have a symbolic effect in raising awareness of the issue, and could have real impact starting with the first few phishers that are actually convicted and fined under the law’s provisions.

