Saturday, October 30, 2010

Landmark Resolution passed to preserve the Future of Privacy

International data protection commissioners pass Privacy by Design resolution sponsored by Dr. Ann Cavoukian, with a view to protecting privacy for future generations

TORONTO, October 29, 2010 /Canada NewsWire/ - A landmark resolution by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, was approved by international Data Protection and Privacy Commissioners in Jerusalem today at their annual conference.

The resolution recognizes Commissioner Cavoukian's concept of Privacy by Design - which ensures that privacy is embedded into new technologies and business practices, right from the outset - as an "essential component of fundamental privacy protection." The resolution, which was co-sponsored by Canadian Privacy Commissioner Jennifer Stoddart and Commissioners from Berlin, New Zealand, the Czech Republic, and Estonia, also:

...Encourages the adoption of the principles of Privacy by Design as part of an organization's default mode of operation; and

...Invites Data Protection and Privacy Commissioners to promote Privacy by Design, foster the incorporation of its Foundational Principles in privacy policy and legislation in their respective jurisdictions, and encourage research into Privacy by Design.

"We live in an era of enhanced surveillance: data mining, behavioural profiling, targeted and discriminatory practices, and cloud computing," Commissioner Cavoukian told her counterparts from around the world. "If we want to preserve the privacy that so many of our freedoms rest upon, beyond the next decade, we need to commit to a new approach, and we need to do it now."

Citing ubiquitous connectivity, new paradigms of information sharing, and online social media that have emerged over the last few years, Commissioner Cavoukian called the current moment "a tipping point" for privacy.

"Unless we act now, privacy as we know it will be gone - lost beyond our grasp - by the year 2020," said Commissioner Cavoukian earlier this week during a key plenary address at the 32nd International Conference of Data Protection and Privacy Commissioners.

Today's resolution marks a sea-change in how the international community will go about preserving privacy, well into the future.

"The velocity of the market drives development of new technologies at a dizzying pace, far beyond what legislative efforts can keep up with," Cavoukian stated. "Reactive regulatory measures alone are no longer sustainable as the sole vehicle for ensuring the future of privacy. This resolution is a commitment to taking swift action now to implement the principles of Privacy by Design and make privacy the default, going forward."

Privacy by Design (PbD), a concept developed by Commissioner Cavoukian back in the '90s, is being adopted globally by a growing number of organizations and jurisdictions. It prescribes that privacy be built directly into the design and operation, not only of various technologies, but also of business processes and networked infrastructure. Instead of treating privacy as an after-thought - "bolting it on after the fact" - PbD is proactive and preventative in nature - a highly effective approach in today's world of increasingly interconnected technologies and extensive data collection. (For more information, see

Friday, October 29, 2010

The UPS/FedEx 'Delivery Failure' Scam

Con artists try an old phishing tactic

By Florence Klein

We first reported the UPS/FedEx phishing scam in September 2008. The scheme has never completely disappeared, and it's recently been circulating again, probably because the upcoming holiday mailing season makes it more likely that people will open the email and click on its attachment.

The emails are variations on the basic theme of "package delivery failure." Some may include a false "tracking" or "packet" number to add verisimilitude and help trick the unwary.

UPS and FedEx aren't the only companies affected. In March 2009 and September 2010, similar emails purporting to be from DHL and the U.S. Postal Service (USPS), respectively, began to appear. The USPS version reads as follows:


Unfortunately we failed to deliver the postal package you have sent on the 19th of September in time because the recipient's address is erroneous.

Please print out the shipment label attached and collect the package at our office.

United States Postal Service

If you receive such an email, don't be tempted! Clicking on the attachment, which looks like a harmless Word document, opens an executable file that installs malware on your computer. The USPS is also aware of attempts to collect personal information via the phone:

Customers may be receiving email messages or phone calls that allege to be from the U.S. Postal Service that contain fraudulent information about attempted or intercepted package delivery.

For emails: If opened, the messages instruct customers to click on a link to find out more about when they can expect delivery of their "package." Simply delete the message without taking any further action.

For phone calls: Please do not provide any personal information and let the caller know you're not interested and hang up the phone.

The Postal Inspection Service is aware of the problems and is working hard to resolve the issues and shut down the malicious programs.

We regret any inconvenience this may have caused our customers.

UPS, FedEx, and DHL have all issued warnings to immediately delete these emails and to never click on links contained therein. UPS writes that it “may send official notification messages on occasion, but they rarely include attachments.” FedEx says emails it sends with tracking updates for undeliverable packages “do not include attachments.”
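The two tells the article describes, an attachment that is really an executable and a name that reads as a Word document, can be checked mechanically before anyone opens the file. The following is an added example, not code from the article or from any of the carriers it quotes: the attachment names and bytes are constructed for the example; only the file-signature prefixes (MZ for Windows executables, the OLE2 signature behind legacy .doc, the ZIP signature behind .docx, %PDF) are real.

```python
"""Flag delivery-failure lure attachments that are executables dressed up as
documents. Added example; the sample attachments below are constructed, not
taken from the emails described in the article."""
from __future__ import annotations

# Real file-signature prefixes (magic bytes) the checker recognises.
MAGIC = [
    (b"MZ", "pe-executable"),          # Windows .exe/.scr/.dll
    (b"\xd0\xcf\x11\xe0", "ole2"),     # legacy binary .doc/.xls
    (b"PK\x03\x04", "zip"),            # .docx/.xlsx are zip containers
    (b"%PDF", "pdf"),
]
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOC_EXTENSIONS = {"doc", "docx", "pdf", "rtf", "txt"}

def sniff_kind(data: bytes) -> str:
    """Classify an attachment by its leading bytes rather than by its name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"

def check_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like a disguised executable; [] if none."""
    reasons = []
    exts = name.lower().split(".")[1:]        # "label.doc.exe" -> ["doc", "exe"]
    last = exts[-1] if exts else ""
    kind = sniff_kind(data)
    if last in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{last}")
        if len(exts) >= 2 and exts[-2] in DOC_EXTENSIONS:
            # Windows hides known extensions by default, so this displays as "label.doc".
            reasons.append(f"double extension: displayed as .{exts[-2]} with extensions hidden")
    elif kind == "pe-executable":
        # The bytes say Windows executable, the name says something else.
        reasons.append(f"name ends in .{last or '(none)'} but content starts with the MZ executable header")
    return reasons

# Constructed samples: (file name as shown in the mail, first bytes of the attachment).
SAMPLES = [
    ("USPS_shipment_label.doc.exe", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
    ("shipment_label.doc",          b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("tracking_12345.pdf",          b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf",                 b"MZ\x90\x00" + b"\x00" * 12),
]

def scan(samples=SAMPLES) -> dict[str, list[str]]:
    """Run the check over a batch and report only the attachments that raised a flag."""
    return {name: r for name, data in samples if (r := check_attachment(name, data))}

if __name__ == "__main__":
    for name, reasons in scan().items():
        print(name, "->", "; ".join(reasons))
```

The magic-byte check matters because a name can say anything; the double-extension check matters because the Windows default of hiding known extensions is exactly what the "harmless Word document" appearance relies on. A mail gateway would apply the same logic to every attachment in a message that carries the delivery-failure wording.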

... read more story at

Thursday, October 28, 2010

10 Worst Computer Viruses of All Time

by Jonathan Strickland

There's nothing quite like finding out your computer has a serious virus.

Computer viruses can be a nightmare. Some can wipe out the information on a hard drive, tie up traffic on a computer network for hours, turn an innocent machine into a zombie and replicate and send themselves to other computers. If you've never had a machine fall victim to a computer virus, you may wonder what the fuss is about. But the concern is understandable -- according to Consumer Reports, computer viruses helped contribute to $8.5 billion in consumer losses in 2008 [source: MarketWatch]. Computer viruses are just one kind of online threat, but they're arguably the best known of the bunch.

Computer viruses have been around for many years. In fact, in 1949, a scientist named John von Neumann theorized that a self-replicating program was possible [source: Krebs]. The computer industry wasn't even a decade old, and already someone had figured out how to throw a monkey wrench into the figurative gears. But it took a few decades before programmers known as hackers began to build computer viruses.

While some pranksters created virus-like programs for large computer systems, it was really the introduction of the personal computer that brought computer viruses to the public's attention. A doctoral student named Fred Cohen was the first to describe self-replicating programs designed to modify computers as viruses. The name has stuck ever since.

Old-school Viruses

Some of the earliest viruses to infect personal computers included the Apple Viruses, which attacked Apple II computers, and the Brain virus, which could infect PCs.

In the good old days (i.e., the early 1980s), viruses depended on humans to do the hard work of spreading the virus to other computers. A hacker would save the virus to disks and then distribute the disks to other people. It wasn't until modems became common that virus transmission became a real problem. Today when we think of a computer virus, we usually imagine something that transmits itself via the Internet. It might infect computers through e-mail messages or corrupted Web links. Programs like these can spread much faster than the earliest computer viruses.

... read more story at

Thursday, October 21, 2010

Google contravened Canadian privacy law, investigation finds

Google Street View cars inappropriately collected personal information such as e-mails, usernames, passwords, phone numbers and addresses; Commissioner recommends stronger controls and improved privacy training.

OTTAWA, October 19, 2010 /Canada NewsWire/ - Google Inc. contravened Canadian privacy law when it inappropriately collected personal information from unsecured wireless networks in neighbourhoods across the country, an investigation has found.

The Privacy Commissioner's investigation also concluded that the incident was the result of an engineer's careless error as well as a lack of controls to ensure that necessary procedures to protect privacy were followed.

"Our investigation shows that Google did capture personal information - and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians' privacy rights," says Privacy Commissioner Jennifer Stoddart.

"The impact of new and rapidly evolving technologies on modern life is undeniably exciting. However, the consequences for people can be grave if the potential privacy implications aren't properly considered at the development stage of these new technologies."

The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names and residential telephone numbers and addresses. Some of the captured information was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their telephone numbers and addresses.

It is likely that thousands of Canadians were affected by the incident.

Technical experts from the Office of the Privacy Commissioner travelled to the company's offices in Mountain View, Calif. in order to perform an on-site examination of the data that was collected. They conducted an automated search for data that appeared to constitute personal information.

To protect privacy, the experts manually examined only a small sample of data flagged by the automated search. Therefore, it's not possible to say how much personal information was collected from unencrypted wireless networks.

The Privacy Commissioner launched an investigation under the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, after Google revealed that its cars - which were photographing neighbourhoods for its Street View map service - had inadvertently collected data transmitted over wireless networks installed in homes and businesses across Canada and around the world over a period of several years. The networks were not password protected or encrypted.

Google collected the personal information because of a particular piece of code integrated into the software used to collect WiFi signals. The code was developed in 2006 by a Google engineer who was taking advantage of Google's policy of allowing its engineers to use 20 per cent of their time to work on projects of interest to them. He developed the code to sample all categories of publicly broadcast WiFi data and included lines that allowed for the collection of "payload data," which refers to the content of the communications.

The code wound up being used in the Google Street View cars when the company decided to collect information about the location of publicly broadcast WiFi radio signals in order to feed this information into its location-based services database.
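The distinction the investigation turns on, the beacon metadata a location service needs versus the contents of data frames it does not, can be made at the frame-control field of every captured 802.11 frame. The following is an added example, not the code the investigation describes, built on constructed frames (the addresses, network names and the HTTP request are made up; the header layout, type/subtype bits, Protected Frame flag and beacon information elements follow the 802.11 standard). It puts a survey collector that keeps only BSSID, SSID, channel and the encryption flag next to a sample-every-category collector that also retains data-frame bodies.

```python
"""802.11 frame triage for a WiFi location survey: keep beacon metadata, drop
data-frame payloads. Added example with constructed frames; not Google's code."""
import struct

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_beacon(bssid: str, ssid: str, channel: int, privacy: bool) -> bytes:
    """Management frame, subtype Beacon: what an access point broadcasts for anyone to hear."""
    fc = b"\x80\x00"                                   # type 0 (management), subtype 8 (beacon)
    hdr = fc + b"\x00\x00" + mac("ff:ff:ff:ff:ff:ff") + mac(bssid) + mac(bssid) + b"\x00\x00"
    capability = 0x0001 | (0x0010 if privacy else 0)  # ESS bit; Privacy bit means encryption on
    body = struct.pack("<QHH", 0, 100, capability)     # timestamp, beacon interval, capability
    body += bytes([0, len(ssid)]) + ssid.encode()      # IE 0: SSID
    body += bytes([3, 1, channel])                     # IE 3: DS parameter set (channel)
    return hdr + body

def build_data(bssid: str, src: str, dst: str, payload: bytes, protected: bool) -> bytes:
    """Data frame from the AP to a client (FromDS); the body is the user's traffic."""
    flags = 0x02 | (0x40 if protected else 0)          # FromDS, optionally Protected Frame
    hdr = bytes([0x08, flags]) + b"\x00\x00" + mac(dst) + mac(bssid) + mac(src) + b"\x00\x00"
    llc_snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"      # LLC/SNAP header, EtherType IPv4
    return hdr + llc_snap + payload                    # for protected=True the body is a ciphertext stand-in

def parse(frame: bytes) -> dict:
    """Decode the frame-control field and the 24-byte header (non-QoS frames only)."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds, protected = fc1 & 0x1, (fc1 >> 1) & 0x1, (fc1 >> 6) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    body = frame[24:]
    if ftype == 0 and subtype == 8 and len(body) >= 12:
        capability = struct.unpack_from("<H", body, 10)[0]
        ies, off = {}, 12
        while off + 2 <= len(body):                    # walk the tag/length/value elements
            tag, ln = body[off], body[off + 1]
            ies[tag] = body[off + 2:off + 2 + ln]
            off += 2 + ln
        return {"kind": "beacon", "bssid": fmt_mac(a3),
                "ssid": ies.get(0, b"").decode("utf-8", "replace"),
                "channel": ies[3][0] if 3 in ies else None,
                "privacy": bool(capability & 0x0010)}
    if ftype == 2:
        bssid = a2 if from_ds else (a1 if to_ds else a3)
        return {"kind": "data", "bssid": fmt_mac(bssid), "protected": bool(protected), "body": body}
    return {"kind": "other"}

def collect_for_location_survey(frames) -> dict:
    """What a geolocation database needs and nothing more: per-BSSID beacon metadata."""
    survey = {}
    for p in map(parse, frames):
        if p["kind"] == "beacon":
            survey[p["bssid"]] = {"ssid": p["ssid"], "channel": p["channel"], "privacy": p["privacy"]}
    return survey

def collect_all_categories(frames) -> list:
    """Sampling every frame type also keeps data bodies; on an open network that is
    the plaintext of the user's communications (the 'payload data' at issue)."""
    out = []
    for p in map(parse, frames):
        if p["kind"] == "data":
            contents = p["body"] if p["protected"] else p["body"][8:]   # strip LLC/SNAP when readable
            out.append({"bssid": p["bssid"], "protected": p["protected"], "contents": contents})
    return out

# Constructed capture: one open home network carrying a plaintext HTTP request,
# one encrypted office network. Addresses, SSIDs and the request are made up.
FRAMES = [
    build_beacon("00:11:22:33:44:55", "HomeNet", 6, privacy=False),
    build_data("00:11:22:33:44:55", "00:11:22:33:44:55", "c0:ff:ee:00:00:01",
               b"GET /mail/inbox HTTP/1.1\r\nHost: webmail.example\r\nCookie: session=s3cr3t\r\n\r\n",
               protected=False),
    build_beacon("66:77:88:99:aa:bb", "Office-WPA", 11, privacy=True),
    build_data("66:77:88:99:aa:bb", "66:77:88:99:aa:bb", "c0:ff:ee:00:00:02",
               bytes(range(32)), protected=True),
]

if __name__ == "__main__":
    print("survey:", collect_for_location_survey(FRAMES))
    print("kept by the all-categories sampler:", collect_all_categories(FRAMES))
```

Run stand-alone it prints a survey of two access points and, from the all-categories sampler, the plaintext request with its session cookie from the open network. The point for a review is that the control sits on the frame type at capture time: once data frames from unencrypted networks are written to disk, the personal information is already collected, and deleting it later is the remedy the Commissioner had to ask for rather than a design property.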

When the decision to use the code was taken, the engineer who created it did identify "superficial privacy implications." Those implications were never assessed by other Google officials because the engineer failed to forward his code design documents to the Google lawyer responsible for reviewing the legal implications of the WiFi project - contrary to company policy.

Google asserts that it was completely unaware of the presence of the payload data collection code when it began using the software for its location-based services. While the code was reviewed before being installed on Street View cars, the review was only to ensure that the code did not interfere with the Street View operations.

"This incident was the result of a careless error - one that could easily have been avoided," says Commissioner Stoddart.

In light of her investigation, the Privacy Commissioner recommended that Google ensure it has a governance model in place to comply with privacy laws. The model should include controls to ensure that necessary procedures to protect privacy are duly followed before products are launched.

The Commissioner has also recommended that Google enhance privacy training to foster compliance amongst all employees. As well, she called on Google to designate an individual or individuals responsible for privacy issues and for complying with the organization's privacy obligations - a requirement under Canadian privacy law.

She also recommended that Google delete the Canadian payload data it collected, to the extent that the company does not have any outstanding obligations under Canadian and American laws preventing it from doing so, such as preserving evidence related to legal proceedings. If the Canadian payload data cannot immediately be deleted, it needs to be secured and access to it must be restricted.

The Privacy Commissioner will consider the matter resolved upon receiving, by February 1, 2011, confirmation from Google that it has implemented her recommendations.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Friday, October 8, 2010

Privacy Commissioner troubled by poor computer disposal practices and lack of controls for wireless devices in government

2009-2010 Annual Report to Parliament on the Privacy Act describes impact of federal policies, practices and incidents on the personal information of Canadians.

OTTAWA, October 5, 2010 /Canada NewsWire/ - The federal government's use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure, Privacy Commissioner of Canada Jennifer Stoddart has warned.

The findings, stemming from two separate privacy audits conducted by the Office of the Privacy Commissioner of Canada (OPC), were highlighted in the organization's 2009-2010 annual report on the Privacy Act, tabled in Parliament today. The Act applies to federal departments, agencies and Crown corporations.

"Our audits turned up some disturbing gaps in the privacy policies and practices of government institutions," Commissioner Stoddart said. "Whether they're using a BlackBerry, shredding old papers or disposing of outdated computer equipment, public servants need to know that the security of people's personal data is a top priority."

The annual report examines how the government's holdings of personal data are affected by technology and considers the impact of full-body airport scanners and other national security measures on the privacy rights of Canadians. The report also summarizes key investigations into privacy complaints and data breaches that the Office conducted under the Privacy Act in 2009-2010.

"Considering the vast amounts of personal information on Canadians that the government holds, problems are relatively rare," the Commissioner acknowledged. But, she noted, the data that the government collects, for purposes such as taxation, income support, the correctional system and international travel, is highly sensitive. Any unauthorized collection, use or disclosure of such data could therefore have serious consequences.

"When it comes to safeguarding the personal information entrusted to it, the government of Canada must always be held to the very highest standards of account."

Here are some highlights of today's reports:

Wireless audit: Of five federal entities examined, none had fully assessed the threats and risks inherent in wireless communications. Gaps in policies and/or practices resulted in weak password protection for smart phones and inadequate encryption for Wi-Fi networks and data stored on mobile devices. Shortcomings were also noted in the disposal of surplus handheld devices and the use of PIN-to-PIN messaging, a form of direct communication between two smart phones that is vulnerable to interception.

Disposal audit: Satisfactory policies and procedural rules were in place for paper shredding and the disposal of surplus computer equipment among the federal institutions audited. There were, however, disturbing deficiencies in practice. For example, tests on a sample of computers donated to a recycling program for schools revealed that 90 percent of the donating institutions had not properly wiped their computers' hard drives, leaving behind data that was confidential, highly sensitive and, in some cases, even classified.

Unauthorized access to tax records: An OPC investigation confirmed that a former Canada Revenue Agency worker had posted to an Internet chat group some personal tax information of high-profile sports figures, which he appears to have gleaned while working at the agency. The investigation further found that other staff still with the agency had similarly accessed tax records without authorization. They were subsequently suspended or fired and new measures were introduced to safeguard the data.

RCMP Automated Licence Plate Recognition Program: A surveillance technology rolled out by the RCMP in British Columbia, which aims to spot stolen or uninsured vehicles, raised concerns about the collection and retention of incidental licence plate data from cars that were lawfully on the roads. In response to OPC recommendations, the RCMP made privacy-sensitive modifications to the program.

Political Impartiality Monitoring Approach: The OPC reviewed a Privacy Impact Assessment for the Political Impartiality Monitoring Approach, a program developed by the Public Service Commission to monitor media outlets, personal websites and social networking sites for signs of inappropriate political activity by government employees and appointees. The review raised concerns about the scope and privacy implications of the initiative. In response, the Commission undertook to modify its approach and to provide the OPC with a new Privacy Impact Assessment in the fall of 2010.

Technical malfunctions: Several investigations turned up mechanical or computer glitches that led to the unauthorized disclosure of personal information by federal institutions. For instance, a programming flaw allowed a hacker to access personal information submitted through the Canada Post Ombudsman's online complaint system.

Federal administrative tribunals: The OPC continues to express concerns about the disclosure of personal information by administrative tribunals and other quasi-judicial bodies. In one case, the Public Service Staffing Tribunal improperly shared sensitive medical information about an individual with hundreds of his former colleagues. In 2009-2010, the Office published guidelines for tribunals on balancing transparency and privacy in the Internet era.

The full annual report and reports on the wireless and disposal audits are available at

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Ontario Amber Alert Program teams up with Facebook to help locate abducted children

TORONTO, October 8, 2010 /Canada NewsWire/ - At a news conference today, members of the Ontario AMBER Alert program launched an effective new broadcast tool and announced an important new partner to help police locate abducted children when an AMBER Alert is initiated anywhere in Ontario.

"The public's help is critical in locating an abducted child and thanks to our new partner Facebook, we now have a special AMBER Alert Facebook page we can use as an important broadcast medium when we issue AMBER Alerts in Ontario." - Chris D. Lewis, Commissioner, Ontario Provincial Police.

Ontario AMBER Alert partners have teamed up with Facebook to create a special AMBER Alert Facebook page on this popular social media network. The Facebook page will now broadcast all AMBER Alerts that are issued in the province, and Facebook users who subscribe to this new page will receive critical AMBER Alert information when police activate the system.

"The expansion of the AMBER Alert program to Facebook will provide police with another tool to help locate abducted children, as well as give the families of these children the additional comfort of knowing that we are able to do more to improve the safety of our children." - Jim Bradley, Minister of Community Safety and Correctional Services.

This new partnership was forged through the efforts of the New Brunswick-based child safety non-profit Child Safety Research and Innovation Centre along with, a key member of Facebook's Security Advisory Board.

"Protecting children is a responsibility shared by parents, educators, members of the public sector, and companies like Facebook. As a father of two, I sincerely hope that we never again have to activate an AMBER alert in Ontario or anywhere else in Canada. However, we are thrilled to be part of this important initiative and would like to thank the many AMBER Alert partners for their dedication to it. I'm also proud that Canada is the first country in the world to broadcast AMBER alerts via Facebook." - Jordan Banks, Managing Director, Facebook Canada.

The Ontario Provincial Police facilitates the program under the direction of the Ministry of Community Safety and Correctional Services, and collaborates with its many partners throughout the province to locate children who are abducted in Ontario.

As part of new recommendations that were implemented in 2009, the program now has a dedicated AMBER Alert Coordinator who is responsible for all aspects of the program, including training, education/awareness, communication, ongoing enhancements and expansion of the program.

AMBER Alert Page on website