This is a chronological list of key World Privacy Forum work, as well as joint work with other groups.
A recent item about drones in the GWU CyberSecurity Policy Newsletter revealed that drones can be hacked via spoofing the drone GPS systems. Government drones in US airspace are poised to become a privacy issue of increasing concern. Here is an excerpt from the newsletter, which is available here.
"A group of researchers at the University of Texas at Austin Radionavigation Laboratory recently succeeded in hijacking a drone by spoofing the global positioning system (GPS) on board the aircraft. With just around $1,000 in parts, the team took control of an unmanned aerial vehicle owned by the college, all in front of the US Department of Homeland Security. Domestic drones are already being used by the DHS and other governmental agencies, and several small-time law enforcement groups have accumulated UAVs of their own as they await clearance from the Federal Aviation Administration, Reuters reports. Indeed, by 2020 there may be tens of thousands of drones diving and dipping through US airspace. With that futuristic reality only a few years away, this action suggests that the FAA may have their work cut out for them if they think it’s as easy as just approving domestic use anytime soon." CyberSecurity Policy News, July 2, 2012.
07/09/2012 Mobile privacy
WPF urges stakeholders to put the consumer first, focus on what is important
Mobile app privacy is the topic of the multistakeholder process to be undertaken this week under the direction of the US Department of Commerce. Over the weekend, a NYT article revealed that mobile carriers received more than 1.3 million requests by law enforcement for mobile data, including requests for text messages. This article is a focusing event. It is a reminder that in mobile privacy we need to put the consumer first, focus on what is important, and apply responsibility for privacy and transparency throughout the hierarchy of mobile players, from carriers to platforms to app stores to publishers to developers. It is unclear yet what segments of the hierarchy require what amounts of the burden, but what is clear is that carriers will certainly need to do a lot. It is also clear that the idea of just an icon on a screen to communicate the idea of mobile privacy to consumers is a band-aid approach at best when faced with the truth of where some of the real risks are for consumers.
06/15/2012 HIE interactive map
WPF has posted a new interactive map of health information organizations and exchanges in California. This is a map-in-progress, and we will be adding data to the map in stages. See more about HIEs and our California HIE Map here.
06/04/2012 Mobile Apps
Pam Dixon will be speaking in the Privacy Summit Series in dialogue with the leading mobile app developers in Los Angeles and San Diego, both mobile app hotspots. The dialogues are part of a national series aimed at fostering a robust discussion between privacy experts and leading developers. The Los Angeles event is taking place June 5, the San Diego event is June 6. For more information and details about attending, see Privacy Summit Series http://devprivacysummit.com/.
05/30/2012 FTC | Mobile privacy
Pam Dixon spoke at the FTC's May 30 mobile disclosures workshop. The panel focused on exploring privacy in the mobile applications and mobile wireless space. Some of the privacy topics Dixon covered at the workshop included the role and use of unique identifiers in wireless technologies. A snip from the FTC Twitter stream summarizes things well: "The more intrusive the practice, the more robust the disclosure should be." - Dixon #FTCdisclose MAC address not PII, says Kloek; Yes it is, says Dixon. #FTCdisclose.
05/14/2012 Genetic Privacy | Bioethics
WPF filed comments with the Presidential Commission for the Study of Bioethics today urging the Commission to recognize the need for enhanced genetic privacy protections in a digital world. WPF noted that "The increasing identifiability of genetic data presents major privacy issues for research activities that must be acknowledged and addressed." WPF suggested four key ways that Certificate of Confidentiality programs could be enhanced for privacy protection, and urged the Commission to speak out about the importance of protecting patient privacy in research activities involving genetic information. "The Commission should advocate providing patients with reasonable controls over research uses of their data as electronic records develop and spread throughout the health care system." Public comments may be submitted to the Commission until May 25, 2012.
04/26/2012 Google Drive | Cloud computing
Google Drive -- Google's cloud storage service -- has inspired a round of stories about cloud privacy and Google Drive. The stories have reached conflicting conclusions about privacy risks for users of Google Drive, and consumers are approaching us with a lot of questions. Google Drive does have a Terms of Service that is unfriendly. This is a concern for consumers, but it is especially a concern for businesses or people who work with data subject to either regulation, or some sort of privilege. Health data, financial data, attorney-client data, or work produced under non-disclosure agreements all qualify, among other examples. Recently, the US Department of Health and Human Services fined an Arizona health care provider $100,000 for violating HIPAA in part by using Internet-based email and calendaring systems without a specific Business Associate Agreement in place. Cloud storage falls into the same kind of risk scenario. WPF wrote a report that discusses these cloud-based privacy risks in detail, Privacy in the Clouds. The risks we discuss in that report have not changed. If you are a consumer, understand that you need to select the most private sharing option on Google Drive if you use it. (On our Facebook newsfeed, we have a brief discussion of Google Drive share settings with a screenshot.) Also understand that your information could be subpoenaed without notice to you, including health information if you place it on Google Drive. For business, there is a lot of potential risk that needs to be analyzed prior to business use of Google Drive. See our report for a detailed discussion of risks and potential mitigations.
04/24/2012 Medical ID Theft
WPF has completely updated its landmark medical identity theft tips and advice for patients and consumers. "The new FAQ contains detailed advice for anyone who is a victim of medical ID theft, or is worried about becoming one," says Pam Dixon. "The FAQ and our shorter consumer tips have been updated to reflect our most recent research." In 2006, WPF published the first known report on medical ID theft and coined the term. Since then, WPF has been in the forefront of researching this crime and working to assist victims and those working with victims. The FAQ and tips are free of charge. More medical ID theft materials may be accessed at the WPF medical ID theft page.
04/18/2012 Health Privacy | E-health
In a rare enforcement action of HIPAA, HHS fined an Arizona health care provider $100,000 for a variety of HIPAA violations, especially regarding electronic exchanges of protected health information. The HHS document outlining the reasons for the fine should act as a wake-up call to health care providers using public email, calendaring, and other tools for communication of ePHI. HHS specifically noted that the fined health care provider did not conduct an adequate risk assessment prior to using the email and Internet tools. The full HHS document is a must-read for health care providers. WPF has been warning about the need for full e-risk assessments since 2005 and strongly advocates for medical-identity-theft-specific risk assessments.
04/11/2012 WPF Completes Medical ID Theft Training
Medical ID Theft Training
Pam Dixon of WPF conducted a detailed training for law enforcement and health care professionals on medical identity theft detection, prevention, and cures. The training was held at the campus of the Denver Health Medical Center. Visit the WPF Medical ID Theft page for more information about medical identity theft, including questions and answers for victims, best practices for health care providers, and a geographical map of the crime.
04/02/2012 WPF comments on Multi-Stakeholder Process
WPF filed two sets of comments with the US Department of Commerce regarding the MultiStakeholder Process and the privacy topics to be taken up. The first set of comments were WPF's formal filing of the joint Civil Society MultiStakeholder Principles on behalf of WPF and the American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers' Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers' League, Privacy Rights Clearinghouse, and US PIRG. The second set of comments were WPF's own comments to the Department. WPF urged the Department to employ a fair process, choose focused topics, and to apply the full range of the Consumer Privacy Bill of Rights to each topic.
03/26/2012 Data Broker opt out
WPF Strongly Endorses Centralized Data Broker Opt-Out Mechanism
WPF, in 2011 comments to the FTC, urged the FTC to create a centralized place for consumers to opt-out of data broker tracking. This is a long-standing issue WPF has worked on. Previously, WPF filed a petition in 2009 to the FTC regarding mail-in data broker opt outs, which resulted in an FTC action and improvements for consumers. In its new report published today, the FTC has picked up WPF's centralized opt out recommendation, specifically citing WPF's comments. From its report: "The Commission recommends that the data broker industry explore the idea of creating a centralized website where data brokers that compile and sell data for marketing could identify themselves to consumers and describe how they collect consumer data and disclose the types of companies to which they sell the information." The WPF strongly supports this idea and views assistance to consumers in this area as vital.
03/26/2012 FTC privacy report
FTC releases report; picks up two key WPF recommendations in report, numerous cites
The FTC's new privacy report -- a long-awaited planbook for privacy in the digital age -- has picked up several key recommendations the WPF has made. First, the report picks up WPF's direct recommendation in its 2011 comments that the FTC set up a centralized web site to allow consumers to opt out of data brokers. The FTC has directly called for this as a primary part of its report. The WPF strongly supports this. Pam Dixon of the WPF originated the Do Not Track idea in 2007, and with a group of privacy experts, submitted the original idea to the FTC that year. Now, DNT has also made it into the final FTC report. The FTC report also acknowledges that privacy self-regulatory efforts have not gone far enough, and cited the WPF comments in this area. The FTC is planning on working with the Department of Commerce's privacy multi stakeholder process. WPF led a coalition of civil liberties, privacy, and consumer groups in drafting civil society guidelines for the privacy multi stakeholder process.
03/14/2012 Following WPF on Facebook
WPF maintains an active Facebook page, and it features slightly different content than our home website. For Facebook, we make regular newsfeed postings about WPF activities and also post content for people who want to follow privacy via their Facebook newsfeeds. This past week, stories we've posted include a report on the economics of privacy, the new Pew study on privacy, a privacy-related human interest story, and news about the VZBW lawsuit in Germany against Facebook. It's not the only way to keep up with WPF, but if you are on Facebook a lot, it is a good way. Our page is located here.
02/23/2012 MultiStakeholder Privacy Principles
Leading Civil Society Groups Agree on Key Principles: the Commerce Privacy Process Must be Fair, Transparent, Credible
The World Privacy Forum has led an effort to craft a set of principles with the nation’s leading civil liberties, privacy, and consumer groups. Today, the groups are releasing a set of baseline Multi-Stakeholder Principles in response to the U.S. Department of Commerce’s plan for a multi-stakeholder process on privacy. (The U.S. Department of Commerce is undertaking a representative process for bringing together members of industry and civil society to form new privacy rules.) These leading groups believe that for the multi-stakeholder process to succeed, it must be representative of all stakeholders and must operate under procedures that are fair, transparent, and credible. The World Privacy Forum and the signatories of these baseline principles believe the principles will provide the multi-stakeholder process the legitimacy it needs to succeed. Protecting the online privacy of consumers is crucial to ensuring the availability, utility, and vitality of the Internet. For any approach to privacy to be meaningful, it must reflect fair information practices, including mechanisms to assure accountability. Signatories to the baseline principles include the World Privacy Forum, American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers League, Privacy Rights Clearinghouse and U.S. PIRG. The principles are here.
02/17/2012 Online privacy | NAI | FTC complaint
The World Privacy Forum filed a complaint with the US Federal Trade Commission today regarding the circumvention of users' expressly stated browser privacy choices without notice. "The World Privacy Forum requests that the Federal Trade Commission (FTC) investigate Google, Vibrant Media, Media Innovation Group, and Pointroll for potential violations of Section 5 of the FTC Act. These companies willfully overrode users’ privacy preferences as expressly stated by the users in their browser settings. Overriding privacy preferences and doing so without notice are both unfair and deceptive business practices." The complaint further requests the Commission look into the companies' violations of the NAI code, and in Google's case, violation of its consent agreement with the Commission.
02/17/2012 Online privacy | Apple privacy
Companies caught overriding Safari browser privacy settings
Stanford University has released a study documenting how Google and other companies overrode Safari users' browser privacy settings. The WPF encourages Apple users to download the Firefox browser and use Firefox, if at all possible, instead of Safari. Firefox did not have the same problem, and it allows for additional privacy add-ons, such as AdBlock Plus, which are helpful privacy-enhancing tools. Firefox is available here, more about AdBlock Plus is available here. More about Firefox add-ons here.
02/01/2012 Search engine privacy
Don't put all of your digital activities in one place ....
WPF has updated its search engine privacy tips page to include more tips on how to segregate online activities. This has always been important, and it has become more important in light of Google's announcement that it will be sharing data across its business units. See the WPF updates to its search engine privacy tips page.
01/31/2012 Facial recognition | Digital signage
The World Privacy Forum filed extensive comments to the FTC today following up on Pam Dixon's testimony at a December 2011 FTC facial recognition privacy workshop. The WPF comments noted that "A walk-out opt-out is not a viable way of managing consumer consent in the area of facial recognition or detection technologies." The comments discussed the importance of recognizing the Face Print as a unique biometric, and also discussed the need for finding ways of consumer consent that are reasonable. Given the ubiquity of cameras in some retail and public spaces, just walking away will become less and less of an option for consumers going forward, the comments argued. The comments also included the WPF's groundbreaking report, The One-Way Mirror Society, and the joint Consumer Privacy Principles for Digital Signage. These principles were signed by the nation's leading privacy and consumer groups.
01/30/2012 Consumer financial protection
WPF filed comments with the Consumer Financial Protection Bureau today asking it to make its consumer complaints database available for research. Our comments are here.
01/23/2012 GPS tracking | United States v. Jones
The US Supreme Court unanimously ruled that police must get a warrant before using GPS devices to track criminal suspects. This case was narrow and dealt specifically with a GPS device physically attached to a suspect's vehicle. The concurring opinion of Justice Sotomayor points out that the subtler issues of digital era tracking were not dealt with in this case, for example, cell phone tracking, web site tracking, etc. She wrote: "More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976)." She continued: "This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks."
01/18/2012 SOPA | PIPA
WPF opposes censorship bills; supports right to create and use anonymization tools to protect privacy
The World Privacy Forum is deeply concerned about the profound, far-reaching privacy consequences of two bills, SOPA and PIPA. The bills have many negative aspects. In terms of the privacy impacts, one of the serious consequences is that the right to create and use anonymization software tools would be essentially criminalized. The very privacy tools that allowed the Arab Spring to flourish through anonymized activist activity would be in legal jeopardy. This is a highly negative outcome, and is negative enough that WPF strongly opposes these two bills. We are encouraging individuals to use the well-developed EFF SOPA/PIPA action center to learn more and to make a stand. The US Department of State has been involved in an Internet freedom initiative that encourages the use of Internet tools to encourage freedom and democracy (21st Century Statecraft paper). Many of the ideas were encapsulated in a speech on the topic in 2010 by Secretary of State Clinton. She wrote:
We couldn't agree more. It is essential that individuals have the freedom to create and use privacy-enhancing software without that activity being criminalized.
12/08/2011 Facial Recognition
WPF testifies at FTC facial recognition hearing
Pam Dixon of WPF testified at the FTC's Facial Recognition workshop, speaking on a panel about the policy implications of facial recognition technology. The World Privacy Forum's report on Digital Signage was mentioned several times at the hearing, as were the collaborative consumer protection principles the WPF led. In her comments, which are available in the FTC's transcript of the hearing panel, Dixon noted that opting out of facial recognition technologies by simply walking away from them was not a solution. "The walkout opt out is just not credible in an environment of ubiquitous collection. How much are consumers going to be asked to walk out of?
10/27/2011 Common Rule | Health Privacy
The World Privacy Forum filed extensive comments with the US Department of Health and Human Services about its proposed changes regarding the rules governing human subject medical research. In the comments, WPF noted that the HHS approach to privacy for research subjects was incomplete and did not use all Fair Information Practices. WPF strongly urged HHS to revise its proposal on a number of issues, including consent and the use of biospecimens in research. The World Privacy Forum is urging HHS to acknowledge that the realm of health data that is truly non-identifiable has shrunken remarkably, for example, biospecimens with DNA cannot be considered non-identifiable anymore. "In our comments, we are requesting that HHS give individuals the opportunity to make choices about the use of their own health data and specimens," said Executive director Pam Dixon. WPF also stated in its comments that "A central database with identifiable information about participants in human subjects research is a terrible idea." (See p. 21 of WPF comments.)
10/14/2011 New Report
The World Privacy Forum has published a report on past self-regulatory efforts in the area of privacy, Many Failures: A brief history of privacy self-regulation. "Privacy self-regulation has been a Potemkin Village of consumer protection," says executive director Pam Dixon. "History shows a pattern of past self-regulatory efforts that have been erected quickly and have faded after regulatory threats fade." The report is authored by Robert Gellman and Pam Dixon. It includes details about programs such as the IRSG, the Privacy Leadership Initiative, the Privacy Alliance, and other programs. A key finding of this report is that the majority of the industry self-regulatory programs that were initiated failed in one or more substantive ways, and many disappeared entirely.
10/13/2011 Internet privacy
The World Privacy Forum's executive director Pam Dixon will testify about online consumer privacy before the House Committee on Energy and Commerce today. Written testimony is posted at the Committee web site, and here.
09/14/2011 Internet privacy
The Trans Atlantic Consumer Dialogue (TACD), which WPF is a member of, has sent a letter regarding Internet privacy to a Congressional subcommittee explaining that European privacy controls are not burdensome, but rather of key importance. The TACD is a forum of more than 80 US and European consumer groups and represents several hundred million consumers in North America and the United States.
08/04/2011 Medical ID Theft
The World Privacy Forum has released a new map that reveals the geography of medical identity theft. This is the first map of its kind, and is based on the Federal Trade Commission Consumer Sentinel data. The map is interactive, and gives details on the cities where medical identity theft occurred over the course of a year. The World Privacy Forum published the first report on medical identity theft in 2006, coining the term in the report and bringing the crime to public attention. WPF continues to actively research this important privacy issue.
08/01/2011 Medical Privacy | HIPAA
The World Privacy Forum today filed its comments on the proposed changes to the HIPAA privacy rule, supporting some proposed changes and suggesting additional changes to enhance patient choice. In particular, the WPF supports the new patient right to an access report that has been added (p. 4), and has requested that Health Information Exchanges also be required to provide accountings of disclosures to patients (p. 18). The WPF generally argued that HHS needs to look forward and allow changes in information technology to fully benefit patients by providing the facility for more accounting rather than less (pp. 2-3). If the HIPAA rule gives patients a greater ability to monitor how their information is used and disclosed, patients will pay attention and requests for accounting of disclosures will become more common.
07/15/2011 Online privacy
Digiday Panel Talk
Executive director Pam Dixon will be speaking about online privacy and consumers at the Digiday Data Management Summit on Monday, July 18.
The US Department of Health and Human Services has opened sections of the HIPAA rule for comments. All members of the public may comment on the proposed changes to the rule. Comments are due by August 1. For more information, see the HHS web site.
Related: Patient's Guide to HIPAA
07/12/2011 Facebook Photo Identification
Consumer Tip: Opt Out of Automatic Facebook Facial Recognition
If you have a Facebook account and if you have ever been tagged in a photo of yourself on Facebook, we want to alert you to an important Facebook setting. Unless you have proactively changed your privacy settings, Facebook will use facial recognition tools to compare photos and make tag suggestions. When new photos that look like you have been uploaded, Facebook will suggest tags with your name. To opt out of this, in Facebook go to Account, then choose Privacy Settings from the drop down menu. Click the Customize Settings link, and then scroll down and look for the Suggest Photos of Me to Friends line. To opt out, click Edit Settings, then choose Disable on the drop down menu. Also see the Facebook Photo Tagging help page.
06/27/2011 Medical ID theft
Medical ID theft rising
The World Privacy Forum is quoted in a Marketplace story regarding our most recent medical identity theft research. WPF wrote the first major research on medical ID theft and coined the term. Our consumer resources for detecting, preventing, and resolving the crime are located here.
06/08/2011 Department of Commerce / Cybersecurity
The US Department of Commerce released a green paper on cybersecurity with recommendations for improving cybersecurity via self regulation, or voluntary codes of conduct. The report, Cybersecurity, Innovation, and the Internet Economy, also contains a discussion of some privacy issues, such as the impact of data breach notification laws. Comments are due in 45 days.
05/31/2011 Data breach
World Privacy Forum requests more information about Ceridian data breach and the FTC complaint process
The World Privacy Forum filed comments with the Federal Trade Commission regarding its consent decree against Ceridian regarding a substantial data breach. WPF has requested that the Commission present more facts in the case to the public, and has also requested more clarity about the FTC complaint process, noting that it is not a transparent process for the public.
05/23/2011 FERPA, Educational privacy
The WPF filed detailed comments on the U.S. Department of Education's notice of proposed changes to the Family Educational Rights and Privacy Act. WPF has concerns that the increased sharing of student information that the proposed rule will allow will diminish student privacy in a significant and permanent way. WPF is urging the DOE to amend its proposed rule to establish increased privacy protections for sensitive student information held in databases and elsewhere.
05/17/2011 California privacy
California budget plan nixes state's privacy office
The just-published California budget nixes the California Office of Privacy Protection, the first state-level privacy office in the United States and the source of crucial privacy assistance and information for Californians and California businesses. The World Privacy Forum is urging the Governor to reinstate funding for this critical office for Californians. See the proposed budget, page 114 for the cuts. WPF will be publishing more about how to save California's privacy office.
05/10/2011 Smartphone privacy update
We have revised our iPhone and iPad privacy tipsheet to reflect Apple's new software update for the iOS4 devices. We encourage all iOS4 device owners to update their software. Some device owners may also want to opt out of location sharing. Read our tipsheet for more details.
04/28/2011 Smartphone privacy update
We have updated our tipsheet to reflect the new information that has been published regarding the Apple smart phone geolocation issue. Apple plans to make changes to its software to improve the privacy problems the tipsheet discusses.
04/21/2011 Apple iPhone and iPad privacy
Some of Apple's products, including iOS 4 iPhones and iPads, have been tracking consumers' detailed location information and storing the data directly on the devices. This raises privacy concerns, as the data on the phones and iPads is unencrypted and may be accessed directly. This tipsheet explains iPhone and iPad iOS4 geolocation privacy issues, including who needs to be most concerned about them, and what to do. Health care providers, overseas human rights workers, members of law enforcement and victims of domestic violence are among those who have special considerations and sensitivities to this privacy issue.
04/18/2011 Pharma privacy
Registrants at GSK product web sites receive breach letter
Pharmaceutical manufacturer GSK, maker of drugs Paxil, Boniva, Advair, and many others, sent a letter to consumers who had registered on one or more of its product websites. Due to the Epsilon data breach, registrants' names, email, and the product they registered for were breached. Information people give to a company via a pharmaceutical product web site such as this is not usually covered under HIPAA. See our Patient's Guide to HIPAA for more on what is covered under HIPAA and what is not. WPF recommends that consumers use a "throwaway" or temporary email address if deciding to register at pharmaceutical product web sites.
Patient's Guide to HIPAA: Who Must Comply with HIPAA? | GSK Breach letter via PHI Privacy.
The Family Educational Rights and Privacy Act of 1974, FERPA, has been amended substantially. The proposed amendments have been published and are open for comment until May 23, 2011. The current changes impact students' medical, educational, and informational privacy interests. WPF will be filing detailed comments on FERPA, including how the proposal interacts with California privacy laws. We will be posting additional materials on commenting soon.
04/07/2011 Medical privacy, California HIE
California has proposed regulations for health information exchange projects in the state. WPF has submitted comments encouraging more privacy protections, and we are joined in our comments by Privacy Activism and the Center for Digital Democracy. One key request in the comments is that California not allow patient consent to be waived in HIE projects. We are also requesting that California create a unified web listing of its HIE projects for increased transparency and to facilitate patient access to HIE information and policies.
03/25/2011 Online data broker
WPF complaint to FTC results in online data broker settlement
In April 2009, the World Privacy Forum sent the FTC a complaint regarding a lack of online opt-outs for consumers at some online data broker web sites. Our complaint focused on the difficulties online consumers would have opting out of certain web sites. In our complaint, we noted that online consumers were having difficulties with the opt outs. Today the FTC issued a final decision in this matter, and specifically improved online opt outs for consumers at US Search.
03/24/2011 California HIE
Proposed California regulations for electronic health information exchanges
The California Office of Health Information Integrity has proposed regulations for electronic health information exchange projects based in the state. The regulations are based on several years of policy work done by the CalPSAB, a multi-stakeholder board the WPF has participated in as a co-chair. Comments on the proposed regulations are due April 1. See the CalOHII notice for more information.
The US Department of Commerce has announced that it is supporting privacy legislation and a "stakeholder process" to determine self regulatory rules for Internet privacy. WPF wrote about what a fair stakeholder process needs to include in our comments to the US Department of Commerce. We urge that at a minimum, the stakeholder process will include these items:
1) Consumer and business representation be equal in any multi-stakeholder
6) Participants in the process must choose their own rules and presiding
For more, read our full comments to Commerce
The World Privacy Forum submitted comments today on the European Advertising Standards Alliance's Best Practice Recommendation on Online Behavioural Advertising. Our comments focus upon three key areas: First, the EASA recommendation fails to recognize the protection of consumer privacy in Online Behavioral Advertising (OBA) as a key policy goal. Second, the recommendation's protections are narrow, creating illusory protections for user privacy, whether or not they opt out of OBA. Finally, we critique the oversight and compliance mechanisms, which are not likely to foster consumer confidence nor police the industry. Drawing upon the WPF's 2007 report, The NAI: Failing at Consumer Protection and at Self-Regulation, the comments argue that EASA's approach suffers from the same weaknesses as self-regulatory approaches deployed in the United States, and that European lawmakers should not replicate the failed American approach. Law students from the Samuelson Law, Technology & Public Policy Clinic helped draft the comments as part of an ongoing project on consumer privacy and OBA.
The World Privacy Forum filed comments with the FTC in response to its preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. In our comments, we urge the FTC to take affirmative steps to protect consumer privacy online and offline. Our comments include a brief history of privacy self regulation, and point out how privacy self regulation has consistently failed. The comments also discuss Do Not Track, and urge the FTC to take a broader look at tracking protections for consumers. WPF also specifically requested that the FTC identify credit reporting bureaus subject to Fair Credit Reporting Act regulations and assist consumers in locating those bureaus.
02/01/2011 WPF Facebook page
The World Privacy Forum has begun posting materials to its new Facebook page. "Millions of users are looking for information on Facebook. Our goal is to reach consumers with high-quality privacy materials and information, so it makes sense for us to reach out to people through this medium," said executive director Pam Dixon. The World Privacy Forum Facebook page is located here: http://www.facebook.com/pages/World-Privacy-Forum/166886663345222?ref=sgm.
01/28/2011 Department of Commerce
The World Privacy Forum filed comments on the US Department of Commerce Green Paper today and urged the department to adopt a fair stakeholder input process that included consumers in a robust and meaningful way. WPF outlined seven specific steps for the department to take to ensure a fair process. The comments are available here.
Read the WPF comments (PDF, 6 pages) | Related: See the Nov. 2010 WPF report on the US-EU Safe Harbor program.
12/10/2010 Medical privacy
The World Privacy Forum filed comments today about how medical records and other health information are intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.
12/01/2010 FTC Privacy Report
The Federal Trade Commission has published its report on online privacy. The World Privacy Forum will be issuing comments on the report at 2:30 pm Eastern today in a press briefing. Check our Twitter feed for updates. Twitter: @privacyforum
11/22/2010 New Report
The World Privacy Forum published a new report today that evaluates the US Department of Commerce's work on privacy protection for consumers, given its role overseeing such critical programs as the US/EU Safe Harbor data agreement. The report, The US Department of Commerce and International Privacy Activities: Indifference and Neglect, identifies a number of issues of concern regarding the Department's privacy programs, most particularly, the current Safe Harbor framework. The report's analysis finds that three separate studies consistently show that many and perhaps most Safe Harbor participants are not in compliance with their obligations under Safe Harbor.
The Federal Trade Commission began sending checks to almost a million consumers who were subscribers to the LifeLock ID theft protection service. LifeLock agreed to pay fines of $11 million to the FTC and $1 million to a group of state attorneys general to settle charges that had been made against the company. Consumers with questions about this distribution may call 888-288-0783 or see the FTC's web page on this, http://www.ftc.gov/refunds.
11/09/2010 Opt out, online privacy
The popular WPF Top Ten Opt Out List has been newly updated. We have added a new section to our list with step by step details on how to opt out of RapLeaf. We encourage consumers to view any of their profiles that exist at RapLeaf and to opt out of RapLeaf permanently. We have also updated the phone numbers and other information on the rest of our opt out list. To see more, visit our Opt Out List.
10/28/2010 ID theft, legal info
The FTC has published a new ID Theft guide. The new guide is designed to help attorneys and volunteers who assist ID theft victims. The guide covers laws that protect victims, and pro bono legal information. A must-read for those helping victims.
10/27/2010 FTC, Google WiFi
Federal Trade Commission drops Google WiFi case, but tells Google that its internal review processes are inadequate
The FTC sent a letter to Google today expressing concern about the company's privacy practices, but at the same time, the FTC informed Google that it was dropping its investigation of the Street View WiFi case. The FTC wrote: "FTC staff has concerns about the internal policies and procedures that gave rise to this data collection. ... the company did not discover that it had been collecting payload data until it responded to a request for information from a data protection authority." The FTC told Google it should develop and implement procedures to properly collect, dispose of, and maintain information.
10/26/2010 Resource, case file, Amazon.com v Lay
Amazon.com filed a lawsuit in April to fight the North Carolina Department of Revenue's request for detailed information on Amazon.com customers. The North Carolina tax department requested Amazon.com to hand over "all information for all sales to customers with a North Carolina shipping address" between 2003 and 2010. In the decision, Seattle, Washington U.S. District Court Judge Marsha J. Pechman wrote, "Citizens are entitled to receive information and ideas through books, films, and other expressive materials anonymously." She also stated that "The fear of government tracking and censoring one's reading, listening, and viewing choices chills the exercise of First Amendment rights." This is an important decision for privacy rights, and online privacy in particular.
09/13/2010 HIPAA, medical privacy
The World Privacy Forum filed two sets of detailed regulatory comments on recently proposed changes to HIPAA. The first comments focused on proposed changes to HIPAA in the area of marketing patient information. The proposed changes would be harmful to patient privacy, and are contrary to the law. WPF was joined in the marketing comments by the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times. The second set of comments WPF filed included the comments on marketing as well as on additional provisions that would be problematic if enacted.
Read the long comments on HIPAA (15 pages)
8/02/2010 Financial privacy, SEC
The World Privacy Forum filed comments today criticizing the SEC proposed regulations that would release an unprecedented amount of financial details about individual borrowers through the EDGAR database. The WPF was joined by other privacy, consumer, and human rights organizations in its comments, which focused on the privacy issues with the proposed regulations. Pam Dixon, executive director of the WPF, stated in the comments that the SEC's new regulations would "Place on the public record and online the largest amount of personal financial information about borrowers ever disclosed, including information never before made public." The comments also note that the SEC's plan greatly increases the risk of identity theft for individual borrowers whose information will be released publicly.
A press release issued by Connecticut's AG Richard Blumenthal revealed that 38 states have joined a multistate investigation of Google's Street View WiFi sniffing program. Blumenthal stated in the release: “We are asking Google to identify specific individuals responsible for the snooping code and how Google was unaware that this code allowed the Street View cars to collect data broadcast over WiFi networks. Information we are awaiting includes how the spy software was included in Google’s Street View network and specific locations where unauthorized data collection occurred. We will take all appropriate steps -- including potential legal action if warranted -- to obtain complete, comprehensive answers.”
WPF will be speaking at the CFP conference on two panels. On June 15, Pam Dixon will participate in a plenary session on data brokers. On June 16, Dixon will moderate a health care privacy panel. This panel will focus on electronic health care in the state of California and the current privacy issues in electronic health exchange.
The World Privacy Forum, as co-chair of the California Privacy and Security Advisory Board, was pleased to vote on an opt-in privacy standard for Californians in the June CalPSAB board meeting. The standard will be part of a set of guidelines the state of California uses in its development of electronic health care records. This set of guidelines was the culmination of two years of policy work with the CalPSAB board.
5/18/2010 Medical privacy
The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients' current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that "An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential."
2/25/2010 New privacy principles
The nation's leading consumer and privacy groups released a set of baseline consumer privacy principles to be included in digital signage networks. The principles were released at the Digital Signage Expo in Las Vegas, Nevada, where World Privacy Forum executive director Pam Dixon spoke about the principles to a large group of digital signage industry professionals.
1/27/2010 FTC Privacy Roundtable
World Privacy Forum to speak at FTC Privacy Roundtable
Thursday, January 28, WPF Executive Director Pam Dixon will be speaking at the FTC's Privacy Roundtable about the privacy implications of digital signage networks and will be specifically discussing the new report: The One-Way Mirror Society: Privacy Implications of the New Digital Signage Networks. Few consumers, legislators, regulators, or policy makers are aware of the capabilities of digital signs or of the extent of their use. The technology presents new problems and highlights old conflicts about privacy, public spaces, and the need for a meaningful debate.
1/04/2010 Genetic discrimination
The World Privacy Forum filed comments today with the Department of Labor requesting that the DOL expand its protections of how genetic information may be used by health insurance companies or group health plans. The World Privacy Forum urged the DOL to include genetic information posted on social networking sites in its consideration of the GINA regulations.
12/07/2009 FTC Privacy Roundtable
FTC Privacy Roundtable: WPF to testify on information brokers
WPF executive director Pam Dixon will testify at the FTC Privacy Roundtable about information brokers and commercial data practices and how they impact consumers. Dixon will be discussing the business models of data brokers, issues with smart grids, and opt-out problems, among other issues.
12/04/2009 Genetic non-discrimination regulations (GINA)
The World Privacy Forum filed comments on proposed regulations for implementing Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested a change to the proposed regulations, asking that the Department of Health and Human Services require immediate posting of revised notices of privacy practices on the web sites of affected health plans. Under the proposed regulations, written notice of revised privacy practices to individuals could be delayed due to the cost of postal mailing. The WPF noted that a revised privacy notice posted on a health plan's web site would not incur postal costs, and that regulated entities should take this minimum step to inform consumers of any changes regarding privacy practices affecting genetic non-discrimination.
11/19/2009 Congressional testimony
WPF executive director Pam Dixon testified at a joint subcommittee hearing focused on privacy and the collection and use of online and offline consumer information. Dixon's testimony focused on the new "modern permanent record" and how it is used and created. Dixon said, "The merging of offline and online data is creating highly personalized, granular profiles of consumers that affect consumers’ opportunities in the marketplace and in their lives. Consumers are largely unaware of these profiles and their consequences, and they have insufficient legal rights to change things even if they did know." The testimony explored concrete examples of problematic consumer profiling activities.
11/11/2009 FTC "Exploring Privacy" Roundtable Series
WPF to speak at FTC Exploring Privacy Roundtable
The World Privacy Forum has been invited to speak at the Federal Trade Commission's first Privacy Roundtable, to be held December 7, 2009 in Washington DC.
11/06/2009 FTC Privacy Roundtable
The World Privacy Forum filed comments last week for the FTC Privacy Roundtables, the first of which will be held December 7, 2009. The WPF comments urged the FTC to consider the Fair Credit Reporting Act as a key privacy model to apply to additional areas, to use the full version of Fair Information Practices, and discussed how a rights-based framework was the key to advancing consumers' interests. The comments discussed list brokers at length, and explained how even the most informationally cautious consumer will land on numerous marketing lists and databases. The WPF comments noted that not all marketing lists are used to target ads to consumers; some lists and databases are used to deny consumers goods and services. The comments contain a detailed section on privacy frameworks, a section on direct marketing, and an appendix with supporting information.
11/03/2009 Madrid Declaration
A significant civil society document with more than 100 signatories worldwide has been published in conjunction with the 31st annual meeting of the International Conference of Privacy and Data Protection Commissioners. The document, known as the Madrid Declaration, affirms support for the complete canon of fair information practices as expressed by the OECD, affirms support of privacy as a fundamental human right, and warns that "the failure to safeguard privacy jeopardizes associated freedoms, including freedom of expression, freedom of assembly, freedom of access to information, non-discrimination, and ultimately the stability of constitutional democracies."
11/02/2009 Red Flag Rule
The Federal Trade Commission has delayed the enforcement date of the Red Flag Rule until June 1, 2010.
10/26/2009 Data Breach | HHS HITECH Breach Notification
Medical data breach rule needs more work; World Privacy Forum files comments with HHS requesting changes
The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.
10/22/2009 Security freeze | Financial privacy | identity theft
The World Privacy Forum has updated its credit freeze (security freeze) page to reflect changes in some state-level laws.
09/28/2009 Red Flag | Identity theft
The World Privacy Forum has updated its Red Flag report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers. The update reflects the new effective date of the Red Flag Rule (November 1, 2009) and incorporates other minor updates in the text. This report replaces the original Red Flag report published September 2008.
08/24/2009 Financial privacy | Privacy Act
The World Privacy Forum filed comments today urging the U.S. Treasury Department to obtain consumers' consent before checking their credit reports. Consumers who participate in the government's Home Affordable Modification Program (HAMP) -- an Obama administration program created to help consumers renegotiate their mortgages so they can keep their homes -- must allow the Federal Government to check their credit reports without first obtaining consent. This procedure sets a negative precedent, and is at odds with consumer expectations of privacy. The Treasury gave itself this power in an obscure set of "Routine Uses" in a Privacy Act notice published along with the proposed system of records for the program. The World Privacy Forum has objected to this, and has filed detailed comments with the Treasury about the lack of consumer consent. The public comment period on this program is open until September 4, 2009.
08/19/2009 Health IT
The Health IT Standards Committee will be meeting tomorrow, August 20, from 9 a.m. to 3 p.m. in Washington DC. Those interested in this meeting can participate in person, or via the phone and web. The privacy and security workgroup will report at 1:30 pm Eastern. Location and call-in information is available at the HHS web site.
08/17/2009 Data breach rules
The Federal Trade Commission has issued its final Health Breach Notification Rule for vendors of Personal Health Records and related entities, as required under ARRA, The American Recovery and Reinvestment Act of 2009. The initial proposed Health Breach Notification Rule was generally thoughtful and thorough. The World Privacy Forum submitted extensive comments on the proposed rule both supporting parts of it and making some suggestions for changes. The FTC incorporated several specific WPF suggestions into the final rule. In particular, the FTC incorporated the applicability of the rule to foreign entities with U.S. customers (Final Rule p. 17), and the applicability of the rule to search engines appearing on Personal Health Record web sites (Final Rule p. 34). The new rule will be published in the Federal Register shortly; until then, it is available at the FTC web site. Also available is a form that entities covered under this rule can use to report data breaches to the FTC. The Health Breach Notification Rule will be effective 30 days after publication in the Federal Register, and full compliance with the rule will be required beginning 180 days after publication.
08/10/2009 Web tracking
The World Privacy Forum filed comments with the Office of Management and Budget regarding its proposal to begin to allow the use of tracking cookies on government web sites. The proposal was published in the Federal Register, and outlined a three-tiered plan for how web tracking technologies might be used. The Forum's comments focused on methods of opt-out, data retention, secondary use, user authentication, new tracking technologies such as Flash cookies, and the need for new opt-out mechanisms. The Forum also urged the federal government to not allow third party tracking of consumers' use of government web sites, and to guard against any discrimination against consumers who do not want to be tracked.
07/17/2009 Cloud computing
The World Privacy Forum sent a letter to Los Angeles Mayor Villaraigosa today expressing concerns and questions about a proposed contract to move the city of Los Angeles' email and some other computing tasks to a cloud-based system. The Forum expressed concerns in particular about the lack of contractual protection for health data, AIDS data, genetic information, domestic violence and sexual assault victim information, among other sensitive information. The Forum suggested the city undertake an independent and thorough risk assessment prior to completing the contract, and suggested a robust public comment process that includes all stakeholders. The City will take up the issue of this contract at a city council Information Technology Committee meeting on Tuesday July 21. The World Privacy Forum published a detailed analysis of the privacy issues of cloud computing in February which outlines the challenges and ambiguities that governments and others face as they make decisions about what data to put in the cloud.
07/14/2009 Social networks
Facebook, MySpace, Xing receive warning letters from EU consumer group
07/13/2009 Behavioral advertising
IAB releases flawed guidelines for controlling behavioral advertising practices
The Interactive Advertising Bureau has released its self-regulatory guidelines for online advertisers. The guidelines are inadequate to protect consumers, and in some cases, create loopholes for significant consumer harm. In the area of sensitive information, the guidelines are especially weak. The IAB definition of sensitive information is much weaker than the definition of sensitive information already adopted by industry in the formal NAI agreement, which is still in effect today. Additionally, the new IAB guidelines rely on weak accountability standards; a World Privacy Forum report analyzed the NAI accountability and reporting, and found that the Network Advertising Initiative (NAI) accountability mechanisms had failed. The IAB accountability mechanisms do not improve on the NAI accountability mechanisms, and as such, are problematic at best.
06/19/2009 Social Networking
EU: Article 29 Working Party releases Opinion on social networking sites
The Article 29 Working Party has adopted an important Opinion regarding social networking sites as of June 12. The opinion covers privacy, advertising, sensitive information, and other issues relating to online social networking. Regarding sensitive data, the Article 29 Working Party stated: "Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data concerning health or sex life is considered sensitive. Sensitive personal data may only be published on the Internet with the explicit consent from the data subject or if the data subject has made the data manifestly public himself." Regarding use of sensitive data to target advertising, the Article 29 opinion stated: "The Working Party recommends not using sensitive data in behavioral advertising models, unless all legal requirements are met." The opinion also stated that the EU Data Protection Directive generally applies to the processing of personal data by social networking services, even when their headquarters are outside of the EEA, and that social networking service providers are considered data controllers under the Data Protection Directive.
World Privacy Forum at TACD meeting
The World Privacy Forum participated in the Trans Atlantic Consumer Dialogue meetings in Brussels this June, and is pleased to announce that WPF is now a full member of the TACD. The TACD is a network of 80 EU and U.S. consumer organizations that develop joint consumer policy recommendations for the EU and U.S. in an effort to promote the consumer interest in transatlantic policymaking.
06/01/2009 Data Breach of Health Records - FTC
World Privacy Forum files comments with the FTC regarding proposed rules for health care-related data breaches
The World Privacy Forum filed extensive comments with the Federal Trade Commission today regarding its notice of proposed rulemaking for data breaches of information containing actual health care information or health care-related information. The FTC rulemaking will apply to a variety of record holders, especially vendors of personal health records. The Forum supported much of the FTC's proposed rulemaking, finding the rulemaking generally thoughtful and careful. In some areas, the Forum urged the FTC to narrow and further define and strengthen the proposed rule. The World Privacy Forum urged the FTC to tighten language around scope, the definition of "personal health record," law enforcement delays of consumer notification, and urged the FTC to further clarify the definition of what falls under the category of "de-identified data." Citing the research of Dr. LaTanya Sweeney and others, the Forum urged the FTC to require commercial companies and others holding health care data that has been partially de-identified to still report those breaches to the FTC and the public, and to monitor for re-identification.
05/21/2009 Health Record Data Breaches - HHS
World Privacy Forum files comments with HHS regarding data breach guidance
The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for "limited data set" breaches.
05/08/2009 Job Search Privacy
The World Privacy Forum's popular and long-standing Job Searcher's Guide has been completely updated. We have a site-by-site comparison of the privacy practices of online job search sites. This guide was originally posted in 2003, and has been updated regularly. This was a major update of this resource. The World Privacy Forum publishes extensive job search privacy resources in addition to the Guide, including a very popular guide to resume posting privacy.
05/07/2009 Credit Freeze
We have updated the World Privacy Forum's state-by-state guide on how to place a credit, or security, freeze. Only a few states are lacking a security or credit freeze law now.
05/01/2009 Genetic Privacy | GINA
The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loopholes in consumer protection in the proposed regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way so as to prevent information leakage through billing and other activities.
04/16/2009 Online privacy | FTC
When opting out is hard to do: World Privacy Forum sends letter to FTC about companies offering mail-based opt outs
The World Privacy Forum sent a letter to the Federal Trade Commission asking it to look into four companies offering online consumers the ability to opt out, then asking those consumers to use a variety of postal-mail-based methods to do so.
03/31/2009 New Consumer Resource
The Patient's Guide to HIPAA is the first comprehensive guide to medical privacy written expressly for patients with a practical eye as to how to use the law to protect privacy. It is a major privacy resource for patients, written directly and without legalese. The Patient's Guide to HIPAA is easy to navigate and digest; the guide is in the form of Frequently Asked Questions & answers. All of the key points in HIPAA are included, from the 7 basic patient rights to how and when to get copies of health care records. Difficult situations that patients often encounter are included in the guide. The Patient's Guide to HIPAA was written by Robert Gellman, with assistance from Pam Dixon, John Fanning, and Dr. Lewis Lorton.
03/27/2009 CVS Caremark | FTC proposed consent agreement
The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in response to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach.
03/27/2009 CHILI - California Health Information Identification data base
A substantial new resource for individuals seeking to research California laws and regulations regarding health information has come online. The CHILI database is a project of the California Office of Health Information Integrity, and has interfaced with the California Privacy and Security Advisory Board, which the World Privacy Forum co-chairs. The CHILI database can be searched by HIPAA section, California Code section, California health information law keywords, or by statutory scheme.
02/23/2009 New Report
The World Privacy Forum's newest report examines the privacy and confidentiality issues of cloud computing that have been largely overlooked to date. It is a thorough analysis with policy findings. Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing was written by Robert Gellman for the World Privacy Forum. Cloud computing tips for consumers and business are also available.
02/18/2009 Medical privacy | HIPAA | FTC
CVS Caremark pharmacy chain agrees to pay $2.25 million to settle charges of HIPAA violations; also settles with the FTC
According to a legal complaint, CVS pharmacies -- the largest pharmacy chain in the United States -- did not take appropriate steps to protect its customers' and employees' sensitive information when it improperly disposed of documents, labels, prescription bottles, and other items with clearly identifiable and highly sensitive personal information such as SSNs, prescription information, driver's license numbers, and other information still on those materials. CVS agreed to pay $2.25 million to settle its violations of HIPAA as part of a Resolution Agreement with the Department of Health and Human Services. CVS has also signed a consent agreement with the FTC; the public can comment on this agreement until March 20, 2009. The World Privacy Forum will be filing comments with the FTC on the consent agreement with CVS, which we will post here.
02/12/2009 Internet privacy
FTC releases its online advertising principles; Commissioner Harbour urges FTC to go beyond self-regulation
The Federal Trade Commission released its self-regulatory principles for behaviorally-targeted advertising today. The World Privacy Forum will be holding a press conference responding to the principles at 12:30 p.m. Eastern.
World Privacy Forum opposes California DMV plan
The California DMV (Division of Motor Vehicles) has proposed, through an expedited 30-day process, that it begin taking detailed facial scans of drivers and storing the scans in a state-wide database. This change, among other proposed DMV changes, represents a substantial policy shift for the state of California. The World Privacy Forum has urged that this process go through normal legislative procedures so that there is adequate time for public input and for formal hearings.
01/28/2009 International Privacy Day
The World Privacy Forum celebrated International Privacy Day by joining other privacy and civil liberties organizations in encouraging the U.S. Senate to adopt the Council of Europe Privacy Convention. The U.S. has already ratified the Council of Europe Convention on Cybercrime. International Privacy Day was founded three years ago by the Council of Europe, and is celebrated by privacy, civil liberties, and consumer groups in Europe, North America and elsewhere.
01/27/2009 Monster.com | Consumer Alert | Job search privacy
According to the job site Monster.com, its users' IDs and passwords, email addresses, names, phone numbers, and some "basic demographic data" were compromised in a data breach. Monster notified victims of the security breach through its web site on Friday, January 23, 2009. It is unclear how many people this notice impacts, as Monster.com did not give an estimate. In press reports, however, Monster has admitted that the breach is global, with Asia Pacific and Eastern Europe being spared. Job seekers' information can be used like a road map for criminal ventures, including identity theft, phishing and spamming. User passwords, which Monster.com says were compromised in this breach, are especially valuable as they can potentially be used to access other sites or email accounts, especially if a person regularly uses the same passwords. The World Privacy Forum has published a consumer alert about this data breach with tips for victims. This data breach also impacts USAjobs.com, the government job search site affiliated with Monster.com.
01/05/2009 School privacy | FERPA
New privacy rules for schools released; World Privacy Forum comments had positive impact for student and parent privacy
In May 2008 the World Privacy Forum submitted detailed comments on proposed changes to the Family Educational Rights and Privacy Act regulations (FERPA). The FERPA regulations are the rules that control how schools treat and release student information. The final FERPA regulations have now been published and reveal that the World Privacy Forum comments had a positive impact. The new regulations agreed with WPF's comment that if a school requests a Federal tax return from a parent, the parent has the right to redact all financial information from the form, and affirmed that the school does not have a requirement to ask for the tax form in the first place. The regulations also agreed with the WPF comment that the risk of re-identification of published student information is cumulative, and made recommendations that educational institutions take into account all releases of student information they have made, not just new releases.
12/12/2008 GINA - Genetic Information Nondiscrimination Act
World Privacy Forum urges more clarification and privacy protection regarding "incidental collection" of genetic information in GINA
In comments regarding the recently passed GINA (Genetic Information Nondiscrimination Act), the World Privacy Forum said that some aspects of GINA need clarification to enhance privacy. The comments focus on a number of privacy issues the RFI raised, including model privacy notices and the issue of what the GINA statute calls "incidental collection" of genetic information. Currently, GINA states that some kinds of information are exempted from being considered as regulated for medical underwriting purposes. For example, medical information gleaned about patients for underwriting purposes from medical databases is regulated. But medical information gleaned about patients for underwriting purposes from, for example, marketing lists containing robust patient information may be unregulated if the law is not clarified in the regulatory process. The World Privacy Forum urged HHS and the Department of Labor to substantially clarify what constitutes "incidental collection," and urged the agencies to consider lists containing identifiable patient information to be considered in the same category as a "medical database."
12/10/2008 Genetic privacy
Keep my genes private: World Congress panel presentation
The World Privacy Forum presented a talk at the World Congress in Washington D.C. today on the intersection between genetic privacy and marketing, and on genetic issues and medical identity theft. The presentation exposed the list marketing activities surrounding health care data, and examined how the current loopholes in the recently passed Genetic Information Nondiscrimination Act (GINA) would not necessarily ease issues with incidental collection and use of genetic information.
World Privacy Forum elected to HITSP board
World Privacy Forum executive director Pam Dixon was elected to be the consumer representative on the HITSP board (Health Information Technology Standards Panel). HITSP is a national standards-setting body that is part of ANSI (The American National Standards Institute) and is working on specifications and standards for the National Health Information Network. The term will begin in January of 2009.
12/01/2008 Telemarketing | Top Ten Opt Out List
Beginning today, pre-recorded telemarketing phone calls must come with an easy opt-out for consumers. If a pre-recorded telemarketing call is left on an answering machine, it must also include opt-out information. These rules will apply to telemarketers already subject to the Federal Trade Commission's Telemarketing Sales Rule and Do Not Call List. There are some exemptions to the rule. For more details about the changes, see our Top Ten Opt Out List, which has been updated with the new information.
11/11/2008 IPSC2008 Day One
The World Privacy Forum is co-hosting the 1st International Privacy and Security Conference (IPSC2008) in Tokyo, Japan. The conference focuses on examining and discussing a range of privacy and security issues from a global perspective. Today was conference day one at Belle Salle Kudan in central Tokyo. The conference hall was packed, and the sessions were excellent. Prof. Masao Horibe, Prof. Ryoichi Sasaki, and Peter Cullen opened the conference with overviews and a keynote. Session One included a panel of prominent experts and focused on information security and privacy both technically and legally from a Japanese, US, and EU perspective.
11/03/2008 Upcoming lecture, consumer privacy and security
WPF Executive Director Pam Dixon will be speaking at the Center for Ethics in Science and Technology's monthly lecture series in San Diego, California Wednesday, Nov. 5th at 5:30 pm. The lecture will focus on the big-picture view of the health care and patient privacy landscape, and will explore how electronic health care records are set to shift into prominence in the coming months and years. The lecture will be held at the Reuben H. Fleet Science Center in San Diego's Balboa Park.
10/22/2008 Red Flag Rule - ID Theft
FTC delays Red Flag Rule enforcement until May 1, 2009
The Federal Trade Commission announced that it will delay by 6 months the enforcement of its Red Flag Rule that requires certain businesses to have a written identity theft prevention program. The Red Flag rule still goes into effect November 1, 2008, but the new date for enforcement of the rule is May 1, 2009. The FTC issued an "Enforcement Policy Statement" Oct. 22, 2008 regarding its reasons for the delay, which is available here.
10/17/2008 Medical ID theft
World Privacy Forum speaks at medical identity theft town hall meeting
The Department of Health and Human Services held a town hall meeting Oct. 15 about medical identity theft in the FTC's Washington DC conference center. Pam Dixon of the World Privacy Forum spoke at the event, noting that the problems and harms of medical identity theft were not theoretical, but are present now, and create profound harm in the lives of victims. Dixon also emphasized that the crime had gone unnoticed for years before the World Privacy Forum's 2006 report on the issue, and that solutions to the crime must include the perspective and input of individual victims and provide real remedies from the harms. Dixon also discussed the current focus on patient authentication and noted that patient authentication did not resolve the problems of systemic medical identity theft committed by insiders. Dixon also noted that some forms of patient authentication, if implemented improperly, could potentially increase risk rather than decrease it.
10/07/2008 Transatlantic Consumer Dialogue (TACD)
World Privacy Forum joins Transatlantic Consumer Dialogue
The World Privacy Forum is pleased to announce it is now a member of the Transatlantic Consumer Dialogue (TACD), a forum of US and EU consumer organizations. TACD develops joint consumer policy recommendations to the European Commission and the US government. TACD was founded in 1998 and is organized by Consumers International. The European Commission provides financial and coordination support for the TACD.
10/03/2008 National Health Information Network
At the December National Health Information Network meeting noted in the updated WPF chronology, the health care providers and others who have built the trial versions of the NHIN will give their progress reports. For those who are not yet familiar with the ambitious plans for a national health information network, see the World Privacy Forum's NHIN background information page. This is a critical time in the development of the NHIN; in 2004 it was nothing more than a thought; in December, it will be partially implemented at the trial level. The World Privacy Forum has consistently voiced concerns about the need to ensure robust patient privacy protections in the NHIN.
10/01/2008 New privacy and security laws and regulations
New requirements for protecting consumer information
A new law in Nevada and new regulations in Massachusetts increase the requirements for protection of consumer information. A Nevada law that took effect Oct. 1, 2008 (NRS 597.970: Restrictions on transfer of personal information through electronic transmission) requires that businesses in the state of Nevada must encrypt customers' personal information when transferred via an electronic transmission, excluding faxes. In Massachusetts, new regulations that take effect Jan. 1, 2009 spell out specific security measures that businesses owning, storing, or maintaining consumers' personal information in paper or electronic form must take (201 CMR 17.03: Duty to Protect and Standards for Protecting Personal Information).
09/24/2008 Report: Red Flag Rules and Medical ID theft prevention programs
The World Privacy Forum published a new report today, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers. The report discusses the applicability of the new FTC Red Flag regulations to the health care sector along with suggestions for providers. The recently issued regulations by the FTC require financial institutions and creditors to develop and implement written identity theft prevention programs. The rules take effect Nov. 1. Health care providers -- whether they are for-profit, non-profit, or governmental entities -- may have obligations under the new rules. Medical identity theft is a real concern in the health care sector, and is included expressly in the Red Flag Rules Guidelines.
09/22/2008 Human Subjects Research Protection (OHRP)
The World Privacy Forum filed comments today with the Office of Human Research Protection urging the office to do more to protect the privacy of people who are subjects of research. The comments urge the OHRP to focus more attention on providing privacy-specific training for boards overseeing research, which are often weak in knowledge about the breadth of privacy issues in research. The WPF also voiced its strong support for certificates of confidentiality for research involving human subjects, stating that "nearly all research that involves identifiable health data or other personal data about individuals should have a certificate of confidentiality unless a researcher can state a substantive reason why a certificate is not appropriate for the study." OHRP will be accepting comments until Sept. 29.
08/27/2008 National Health Information Network (NHIN)
The National Health Information Network timeline and chronology that the World Privacy Forum maintains has been updated. Materials from the April/May public forum in Dallas are now online and linked, as are key upcoming events regarding the NHIN. Notably, in September the nine existing NHIN trial implementation projects that have been running and exchanging health data in California, North Carolina, New York, and other states are set to be demonstrated in Washington DC. These demonstrations are pivotal for the NHIN and how it takes shape going forward.
08/21/2008 Border Crossing Information System, DHS
Comments of the World Privacy Forum regarding the Border Crossing Information System; Some proposed routine uses of the system directly contravene the Privacy Act of 1974
The World Privacy Forum submitted public comments today to the Department of Homeland Security regarding its proposed Border Crossing Information System. The BCI system would set up a database of all border crossings via car, rail, air and other means, including collecting identifiable data on the activities of American citizens. Information collected includes biographical and other information such as name, date of birth, gender, a photograph, itinerary information, and the time and location of the border crossing. The WPF comments focus entirely on the proposed Routine Uses of the system. As currently written, the DHS proposal contains some Routine Uses that directly contravene the Privacy Act of 1974 and are illegal. Other Routine Uses are overbroad and vague, and still others contravene guidance from the Office of Management and Budget (OMB). One example of an overbroad Routine Use is Routine Use J, which will allow DHS to release data collected for the Border Crossing Information System for hiring decisions or contract awards. This information may be requested by Federal, state, local, tribal, foreign, or international agencies. Another Routine Use, G, impermissibly duplicates and weakens the Privacy Act's condition of requirement for notice when information is disclosed in certain circumstances.
08/19/2008 Privacy and the class of 2012
Perceptions of privacy by the class of 2012
Each year Beloit College publishes a "Mindset List" to share incoming college students' rapidly changing cultural frames of reference with the faculty. For the class of 2012, several privacy-related items made the Mindset List for the first time. The list notes that these students' frames of privacy references are that "Personal privacy has always been threatened" (#43) and "Employers have always been able to do credit checks on employees" (#39).
See the Beloit College Mindset List
08/07/2008 IPSC2008 Conference
The World Privacy Forum is co-hosting the first International Privacy and Security Conference 2008 (IPSC2008), to be held in Tokyo, Japan on November 11-12, 2008. Also co-hosting the conference are the Japan-based Institute of Electronics, Information and Communication Engineers (IEICE), Social Implications of Technology and Information Ethics, and the Japan Society of Security Management. This conference brings together Japan's leading privacy and security experts and scholars as well as experts from the US and the EU.
08/04/2008 Medical privacy
Some recent articles about the sale of patients' prescription histories to insurance companies have raised many consumer questions about this practice. Ingenix and Milliman -- two companies engaged in this practice -- were the subject of a Federal Trade Commission enforcement action which was published for comment in September 2007. The World Privacy Forum provided formal comments to the Federal Trade Commission last year about this enforcement action; the WPF sought to have all affected consumers notified of adverse actions taken based on the information, and asked the FTC to modify its enforcement action to include an appropriate monetary penalty against the two companies.
07/14/2008 European Privacy Seal
First EU Privacy Seal granted to search engine
Ixquick.com is the first search engine to receive formal EU privacy approval. The EuroPriSe (European Privacy Seal) was awarded to Ixquick after a lengthy certification process. Ixquick deletes its users' IP addresses after 48 hours.
07/12/2008 Security freeze
More than 45 states now have credit freeze laws, sometimes called security freeze laws. The World Privacy Forum security freeze page discusses what a security freeze is, who can place a freeze, and is newly updated with links to state-by-state laws and when available, tips for consumers from the relevant Attorney General web site.
07/10/2008 Do Not Call Registry
FTC reports more than 145 million telephone numbers are in the National Do Not Call Registry
In its fourth annual report to Congress on the Do Not Call Registry, the Federal Trade Commission released some interesting new statistics. As of September 2007, there were 145,498,656 telephone numbers in the Do Not Call Registry. The FTC also reported that 6,242 entities paid over $21 million for access to the DNC Registry in 2007. The report also details the FTC's enforcement actions against businesses violating the DNC Registry rules. As of September 30, 2007, the FTC had filed 25 cases regarding DNC Registry violations and had settled 22 of the cases.
07/09/2008 Financial privacy
U.S. consumers have the right to order one free credit report per year from each of the three national credit bureaus. The World Privacy Forum's landing page about federally-mandated free Annual Credit Reports and the consumer tips for ordering a free annual credit report have been fully updated.
07/08/2008 Internet privacy
The World Privacy Forum's guide on how to opt-out of tracking cookies has undergone a complete update. We have added new cookie opt-outs and have updated all of our descriptions of where and how to opt out of online ad tracking.
07/02/2008 Job search privacy
The World Privacy Forum's popular resume posting guide, 12 Resume Posting Truths, has been updated. This update is part of an ongoing project on job search privacy. The World Privacy Forum has extensive materials on job search privacy and job scams.
06/30/2008 Consumer Excellence Award
World Privacy Forum receives 2008 Consumer Excellence Award
World Privacy Forum executive director Pam Dixon has received a 2008 Consumer Excellence Award for her leadership and work in the area of medical identity theft and consumer privacy from Consumer Action. Also honored was Herb Weisbaum, a 5-time Emmy-winner who is a consumer contributor to NBC's Today Show. Consumer Action was founded in 1971 and is a national non-profit organization focused on consumer education and advocacy. The awards ceremony was held in San Francisco on June 26th. The World Privacy Forum is honored to accept this award.
06/20/2008 OECD | Fair Information Practices
OECD reaffirms its support for the 1980 OECD principles on privacy, or "Fair Information Practices"
At a key meeting of the OECD on the future of the Internet economy, the OECD Secretary General Angel Gurria reaffirmed support of the 1980 OECD Privacy Principles. Also, Secretary General Angel Gurria expressed support for formalizing the participation of civil society in OECD going forward and for paying more attention to information security and identity theft problems. Secretary General Gurria noted that "A more decentralised, networked approach to policy formulation for the Internet Economy that includes the active participation of stakeholders needs to be the norm." Many parts of the recent OECD meeting may be viewed online.
Related: OECD 1980 Guidelines | Related: World Privacy Forum Fair Information Practices Page
06/19/2008 Genetic privacy
Council for Responsible Genetics convenes experts and the public for database and genetics conference
The World Privacy Forum participated in a Council for Responsible Genetics (CRG) conference on genetic databases at New York University. The groundbreaking conference focused on key issues of race and genetic databases, fairness, accuracy, and privacy. The World Privacy Forum discussed a paper by Dr. Harry G. Levine, Drug Arrests and DNA, noting that innocent victims of medical identity theft may be arrested for the "drug seeking behavior" of the criminals impersonating them.
06/18/2008 Financial privacy
World Privacy Forum files comments with FTC regarding credit-based insurance scoring
The World Privacy Forum filed comments with the Federal Trade Commission today about its proposed study of credit-based pricing practices for homeowners insurance. The World Privacy Forum requested that the FTC ask insurers if there are specific procedures in place for detecting, mitigating, and responding to consumers who have been victims of identity theft. The WPF noted its support for the FTC's use of the FTC Act Section 6(b) authority to acquire robust information from the insurance companies.
06/03/2008 Internet privacy
05/08/2008 SACGHS | Oversight of genetic testing
Key genetic oversight report released; includes changes based on World Privacy Forum comments
The Secretary's Advisory Committee on Genetics, Health and Society (SACGHS) released its final report on Oversight of Genetic Testing (U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of Health and Human Services, April 2008, PDF, 276 pages). This is a substantial, thoughtful report that is likely to have a long-term impact on the field. The World Privacy Forum submitted formal written comments regarding this report when it was in draft form, and also appeared before the Committee in person in February of 2008 to discuss additional information relevant to the report. The final report reflects the World Privacy Forum comments and testimony. The report now includes a discussion about Direct to Consumer advertising and marketing as well as related privacy issues. The discussion in the final report also now acknowledges the implications of Direct to Consumer marketing of genetic tests regarding online privacy. The final report also reflects generally increased attention to privacy issues.
World Privacy Forum files comments on proposed changes to FERPA; requests changes to protect student and parent privacy
The U.S. Department of Education has published proposed changes to its FERPA regulations, FERPA standing for the Family Educational Rights and Privacy Act. FERPA is a significant regulation that controls how students' school records and "directory" information may be shared. The proposed regulations have one item the WPF is supporting, which is that SSNs are not considered part of the directory information. However, other aspects of the proposed regulation still need work to adequately protect students' and parents' privacy interests. The WPF commented in particular that schools should not be allowed to request and then store a full tax refund from parents in order to prove students' eligibility. The Forum also requested that students' electronic identifiers are not included in the definition of directory information. One area of substantial concern is that the Department of Education has not expressly provided that students who opt-out of having their directory information shared should not be penalized for opting out. Currently, the proposed regulations may be read to suggest that schools may be able to deny benefits, services, or even required activities to students who have exercised the right to opt-out of the publication of directory information. FERPA comments may be filed until close of business Eastern time May 8, 2008.
04/22/2008 Health Care Innovations workshop
World Privacy Forum to speak at Federal Trade Commission health workshop
The World Privacy Forum will be speaking at an upcoming FTC workshop on the topics of medical identity theft, personal health records, and direct-to-consumer genetic tests and marketing. The workshop is April 24, 2008. Workshop information is available at the FTC web site.
04/11/2008 Behaviorally targeted advertising | FTC proposed rules
World Privacy Forum files comments on behaviorally targeted ads online; requests separate rulemaking for sensitive medical information
The World Privacy Forum filed comments in response to the Federal Trade Commission's proposed self-regulatory guidelines for companies targeting online advertising to consumers based on consumer behaviors. The WPF requested a separate, formal rulemaking process for determining how sensitive medical information should be handled online regarding behaviorally targeted advertisements. The WPF also discussed genetic data and requests for genetic tests, and noted that genetic information should be included in any definition of sensitive medical information. The WPF reiterated that the definition of personally identifiable information should include IP address, and encouraged the FTC to work from a rights-based approach regarding online advertising. The WPF also urged the FTC to include all fair information practices in any self-regulatory regime, and to enforce the regime directly.
04/04/2008 Patient Safety Organizations | Proposed rulemaking
The World Privacy Forum filed extensive comments today regarding privacy protections for patients whose health care information will be shared with patient safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Healthcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule should expressly require data use agreements for any data sharing, that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations. The full set of recommendations is available in the WPF comments. The proposed rulemaking will be open for public comments until April 14, 2008.
03/31/2008 Genetic privacy | medical privacy
The World Privacy Forum has published a new page on genetic privacy outlining basic policy issues and collecting World Privacy Forum work in the area. The page also links to key external research being done in privacy and genetics, and also links to key organizations doing work in this area in the U.S. and the U.K.
03/18 Medical ID theft
Based on interviews with numerous victims and others involved in the crime of medical identity theft, and based on our own work with victims, the World Privacy Forum has added some new information to its 2006 consumer tips for medical identity theft. We have also slightly updated some of the older tips based on new information. The Forum has also updated its medical identity theft landing page to reflect our new and ongoing work in this area.
02/20/2008 New publication | PHRs and privacy
The World Privacy Forum has published a new legal and policy analysis examining Personal Health Records -- or PHRs -- and the privacy issues associated with them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy, was prepared by Robert Gellman for the World Privacy Forum. The analysis finds that significant, serious threats to privacy exist in some PHRs.
02/20/2008 Consumer advisory | PHRs and privacy
WPF Consumer Advisory: The Potential Privacy Risks in Personal Health Records Every Consumer Needs to Know About
The World Privacy Forum has issued a consumer advisory about the privacy of PHRs to help consumers understand and approach the complex privacy issues PHRs can raise. Consumers need to know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting.
02/13/2008 Genetic privacy | SACGHS
The World Privacy Forum gave testimony to the Secretary's Advisory Committee on Genetics Health and Society regarding privacy issues stemming from direct-to-consumer advertising and consumer-initiated genetic testing. The World Privacy Forum noted that a great deal of consumer health data circulates outside the protections of HIPAA, and a substantial market for this kind of consumer health data already exists. Genetic data about consumers that is acquired outside the clinical context and is not subject to the protections of HIPAA (for example, through consumer-initiated genetic testing) will likely not be any more protected than other forms of consumers' health-related information from the current demands of the market. However, the consequences of leakage of genetic information about consumers into the marketing stream could have potentially negative consequences for both those consumers and their blood relatives. The World Privacy Forum urged the committee to include specific recommendations about privacy in its upcoming report to the Secretary, and also urged the committee to work with other federal agencies to set up a pre-market oversight structure that includes significant and meaningful privacy protections for genetic testing occurring outside of the protections of HIPAA.
02/11/2008 Financial privacy / credit reports
World Privacy Forum, NCLC, and Consumer's Union file extensive comments regarding accuracy of credit reports
The NCLC, Consumer's Union, and the World Privacy Forum filed extensive joint comments today regarding the proposed rulemaking, Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies under Section 312 of the Fair and Accurate Credit Transactions Act. The results of the proposed rulemaking will have a significant impact on how the accuracy of credit reports is defined for consumers, and will have a substantive influence over how consumers may handle credit report disputes directly with those who furnish information for the reports.
01/28/2008 Financial privacy / credit reports
Opportunity for public comment on the accuracy of credit reports
Consumers and organizations have an opportunity to submit public comments about the accuracy and integrity of credit reports. Until February 11, the Federal Reserve Board, the Federal Trade Commission and other banking agencies will be accepting comments on their draft rulemaking regarding how creditors and other furnishers provide information to consumer reporting agencies, and which types of direct disputes they must handle. This proposed rulemaking is a key one; it defines what accuracy and integrity of information provided to consumer reporting agencies means, how disputes may be handled directly with the furnishers, and which types of direct disputes furnishers may ignore. The NCLC, Consumer's Union, and the World Privacy Forum have written a sample letter that may be downloaded and used or modified for the comments. To file your letter, submit your comments to the Board of Governors of the Federal Reserve System by mailing the comments to email@example.com with the subject line "Docket No. R–1300."
01/28/2008 Opt-out / Financial privacy
The World Privacy Forum has updated its popular Top Ten Opt Out list to reflect several new changes made to the Direct Marketing Association opt outs. In the past, some of the DMA opt-outs, like the Direct Marketing Association's mailing preference lists, used to cost $1. That fee has now been removed for people opting out online. Please see item #3 on the Opt Out list for the complete update.
12/19/2007 Genetic privacy / SACGHS
World Privacy Forum files public comments regarding oversight of genetic testing; warns about the privacy risks related to unregulated commercial genetic tests and the need to prevent phantom genetic tests from becoming a new business model for fraudsters
The World Privacy Forum filed extensive comments with the Secretary's Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The World Privacy Forum requested SACGHS pay more attention in its final report to the privacy consequences of unregulated genetic testing that occurs outside the health care sector. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Another area the comments discuss is the potential for new forms of fraudulent activity related to genetic testing (phantom genetic testing, that is, genetic tests marketed to consumers that are not even real or viable genetic tests). The World Privacy Forum specifically recommended that the National Committee on Vital and Health Statistics be tasked with looking at this matter, that an independent pre-market assessment mechanism is created for genetic tests offered outside the clinical setting, and that privacy be expressly discussed in the overarching recommendations in the final report.
12/19/2007 Fair Information Practices
The World Privacy Forum has updated its page on Fair Information Practices to include the new work by Robert Gellman in this area. His article, Fair Information Practices: A Basic History, December 2007, is an important history of the development of Fair Information Practices. It includes information that even experts familiar with FIPs may not know.
11/29/2007 Medical identity theft update
New FTC statistics affirm World Privacy Forum's 2006 Medical Identity Theft report; give first robust medical identity theft statistics
The Federal Trade Commission released its national ID theft survey, which for the first time contains statistics specific to medical identity theft. According to the FTC report (p. 21), 3 percent of all identity theft victims in 2005 were victims of medical identity theft, which means of 8.3 million ID theft victims, approximately 250,000 people were victimized by medical identity theft in that year alone. The purpose of the World Privacy Forum 2006 report was to prove that medical identity theft existed, and was already occurring in large numbers. At the time the report was published, the crime of medical identity theft had not been specifically studied, nor was it understood to exist. The FTC statistics abundantly affirm the thesis and conclusions of the WPF report.
11/05/2007 Security Freeze update | Financial privacy
As of November 1, 2007, the ability to place a security freeze is available nationwide at the three major credit reporting bureaus. To date, 39 states and the District of Columbia have some form of security freeze law. But now, even in the states that did not pass security freeze legislation, consumers will be able to place a security freeze. A security freeze lets you stop the disclosure of your credit report by a credit bureau. A security freeze can be especially helpful to individuals who are having persistent problems with identity theft. For more information:
11/05/2007 Announcement | CalPSAB
World Privacy Forum appointed to California Security and Privacy Advisory Board
WPF executive director Pam Dixon has been appointed by California Secretary of Health and Human Services Kim Belshe to the California Security and Privacy Advisory Board. Dixon will serve as interim co-chair of the board, which is tasked with addressing health information exchange (HIE) privacy and security efforts in California. The board's meetings will be open to the public. For more information see: CalPSAB's web site.
11/02/2007 Report | Internet privacy | NAI
WPF Report: The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation
The World Privacy Forum published a new report today, The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation. The report is an in-depth analysis of the history and current operations of the Network Advertising Initiative (NAI) self-regulatory agreement. The NAI was created to protect consumers' online privacy in the behavioral advertising arena. The report finds that the NAI has failed. The report discusses the failure of the NAI opt-out cookie, the uses of persistent consumer tracking technologies that go beyond cookies, such as Flash cookies, browser cache cookies, XML super cookies, and other issues. The report also discusses the practice of re-setting cookies after cookie deletion. The report gathers the details of the difficult membership history of the NAI, as well as the enforcement history of TRUSTe regarding NAI.
Executive director Pam Dixon will be testifying before the FTC eHavioral Town Hall meeting Nov. 2 to discuss the findings of this report, which will be submitted to the FTC.
10/30/2007 Consensus document | Consumer rights and protections
Privacy and consumer groups unveil consensus document recommending expanded consumer rights and protections in the behavioral advertising sector; call for a Do Not Track list, access, limits of the use of sensitive medical and financial information, expanded notice, accessibility for people with disabilities, and other rights
Nine privacy and consumer groups, including the World Privacy Forum, unveiled a consensus document outlining key consumer rights and protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC's eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failed to protect consumers.
10/16/2007 Medical identity theft / AHIMA
World Privacy Forum gives keynote speech to AHIMA on medical identity theft; outlines 8 best-practice responses to the crime
Executive director Pam Dixon spoke to thousands of AHIMA delegates in Philadelphia sharing the latest information on medical identity theft and outlining 8 best practice responses to the crime for the health care sector. Dixon specifically asked for the creation of national guidelines for helping medical identity theft victims, the ability for victims to set red flag alerts in their health care files, that providers train and have dedicated personnel to help medical identity theft victims, "john and jane doe" file extractions, a focus on addressing insider access to patient information, risk assessments specifically for medical identity theft, and educational efforts. The information in the speech was based on the latest World Privacy Forum research in the area of medical identity theft.
10/16/2007 Medical identity theft | Best practice responses
World Privacy Forum outlines 8 best practice responses to medical identity theft for the healthcare sector
The World Privacy Forum has outlined 8 best practice responses to medical identity theft for the health care sector. The best practice responses are based on research the Forum is conducting for its second report on medical identity theft, and are a work in progress. The 8 best practice responses were presented to AHIMA delegates October 9; the Forum is soliciting and accepting feedback on the 8 best practices.
10/12/2007 Medicare / CMS
World Privacy Forum files comments on CMS plan to allow release of patients' protected health information from Medicare database in some circumstances; benefits do not outweigh the risks
The World Privacy Forum filed extensive public comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.
09/17/2007 NHIN update
The National Health Information Network, or NHIN, is part of a major undertaking to digitize and network the health care sector. From electronic health records to multi-state health information hubs, the U.S. government's goal is to modernize and move health care information from paper to digital. The Department of Health and Human Services is the primary mover behind this initiative, which is complex and multi-faceted. The World Privacy Forum keeps a chronology of NHIN events as a public service. The NHIN timeline has been updated to reflect changes in AHIC, a group that is charged in part with ensuring privacy and confidentiality in the NHIN and other aspects of health care modernization. AHIC is set to transition to a "public-private partnership," a move that will need to be watched closely to ensure robust consumer involvement.
09/07/2007 AHIC successor / health care privacy
World Privacy Forum requests adoption of a "no stakeholders left behind" policy in AHIC successor plans
The World Privacy Forum offered public comments on HHS' American Health Information Community (AHIC) successor plans, urging that HHS adopt a "no stakeholders left behind" policy as it forms the new public/private AHIC. The Forum's analysis of the AHIC Successor White Paper concluded that the current succession plans lack processes and checks that would ensure meaningful consumer participation, and that the AHIC successor plans as they currently stand do not bode well for a robust role for privacy or consumer groups in the new AHIC. Specific issues the World Privacy Forum discussed in its comments included fee structures, membership, handling conflicts of interest, stakeholder issues, privacy and identifiability issues, and the need for the new AHIC to achieve credibility.
08/30/2007 Consumer alert update
Update: Monster.com saying data breach may impact all users of Monster.com, official Federal job site USAJobs.com impacted
Monster.com posted a warning on its site stating that all users of Monster.com may have been impacted by the data breach of its systems by hackers. All job seekers need to be aware of potential phishing attacks that are sophisticated and highly targeted, and job seekers with safety considerations need to be aware that their information has likely been compromised. The U.S. Office of Personnel Management has announced that the Federal job site USAJobs (which is outsourced to Monster.com) has also been impacted by the breach. The World Privacy Forum has updated its job seeking tips, and its consumer alert.
08/24/2007 Data breach / GAO data breach study
The World Privacy Forum made an information request to the GAO asking for a copy of the single, non-duplicative list of data breaches that its June 2007 data breach report (GAO-07-737) refers to and was based on. The list was not included in the GAO report. The GAO used a figure in its report of "more than 570 data breaches" from January 2005 to December 2006 based on this non-duplicative breach list. The GAO breach list is straightforward: it tallies data breaches chronologically from January 1, 2005 to December 31, 2006 from three organizations that maintain data breach lists. If the breach appeared on at least one of the three lists, it was apparently included in the final tally. The GAO states that the list was based on a February 15, 2007 download of the lists. Note: the WPF scan of the GAO list includes the first page twice. The front page of the scan is of the GAO list as it looks in the original document, and then the list was scanned for maximum readability into PDF format.
08/23/2007 AHRQ / databases / medical privacy
In June, the Agency for Healthcare Research and Quality (AHRQ) published a request for information about its plan to create a "public/private" national database of healthcare information tentatively called the "National Health Data Stewardship entity." WPF and EFF raised questions about ownership and management of the proposed database (Would this database fall under HIPAA? Would it fall under the Privacy Act of 1974?), questions about identifiability of patients in the database, and suggested that a full-time, independent privacy officer should be established for the program from the inception of the planning stages. The comments also discussed the numerous questions relating to data security (including medical identity theft) and data quality, as well as consent, access, and opt-out procedures for patients that the proposed national database raises.
08/22/2007 Consumer Alert / Internet privacy / Job search safety and privacy
Consumer Alert: Monster.com data breach impacts hundreds of thousands of job seekers; job seekers who have safety concerns may be especially at risk
The World Privacy Forum issued a consumer alert today warning about a data breach at Monster.com. Security firms that analyzed the breach have stated the breach impacts hundreds of thousands of job seekers. The immediate information that was stolen included job seekers' home address, phone numbers, email address, and resume IDs. Some victims may have received further phishing emails. Job seekers who have safety concerns such as law enforcement professionals, victims of domestic violence and other victims of crimes such as stalking -- who typically do not make their home addresses or personal phone numbers public -- have an immediate need to know if their personal information may be in the hands of criminals. The consumer alert contains tips for victims and links to resources and more information.
08/08/2007 Medical privacy / NCVHS / HIPAA
World Privacy Forum responds to June 2007 NCVHS recommendations to the Secretary of HHS regarding health care information at non-HIPAA covered entities
The World Privacy Forum has sent a letter to Dr. Simon P. Cohn, Chairman of the National Committee on Vital and Health Statistics, supporting the Committee's formal conclusion that all entities that create, compile, store, transmit, or use personally identifiable health information should be covered by a federal privacy law. More needs to be done about health care data that is left unprotected by HIPAA. The Forum's letter included a discussion of two HHS programs that operate outside of HIPAA: FDA RiskMAPS, and the National Institutes of Health, which is not a covered entity under HIPAA. Read the World Privacy Forum letter to NCVHS here (PDF). The NCVHS letter to the Secretary on HIPAA and non-covered entities is available here (PDF, at the NCVHS web site). For more about RiskMAPs, see WPF testimony from August 1, 2007 (PDF) and June 26, 2007 (PDF).
08/01/2007 iPledge Program / FDA
World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues
07/26/2007 National Disaster Medical System / Privacy Act of 1974
World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA
The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require. Read the comments (PDF).
07/22/2007 Top ten opt out list
This is a list of the top things to opt out of, and how to opt out. Millions of people have heard about the Do Not Call list, an opt out list that gets people off of telemarketing lists. But many fewer people have heard about the other opt outs that are available, like those that can take people out of data broker lists or opt outs that can stop schools from giving out directory information like email and home addresses. Opting out can range from the not-too-difficult (the Do Not Call list is a fairly simple opt out) to the challenging. This list is meant to simplify the information about which opt out does what, to help decide if a particular opt out is the right choice, and how to go about opting out. See the WPF Top Ten Opt Out List.
07/22/2007 Security freeze / identity theft / financial privacy
A credit freeze (sometimes called a security freeze) lets you stop the disclosure of your credit report by a credit bureau. A credit freeze can be especially helpful to individuals who are having persistent problems with identity theft. If you live in a state with a security freeze law, then you may be able to place a security freeze on your files. This World Privacy Forum resource gives general background on security freezes, lists the states with security freeze laws, and links to more information for each state. See the Security Freeze page.
07/10/2007 FDA privacy standards - RiskMAPs
06/07/2007 Genetic privacy
World Privacy Forum makes presentation at National Academy of Sciences' Institute of Medicine
Executive director Pam Dixon presented key issues and potential solutions regarding privacy and Genome Wide Association Studies at the Institute of Medicine's Board on Health Sciences Policy meeting. Her presentation included recommendations to engage in a comprehensive study of certificates of confidentiality, to encourage standards of identifiability, to encourage study of what more uniform standards of privacy and security for researchers might look like, and a recommendation to work toward broad solutions that extend beyond GWAS activities.
06/04/2007 AHIC - National Health Information Network
The American Health Information Community Workgroup on Confidentiality, Privacy and Security requested public feedback regarding its working hypothesis. WPF responded to the request with public comments encouraging the adoption of a unified policy architecture and encouraging AHIC to focus on enforcement mechanisms that are intended to directly benefit consumers. WPF also encouraged AHIC to look comprehensively at the demands a new national electronic health exchange network will make on privacy in the health care sector. Read the comments (PDF). See also the National Health Information Network Page for more about the NHIN, and the WPF medical privacy page.
05/24/2007 Genetic privacy / PGx
World Privacy Forum files public comments and recommendations on pharmacogenomics privacy: all patient-specific PGx research should require certificates of confidentiality
The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals' privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of "privacy advocate" so as to provide oversight in this area. Read the comments (PDF). For more information, see the genetic section of the WPF Medical Privacy Page. Related note: Executive director Pam Dixon will be speaking about genetic research and privacy at the Institute of Medicine on June 7.
05/08/2007 REAL ID / National ID
The World Privacy Forum and the Electronic Frontier Foundation (EFF) filed joint comments with the Department of Homeland Security about the proposed national ID system, REAL ID. The comments discuss the substantial flaws in the proposed REAL ID system including concerns about the overall structure of the program, the cards, the databases attached to the cards, the lack of controls on "function creep," the possibilities for discrimination, the potential for increased risk of identity theft, issues related to potential gaps in coverage for recipients on Federal programs, among other issues. Read the comments (PDF). See the EFF REAL ID pages for background about REAL ID.
05/04/2007 REAL ID
REAL ID is a national ID card program. Currently, the Department of Homeland Security is accepting public comments on the REAL ID plan. Comments will be accepted until Tuesday, May 8. The World Privacy Forum has joined with a large coalition of groups to solicit public comments on REAL ID; to file comments, please visit the Speak Out Against REAL ID coalition page for more information. http://www.privacycoalition.org/stoprealid/
04/20/2007 Discussion Forum: Consent and Privacy
World Privacy Forum launches its Discussion Forum with an inaugural paper by Robert Gellman on the complexities of consent in the privacy sphere. Gellman's analysis focuses on the core privacy issues underlying "The Maine Incident," that is, Maine's historic 1998 passage of medical privacy legislation, and the subsequent repealing of key aspects of that legislation two weeks after it was enacted. Issues related to consent were key factors in the Maine events. Read Gellman's paper in the WPF discussion forum, or jump directly to Gellman's paper: Consent for Disclosures of Health Records: Lessons from the Past (PDF).
04/03/2007 National Health Information Network
Recently, the first live prototypes of the NHIN were demonstrated in Washington, D.C. This was a milestone event in the development of the planned network. The National Health Information Network is an ambitious project the U.S. government undertook in 2004 to digitize and network patient health records across the nation. This project raises challenging confidentiality, privacy, and security issues. See the World Privacy Forum's updated NHIN page and NHIN Timeline for more information. Also see the Forum's Medical ID theft report for an analysis of the potential impact of an NHIN on medical ID theft issues.
03/21/2007 Medical privacy / Department of Transportation
Commercial drivers' license applicants requesting exemption from the diabetes standard have their personal medical information, name, age, and more published in the Federal Register; World Privacy Forum urges changes to the practice
The World Privacy Forum filed comments with the Department of Transportation today regarding the department's publication of the detailed personal medical information of individuals subject to DOT regulations in the Federal Register along with their names, ages, and other identifying information. The WPF comments argue that personal medical information combined with name, age, etc. does not belong in the Federal Register, where it can have potentially far-reaching consequences for those individuals who are named as well as their family members. The comment period closes April 2. Read the WPF comments (PDF).
02/05/2007 Genetic privacy
World Privacy Forum comments about the ethical, legal, and social implications of using genetic health care data in electronic health records
The World Privacy Forum filed public comments with the Department of Health and Human Services in response to an HHS request for information regarding the use of patients' genetic data for research, health care, and for use in electronic health records. The World Privacy Forum is requesting that HHS use all Fair Information Principles in any personalized health care projects, and is requesting that a formal ELSI (ethical, legal, and social implications) committee be set up to oversee any projects, among other requests. Read the comments (PDF). Also see: WPF Fair Information Practices page.
01/19/2007 Identity Theft
President's Identity Theft Task Force: World Privacy Forum requests that medical identity theft be added to task force agenda
The World Privacy Forum filed comments and recommendations with the President's Identity Theft Task Force. The task force's draft report and recommendations did not include or contemplate medical identity theft solutions for victims; the WPF has requested and recommended that this be corrected. Medical identity theft victims need more help, more recourse, and agency attention. Read the WPF task force comments (PDF). Also see the WPF Medical ID Theft Page, which links to the WPF report, consumer tips, and FAQs for victims.
12/15/2006 e-Government / CIPSEA
WPF comments on proposed guidance on Confidential Information Protection and Efficiency Act of 2002 (CIPSEA)
The World Privacy Forum submitted comments to the Office of Management and Budget regarding proposed guidance on Title V of the e-Government Act. The proposed guidance did not address the relationship between CIPSEA and the USA PATRIOT Act Section 215, and guidance regarding identifiability and the Privacy Act of 1974 needs to be further refined. WPF suggests that OMB consider developing a formal statistical confidentiality seal controlled by a federal agency. The purpose would be to provide an identifiable marker that would tell individuals if the information they provide will receive the highest degree of confidentiality protection available under law. Read the WPF comments (PDF).
12/14/2006 Medical privacy / Medicare Part D
World Privacy Forum Requests That CMS Bring Its Medicare Part D Data Activities Under HIPAA and Require Certificates of Confidentiality to Protect Patient Privacy
In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice. Read the comments (PDF).
12/06/2006 Identity theft / Consumer Alert
The Federal Trade Commission has set up a new web site and phone number for identity theft victims of the Choicepoint data breach. The new site and phone number give victims information on how to file claims for monetary reimbursement if out-of-pocket losses accrued as a result of the ID theft. A fund of $5 million is available to victims; the deadline for filing is February 4, 2007. The site is <http://www.ftc.gov/choicepoint>, and the data breach hotline phone number is 1-888-884-8772.
11/27/2006 Privacy Act of 1974
Department of Justice Proposes Making Changes to Routine Uses of its Systems and Databases; World Privacy Forum Files Comments on Problematic Privacy Act Issues with the Proposed Changes
The Department of Justice published a notice proposing to update the Routine Uses of its systems and databases under the Privacy Act of 1974. The proposal was not precise enough, and was written in such a way as to allow sensitive Privacy Act systems such as the Criminal Division Witness Security File (CRM-002), the Witness Immunity Records (CRM-022), and the National Instant Criminal Background Check System (NICS, FBI-018) to be disclosed to almost anyone in certain circumstances, including to individuals working outside of law enforcement. The World Privacy Forum is requesting that the DOJ significantly tighten its language in the proposal, and specify what individuals or entities may have access to these sensitive records, and under what specific conditions. The World Privacy Forum is also requesting that the DOJ republish all of its up-to-date system of records notices in their entirety immediately and at least every two years thereafter. Read the comments (PDF).
10/31/2006 Genetic privacy
Genome-wide association studies present complex and challenging privacy issues. The National Institutes of Health, in a published request for information, asked for public comment on its proposed policy regarding its support and management of a central genomic repository for genome-wide association studies. In comments filed with the National Institutes of Health, the World Privacy Forum raised concerns about the proposed NIH policy in the specific areas of genetic identifiability, secondary uses of the genetic data, oversight, legal protections, and informed consent. Read the comments (PDF).
09/27/2006 Privacy Act of 1974
World Privacy Forum Files Comments on a Proposed DHS rulemaking; asks the Department to make a Commitment to Transparency and Accountability
In response to a proposed Department of Homeland Security rulemaking regarding a system of records, the World Privacy Forum filed comments requesting changes. The primary objections are that the proposed system of records commingles records and functions, the proposed exemption is inconsistent with the system notice, and DHS's proposed exemption from civil remedies was not correct, among other issues. The World Privacy Forum stated in its comments that the Department of Homeland Security should demonstrate its commitment to accountability and transparency in the rulemaking. Read the comments (PDF).
09/18/2006 Identity theft, medical identity theft
World Privacy Forum Comments on "Red Flag" Guidelines for Identity Theft, Requests Addition of Medical Identity Theft to Red Flag Rule
The World Privacy Forum filed comments with the Federal Trade Commission, the Treasury, and other federal agencies today regarding the joint draft rule on "Red Flags" for identity theft. In its comments, the World Privacy Forum requested that medical identity theft be added to several aspects and portions of the proposed rule. Adding medical identity theft to the rule is essential to help close gaps in protection for consumers and to encourage health care providers to attend to victims' challenges and needs regarding medical identity theft. Read the comments (PDF). For more on medical identity theft, also see the Forum's medical identity theft report and tips on the Medical Identity Theft page.
08/16/2006 Internet privacy
The World Privacy Forum filed a complaint today with the Federal Trade Commission regarding AOL's multiple releases of portions of its users' search query histories. The complaint discusses AOL search query releases from 2004 and 2006. The complaint alleges that the data release was intentional, and due to significant identifiability issues of the data subjects, that the releases are harming some AOL customers, and that AOL customers did not know their search histories would be made available to the public. The World Privacy Forum urges consumers to take precautions when using search engines. For more see the complaint (PDF). Also see the World Privacy Forum Search Engine Privacy Tips.
08/08/2006 Internet privacy
The World Privacy Forum announced today that it would be filing a complaint with the Federal Trade Commission about the posting by AOL of a portion of its users’ search data on the Internet. While the data was not expressly identified by name, the search queries themselves included in some cases personally identifiable information such as individuals’ names, Social Security Numbers, and myriad other personal information. The World Privacy Forum urges consumers to take precautions when using search engines. For more see the Press Release. Also see the World Privacy Forum Search Engine Privacy Tips.
07/20/2006 Genetic privacy
The collection of DNA material from 500,000 to 1,000,000 or more individuals as part of a large U.S. medical research project raises many challenging ethical, legal, and privacy issues. An advisory committee reporting to the Office of the Secretary of Health and Human Services (the Secretary's Advisory Committee on Genetics, Health and Society) has published a detailed analysis of the issues such a project and its associated databases and biobanks would raise in a draft report. The committee's final report and policy recommendations will be submitted to the Secretary of HHS. The World Privacy Forum has submitted public comments on the draft; the comments include key policy recommendations.
06/30/2006 Medical records privacy and how-to
Following its report on medical identity theft, the World Privacy Forum has responded to the need for specialized advice for victims of medical identity theft. The Access, Amendment, and Accounting of Disclosures: FAQs for Medical ID Theft Victims is the first resource of its kind, and is intended to help victims navigate the complicated process of correcting medical files and recovering from the unique harms of medical identity theft. The FAQ includes sample letters to use, as well as step-by-step advice on how to get a copy of health records, ask for changes to health records from healthcare providers, and ask for a history of disclosures of health records. Read the FAQs. For more see the Medical ID Theft page.
06/15/2006 Agency comments / Medical privacy
World Privacy Forum comments on Medicaid Program and State Children's Health Insurance Program Systems Notice; requests changes
The World Privacy Forum submitted comments to the Centers for Medicare & Medicaid Services requesting that it amend a Systems of Records Notice to address an oversight and address other privacy issues. The Forum requested that CMS add a reference in the system notice to Executive Order 13181 of December 20, 2000, “To Protect the Privacy of Protected Health Information in Oversight Investigations.” The Forum also requested that the routine uses be revised to reflect the HIPAA requirements as appropriate when the disclosures involve HIPAA records. Read the comments in PDF.
06/05/2006 National Health Information Network
This timeline charts the major developments of the National Health Information Network. This network, usually called the NHIN, is a project led by the U.S. government. The goal is to transition from a paper-based health care system to a digitally based one, with electronic medical files to be shared over a network. The NHIN is intended to be a sophisticated network that hospitals, insurers, doctors, and others could potentially access. Such a network brings patient privacy, security, and confidentiality issues into sharp relief. The NHIN now has pilot projects underway in multiple U.S. cities. This timeline charts the NHIN from its start to the present. See the timeline on the web. See the NHIN page for other NHIN news and updates.
06/05/2006 Fair Information Practices
This is a short introduction to the eight principles known as "Fair Information Practices." These eight principles and practices describe how an information-based society may approach information handling, storage, management, and flows with a view toward maintaining fairness, privacy, and security in a rapidly evolving global technology environment.
05/03/2006 Medical privacy
This new World Privacy Forum report (PDF Executive Summary) (PDF Full Report) describes what medical identity theft is, discusses victim experiences, and explains why this crime is important to detect. Victims of medical identity theft may not know that they have medical files that have been falsified by imposters, and can receive improper medical treatment based on these errors. The report estimates that between a quarter and a half million people have been victims of medical identity theft. See the Medical identity theft page for the report, for updates, and for consumer tips.
03/08/2006 Financial privacy
Comments to IRS on Tax Information Sharing
Joint comments filed by EPIC, Privacy Rights Clearinghouse, and World Privacy Forum. Comments are available at the EPIC site: <http://www.epic.org/privacy/tax/irscom3806.html>.
02/08/2006 Medical privacy / HIPAA
Five groups joined the World Privacy Forum in asking for changes to be made to a proposed rule on how medical healthcare claims attachments are handled electronically. The World Privacy Forum and the EFF, EPIC, Privacy Rights Clearinghouse, Privacy Activism and U.S. Public Interest Research Group (U.S. PIRG) asked that physicians be given more control over what parts of health records they send electronically to insurance companies, that psychotherapy notes not be included when sending health records for insurance payment, and that the HIPAA Privacy Rule be rigorously applied to scanned health records. Read the comments in PDF format.
01/31/2006 Domestic surveillance
World Privacy Forum Requests NSA Domestic Surveillance Inquiry
The World Privacy Forum joined a coalition of 41 civil liberties, privacy, and trans-political organizations in a letter requesting a thorough and comprehensive inquiry by the Committee on the Judiciary into domestic surveillance program(s). Read the letter in PDF format.
01/20/2006 Internet privacy
Working to proactively prevent problems related to the use of search engines is preferable to trying to clean up privacy problems after the fact. Here are some tips and resources for enhancing search engine privacy. Read the tips.
01/04/2006 Identity theft
The World Privacy Forum submitted comments in response to the Federal Trade Commission's request for feedback on its upcoming identity theft survey. The FTC identity theft survey is one of the most quoted surveys on the subject. The World Privacy Forum requested changes and clarifications to the survey, including adding questions about security breach notices and clarifying existing questions about medical identity theft, among other issues. Read the comments in PDF format.
11/04/2005 Medical privacy
World Privacy Forum Comments to HHS on Protecting Patient Choice and Expanding Medical Privacy Rights
The World Privacy Forum filed comments with Health and Human Services this week asking the agency to protect patient choice and privacy. The World Privacy Forum asked that patients continue to be able to receive accounting of disclosures under HIPAA, and asked that this important patient right under HIPAA not be removed or weakened. The World Privacy Forum also asked HHS to review how patients' records can be amended under HIPAA, and recommended that, in light of the coming National Health Information Network, changes to enhance patient choice may be needed in this area. Read the comments on the Web or in PDF format. For more on the National Health Information Network, see our NHIN page.
9/30/2005 Medical privacy
The World Privacy Forum testified before the National Committee on Vital Health Statistics in August regarding the importance of patient choice in the area of Electronic Health Records. The testimony stressed the importance of building security, patient privacy, and choice into EHRs and any form of the proposed National Health Information Network (NHIN). Read the testimony on the Web or in PDF format.
Also see the Forum's NHIN page.
In official comments filed with the Federal Communications Commission, the World Privacy Forum urged the Commission to maintain state telemarketing regulations. (PDF Comments.)
This new report (PDF Complete Report) (HTML Exec Summary) is a complete update on the Forum's original February 25 report on AnnualCreditreport.com. Since the publication of the first Call Don't Click report, the number of imposter sites has increased by 124 percent. Some of the imposter sites have become more aggressive, improperly asking for consumers' Social Security Numbers. Other imposter domains lead to commercial data broker sites. The report lists and discusses the sites, the new findings, and recommendations. See the AnnualCreditReport.com page.
7/11/2005 Resume and jobsearching privacy
Before you post your resume online, read these twelve resume posting truths to help minimize resume privacy problems such as identity theft. Job Seekers Guide to Resume Databases: Twelve Resume Posting Truths. For more resources on job search privacy, see the World Privacy Forum's Workplace Privacy Project.
6/07/2005 Medical privacy
HIPAA News and National Health Information Network News
In HIPAA news, the Department of Justice has released a new ruling regarding HIPAA. The opinion is available here (PDF). Also, the HHS report summarizing the 500+ comments on the RFI for the National Health Information Network has been posted. The HHS report is available here. The World Privacy Forum and the Electronic Frontier Foundation submitted joint comments for the NHIN RFI; those comments are available here (PDF).
5/26/2005 Financial and Internet privacy
Before you call, click, or mail away for your federally mandated free credit report, read these tips to help you avoid potential problems. This consumer tip sheet includes graphics to show you what problematic "fake" free credit sites look like, and includes consumer-tested tips for safely receiving your free reports. The tip sheet also includes resources with information, phone numbers, and addresses for ordering your report. See the AnnualCreditReport.com page for more.
2/15/2005 Medical Privacy / Infrastructure & Databases
The World Privacy Forum and the Electronic Frontier Foundation have submitted official comments in response to the U.S. government's "Request for Information" about its plan to digitize all patient medical records and create an electronic "National Health Information Network" or NHIN. The comments urge caution in designing the NHIN and call for the government to build privacy, security, and open source technologies into the system from the beginning of the project. NHIN Joint Comments PDF. Also see the NHIN page.
1/19/2005 Workplace Surveillance and Privacy
The World Privacy Forum testified on January 19 regarding the need to build reasonable privacy and security protections into the proposed "smart" Federal ID cards. The testimony included recommendations on making the mandated employee background checks equitable, careful implementation of the Privacy Act, and conducting a Privacy Impact Assessment. Other key issues included setting limits on card use and protecting the mandated source documents, such as birth certificates, that will be required to obtain a card. WPF and other testimony is available at the National Institute of Standards and Technology site: <http://csrc.nist.gov/piv-project/workshop-Jan19-2005/presentations.html>.
12/23/2004 Workplace Surveillance and Privacy
WPF, EFF, Privacy Rights Clearinghouse, and PrivacyActivism call for greater attention to privacy provisions of the proposed new Federal ID card, which will be "contactless."
9/07/04 Job Applicant Privacy
Originally created for the 2003 Job Search Privacy Study in PDF format, the Guide has been made into an easy to use Web page. Job seekers can now click through the guide as they look for job sites that are pro-privacy.
9/07/04 Internet Privacy
Some computer cookies are harmless, but others can track your moves across many Web sites, eventually building a detailed dossier of your preferences. This new consumer tips article discusses the difference, and links to "opt out" cookies that will stop the tracking.
7/08/04 Internet Privacy and Security; Job Applicant Rights and Privacy
This new report tracks a widespread online job scam over the course of a year from July 2003 to July 2004. The report contains findings, recommendations, critical new tips for job seekers, and examples and explanations of the scam in action (emails to victims, contracts, etc.) The report examines the intersection between job fraud and job seeker privacy. Responses from job sites about what they are doing about job fraud are included in the report. Report HTML | Report PDF
7/08/04 Internet Privacy and Security; Job Applicant Rights and Privacy
This visual timeline chronicles a year of a job scam. The timeline documents the cities the fake jobs were targeting, dates the jobs posted, the various company names the scam operated under, and the contact names used in the scam. The job scam timeline is documented with screen shots of the job listings and how they looked as posted. The scam is still active. Timeline HTML
7/08/04 Internet Privacy and Security; Job Applicant Rights and Privacy
These reality-based consumer tips are simple and are based on research from the key findings in the World Privacy Forum Job Scam Report. The Consumer Tips include "Red flags" to recognize scams and a step-by-step explanation and illustration using real examples of how one type of scam operates. Tips HTML
7/5/04 Database Privacy
In comments submitted to ICANN's Task Forces 1 and 2 on the WHOIS Database, the World Privacy Forum has asked for tiered access to domain registry information. This would allow domain registrants the ability to keep home phone numbers, addresses, and email addresses private. The WPF has also asked that personal information in the WHOIS database not be made available to marketers. Comments PDF