Security Freeze update: as of November 1, security freeze now available to consumers in all states

Security Freeze update | Financial privacy -- As of November 1, 2007, the ability to place a security freeze is available nationwide at the three major credit reporting bureaus. To date, 39 states and the District of Columbia have some form of security freeze law. But now, even in the states that did not pass security freeze legislation, consumers will be able to place a security freeze. A security freeze lets you stop the disclosure of your credit report by a credit bureau. A security freeze can be especially helpful to individuals who are having persistent problems with identity theft. For more information:

World Privacy Forum appointed to California Security and Privacy Advisory Board

Announcement | CalPSAB -- WPF executive director Pam Dixon has been appointed by California Secretary of Health and Human Services Kim Belshe to the California Security and Privacy Advisory Board. Dixon will serve as interim co-chair of the board, which is tasked with addressing health information exchange (HIE) privacy and security efforts in California. The board's meetings will be open to the public.

The National Advertising Initiative: Difficulties with the NAI

Roadmap: The National Advertising Initiative – Failing at Consumer Protection and at Self-Regulation: Difficulties with the NAI -- When people sit at their computers and browse for new car information or to learn about the latest treatment for diabetes, when people walk down the street reading stock quotes on their mobile phones, and when people text a response for more information based on a television commercial they saw, their actions speak louder than words. A new realm of consumer tracking has grown up to translate these activities into advertisements. This kind of advertising is behaviorally targeted advertising. Behaviorally targeted advertising is as controversial as it is lucrative.

The National Advertising Initiative: The Beginnings of the NAI

In 1999, when online advertising was still a fresh segment of the advertising sector, widespread concerns arose about the ways that consumers could be tracked and targeted online for advertising purposes. The Federal Trade Commission held a workshop on online profiling in November 1999. [6] The concerns of the day were distilled in a FTC report to Congress in June 2000, Online Profiling: A Report to Congress. In that report, the FTC found that online profiling presented privacy problems for consumers. The FTC found that online profiling was primarily accomplished through banner ads, cookies, and web bugs, also called web beacons. [7] The Commission also concluded that online profiling was largely invisible to consumers:

The National Advertising Initiative: The NAI is Broken and Does Not Protect Consumers

Although it is possible to identify many aspects of the NAI that are broken, this report focuses on four areas in particular: 1) the effectiveness of the NAI opt-out cookie as the primary tool for stopping tracking; 2) the applicability of the NAI to types of tracking that extend beyond the traditional cookie and to business models not expressly covered by the NAI; 3) the constantly shifting membership of the NAI; and 4) auditing and enforcement of the NAI.

The National Advertising Initiative: Beyond Cookies - Tracking Technologies are not Always Exposed or Visible to Consumers

A traditional cookie as defined by the NAI is not the only persistent identifier and tracker available to network advertisers and marketers anymore. New technologies and techniques have become routine business practice since the original NAI was written, particularly in the area of persistent identifiers and tracking technologies. A rich array of browser cache cookies, Flash cookies, and other non-NAI-covered tracking techniques not only exist, but are in use today.

The National Advertising Initiative: Notice - Still Not Clear or Conspicuous

One of the issues raised in the FTC reports to Congress about online behavioral profiling was notice. The FTC and the NAI promised “robust” enforcement of notice. Unfortunately, because the foundational understandings of the NAI are out of date, the NAI ideas of notice that flow from those understandings are also out of date.

The National Advertising Initiative: TRUSTe’s Systematic March From NAI Transparency

TRUSTe began reporting on NAI complaints in March 2002. It used its Watchdog Reports to do this. In the intervening years, TRUSTe public reports regarding the NAI reveal a troubling, systematic reduction of transparency regarding the NAI. (See Appendix B for a complete listing of all TRUSTe NAI complaints.)

The National Advertising Initiative: Oversight of NAI is a Failure

Oversight of the NAI has been neglected. As a result, there are many things the public simply does not know about the program, in particular, its effectiveness. To date, the public does not know how many consumers participate in the program. The public does not have numbers comparing consumers who have visited opt-out pages with consumers who have successfully opted out. How many consumers actually have opt-out cookies, and for how long? Where are the reports on whether or not it is effective for those who do opt out? Are NAI members actually complying with the obligations?

The National Advertising Initiative: Conclusion

The NAI has failed. The agreement is foundationally flawed in its approach to what online means and in its choice of the opt-out cookie as a core feature. The NAI opt-out does not work consistently and fails to work at all far too often. Further, the opt-out is counter-intuitive, difficult to accomplish, easily deleted by consumers, and easily circumvented. The NAI opt-out was never a great idea, and time has shown both that consumers have not embraced it and that companies can easily evade its purpose.

The National Advertising Initiative: Appendix B - Listing of TRUSTe Complaints Regarding NAI From 2000 – 2007

Roadmap: The National Advertising Initiative – Failing at Consumer Protection and at Self-Regulation: Appendix B - Listing of TRUSTe Complaints Regarding NAI From 2000 – 2007 -- Note: The World Privacy Forum relied on the TRUSTe WatchDog reports to compile this table. For the reports, see: <http://www.truste.org/consumers/watchdog_reports.php>.

Privacy and consumer groups unveil consensus document recommending expanded consumer rights and protections in the behavioral advertising sector

Consensus document | Consumer rights and protections -- Nine privacy and consumer groups, including the World Privacy Forum, unveiled a consensus document outlining key consumer rights and protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC's eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failed to protect consumers.

World Privacy Forum outlines 8 best practice responses to medical identity theft for the healthcare sector

Medical identity theft | Best practice responses -- The World Privacy Forum has outlined 8 best practice responses to medical identity theft for the health care sector. The best practice responses are based on research the Forum is conducting for its second report on medical identity theft, and are a work in progress. The 8 best practice responses were presented to AHIMA delegates October 9; the Forum is soliciting and accepting feedback on the 8 best practices.

Pam Dixon's keynote speech on medical identity theft at the AHIMA National Convention

Medical identity theft is a crime that harms people and it is a crime that hides itself. This combination makes medical identity theft an insidious crime. It can cause extraordinary damages and harms to its individual and institutional victims. And once begun, the harmful effects of this crime can linger in the lives of its victims for years or even decades.

Public Comments: October 2007 - Centers for Medicare and Medicaid Services (CMS) System of Records Notice regarding substantive changes to the Medicare database release policy

The World Privacy Forum filed extensive public comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.

Update: World Privacy Forum's NHIN Timeline updated to reflect changes in AHIC

NHIN update -- The National Health Information Network, or NHIN, is part of a major undertaking to digitize and network the health care sector. From electronic health records to multi-state health information hubs, the U.S. government's goal is to modernize and move health care information from paper to digital. The Department of Health and Human Services is the primary mover behind this initiative, which is complex and multi-faceted. The World Privacy Forum keeps a chronology of NHIN events as a public service. The NHIN timeline has been updated to reflect changes in AHIC, a group that is charged in part with ensuring privacy and confidentiality in the NHIN and other aspects of health care modernization. AHIC is set to transition to a "public-private partnership," a move that will need to be watched closely to ensure robust consumer involvement.

World Privacy Forum requests adoption of a "no stakeholders left behind" policy in AHIC successor plans

AHIC successor | health care privacy -- The World Privacy Forum offered public comments on HHS' American Health Information Community (AHIC) successor plans, urging that HHS adopt a "no stakeholders left behind" policy as it forms the new public/private AHIC. The Forum's analysis of the AHIC Successor White Paper concluded that the current succession plans lack processes and checks that would ensure meaningful consumer participation, and that the AHIC successor plans as they currently stand do not bode well for a robust role for privacy or consumer groups in the new AHIC. Specific issues the World Privacy Forum discussed in its comments included fee structures, membership, handling conflicts of interest, stakeholder issues, privacy and identifiability issues, and the need for the new AHIC to achieve credibility.

Public Comments: September 2007 - American Health Information Community Successor White Paper (August 2007)

The World Privacy Forum offered public comments on HHS' American Health Information Community (AHIC) successor plans, urging that HHS adopt a "no stakeholders left behind" policy as it forms the new public/private AHIC. The Forum's analysis of the AHIC Successor White Paper concluded that the current succession plans lack processes and checks that would ensure meaningful consumer participation, and that the AHIC successor plans as they currently stand do not bode well for a robust role for privacy or consumer groups in the new AHIC. Specific issues the World Privacy Forum discussed in its comments included fee structures, membership, handling conflicts of interest, stakeholder issues, privacy and identifiability issues, and the need for the new AHIC to achieve credibility.

Update: Monster.com saying data breach may impact all users of Monster.com, official Federal job site USAJobs.com impacted

Consumer alert update -- Monster.com posted a warning on its site stating that all users of Monster.com may have been impacted by the data breach of its systems by hackers. All job seekers need to be aware of potential phishing attacks that are sophisticated and highly targeted, and job seekers with safety considerations need to be aware that their information has likely been compromised. The U.S. Office of Personnel Management has announced that the Federal job site USAJobs (which is outsourced to Monster.com) has also been impacted by the breach. The World Privacy Forum has updated its job seeking tips, and its consumer alert.

Consumer Alert: Monster.com data breach impacts hundreds of thousands of job seekers; job seekers who have safety concerns may be especially at risk

Consumer Alert | Internet privacy | Job search safety and privacy -- The World Privacy Forum issued a consumer alert today warning about a data breach at Monster.com. Security firms that analyzed the breach have stated the breach impacts hundreds of thousands of job seekers. The immediate information that was stolen included job seekers' home address, phone numbers, email address, and resume IDs. Some victims may have received further phishing emails. Job seekers who have safety concerns such as law enforcement professionals, victims of domestic violence and other victims of crimes such as stalking -- who typically do not make their home addresses or personal phone numbers public -- have an immediate need to know if their personal information may be in the hands of criminals. The consumer alert contains tips for victims and links to resources and more information.

World Privacy Forum responds to June 2007 NCVHS recommendations to the Secretary of HHS regarding health care information at non-HIPAA covered entities

Medical privacy | NCVHS | HIPAA -- The World Privacy Forum has sent a letter to Dr. Simon P. Cohn, Chairman of the National Committee on Vital and Health Statistics, supporting the Committee's formal conclusion that all entities that create, compile, store, transmit, or use personally identifiable health information should be covered by a federal privacy law. More needs to be done about health care data that is left unprotected by HIPAA. The Forum's letter included a discussion of two HHS programs that operate outside of HIPAA: FDA RiskMAPS, and the National Institutes of Health, which is not a covered entity under HIPAA.

World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues

iPledge Program | FDA -- The World Privacy Forum testified before the Dermatologic and Ophthalmic Drugs Advisory Committee and the Drug Safety and Risk Management Advisory Committee of the Food and Drug Administration regarding privacy issues related to iPledge, a mandatory program for patients taking the drug Accutane or isotretinoin generics. The FDA has stated that the program, which it requires four drug manufacturers to have in place, does not fall under HIPAA. The program collects substantive amounts of patient information. The Forum urged the FDA to set privacy standards for all RiskMAPs in general, and to resolve privacy issues in the iPledge program specifically. The Forum requested that all marketing provisions of the iPledge program privacy policy be removed, that patients be expressly informed the program does not fall under HIPAA, and that patients be given a printed copy of the iPledge program privacy policy, among other requests.
