
Social Networking Site Tagged Pays $500,000 to Settle Privacy Violations

New York had accused Tagged.com of sending more than 60 million emails stating that friends had sent some photos, which in fact did not exist, and that recipients were told to sign up for Tagged.com to access them. The company would then use these contacts to send out more misleading emails.

 

Big Companies Sign Draft Privacy Agreement at Conference in Madrid

At an annual gathering of data protection officials in Madrid, attended by more than 50 countries and 100 representatives and – significantly – some of the biggest corporate data gatherers including Google and Facebook, experts signed off on a draft agreement for basic international data protections.

 

The Council of the European Union Set to Require Web users to consent to Internet cookies
But once the law goes into effect, users must provide consent to cookies being stored on their computers, meaning that they could be bombarded with annoying pop-ups or pages asking for permission. The new legislation does offer an exception for when a cookie is “strictly necessary.”

 

Survey: Online users becoming less anxious about privacy

Concerns over security in everything from online shopping and banking to safety from computer viruses, as well as national security along with personal and financial security, were significantly down over what was recorded half a year ago for populations in the United States, the United Kingdom, Germany, Belgium, Brazil, Netherlands, Spain, Australia and New Zealand.

 

UK Information Commissioner's Office Reports 'Unacceptable' level of data loss

The number of incidents of loss or theft of personal data has risen to an "unacceptable" level in the past year, the privacy watchdog has warned.

The Windows Live team blog writes:

Thanks to coordinated efforts across the tech industry, and partnerships between industry players who are a part of the Anti-Phishing working group, over the years most web services, users and other applications have become smarter at spotting tricks like link manipulation, phone phishing, and forged websites. Cybercriminals have adapted to improved vigilance by focusing on the consumers as easier targets than battling technology.

Unfortunately, even technologically unsophisticated attacks can be successful because people traditionally underestimate the value of their online identities, and the gates that this information can open.

In most cases, this type of phishing attack is carried out by sending a simple e-mail that appears to be from someone you know. It might appear to be from the customer support department of Hotmail or another webmail provider, or it may even appear to come from a friend of yours (most likely, the message went to their entire contact list) and asks you to provide the credentials for your webmail service or it instructs you to click a link. Probably every one of us has seen an attack like this by now!

Some of the most common types of phishing attacks...

Brendon Lynch here. 

Today we released a new position paper, Privacy in the Cloud Computing Era: A Microsoft Perspective.  

 

This new paper discusses how Microsoft is approaching privacy as it relates to cloud computing.   We wrote this paper based on our experience over the past decade examining and addressing privacy challenges in the evolving online services realm.  We are also releasing guidance to enterprises and consumers to help them navigate the privacy issues to consider when thinking about cloud-based services.

 

Cloud-based services are rapidly emerging to complement the traditional client-based model of running software on PCs and servers at home and within the organization. Simply put, “cloud computing” refers to computing capabilities that are provided to organizations that operate over the Internet.  Businesses and governments are using “the cloud” to provide more and more services as it allows for greater flexibility, efficiency and lower costs.  This next generation of computing has significant potential to create new jobs, business opportunities and economic growth.

 

From a privacy perspective, a key aspect of cloud computing is the remote storage and processing of personal information with a service provider. Consumers, and more recently organizations, have for some time been using online services that store personal information remotely (for example, Microsoft’s Windows Live Hotmail was introduced in the mid-90s).  Therefore, with regard to most data privacy questions as well as the perspective of typical users, cloud computing reflects the evolution of the Internet computing experiences we have long enjoyed, rather than a revolution. 

 

While we recognize that privacy in the cloud will evolve over time, the paper describes how our underlying privacy principles provide a solid foundation for addressing privacy issues.

 

However, particularly given the global nature of the data flows inherent in cloud computing, there are a number of policy questions concerning how people, organizations and governments handle information and interactions in this environment.  As Peter Cullen’s post last week noted:

With the evolution  of cloud computing, in particular, global data flows have changed to become continuous and multi-point rather than linear and point-to-point.  Chances are that data will flow differently in ten years than it does today, and privacy rules will need to anticipate these inevitable changes. At the same time, privacy laws, by their very nature, are local.  This dynamic creates inherent tension.  As such, new privacy paradigms and governance models, such as one governed by accountability need to be considered in the context of global such frameworks.

 

Microsoft looks forward to a continuing engagement with government, industry, advocates, and our customers on these vital topics.

 

Brendon Lynch, senior director of privacy strategy, Microsoft Trustworthy Computing

Peter Cullen here. 

The concept of “accountability” has certainly become a recent catch-cry in the wake of the global economic crisis but it has long been an established principle of privacy and data protection. In fact, the concept was first established in data protection by the Organisation for Economic Co-operation and Development (OECD) back in the early 1980s and the principle of accountability is a core principle of the Canadian Data Protection Act (PIPEDA), the APEC Privacy Framework and is a key guiding tenet of the US Safeguards Rule. So too, the accountability principle is inferred in the privacy laws of the European Union and its member states.

 

Last week, a significant policy paper was publicly released by the Centre for Information Policy Leadership (CIPL) entitled, “Data Protection Accountability: The Essential Elements,” which seeks to reinvigorate the discussion around accountability and data privacy and represents the collective thinking of more than 40 privacy experts from around the world representing industry, government, academia and civil society. The paper, which Microsoft contributed to, not only helps further crystallize the key elements of accountability as a mechanism for global governance of data but also frames the discussion around how an accountability-based system might be designed. Under such a governance model, the company is responsible for understanding the risks to individuals that come with the processing of that individual’s data and is also responsible for mitigating those risks. Furthermore, as proposed in this paper, the company is responsible for ensuring that those processes do indeed safeguard their customer’s data. So, in many ways, accountability requires more diligence and vigilance from an organization than basic compliance with the law.

 

While the concept of accountability for data protection and privacy may not be new, what has changed dramatically over the past few decades is the technology-enabled use and transfer of information since modern-day concepts of privacy or data protection were first advanced. Privacy remains personal and local yet is challenged with today’s collection and global flow of information. Today, the Fair Information Principles, or “FIPs” tend to prioritize the lens for the consumer around individual control and “notice and choice” – a prioritization which is becoming increasingly challenging in the current information environment.

 

Currently, the “management” of global data flows is governed by law and guidance, which are enacted and enforced by individual governments, through regional or self-regulatory frameworks or through commonly accepted principles. Yet, under the present scheme, the burden is currently on the consumer who is expected to carry much of the responsibility for policing the appropriate use of their data. Regulators, where data protection laws exist, are charged with ensuring that companies implement the principles of fair information practices that form the basis of law and guidance.

 

However, this approach is neither well-suited nor sufficient to serve the new information economy. Collection of information from or about individuals has become more ubiquitous and perhaps less transparent, and information about them may be obtained from sources other than the individual. The concept of “primary and secondary use” that underpins traditional privacy governance quickly breaks down when information is used for dozens of purposes across many organizations. New technologies and business models that offer benefits to individuals rely on the use of information in ways that may not always be anticipated at the time the information is collected. Thus, in addition, the complexity of information collection is difficult to explain to even the most well-informed consumer. 

 

Neither companies nor their customers are well-served by the proliferation of complex and potentially conflicting laws that attempt to protect individuals from the misuse of their information. In the end, current governance models do not necessarily afford individuals the protections that they deserve and that would foster increased trust in the marketplace. Yet, the consumer is due fair processing and accountable use of information no matter where it is obtained and whether or not he or she is in a position to control its use. 

 

This is why Microsoft believes that policymakers and other relevant stakeholders need to take a closer look at how accountability might work within existing legal regimes, how organizations can do more to advance accountability and what role third party accountability agents and programs might play in this evolving paradigm.  So too, much consideration must be given to how accountability is measured and ultimately enforced.  We believe that this paper, which represents some of the collective thinking of some of the most prolific privacy thinkers around the globe, puts an important stake in the ground to ignite further discussion around the role of accountability in privacy and data protection schemes going forward.

 

 

In the first week of November, hundreds of representatives from government, industry and civil society will be descending upon Madrid for the 31st International Conference of Data Protection and Privacy Commissioners to discuss a range of issues related to privacy, security, emerging technologies and the changing nature of global data flows.  Microsoft looks forward to engaging in this multi-stakeholder dialogue and will directly be involved in discussions around children’s privacy as well as safeguarding privacy in the cloud computing era.

Another important dialogue will ensue around the “Joint Proposal for a Draft International Standard on the Protection of Privacy with Regard to the Processing of Personal Data,” a laudable effort which has been spearheaded by the conference’s host, Mr. Artemi Rallo Lombarte, Director of the Spanish Data Protection Agency (AEPD) based on a resolution adopted at the 30th International Conference of Data Protection and Privacy Commissioners. The proposal was developed in consultation with other data protection authorities, leaders of business and members of civil society. It seeks to encourage the development of a universal and binding legal instrument for the guarantee of privacy, or a “global privacy standard.”

 

As the patchwork of worldwide laws has become increasingly difficult to navigate, Microsoft has repeatedly called for a comprehensive, workable global privacy framework that is consistent, flexible, transparent and principles-based. Doing so will not be an easy task; some of the regulatory models in place today are outdated, while others take a piecemeal approach, with still new privacy models emerging in the developing world. That said, there are certainly common, over-lapping principles in all of these approaches that can help inform a comprehensive approach that can provide greater legal certainty to information providers while enhancing protections for the rights of individuals and their data. However, a global framework or consistent principles are just part of the puzzle. Any principles or standards will need to be implemented in a consistent way to avoid creating further regulatory differences.

 

With the evolution  of cloud computing, in particular, global data flows have changed to become continuous and multi-point rather than linear and point-to-point.  Chances are that data will flow differently in ten years than it does today, and privacy rules will need to anticipate these inevitable changes. At the same time, privacy laws, by their very nature, are local.  This dynamic creates inherent tension.  As such, new privacy paradigms and governance models, such as one governed by accountability need to be considered in the context of global such frameworks.

 

We thank the Spanish Authority for its vision and leadership around this important debate and look forward to continued collaboration in promoting consistent global data privacy structures.  The theme of this year’s conference is “Privacy: Today is Tomorrow,” which is apt given the imperative for all of us to address the data protection needs of the future, while helping to facilitate the rich benefits of our information age. 

Peter Cullen, Microsoft Chief Privacy Strategist

 Last week, Microsoft announced on the Bing blog that Bing would be incorporating Twitter search results:

Today at Web 2.0 we announced that working with those clever birds over at Twitter, we now have access to the entire public Twitter feed and have a beta of Bing Twitter search for you to play with (in the US, for now). Try it out. The Bing and Twitter teams want to know what you think.

 

Bing also announced that bringing tweets to Bing will respect the existing privacy settings of Twitter users:

By the way, you won’t see any of your tweets if you protected or deleted them, and tweets don’t last more than 7 days in our index

Chuck Cosson, Microsoft Senior Policy Counsel writes on the Microsoft on the Issues Blog:

Cyberbullying was in the news again last week as local authorities try to crack down on the problem. At Microsoft, we believe the best way to prevent cyberbullying is through education. We’d like to see it included in Internet safety curricula in schools.

Cyberbullying methods may be virtual, but the pain is real, especially for young people whose social lives depend heavily on their online connections. Communities are searching for the right boundaries to set when the rough-and-tumble of online discussion turns cruel and even harassing. Context and individual judgment are important in setting limits that protect healthy child development and personal reputations without inhibiting free expression of critical opinion, political and cultural discussion.

Education is not the single solution, but it has proven effective against cyberbullying, it doesn’t impinge on free expression, and it receives broad support around the world as an important and appropriate response. Education was mentioned by nearly all of the witnesses at a recent Congressional hearing on cyberbullying. Reports from safety experts note the importance of education, particularly as part of child development and as a means to more effectively target high-risk situations. Education can help individuals distinguish appropriate social boundaries, identify ways to protect their privacy and reputation, and learn how to be civil while speaking candidly.

Yet many schools do not include online safety in the curriculum, and of those that do, many omit cyberbullying and other aspects of online citizenship. We believe that comprehensive Internet safety curricula should become an integral part of society’s efforts to help students achieve technological literacy, learn job skills, and participate constructively in civil and democratic societies. Schools can take advantage of the many free curricular materials and other tools that are available to support this effort.

You can go here to read more about Microsoft’s views on safety education, here for basic tips on prevention of cyberbullying, and here for perspectives on the importance of free expression online. We encourage you to post your thoughts about cyberbullying and education. And please, encourage your community and legislature to make online safety a part of local school curricula.


Steve Crown, Deputy General Counsel and Vice President, Entertainment & Devices blogs on the Microsoft on the Issues Blog:

 

I recently spent time in Washington, D.C., meeting with leading child safety experts who focus on addressing technology’s impact on kids. I was eager to gain new insights as we build out our Get Game Smart public education initiative, which we launched in January. I also wanted to hear these experts’ thoughts on ways we can improve Microsoft products and platforms to better meet parents’ needs, a topic I spoke about at a panel hosted by the Progress and Freedom Foundation during my visit (you can listen to it here).

These child safety leaders gave me a great level-set about the challenges we’re all working to address. They confirmed that while parents want their families to embrace the digital age and all the advantages it can bring, many remain uncertain how to do it safely and appropriately. Whether it’s a lack of awareness, our busy lifestyles or the intimidation of new technology, too many parents are not taking advantage of parental controls that can help prevent kids from interacting with strangers online or viewing inappropriate content.

With the rise of handheld devices and increased access to the Internet, it’s harder than ever for parents to monitor what their children see and who they talk to online. It’s no longer enough to keep the PC in the family room. “Sexting,” cyber-bullying and “digital reputations” have come to the fore as some of the toughest issues to manage. As a result, child safety experts are turning their focus to helping kids deal with each other.

We talked about ways to ensure that kids understand that the information they share, the pictures they post and the messages they leave on social networks have a long shelf-life. Inappropriate use of social networks can harm young adults’ social standing, their experiences in college and even their chances in the job market. There is no single response to these challenges. I shared some of the ways we at Microsoft are trying to reach families through our Get Game Smart site, in schools, via retailers, and by engaging with community organizations and social networks.

Throughout my visit, child safety experts noted that schools are one of the most important venues for engaging kids. Microsoft and others have developed curricula for use in schools to highlight these issues and to get children and young adults thinking about how their online actions can have unintended consequences.

We netted out agreeing that we are in this together and we need to keep working together. The most promising opportunities appear to be fine-tuning our outreach to parents and redoubling our efforts to reach kids through schools. I look forward to continuing our discussions with child safety experts and finding more ways we can all keep the digital world as safe and healthy as possible.


Thousands of Usernames and Passwords Posted Online.

Dark Reading reports that “Lists containing tens of thousands of stolen email account usernames and passwords have shown up online during the past few days in what researchers say likely came out of multiple phishing attacks.” The accounts were from Hotmail, Google's Gmail, Yahoo, Comcast, and Earthlink.

 

Survey on Behavioral Advertising Draws Attention
The New York Times reports, “About two-thirds of Americans object to online tracking by advertisers — and that number rises once they learn the different ways marketers are following their online movements, according to a new survey from professors at the University of Pennsylvania and the University of California, Berkeley.”  The Progress & Freedom Foundation posted a response on their blog, saying that “What does this tell us about whether, and how, government should further regulate online advertising? Precious little: Not only does this poll overstate the costs of targeted advertising, understate its benefits, and ignore the tools available to users to address their privacy concerns but, like any opinion poll, this one tells us more about the psychology of decision-making under the artificial uncertainty of polls than about the choices users would actually make in the real world.”

 

EU Information Society Commissioner Calls for More Internet Privacy
UPI reports, “EU Information Society Commissioner Viviane Reding said during a debate in Brussels on the future of the Internet that minors are putting a lot of personal information online on social networking Web sites such as Facebook, and legislation may be needed to force the sites to keep children's profiles private, the EUobserver reported.”

 

53 Charged in Massive Global Phishing Ring

Daily News reports, “Authorities charged dozens of suspects, including a 19-year-old Palmdale man, with running an online banking scam that spanned from Los Angeles to Egypt and allegedly bilked countless victims out of millions of dollars, the FBI said Wednesday. James Michael Viorato was one of 53 suspects named in the 51-count indictment for conspiracy to commit wire and bank fraud through an Internet-based "phishing" scheme uncovered in a two-year international investigation dubbed "Operation Phish Phry."”

From the Microsoft Security Tips & Talk Blog:

Malvertising might sound like a fancy kind of dry cleaning, but it’s really fake online advertising designed to trick you into downloading malicious software onto your computer. The most common kind of fake ad is for security software that you don’t need and that could harm your computer. This is often called “rogue security software” or “scareware.”

This month Microsoft continued its efforts to combat malvertising by filing five civil lawsuits against companies who allegedly create these fake ads.

For more information about the lawsuits, see Bad Ad: Going  After the Malvertising Threat and Microsoft Advertising and Internet Safety Enforcement Team To Fight Malvertisers.

To help protect yourself against malvertising or scareware:

Install a firewall and keep it turned on.

Use automatic updating to keep your operating system and software up to date.

Install antivirus and antispyware software such as Microsoft Security Essentials and keep it updated.

If your antivirus software does not include antispyware software, you should install a separate antispyware program such as Windows Defender and keep it updated. (Windows Defender is available as a free download for Windows XP and is included in Windows Vista.)

Use caution when you click links in e-mail messages or on social networking Web sites.

Familiarize yourself with common phishing scams.

The Windows Live Team Blog writes:

Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.

Phishing is an industry-wide problem and Microsoft is committed to helping consumers have a safe, secure and positive online experience. Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software. If you believe you’ve been a victim of a phishing scheme, it’s very important that you update your account information and change your password as soon as possible. More information on what to do is available on this page at our support community.

Microsoft recommends customers use the following protective security measures:

  • Renew their passwords for Windows Live IDs every 90 days
  • For administrators, make sure you approve and authenticate only users that you know and can verify credentials
  • As phishing sites can also pose additional threats, please install and keep anti-virus software up to date

Answers to a few general questions about phishing scams...

Eric Wenger, Microsoft Policy Counsel for Cyber Security, Standards and Interoperability writes on the Microsoft on the Issues Blog:

This morning, I had the privilege of attending the 2009 launch event for National Cyber Security Awareness Month, which featured Homeland Security Secretary Janet Napolitano as well as senior leaders from the White House, Department of Defense, U.S. Secret Service and FBI. The event was hosted by the National Cyber Security Alliance, of which Microsoft was an original member. 

President Obama today issued a proclamation recognizing the importance of this effort, and earlier this week, the U.S. Senate agreed to a resolution supporting the goals of National Cyber Security Awareness month.

We all rely on computers and the Internet every day to organize our lives, conduct business, communicate with our government and socialize.  Given how important these electronic resources have become, we all need to be vigilant about cyber security throughout the year.  However, having a month dedicated to cyber security allows us to elevate awareness of the role each of us must play to keep our data and our networks secure. And so, every year since 2001, the Alliance mounts a national public awareness campaign in October to encourage individuals and businesses to protect their computers and our nation’s critical cyber infrastructure.

This year’s theme is, “Our Shared Responsibility.” The Internet is a network of networks.  We connect to it from computers in our homes, schools, libraries -- even from the phones in our pockets.  What makes the resulting network so resilient and powerful is that no individual, business, or government owns or controls it. But that also means there is no one person or entity responsible for securing it.  The responsibility is shared among all of us who connect to the Internet. We each need to secure the part of the network and those devices we own or control. 

Microsoft is working hard to protect our shared digital future by designing, assessing, and updating our products to make them as safe and secure as possible.  We are also taking concrete steps to help you do your part:

1)      Microsoft has been providing online safety information for over a decade.  We have recently redesigned our Consumer Online Safety Education site to focus on current topics that are of concern to the public.

2)      Earlier this week, Microsoft, in collaboration with the Federal Trade Commission, the U.S. Postal Inspection Service and Western Union announced a series of online public service announcements (PSAs) to help protect consumers from scams related to mortgage foreclosure rescue offers, credit repair and fake lotteries. The search advertising-driven PSAs will appear on Bing when users conduct searches using terms that could expose them to online scams.

3)      This week, Microsoft also announced that it is making available a free download to help users protect home PCs that are running Windows.  Microsoft Security Essentials provides real-time protection that helps guard against viruses, spyware, and other malicious software. It takes minutes to install, is easy to use and is updated regularly with the latest technology as new threats emerge.

We look forward to participating in additional events throughout the month.  For additional information about keeping your family safe online, please visit www.StaySafeOnline.org and www.onguardonline.gov.

Frank Torres, Director, Consumer Affairs writes on the Microsoft on the Issues blog:

After years of vigorous debate, it looks like we are close to seeing the introduction of  comprehensive federal legislation establishing privacy protections for Internet users.
 
The framework set out by Virginia Congressman Rick Boucher in an editorial today in The Hill shows leadership in an area that is vitally important to consumers.
 
Microsoft Chairman Bill Gates and General Counsel Brad Smith voiced Microsoft’s support for a federal privacy bill more than three years ago.  For our part, Microsoft stands by that commitment.  We hope this Congress will join Rep. Boucher and support his legislation.

Targeted Ads Targeted by Congress

The long-running battle over behavioral ads is heating up again on Capitol Hill.  Forbes reports that, “Rep. Rick Boucher, D-Va., the chairman of the House Energy and Commerce Subcommittee on Communications, Technology and the Internet, says he is working on a bill that would outline broad restrictions on certain types of data collection and ad targeting. Speaking in front of Congress this month, Boucher said he hopes to draft a bill of rights, of sorts, regarding online ads.  Meanwhile, the Federal Trade Commission is studying existing behavior marketing practices and whether it needs to make its principles legally binding.

 

Facebook’s Beacon Goes Dim

The long-running saga over Facebook’s Beacon, a feature that shared information such as online purchases through a user’s social network, ended when Facebook announced it was discontinuing the service. According to Computerworld, this brought a shout out from privacy advocates: “Privacy advocates are applauding Facebook's willingness to shut down its controversial Beacon service as a part of a broader settlement in a class-action lawsuit against the company. The move signals an overdue acknowledgement by the popular social-networking site of the need to give users more control over their personal data and how it is shared, they said.”

Netflix Prize 2 Gets Mixed Review Among Some Privacy Researchers

Network World reports, “At least one privacy expert is concerned that Netflix may be on the brink of a major data breach. As a follow-up to its hugely successful Netflix Prize -- a contest to help improve Netflix's software that suggests movies a user might like -- the movie rental company will release anonymous information from 100 million Netflix users to allow researchers to try and predict their movie preferences based on their age, gender, and where they live, according to The New York Times. The problem is, there's a concern that the information Netflix releases could make it very easy to identify specific individuals.”

 

Med Student Overshare Syndrome Diagnosed by Time Magazine
Last week, The New York Times reported on young lawyers violating legal ethics with judicial overshares.  This week, Time reports on doctor oversharing:
“A new survey of medical-school deans finds that unprofessional conduct on blogs and social-networking sites is common among medical students. Although med students fully understand patient-confidentiality laws and are indoctrinated in the high ethical standards to which their white-coated profession is held, many of them still use Facebook, YouTube, Twitter, Flickr and other sites to depict and discuss lewd behavior and sexual misconduct, make discriminatory statements and discuss patient cases in violation of confidentiality laws, according to the survey, which was published this week in the Journal of the American Medical Association.”

As part of our redesigned Microsoft.com/Protect site we’ve produced 13 new topical online safety brochures that provide Microsoft’s guidance on many computing and Internet issues today.  Visit http://www.microsoft.com/protect/

·        Microsoft Family Safety Settings

·        Protecting Kids From Cyberbullying

·        Protecting Youth on the Internet

·        Protecting “Tweens” & Teens on the Internet

·        Safer Online Gaming

·        How to E-mail / IM Safely

·        Protecting Your Information On the Go

·        Protecting Yourself from Identity Theft

·        Safer Online Transactions

·        Protecting Yourself from Phishing Scams

·        Protecting Your Privacy Online

·        Internet Safety for Seniors

·        Safer Social Networking