The Council of Europe’s Committee of Ministers adopted a declaration Wednesday urging its 47 member nations to ask ICANN to strengthen its mechanisms for respecting freedom of expression and privacy in top-level domain (TLD) decisions. The council said it adopted the resolution in response to concerns that ICANN decisions on the use of particular words or characters in TLDs, such as .xxx or .sucks, affect the right to freedom of expression. The Council of Europe’s member states should encourage ICANN to create “an explicit policy statement” committing to respect internationally recognized human rights standards and to use “due diligence mechanisms and human rights impact assessments to identify, prevent, mitigate and account for any harm ICANN may cause,” the Committee of Ministers said in the declaration. In the resolution, the council also urged its member nations to work with ICANN to “ensure that a more attentive approach towards human rights and corporate responsibility contributes to the development of more transparent and accountable policy-development processes, with measurable standards and in full respect of the public interest.” The Committee of Ministers separately adopted a declaration reaffirming the Council of Europe’s support for multistakeholder Internet governance and asking the U.N. General Assembly to extend the Internet Governance Forum’s mandate through 2025.
The federal government launched a new site to be a “one-stop resource for identity theft victims,” a USA.gov email update said Monday. The website, IdentityTheft.gov, offers step-by-step checklists of what to do immediately and down the road when an individual’s private information has been compromised, depending on what information was stolen or exposed. The website also lists warning signs that an individual’s identity may have been stolen and the websites and phone numbers for organizations that individuals should contact when their identity is stolen, and it has sample letters for disputing fraudulent charges, correcting credit report information and obtaining business records related to the theft.
The FTC approved its final orders resolving its complaints against TES Franchising and American International Mailing for “deceiving consumers about their participation in international privacy frameworks” Friday, after a public comment period, an FTC news release said. The settlements were first announced in April (see 1504070026). The commission vote to approve the final orders was 5-0. The FTC alleged the websites for TES Franchising and American International Mailing “indicated they were currently certified” under the safe harbor frameworks, enabling U.S. companies to transfer consumer data from the European Union to the U.S. in compliance with EU law, “when in fact their certifications had lapsed years earlier,” the FTC said. In its complaint against TES, the FTC also alleged TES “deceived consumers about the nature of its dispute resolution procedures,” and “deceptively claimed to be a licensee of the TRUSTe Privacy program,” the FTC said. TES Project Manager Marissa Ruderman previously told us the company hadn't complied with the safe harbor laws because information about renewing the safe harbor subscription had been sent to an individual who was no longer with the company (see 1504090029). Once Ruderman was notified TES was out of compliance, she said, she contacted safe harbor officials and resolved the issue within a week or two. Ruderman said the settlement with the FTC is not monetary, but involves the company's acknowledging it missed the deadline to renew its safe harbor subscription and pledging to not let it happen again. TES and American International Mailing had no immediate comment Friday.
Google rolled out two “significant improvements” to its privacy and security tools Monday, the company said in a blog post, with a “new hub for managing your Google settings called My Account, and a new site that answers important questions about privacy and security on Google.” With the new My Account tool, a user has quick access to the settings and tools that help safeguard privacy and can decide what information is used, Google Product Manager-Account Controls and Settings Guemmy Kim wrote. Users can also get a privacy and security checkup, manage ad settings, control apps that connect to a Google account and more, Kim said. Google’s new privacy site, privacy.google.com, “candidly” answers questions such as what data Google collects, what Google does with data and what tools users have to control their Google experience, and it also answers how to encrypt and spam-filter data, Kim said. “When you trust your personal information with us, you should expect powerful controls that keep it safe and private as well as useful answers to your questions,” Kim said. “Today’s launches are just the latest in our ongoing efforts to protect you and your information on Google.”
Caution should be used by those who use a credit card at a local retailer, gas station, restaurant or bar, because the black market demand for user and credit card data has made point-of-sale (PoS) system compromises a lucrative business, said a blog post from Level 3 Threat Research Labs Friday. “As PoS systems are targeted with greater frequency, new families of malware are developed and extended at a breakneck pace.” High-profile compromises are often either a result of lax security policies and procedures or a very sophisticated targeted attack, the blog said. “With PoS malware continuously evolving and becoming more difficult to detect, the security community, as well as retailers, has a real challenge on its hands.” Merchants should have their PoS and support systems behind a properly configured firewall, with logs and alerts enabled, the blog said. Merchants should also disallow remote access to PoS networks, control access within local networked environments and ensure their software is up to date, it said. PoS malware is lucrative for malware developers around the globe and U.S. merchants are transitioning to chip and PIN technology at a slow pace, it said. “As more American merchants implement chip and PIN for credit card transactions it will be interesting to see how the malware developers adapt.”
Reps. Luke Messer, R-Ind., and Jared Polis, D-Colo., will speak Tuesday at an event hosted by the Center for Democracy & Technology on privacy issues for data collected by education technologies, CDT said in a news release Thursday. “Technology in education has the potential to revolutionize learning,” the release said, but the “adoption of new technology requires consumer trust,” it said. More than 170 state student privacy bills have been introduced in 2015, the White House announced its student privacy legislative proposal in January, and now Congress is considering multiple student privacy bills, it said. Following Messer and Polis’ speeches, CDT President Nuala O’Connor will moderate a panel on student privacy; panelists are White House Policy Adviser for the Office of the Chief Technology Officer Dipayan Ghosh, Data Quality Campaign CEO Aimee Guidera, Public Policy Lead for Google's strategy and programs on youth and technology Sarah Holland, Director of Education Policy and Programs at Microsoft Allyson Knox, and Vice President-Policy at Common Sense Media Joni Lupovitz.
The Washington state Supreme Court ruled unanimously that the state’s broad anti-SLAPP (Strategic Lawsuits Against Public Participation) statute violates the constitutional right to a jury trial, Davis Wright attorneys Bruce Johnson, Eric Shahl and Ambika Kumar Doran wrote in a blog post. The Thursday decision in Davis v. Cox is the “first in the nation to hold an anti-SLAPP statute unconstitutional,” the post said. “The court held that the requirement that a plaintiff ‘establish by clear and convincing evidence a probability of prevailing on the claim’ meant that the trial court had to weigh and decide disputed factual evidence, which is the purview of a jury,” they said. “Other courts, in Washington and elsewhere, have held that this provision is akin to a summary judgment procedure,” they said. Davis Wright represented the defendants in the case brought by members of the Olympia Food Co-op against co-op board members “because of their stance on a boycott of Israeli goods,” the blog said. The case will now be sent back to the trial court, they said. The attorneys called the decision significant because the statute “cannot be applied in any circumstance,” so for now “media defendants and others have lost an important protection against baseless lawsuits targeting their First Amendment activities,” they said.
The New Jersey Office of Attorney General dropped its investigation of Tidbit, said a consent order filed Tuesday in Essex County Superior Court in New Jersey. Tidbit was a project of four Massachusetts Institute of Technology students who developed the software for a hackathon in November 2013. The software was envisioned as a substitute for website advertisements, allowing sites to instead monetize visits by using visitors’ computers to mine for bitcoins. Tidbit’s developer is prohibited from accessing or attempting to access New Jerseyans’ computers without clearly and conspicuously notifying the owners and obtaining their verifiable consent, the order said. The consent order also includes a $25,000 settlement that will be suspended and automatically vacated within two years, provided the software developer complies with the settlement terms. “We do not believe Tidbit was created for the purpose of invading privacy,” said Division of Consumer Affairs Acting Director Steve Lee in a news release. “However, this potentially invasive software raised significant questions about user privacy and the ability to gain access to and potentially damage privately owned computers without the owners’ knowledge and consent. As privacy threats become more and more sophisticated, State law requires us to protect the interests and safety of New Jersey consumers.”
The Open Interconnect Consortium added 25 member organizations from around the world in sectors ranging from energy and engineering to gaming and education, a news release said Wednesday. New organizations include the China Academy of Information and Communications Technology, Honeywell International, MIT-Kerberos & Internet Trust Consortium and the Telecommunications Technology Association. OIC also established liaison agreements with the Digital Living Network Alliance and UPnP Forum to “maintain compatibility and ensure common usages are covered,” the release said. “The addition of these organizations expands our scope well beyond consumer electronics and the smart home, all while accelerating toward our goal -- interoperability for connected solutions worldwide,” said Mike Richmond, newly named executive director.
The Department of Homeland Security Office of Operations Coordination and Planning (OPS) is accepting comments until June 26 on its proposed changes to update and reissue its Publicly Available Social Media Monitoring and Situational Awareness Initiative system of records document, a notice in the Federal Register said Wednesday. OPS is updating this Privacy Impact Assessment (PIA) to address the privacy impact of using geospatial information offered by mobile media to enhance situational awareness, the update said. OPS and the National Operations Center (NOC) monitor publicly available online forums, blogs, public websites, Twitter and message boards to collect information to “provide situational awareness and establish a common operating picture,” DHS said. DHS’ Privacy Office said OPS/NOC uses GPS and geographic location features offered through social media and mobile applications to enhance its search and reporting capabilities. “With the widespread use of online services and applications on mobile devices that are equipped with GPS, OPS is updating the Initiative PIA to address the privacy impact of the availability of geospatial functions within mobile media to enhance DHS situational awareness,” DHS said. Depending on the size of a search radius, OPS/NOC or the Media Monitoring Center (MMC) may inadvertently collect personally identifiable information, DHS said. To mitigate the risk, OPS/NOC will redact PII if “collected inappropriately,” but DHS said the groups monitor only public sites where users post information voluntarily.