
 

Chronology

This is a chronological list of key World Privacy Forum work, as well as joint work with other groups.

 

 

 

 

 

07/10/2012 Drones

Drones can be hacked, say security researchers

A recent item about drones in the GWU CyberSecurity Policy Newsletter revealed that drones can be hacked via spoofing the drone GPS systems. Government drones in US airspace are poised to become a privacy issue of increasing concern. Here is an excerpt from the newsletter, which is available here.

........."A group of researchers at the University of Texas at Austin Radionavigation Laboratory recently succeeded in hijacking a drone by spoofing the global positioning system (GPS) on board the aircraft. With just around $1,000 in parts, the team took control of an unmanned aerial vehicle owned by the college, all in front of the US Department of Homeland Security. Domestic drones are already being used by the DHS and other governmental agencies, and several small- time law enforcement groups have accumulated UAVs of their own as they await clearance from the Federal Aviation Administration, Reuters reports. Indeed, by 2020 there may be tens of thousands of drones diving and dipping through US airspace. With that futuristic reality only a few years away, this action suggests that the FAA may have their work cut out for them if they think it’s as easy as just approving domestic use anytime soon." CyberSecurity Policy News, July 2, 2012.

 

 

07/09/2012 Mobile privacy

WPF urges stakeholders to put the consumer first, focus on what is important

Mobile app privacy is the topic of the multistakeholder process to be undertaken this week under the direction of the US Department of Commerce. Over the weekend, a NYT article revealed that mobile carriers received more than 1.3 million requests by law enforcement for mobile data, including requests for text messages. This article is a focusing event. It is a reminder that in mobile privacy we need to put the consumer first, focus on what is important, and apply responsibility for privacy and transparency throughout the hierarchy of mobile players, from carriers to platforms to app stores to publishers to developers. It is not yet clear which segments of the hierarchy should carry how much of the burden, but it is clear that carriers will certainly need to do a lot. It is also clear that the idea of just an icon on a screen to communicate the idea of mobile privacy to consumers is a band-aid approach at best when faced with the truth of where some of the real risks are for consumers.

Multistakeholder meeting info | NYT article on mobile privacy issues

 

 

06/15/2012 HIE interactive map

Health Information Exchange in California

WPF has posted a new interactive map of health information organizations and exchanges in California. This is a map-in-progress, and we will be adding data to the map in stages. See more about HIEs and our California HIE Map here.

 

 

06/04/2012 Mobile Apps

WPF dialogues with App developers at Privacy Summit in Los Angeles, San Diego

Pam Dixon will be speaking in the Privacy Summit Series in dialogue with the leading mobile app developers in Los Angeles and San Diego, both mobile app hotspots. The dialogues are part of a national series aimed at fostering a robust discussion between privacy experts and leading developers. The Los Angeles event is taking place June 5, the San Diego event is June 6. For more information and details about attending, see Privacy Summit Series http://devprivacysummit.com/.

 

 

05/30/2012 FTC | Mobile privacy

WPF speaks at FTC workshop

Pam Dixon spoke at the FTC's May 30 mobile disclosures workshop. The panel focused on exploring privacy in the mobile applications and mobile wireless space. Some of the privacy topics Dixon covered at the workshop included the role and use of unique identifiers in wireless technologies. A snip from the FTC Twitter stream summarizes things well: "The more intrusive the practice, the more robust the disclosure should be." - Dixon #FTCdisclose MAC address not PII, says Kloek; Yes it is, says Dixon. #FTCdisclose.

See the FTC workshop agenda, transcripts, and video. | FTC Twitter stream of workshop

 

 

05/14/2012 Genetic Privacy | Bioethics

WPF Asks Presidential Commission to Protect Genetic Privacy

WPF filed comments with the Presidential Commission for the Study of Bioethics today urging the Commission to recognize the need for enhanced genetic privacy protections in a digital world. WPF noted that "The increasing identifiability of genetic data presents major privacy issues for research activities that must be acknowledged and addressed." WPF suggested four key ways that Certificate of Confidentiality programs could be enhanced for privacy protection, and urged the Commission to speak out about the importance of protecting patient privacy in research activities involving genetic information. "The Commission should advocate providing patients with reasonable controls over research uses of their data as electronic records develop and spread throughout the health care system." Public comments may be submitted to the Commission until May 25, 2012.

Read WPF's Comments to the Presidential Commission for the Study of Bioethics (PDF)

 

 

04/26/2012 Google Drive | Cloud computing

Google Drive Privacy Confusion

Google Drive -- Google's cloud storage service -- has inspired a round of stories about cloud privacy and Google Drive. The stories have reached conflicting conclusions about privacy risks for users of Google Drive, and consumers are approaching us with a lot of questions. Google Drive does have a Terms of Service that is unfriendly. This is a concern for consumers, but it is especially a concern for businesses or people who work with data subject to either regulation, or some sort of privilege. Health data, financial data, attorney-client data, or work produced under non-disclosure agreements all qualify, among other examples. Recently, the US Department of Health and Human Services fined an Arizona health care provider $100,000 for violating HIPAA in part by using Internet-based email and calendaring systems without a specific Business Associate Agreement in place. Cloud storage falls into the same kind of risk scenario. WPF wrote a report that discusses these cloud-based privacy risks in detail, Privacy in the Clouds. The risks we discuss in that report have not changed. If you are a consumer, understand that you need to select the most private sharing option on Google Drive if you use it. (On our Facebook newsfeed, we have a brief discussion of Google Drive share settings with a screenshot.) Also understand that your information could be subpoenaed without notice to you, including health information if you place it on Google Drive. For business, there is a lot of potential risk that needs to be analyzed prior to business use of Google Drive. See our report for a detailed discussion of risks and potential mitigations.

Read Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing | See our Cloud Privacy Page for tips for consumers and business

 

 

04/24/2012 Medical ID Theft

WPF Republishes Landmark Medical ID Theft Tips and FAQ for Consumers

WPF has completely updated its landmark medical identity theft tips and advice for patients and consumers. "The new FAQ contains detailed advice for anyone who is a victim of medical ID theft, or is worried about becoming one," says Pam Dixon. "The FAQ and our shorter consumer tips have been updated to reflect our most recent research." In 2006, WPF published the first known report on medical ID theft and coined the term. Since then, WPF has been in the forefront of researching this crime and working to assist victims and those working with victims. The FAQ and tips are free of charge. More medical ID theft materials may be accessed at the WPF medical ID theft page.

Updated Medical ID Theft FAQ | Updated Consumer Tips | Medical ID Theft page

 

 

04/18/2012 Health Privacy | E-health

US Department of Health and Human Services fines Arizona provider $100,000 for HIPAA violations

In a rare enforcement action of HIPAA, HHS fined an Arizona health care provider $100,000 for a variety of HIPAA violations, especially regarding electronic exchanges of protected health information. The HHS document outlining the reasons for the fine should act as a wake-up call to health care providers using public email, calendaring, and other tools for communication of ePHI. HHS specifically noted that the fined health care provider did not conduct an adequate risk assessment prior to using the email and Internet tools. The full HHS document is a must-read for health care providers. WPF has been warning about the need for full e-risk assessments since 2005 and strongly advocates for medical-identity-theft-specific risk assessments.

Read the HHS enforcement agreement | Read WPF's best practice document for medical ID theft

 

 

04/11/2012 WPF Completes Medical ID Theft Training

Medical ID Theft Training

Pam Dixon of WPF conducted a detailed training for law enforcement and health care professionals on medical identity theft detection, prevention, and cures. The training was held at the campus of the Denver Health Medical Center. Visit the WPF Medical ID Theft page for more information about medical identity theft, including questions and answers for victims, best practices for health care providers, and a geographical map of the crime.

Visit the WPF Medical ID Theft Page

 

 

04/02/2012 WPF comments on Multi-Stakeholder Process

WPF asks that the full Consumer Privacy Bill of Rights be applied to MS Process

WPF filed two sets of comments with the US Department of Commerce regarding the MultiStakeholder Process and the privacy topics to be taken up. The first set of comments was WPF's formal filing of the joint Civil Society MultiStakeholder Principles on behalf of WPF and the American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers' Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers' League, Privacy Rights Clearinghouse, and US PIRG. The second set of comments was WPF's own comments to the Department. WPF urged the Department to employ a fair process, choose focused topics, and to apply the full range of the Consumer Privacy Bill of Rights to each topic.

Read the WPF comments | See the joint Civil Society MultiStakeholder Principles

 

 

03/26/2012 Data Broker opt out

WPF Strongly Endorses Centralized Data Broker Opt-Out Mechanism

WPF, in 2011 comments to the FTC, urged the FTC to create a centralized place for consumers to opt-out of data broker tracking. This is a long-standing issue WPF has worked on. Previously, WPF filed a petition in 2009 to the FTC regarding mail-in data broker opt outs, which resulted in an FTC action and improvements for consumers. In its new report published today, the FTC has picked up WPF's centralized opt out recommendation, specifically citing WPF's comments. From its report: "The Commission recommends that the data broker industry explore the idea of creating a centralized website where data brokers that compile and sell data for marketing could identify themselves to consumers and describe how they collect consumer data and disclose the types of companies to which they sell the information." The WPF strongly supports this idea and views assistance to consumers in this area as vital.

WPF April 2009 Data Broker Complaint | FTC 2010 settlement and response to WPF data broker complaint

 

 

03/26/2012 FTC privacy report

FTC releases report; picks up two key WPF recommendations in report, numerous cites

The FTC's new privacy report -- a long-awaited planbook for privacy in the digital age -- has picked up several key recommendations the WPF has made. First, the report picks up WPF's direct recommendation in its 2011 comments that the FTC set up a centralized web site to allow consumers to opt out of data brokers. The FTC has directly called for this as a primary part of its report. The WPF strongly supports this. Pam Dixon of the WPF originated the Do Not Track idea in 2007, and with a group of privacy experts, submitted the original idea to the FTC that year. Now, DNT has also made it into the final FTC report. The FTC report also acknowledges that privacy self-regulatory efforts have not gone far enough, and cited the WPF comments in this area. The FTC is planning on working with the Department of Commerce's privacy multi stakeholder process. WPF led a coalition of civil liberties, privacy, and consumer groups in drafting civil society guidelines for the privacy multi stakeholder process.

WPF's 2011 formal recommendations to the FTC | Final FTC report | Civil Society guidelines for multistakeholder process

 

 

03/14/2012 following WPF on Facebook

WPF Facebook Page

WPF maintains an active Facebook page, and it features slightly different content than our home website. For Facebook, we make regular newsfeed postings about WPF activities and also post content for people who want to follow privacy via their Facebook newsfeeds. This past week, stories we've posted include a report on the economics of privacy, the new Pew study on privacy, a privacy-related human interest story, and news about the VZBW lawsuit in Germany against Facebook. It's not the only way to keep up with WPF, but if you are on Facebook a lot, it is a good way. Our page is located here.

WPF Facebook page

 

02/23/2012 MultiStakeholder Privacy Principles

Leading Civil Society Groups Agree on Key Principles: the Commerce Privacy Process Must be Fair, Transparent, Credible

The World Privacy Forum has led an effort to craft a set of principles with the nation’s leading civil liberties, privacy, and consumer groups. Today, the groups are releasing a set of baseline Multi-Stakeholder Principles in response to the U.S. Department of Commerce’s plan for a multi-stakeholder process on privacy. (The U.S. Department of Commerce is undertaking a representative process for bringing together members of industry and civil society to form new privacy rules.) These leading groups believe that for the multi-stakeholder process to succeed, it must be representative of all stakeholders and must operate under procedures that are fair, transparent, and credible. The World Privacy Forum and the signatories of these baseline principles believe the principles will provide the multi-stakeholder process the legitimacy it needs to succeed. Protecting the online privacy of consumers is crucial to ensuring the availability, utility, and vitality of the Internet. For any approach to privacy to be meaningful, it must reflect fair information practices, including mechanisms to assure accountability. Signatories to the baseline principles include the World Privacy Forum, American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers League, Privacy Rights Clearinghouse and U.S. PIRG. The principles are here.

 

 

02/17/2012 Online privacy | NAI | FTC complaint

WPF files FTC complaint against Google and others over Safari privacy settings circumvention

The World Privacy Forum filed a complaint with the US Federal Trade Commission today regarding the circumvention of users' expressly stated browser privacy choices without notice. "The World Privacy Forum requests that the Federal Trade Commission (FTC) investigate Google, Vibrant Media, Media Innovation Group, and Pointroll for potential violations of Section 5 of the FTC Act. These companies willfully overrode users’ privacy preferences as expressly stated by the users in their browser settings. Overriding privacy preferences and doing so without notice are both unfair and deceptive business practices." The complaint further requests the Commission look into the companies' violations of the NAI code, and in Google's case, violation of its consent agreement with the Commission.

Read the WPF Complaint to the FTC

 

 

02/17/2012 Online privacy | Apple privacy

Companies caught overriding Safari browser privacy settings

Stanford University has released a study documenting how Google and other companies overrode Safari users' browser privacy settings. The WPF encourages Apple users to download the Firefox browser and use Firefox, if at all possible, instead of Safari. Firefox did not have the same problem, and it allows for additional privacy add-ons, such as AdBlock Plus, which are helpful privacy-enhancing tools. Firefox is available here, more about AdBlock Plus is available here. More about Firefox add-ons here.

 

 

02/01/2012 Search engine privacy

Don't put all of your digital activities in one place ....

WPF has updated its search engine privacy tips page to include more tips on how to segregate online activities. This has always been important, and it has become more important in light of Google's announcement that it will be sharing data across its business units. See the WPF updates to its search engine privacy tips page.

 

 

01/31/2012 Facial recognition | Digital signage

WPF says a "walk-out opt-out" is not enough for consumer protection for facial recognition

The World Privacy Forum filed extensive comments to the FTC today following up on Pam Dixon's testimony at a December 2011 FTC facial recognition privacy workshop. The WPF comments noted that "A walk-out opt-out is not a viable way of managing consumer consent in the area of facial recognition or detection technologies." The comments discussed the importance of recognizing the Face Print as a unique biometric, and also discussed the need for finding ways of consumer consent that are reasonable. Given the ubiquity of cameras in some retail and public spaces, just walking away will become less and less of an option for consumers going forward, the comments argued. The comments also included the WPF's groundbreaking report, The One-Way Mirror Society, and the joint Consumer Privacy Principles for Digital Signage. These principles were signed by the nation's leading privacy and consumer groups.

Read the comments | Read the One Way Mirror Society Report | See the Consumer Privacy Principles for Digital Signage

 

 

01/30/2012 Consumer financial protection

WPF asks CFPB to keep data open

WPF filed comments with the Consumer Financial Protection Bureau today asking it to make its consumer complaints database available for research. Our comments are here.

 

 

01/23/2012 GPS tracking | United States v. Jones

US Supreme Court delivers opinion about GPS tracking

The US Supreme Court unanimously ruled that police must get a warrant before using GPS devices to track criminal suspects. This case was narrow and dealt specifically with a GPS device physically attached to a suspect's vehicle. The concurring opinion of Justice Sotomayor points out that the subtler issues of digital era tracking were not dealt with in this case, for example, cell phone tracking, web site tracking, etc. She wrote: "More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976)." She continued: "This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks."

Read the opinion, United States v. Jones

 

 

01/18/2012 SOPA | PIPA

WPF opposes censorship bills; supports right to create and use anonymization tools to protect privacy

The World Privacy Forum is deeply concerned about the profound, far-reaching privacy consequences of two bills, SOPA and PIPA. The bills have many negative aspects. In terms of the privacy impacts, one of the serious consequences is that the right to create and use anonymization software tools would be essentially criminalized. The very privacy tools that allowed the Arab Spring to flourish through anonymized activist activity would be in legal jeopardy. This is a highly negative outcome, and is negative enough that WPF strongly opposes these two bills. We are encouraging individuals to use the well-developed EFF SOPA/PIPA action center to learn more and to make a stand. The US Department of State has been involved in an Internet freedom initiative that encourages the use of Internet tools to encourage freedom and democracy (21st Century Statecraft paper). Many of the ideas were encapsulated in a speech on the topic in 2010 by Secretary of State Clinton. She wrote:

"In the last year, we’ve seen a spike in threats to the free flow of information. China, Tunisia, and Uzbekistan have stepped up their censorship of the internet. In Vietnam, access to popular social networking sites has suddenly disappeared. And last Friday in Egypt, 30 bloggers and activists were detained. One member of this group, Bassem Samir, who is thankfully no longer in prison, is with us today. So while it is clear that the spread of these technologies is transforming our world, it is still unclear how that transformation will affect the human rights and the human welfare of the world’s population.


On their own, new technologies do not take sides in the struggle for freedom and progress, but the United States does. We stand for a single internet where all of humanity has equal access to knowledge and ideas. And we recognize that the world’s information infrastructure will become what we and others make of it. Now, this challenge may be new, but our responsibility to help ensure the free exchange of ideas goes back to the birth of our republic. The words of the First Amendment to our Constitution are carved in 50 tons of Tennessee marble on the front of this building. And every generation of Americans has worked to protect the values etched in that stone.


Franklin Roosevelt built on these ideas when he delivered his Four Freedoms speech in 1941. Now, at the time, Americans faced a cavalcade of crises and a crisis of confidence. But the vision of a world in which all people enjoyed freedom of expression, freedom of worship, freedom from want, and freedom from fear transcended the troubles of his day. And years later, one of my heroes, Eleanor Roosevelt, worked to have these principles adopted as a cornerstone of the Universal Declaration of Human Rights. They have provided a lodestar to every succeeding generation, guiding us, galvanizing us, and enabling us to move forward in the face of uncertainty.

So as technology hurtles forward, we must think back to that legacy. We need to synchronize our technological progress with our principles. In accepting the Nobel Prize, President Obama spoke about the need to build a world in which peace rests on the inherent rights and dignities of every individual. And in my speech on human rights at Georgetown a few days later, I talked about how we must find ways to make human rights a reality. Today, we find an urgent need to protect these freedoms on the digital frontiers of the 21st century." (Remarks on Internet Freedom, Secretary of State Hillary Rodham Clinton, Jan. 21, 2010.)

We couldn't agree more. It is essential that individuals have the freedom to create and use privacy-enhancing software without that activity being criminalized.

 

EFF information about SOPA | Full Text of Secretary Clinton's speech on Internet Freedom

 

12/30/2011 Facebook

WPF urges more consumer protection and redress in the Facebook FTC settlement

In response to the FTC's proposed settlement with Facebook over the company's multiple privacy violations, the World Privacy Forum has asked the FTC to make key changes. "We applaud the FTC for its work on the Facebook case," said executive director Pam Dixon. "We support many parts of the settlement. However, we urge the FTC to provide full redress for affected consumers by rolling back the privacy controls to the 2009 defaults, and we also urge the FTC to follow the 2004 Gateway Learning, Corp. precedent and require Facebook to disgorge profits they made from violating their privacy policy retroactively." The comment period is open to the public until December 30.

Read the WPF comments on the Facebook settlement | FTC Facebook settlement page | Read all comments on the Facebook settlement (comments due Dec. 30, 2011.)

 

 

12/08/2011 Facial Recognition

WPF testifies at FTC facial recognition hearing

Pam Dixon of WPF testified at the FTC's Facial Recognition workshop, speaking on a panel about the policy implications of facial recognition technology. The World Privacy Forum's report on Digital Signage was mentioned several times at the hearing, as were the collaborative consumer protection principles the WPF led. In her comments, which are available in the FTC's transcript of the hearing panel, Dixon noted that opting out of facial recognition technologies by simply walking away from them was not a solution. "The walkout opt out is just not credible in an environment of ubiquitous collection. How much are consumers going to be asked to walk out of?"

FTC facial recognition workshop | WPF report: One Way Mirror Society | Consumer Privacy Principles for facial recognition technology

 

 

10/27/2011 Common Rule | Health Privacy

WPF urges HHS to do more to protect the privacy of medical research subjects

The World Privacy Forum filed extensive comments with the US Department of Health and Human Services about its proposed changes regarding the rules governing human subject medical research. In the comments, WPF noted that the HHS approach to privacy for research subjects was incomplete and did not use all Fair Information Practices. WPF strongly urged HHS to revise its proposal on a number of issues, including consent and the use of biospecimens in research. The World Privacy Forum is urging HHS to acknowledge that the realm of health data that is truly non-identifiable has shrunk remarkably; for example, biospecimens with DNA cannot be considered non-identifiable anymore. "In our comments, we are requesting that HHS give individuals the opportunity to make choices about the use of their own health data and specimens," said executive director Pam Dixon. WPF also stated in its comments that "A central database with identifiable information about participants in human subjects research is a terrible idea." (See p. 21 of WPF comments.)

Read the WPF comments on the Common Rule proposal (PDF, 22 pages)

 

 

10/14/2011 New Report

Many Failures: New WPF report on history of privacy self-regulation

The World Privacy Forum has published a report on past self-regulatory efforts in the area of privacy, Many Failures: A brief history of privacy self-regulation. "Privacy self-regulation has been a Potemkin Village of consumer protection," says executive director Pam Dixon. "History shows a pattern of past self-regulatory efforts that have been erected quickly and have faded after regulatory threats fade." The report is authored by Robert Gellman and Pam Dixon. It includes details about programs such as the IRSG, the Privacy Leadership Initiative, the Privacy Alliance, and other programs. A key finding of this report is that the majority of the industry self-regulatory programs that were initiated failed in one or more substantive ways, and many disappeared entirely.

Read the Report (PDF)

 

 

10/13/2011 Internet privacy

World Privacy Forum to testify before Congress

The World Privacy Forum's executive director Pam Dixon will testify about online consumer privacy before the House Committee on Energy and Commerce today. Written testimony is posted at the Committee web site, and here.

 

 

09/14/2011 Internet privacy

TACD letter to Congress on European privacy

The Trans Atlantic Consumer Dialogue (TACD), which WPF is a member of, has sent a letter regarding Internet privacy to a Congressional subcommittee explaining that European privacy controls are not burdensome, but rather of key importance. The TACD is a forum of more than 80 US and European consumer groups and represents several hundred million consumers in North America and the United States.

Read the TACD letter

 

 

08/04/2011 Medical ID Theft

New medical identity theft map

The World Privacy Forum has released a new map that reveals the geography of medical identity theft. This is the first map of its kind, and is based on the Federal Trade Commission Consumer Sentinel data. The map is interactive, and gives details on the cities where medical identity theft occurred over the course of a year. The World Privacy Forum published the first report on medical identity theft in 2006, coining the term in the report and bringing the crime to public attention. WPF continues to actively research this important privacy issue.

Interactive map | Medical ID theft page

 

 

08/01/2011 Medical Privacy | HIPAA

WPF files substantive comments on HIPAA

The World Privacy Forum today filed its comments on the proposed changes to the HIPAA privacy rule, supporting some proposed changes and suggesting additional changes to enhance patient choice. In particular, the WPF supports the new patient right to an access report that has been added (p. 4), and has requested that Health Information Exchanges also be required to provide accountings of disclosures to patients (p. 18). The WPF generally argued that HHS needs to look forward and allow changes in information technology to fully benefit patients by providing the facility for more accounting rather than less (pp. 2-3). If the HIPAA rule gives patients a greater ability to monitor how their information is used and disclosed, patients will pay attention and requests for accounting of disclosures will become more common.

Read the WPF comments

 

 

07/15/2011 Online privacy

Digiday Panel Talk

Executive director Pam Dixon will be speaking about online privacy and consumers at the Digiday Data Management Summit on Monday, July 18.

Panel Information

 

 

07/15/2011 HIPAA

HIPAA Countdown

The US Department of Health and Human Services has opened sections of the HIPAA rule for comments. All members of the public may comment on the proposed changes to the rule. Comments are due by August 1. For more information, see the HHS web site.

Related: Patient's Guide to HIPAA

 

 

07/12/2011 Facebook Photo Identification

Consumer Tip: Opt Out of Automatic Facebook Facial Recognition

If you have a Facebook account and if you have ever been tagged in a photo of yourself on Facebook, we want to alert you to an important Facebook setting. Unless you have proactively changed your privacy settings, Facebook will use facial recognition tools to compare photos and make tag suggestions. When new photos that look like you have been uploaded, Facebook will suggest tags with your name. To opt out of this, in Facebook go to Account, then choose Privacy Settings from the drop down menu. Click the Customize Settings link, and then scroll down and look for the Suggest Photos of Me to Friends line. To opt out, click Edit Settings, then choose Disable on the drop down menu. Also see the Facebook Photo Tagging help page.

 

 

06/27/2011 Medical ID theft

Medical ID theft rising

The World Privacy Forum is quoted in a Marketplace story regarding our most recent medical identity theft research. WPF wrote the first major research on medical ID theft and coined the term. Our consumer resources for detecting, preventing, and resolving the crime are located here.

Listen to the Marketplace story | Visit the WPF medical ID theft page

 

 

 

06/08/2011 Department of Commerce | Cybersecurity

US Department of Commerce requests comments on its new cybersecurity report

The US Department of Commerce released a green paper on cybersecurity with recommendations for improving cybersecurity via self regulation, or voluntary codes of conduct. The report, Cybersecurity, Innovation, and the Internet Economy, also contains a discussion of some privacy issues, such as the impact of data breach notification laws. Comments are due in 45 days.

Read the DOC report | Related: WPF report on Department of Commerce's privacy programs

 

 

05/31/2011 Data breach

World Privacy Forum requests more information about Ceridian data breach and the FTC complaint process

The World Privacy Forum filed comments with the Federal Trade Commission regarding its consent decree against Ceridian regarding a substantial data breach. WPF has requested that the Commission present more facts in the case to the public, and has also requested more clarity about the FTC complaint process, noting that it is not a transparent process for the public.

Read the WPF Ceridian comments

 

 

05/23/2011 FERPA, Educational privacy

World Privacy Forum files comments on deeply flawed FERPA proposal

The WPF filed detailed comments on the U.S. Department of Education's notice of proposed changes to the Family Educational Rights and Privacy Act. WPF has concerns that the increased sharing of student information that the proposed rule will allow will diminish student privacy in a significant and permanent way. WPF is urging the DOE to amend its proposed rule to establish increased privacy protections for sensitive student information held in databases and elsewhere.

Read the WPF comments on FERPA

 

 

05/17/2011 California privacy

California budget plan nixes state's privacy office

The just-published California budget nixes the California Office of Privacy Protection, the first state-level privacy office in the United States and the source of crucial privacy assistance and information for Californians and California businesses. The World Privacy Forum is urging the Governor to reinstate funding for this critical office for Californians. See the proposed budget, page 114 for the cuts. WPF will be publishing more about how to save California's privacy office.

CA proposed budget (See page 114.)

 

 

05/10/2011 Smartphone privacy update

Apple iPhone and iPad software update available

We have revised our iPhone and iPad privacy tipsheet to reflect Apple's new software update for the iOS4 devices. We encourage all iOS4 device owners to update their software. Some device owners may also want to opt out of location sharing. Read our tipsheet for more details.

 

 

04/28/2011 Smartphone privacy update

Updated consumer tipsheet

We have updated our tipsheet to reflect the new information that has been published regarding the Apple smart phone geolocation issue. Apple plans to make changes to its software to improve the privacy problems the tipsheet discusses.

Read the updated tipsheet

 

04/21/2011 Apple iPhone and iPad privacy

New WPF Consumer tipsheet for Apple iPhone and iPad users

Some of Apple's products, including iOS 4 iPhones and iPads, have been tracking consumers' detailed location information and storing the data directly on the devices. This raises privacy concerns, as the data on the phones and iPads is unencrypted and may be accessed directly. This tipsheet explains iPhone and iPad iOS4 geolocation privacy issues, including who needs to be most concerned about them, and what to do. Health care providers, overseas human rights workers, members of law enforcement and victims of domestic violence are among those who have special considerations and sensitivities to this privacy issue.

Read the WPF Apple iPhone and iPad consumer tipsheet

 

 

04/18/2011 Pharma privacy

Registrants at GSK product web sites receive breach letter

Pharmaceutical manufacturer GSK, maker of drugs Paxil, Boniva, Advair, and many others, sent a letter to consumers who had registered on one or more of its product websites. Due to the Epsilon data breach, registrants' names, email, and the product they registered for were breached. Information people give to a company via a pharmaceutical product web site such as this is not usually covered under HIPAA. See our Patient's Guide to HIPAA for more on what is covered under HIPAA and what is not. WPF recommends that consumers use a "throwaway" or temporary email address if deciding to register at a pharmaceutical product web site.

Patient's Guide to HIPAA: Who Must Comply with HIPAA? | GSK Breach letter via PHI Privacy.

 

 

04/16/2011 FERPA

Major changes weakening FERPA proposed

The Family Educational Rights and Privacy Act of 1974, FERPA, has been amended substantially. The proposed amendments have been published and are open for comment until May 23, 2011. The current changes impact students' medical, educational, and informational privacy interests. WPF will be filing detailed comments on FERPA, including how the proposal interacts with California privacy laws. We will be posting additional materials on commenting soon.

FERPA notice of proposed rulemaking

 

 

04/07/2011 Medical privacy, California HIE

WPF Files Joint Comments on California Health Information Exchanges

California has proposed regulations for health information exchange projects in the state. WPF has submitted comments encouraging more privacy protections, and we are joined in our comments by Privacy Activism and the Center for Digital Democracy. One key request in the comments is that California not allow patient consent to be waived in HIE projects. We are also requesting that California create a unified web listing of its HIE projects for increased transparency and to facilitate patient access to HIE information and policies.

Read WPF's comments | Related: Proposed CA regulations

 

 

03/25/2011 Online data broker

WPF complaint to FTC results in online data broker settlement

In April 2009, the World Privacy Forum sent the FTC a complaint regarding a lack of online opt-outs for consumers at some online data broker web sites. Our complaint focused on the difficulties online consumers would have opting out of certain web sites. In our complaint, we noted that online consumers were having difficulties with the opt outs. Today the FTC issued a final decision in this matter, and specifically improved online opt outs for consumers at US Search.

Read the WPF data broker complaint | Read the FTC announcement and decision

(Full docket here.) | Permalink

 

 

03/24/2011 California HIE

Proposed California regulations for electronic health information exchanges

The California Office of Health Information Integrity has proposed regulations for electronic health information exchange projects based in the state. The regulations are based on several years of policy work done by the CalPSAB, a multi-stakeholder board the WPF has participated in as a co-chair. Comments on the proposed regulations are due April 1. See the CalOHII notice for more information.

 

 

03/19/2011 Commerce

WPF urges fair privacy stakeholder process

The US Department of Commerce has announced that it is supporting privacy legislation and a "stakeholder process" to determine self regulatory rules for Internet privacy. WPF wrote about what a fair stakeholder process needs to include in our comments to the US Department of Commerce. We urge that at a minimum, the stakeholder process will include these items:

 

1) Consumer and business representation be equal in any multi-stakeholder process.
2) Approval of consumer representatives must be a necessary element in any formal decisions, just as the approval of business will be necessary.
3) Consumers must select their own representatives through a process yet to be determined, and consumer representatives may not be designated or limited by business or government.
4) Consumer organizations that require financial assistance to participate in the multi-stakeholder process should receive support for travel and other expenses (but not for staff support).
5) Government agencies may participate in the process, but no agency may have a vote.
6) Participants in the process must choose their own rules and presiding officer.
7) Certifiers of accountability with codes of conduct should be not-for-profit organizations that are wholly independent of business, consumers, and government.

 

For more, read our full comments to Commerce

 

 

02/25/2011 EASA

WPF on EASA: Self-Regulation on Online Behavioral Advertising No Longer Credible

The World Privacy Forum submitted comments today on the European Advertising Standards Alliance's Best Practice Recommendation on Online Behavioural Advertising. Our comments focus upon three key areas: First, the EASA recommendation fails to recognize the protection of consumer privacy in Online Behavioral Advertising (OBA) as a key policy goal. Second, the recommendation's protections are narrow, creating illusory protections for user privacy, whether or not they opt out of OBA. Finally, we critique the oversight and compliance mechanisms, which are not likely to foster consumer confidence nor police the industry. Drawing upon the WPF's 2007 report, The NAI: Failing at Consumer Protection and at Self-Regulation, the comments argue that EASA's approach suffers from the same weaknesses as self-regulatory approaches deployed in the United States, and that European lawmakers should not replicate the failed American approach. Law students from the Samuelson Law, Technology & Public Policy Clinic helped draft the comments as part of an ongoing project on consumer privacy and OBA.

Read the WPF comments to EASA (PDF, 13 pages) | Related: WPF 2007 NAI report | Related: EASA's Best Practices Recommendations | Permalink

 

 

02/18/2011 FTC

WPF responds to FTC's Report on Privacy

The World Privacy Forum filed comments with the FTC in response to its preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. In our comments, we urge the FTC to take affirmative steps to protect consumer privacy online and offline. Our comments include a brief history of privacy self regulation, and point out how privacy self regulation has consistently failed. The comments also discuss Do Not Track, and urge the FTC to take a broader look at tracking protections for consumers. WPF also specifically requested that the FTC identify credit reporting bureaus subject to Fair Credit Reporting Act regulations and assist consumers in locating those bureaus.

Read the WPF comments to the FTC. (PDF, 18 pages) | Related: FTC Roundtable series | Related: FTC staff report

 

 

02/01/2011 WPF Facebook page

WPF launches Facebook page

The World Privacy Forum has begun posting materials to its new Facebook page. "Millions of users are looking for information on Facebook. Our goal is to reach consumers with high-quality privacy materials and information, so it makes sense for us to reach out to people through this medium," said executive director Pam Dixon. The World Privacy Forum Facebook page is located here: http://www.facebook.com/pages/World-Privacy-Forum/166886663345222?ref=sgm.

 

 

01/28/2011 Department of Commerce

WPF asks US Department of Commerce to make stakeholder process fair

The World Privacy Forum filed comments on the US Department of Commerce Green Paper today and urged the department to adopt a fair stakeholder input process that included consumers in a robust and meaningful way. WPF outlined seven specific steps for the department to take to ensure a fair process. The comments are available here.

Read the WPF comments (PDF, 6 pages) | Related: See the Nov. 2010 WPF report on the US-EU Safe Harbor program.

 

 

12/10/2010 Medical privacy

WPF comments about Personal Health Records and online advertising

The World Privacy Forum filed comments today about how medical records and other health information are intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.

Read the full comments | Related: PHR privacy page | Related: Patient's Guide to HIPAA

 

 

12/01/2010 FTC Privacy Report

FTC Issues long-awaited privacy report

The Federal Trade Commission has published its report on online privacy. The World Privacy Forum will be issuing comments on the report at 2:30 pm Eastern today in a press briefing. Check our Twitter feed for updates. Twitter: @privacyforum

Read the FTC report

 

 

11/22/2010 New Report

New Report on US Department of Commerce's Privacy Track Record

The World Privacy Forum published a new report today that evaluates the US Department of Commerce's work on privacy protection for consumers, given its role overseeing such critical programs as the US/EU Safe Harbor data agreement. The report, The US Department of Commerce and International Privacy Activities: Indifference and Neglect, identifies a number of issues of concern regarding the Department's privacy programs, most particularly, the current Safe Harbor framework. The report's analysis finds that three separate studies consistently show that many and perhaps most Safe Harbor participants are not in compliance with their obligations under Safe Harbor.

Download the report (PDF, 22 pages) | Permalink

 

 

 

11/18/2010 LifeLock

FTC starts sending out checks to LifeLock victims

The Federal Trade Commission began sending checks to almost a million consumers who were subscribers to the LifeLock ID theft protection service. LifeLock agreed to pay fines of $11 million to the FTC and $1 million to a group of state attorneys general to settle charges that had been made against the company. Consumers with questions about this distribution may call 888-288-0783 or see the FTC's web page on this, http://www.ftc.gov/refunds.

Read the FTC's full press release | Visit the FTC's LifeLock Refund Page

 

 

11/09/2010 Opt out, online privacy

Top Ten Opt Out List updated; now includes RapLeaf opt out

The popular WPF Top Ten Opt Out List has been newly updated. We have added a new section to our list with step by step details on how to opt out of RapLeaf. We encourage consumers to view any of their profiles that exist at RapLeaf and to opt out of RapLeaf permanently. We have also updated the phone numbers and other information on the rest of our opt out list. To see more, visit our Opt Out List.

See the Top Ten Opt Out List | Related: Internet privacy landing page

 

 

10/28/2010 ID theft, legal info

New ID Theft guide for those assisting victims

The FTC has published a new ID Theft guide. The new guide is designed to help attorneys and volunteers who assist ID theft victims. The guide covers laws that protect victims, and pro bono legal information. A must-read for those helping victims.

New FTC ID Theft Guide - pro-bono

 

 

10/27/2010 FTC, Google WiFi

Federal Trade Commission drops Google WiFi case; but tells Google that its internal review processes are inadequate

The FTC sent a letter to Google today expressing concern about the company's privacy practices, but at the same time, the FTC informed Google that it was dropping its investigation of the Street View WiFi case. The FTC wrote: "FTC staff has concerns about the internal policies and procedures that gave rise to this data collection. ... the company did not discover that it had been collecting payload data until it responded to a request for information from a data protection authority." The FTC told Google it should develop and implement procedures to properly collect, dispose of, and maintain information.

Read the full FTC letter to Google

 

 

10/26/2010 Resource, case file, Amazon.com v Lay

Good privacy decision in Amazon customer information fight

Amazon.com filed a lawsuit in April to fight the North Carolina Department of Revenue's request for detailed information on Amazon.com customers. The North Carolina tax department requested Amazon.com to hand over "all information for all sales to customers with a North Carolina shipping address" between 2003 and 2010. In the decision, Seattle, Washington U.S. District Court Judge Marsha J. Pechman wrote, "Citizens are entitled to receive information and ideas through books, films, and other expressive materials anonymously." She also stated that "The fear of government tracking and censoring one's reading, listening, and viewing choices chills the exercise of First Amendment rights." This is an important decision for privacy rights, and online privacy in particular.

Read the decision (PDF, 26 pages)

 

 

09/13/2010 HIPAA, medical privacy

World Privacy Forum files two sets of regulatory comments on HIPAA

The World Privacy Forum filed two sets of detailed regulatory comments on recently proposed changes to HIPAA. The first comments focused on proposed changes to HIPAA in the area of marketing patient information. The proposed changes would be harmful to patient privacy, and are contrary to the law. WPF was joined in the marketing comments by the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times. The second set of comments WPF filed included the comments on marketing as well as on additional provisions that would be problematic if enacted.

Read the joint marketing comments on HIPAA (8 pages)
Read the long comments on HIPAA (15 pages)

 

 

8/02/2010 Financial privacy, SEC

WPF files comments on deeply flawed SEC plan

The World Privacy Forum filed comments today criticizing the SEC proposed regulations that would release an unprecedented amount of financial details about individual borrowers through the EDGAR database. The WPF was joined by other privacy, consumer, and human rights organizations in its comments, which focused on the privacy issues with the proposed regulations. Pam Dixon, executive director of the WPF, stated in the comments that the SEC's new regulations would "Place on the public record and online the largest amount of personal financial information about borrowers ever disclosed, including information never before made public." The comments also note that the SEC's plan greatly increases the risk of identity theft for individual borrowers whose information will be released publicly.

Read the SEC comments

 

 

07/21/2010

State AGs press Google on Wi-Fi debacle

A press release issued by Connecticut's AG Richard Blumenthal revealed that 38 states have joined a multistate investigation of Google's Street View Wi-Fi sniffing program. Blumenthal stated in the release: “We are asking Google to identify specific individuals responsible for the snooping code and how Google was unaware that this code allowed the Street View cars to collect data broadcast over WiFi networks. Information we are awaiting includes how the spy software was included in Google’s Street View network and specific locations where unauthorized data collection occurred. We will take all appropriate steps -- including potential legal action if warranted -- to obtain complete, comprehensive answers.”

See the complete press release

 

 

06/15-16/2010

WPF at Computers, Freedom, Privacy Conference

WPF will be speaking at the CFP conference on two panels. On June 15, Pam Dixon will participate in a plenary session on data brokers. On June 16, Dixon will moderate a health care privacy panel. This panel will focus on electronic health care in the state of California and the current privacy issues in electronic health exchange.

CFP conference web site

 

 

06/09/2010

WPF votes on key California medical privacy guidelines

The World Privacy Forum, as co-chair of the California Privacy and Security Advisory Board, was pleased to vote on an opt-in privacy standard for Californians in the June CalPSAB board meeting. The standard will be part of a set of guidelines the state of California uses in its development of electronic health care records. This set of guidelines was the culmination of two years of policy work with the CalPSAB board.

See the complete guidelines | Related: Patient's Guide to HIPAA

 

 

5/18/2010 Medical privacy

WPF comments on possible changes to HIPAA privacy rule; requests more patient access to audit logs

The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients' current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that "An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential."

Read the full WPF comments | Related: Patient's Guide to HIPAA

 

 

2/25/2010 New privacy principles

Nation's leading privacy and consumer groups release privacy principles for digital signage

The nation's leading consumer and privacy groups released a set of baseline consumer privacy principles to be included in digital signage networks. The principles were released at the Digital Signage Expo in Las Vegas, Nevada, where World Privacy Forum executive director Pam Dixon spoke about the principles to a large group of digital signage industry professionals.

Download the DS principles document with signatories

 

 

1/27/2010 FTC Privacy Roundtable

World Privacy Forum to speak at FTC Privacy Roundtable

Thursday, January 28, WPF Executive Director Pam Dixon will be speaking at the FTC's Privacy Roundtable about the privacy implications of digital signage networks and will be specifically discussing the new report: The One-Way Mirror Society: Privacy Implications of the New Digital Signage Networks. Few consumers, legislators, regulators, or policy makers are aware of the capabilities of digital signs or of the extent of their use. The technology presents new problems and highlights old conflicts about privacy, public spaces, and the need for a meaningful debate.

More about the FTC event | Read the Report

 

 

1/04/2010 Genetic discrimination

World Privacy Forum files comments with Department of Labor regarding genetic regulations

The World Privacy Forum filed comments today with the Department of Labor requesting that the DOL expand its protections of how genetic information may be used by health insurance companies or group health plans. The World Privacy Forum urged the DOL to include genetic information posted on social networking sites in its consideration of the GINA regulations.

See the WPF comments to the DOL | More on genetic privacy at the WPF

 

 

12/07/2009 FTC Privacy Roundtable

FTC Privacy Roundtable: WPF to testify on information brokers

WPF executive director Pam Dixon will testify at the FTC Privacy Roundtable about information brokers and commercial data practices and how they impact consumers. Dixon will be discussing the business models of data brokers, issues with smart grids, and opt-out problems, among other issues.

See the WPF written comments to the FTC | Related: WPF FTC petition re: data broker opt-outs | Related: Smart Grids and Privacy

 

 

12/04/2009 Genetic non-discrimination regulations (GINA)

World Privacy Forum comments on genetic non-discrimination to HHS

The World Privacy Forum filed comments on proposed regulations for implementing Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested a change to the proposed regulations, asking that the Department of Health and Human Services require immediate posting of revised notices of privacy practices on the web sites of affected health plans. Under the proposed regulations, written notice of revised privacy practices to individuals could be delayed due to the cost of postal mailing. The WPF noted that a revised privacy notice posted on a health plan's web site would not incur postal costs, and that regulated entities should take this minimum step to inform consumers of any changes regarding privacy practices affecting genetic non-discrimination.

See the WPF comments on Title I of GINA | Related: WPF Genetic privacy page

 

 

 

11/19/2009 Congressional testimony

World Privacy Forum testifies before the House Energy and Commerce Committee

WPF executive director Pam Dixon testified at a joint subcommittee hearing focused on privacy and the collection and use of online and offline consumer information. Dixon's testimony focused on the new "modern permanent record" and how it is used and created. Dixon said "The merging of offline and online data is creating highly personalized, granular profiles of consumers that affect consumers’ opportunities in the marketplace and in their lives. Consumers are largely unaware of these profiles and their consequences, and they have insufficient legal rights to change things even if they did know." The testimony explored concrete examples of problematic consumer profiling activities.

Read the full testimony (PDF)

 

 

11/11/2009 FTC "Exploring Privacy" Roundtable Series

WPF to speak at FTC Exploring Privacy Roundtable

The World Privacy Forum has been invited to speak at the Federal Trade Commission's first Privacy Roundtable, to be held December 7, 2009 in Washington DC.

More on the FTC Exploring Privacy Roundtables | See the WPF comments to the FTC for the Roundtable (First filing).

 

 

11/06/2009 FTC Privacy Roundtable

WPF files comments for FTC Roundtables on privacy standards, consumer expectations of privacy

The World Privacy Forum filed comments last week for the FTC Privacy Roundtables, the first of which will be held December 7, 2009. The WPF comments urged the FTC to consider the Fair Credit Reporting Act as a key privacy model to apply to additional areas, to use the full version of Fair Information Practices, and discussed how a rights-based framework was the key to advancing consumers' interests. The comments discussed list brokers at length, and explained how even the most informationally cautious consumer will land on numerous marketing lists and databases. The WPF comments noted that not all marketing lists are used to target ads to consumers; some lists and databases are used to deny consumers goods and services. The comments contain a detailed section on privacy frameworks, a section on direct marketing, and an appendix with supporting information.

See WPF's FTC comments | Related: WPF Intro to Fair Information Practices page

 

 

11/03/2009 Madrid Declaration

Madrid Declaration published; global privacy standards for a global world; WPF is signatory

A significant civil society document with more than 100 signatories worldwide has been published in conjunction with the 31st annual meeting of the International Conference of Privacy and Data Protection Commissioners. The document, known as the Madrid Declaration, affirms support for the complete canon of fair information practices as expressed by the OECD, affirms support of privacy as a fundamental human right, and warns that "the failure to safeguard privacy jeopardizes associated freedoms, including freedom of expression, freedom of assembly, freedom of access to information, non-discrimination, and ultimately the stability of constitutional democracies."

See the Madrid Declaration | Related: WPF Intro to Fair Information Practices page

 

 

11/02/2009 Red Flag Rule

Red Flag Rule enforcement delayed until 2010

The Federal Trade Commission has delayed the enforcement date of the Red Flag Rule until June 1, 2010.

FTC announcement of Red Flag delay

 

 

10/26/2009 Data Breach | HHS HITECH Breach Notification

Medical data breach rule needs more work; World Privacy Forum files comments with HHS requesting changes

The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.

Read the WPF comments on HITECH Breach Notification | Related: Medical ID theft page

 

 

10/22/2009 Security freeze | Financial privacy | identity theft

WPF Credit Freeze information page updated

The World Privacy Forum has updated its credit freeze (security freeze) page to reflect changes in some state-level laws.

See the updated security freeze page

 

 

09/28/2009 Red Flag | Identity theft

WPF updates Red Flag report

The World Privacy Forum has updated its Red Flag report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers. The update reflects the new effective date of the Red Flag Rule (November 1, 2009) and incorporates other minor updates in the text. This report replaces the original Red Flag report published September 2008.

Read the updated Red Flag report | Related: Medical ID Theft Page

 

 

08/24/2009 Financial privacy | Privacy Act

WPF asks Treasury to get consumers' consent before checking their credit reports

The World Privacy Forum filed comments today urging the U.S. Treasury Department to obtain consumers' consent before checking their credit reports. Consumers who participate in the government's Home Affordable Modification Program (HAMP) -- an Obama administration program created to help consumers renegotiate their mortgages so they can keep their homes -- must allow the Federal Government to check their credit reports without first obtaining consent. This procedure sets a negative precedent, and is at odds with consumer expectations of privacy. The Treasury gave itself this power in an obscure set of "Routine Uses" in a Privacy Act notice published along with the proposed system of records for the program. The World Privacy Forum has objected to this, and has filed detailed comments with the Treasury about the lack of consumer consent. The public comment period on this program is open until September 4, 2009.

Read the WPF comments to the Treasury | Read the Treasury System of Records Notice | See other WPF Agency comments at our Agency Comment Page

 

 

08/19/2009 Health IT

Health IT standards meeting

The Health IT Standards Committee will be meeting tomorrow, August 20, from 9 a.m. to 3 p.m. in Washington DC. Those interested in this meeting can participate in person, or via the phone and web. The privacy and security workgroup will report at 1:30 pm Eastern. Location and call-in information is available at the HHS web site.

Get more information and details about the meeting (HHS) | WPF Medical Privacy page

 

 

08/17/2009 Data breach rules

FTC issues final rule on health data breaches

The Federal Trade Commission has issued its final Health Breach Notification Rule for vendors of Personal Health Records and related entities, as required under ARRA, The American Recovery and Reinvestment Act of 2009. The initial proposed Health Breach Notification Rule was generally thoughtful and thorough. The World Privacy Forum submitted extensive comments on the proposed rule both supporting parts of it and making some suggestions for changes. The FTC incorporated several specific WPF suggestions into the final rule. In particular, the FTC incorporated the applicability of the rule to foreign entities with U.S. customers (Final Rule p. 17), and the applicability of the rule to search engines appearing on Personal Health Record web sites (Final Rule p. 34). The new rule will be published in the Federal Register shortly; until then, it is available at the FTC web site. Also available is a form that entities covered under this rule can use to report data breaches to the FTC. The Health Breach Notification Rule will be effective 30 days after publication in the Federal Register, and full compliance with the rule will be required beginning 180 days after publication.

See the FTC's final Health Breach Notification Rule (PDF) | See the FTC data breach notice form (PDF) | Related: WPF Personal Health Record page

 

 

08/10/2009 Web tracking

World Privacy Forum files comments on government use of web tracking technologies

The World Privacy Forum filed comments with the Office of Management and Budget regarding its proposal to begin to allow the use of tracking cookies on government web sites. The proposal was published in the Federal Register, and outlined a three-tiered plan for how web tracking technologies might be used. The Forum's comments focused on methods of opt-out, data retention, secondary use, user authentication, new tracking technologies such as Flash cookies, and the need for new opt-out mechanisms. The Forum also urged the federal government to not allow third party tracking of consumers' use of government web sites, and to guard against any discrimination against consumers who do not want to be tracked.

WPF comments about web tracking on government sites | Federal Register notice about the program | Related: WPF Internet privacy landing page

 

 

07/17/2009 Cloud computing

World Privacy Forum sends letter to Los Angeles Mayor regarding proposed cloud computing contract

The World Privacy Forum sent a letter to Los Angeles Mayor Villaraigosa today expressing concerns and questions about a proposed contract to move the city of Los Angeles' email and some other computing tasks to a cloud-based system. The Forum expressed concerns in particular about the lack of contractual protection for health data, AIDS data, genetic information, domestic violence and sexual assault victim information, among other sensitive information. The Forum suggested the city undertake an independent and thorough risk assessment prior to completing the contract, and suggested a robust public comment process that includes all stakeholders. The City will take up the issue of this contract at a city council Information Technology Committee meeting on Tuesday July 21. The World Privacy Forum published a detailed analysis of the privacy issues of cloud computing in February which outlines the challenges and ambiguities that governments and others face as they make decisions about what data to put in the cloud.

WPF letter to Mayor Villaraigosa | WPF Cloud Computing Page | WPF report: Privacy in the Clouds

 

 

07/14/2009 Social networks

Facebook, MySpace, Xing receive warning letters from EU consumer group

In the wake of Europe's Article 29 Working Party Opinion on Social Network Providers adopted in June, the Federation of German Consumer Organizations (VZBV) has sent out warning letters to five social networking providers in Germany, including Facebook and MySpace. The letters focus on the excessive rights the companies allow themselves in their respective Terms of Use agreements, and on shortcomings in the privacy policies. VZBV is comprised of 41 German consumer associations.

VZBV press release (in German) | Related: Article 29 Working Party Opinion on Social Network Providers

 

 

07/13/2009 Behavioral advertising

IAB releases flawed guidelines for controlling behavioral advertising practices

The Interactive Advertising Bureau has released its self-regulatory guidelines for online advertisers. The guidelines are inadequate to protect consumers, and in some cases, create loopholes for significant consumer harm. In the area of sensitive information, the guidelines are especially weak. The IAB definition of sensitive information is much weaker than the definition of sensitive information already adopted by industry in the formal NAI agreement, which is still in effect today. Additionally, the new IAB guidelines rely on weak accountability standards; a World Privacy Forum report analyzed the NAI accountability and reporting, and found that the Network Advertising Initiative (NAI) accountability mechanisms had failed. The IAB accountability mechanisms do not improve on the NAI accountability mechanisms, and as such, are problematic at best.

IAB industry guidelines | Privacy groups' proposal on behavioral advertising | WPF report on the failure of online advertising self-regulation

 

 

06/19/2009 Social Networking

EU: Article 29 Working Party releases Opinion on social networking sites

The Article 29 Working Party has adopted an important Opinion regarding social networking sites as of June 12. The opinion covers privacy, advertising, sensitive information, and other issues relating to online social networking. Regarding sensitive data, the Article 29 Working Party stated: "Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data concerning health or sex life is considered sensitive. Sensitive personal data may only be published on the Internet with the explicit consent from the data subject or if the data subject has made the data manifestly public himself." Regarding use of sensitive data to target advertising, the Article 29 opinion stated: "The Working Party recommends not using sensitive data in behavioral advertising models, unless all legal requirements are met." The opinion also stated that the EU Data Protection Directive generally applies to the processing of personal data by social networking services, even when their headquarters are outside of the EEA, and that social networking service providers are considered data controllers under the Data Protection Directive.

Article 29 WP Opinion on Social Networking sites and press release | TACD press release on opinion | TACD May 2009 Resolution on Social Networks

 

 

06/10/2009 TACD

World Privacy Forum at TACD meeting

The World Privacy Forum participated in the Trans Atlantic Consumer Dialogue meetings in Brussels this June, and is pleased to announce that WPF is now a full member of the TACD. The TACD is a network of 80 EU and U.S. consumer organizations that develop joint consumer policy recommendations for the EU and U.S. in an effort to promote the consumer interest in transatlantic policymaking.

TACD web site

 

 

06/01/2009 Data Breach of Health Records - FTC

World Privacy Forum files comments with the FTC regarding proposed rules for health care-related data breaches

The World Privacy Forum filed extensive comments with the Federal Trade Commission today regarding its notice of proposed rulemaking for data breaches of information containing actual health care information or health care-related information. The FTC rulemaking will apply to a variety of record holders, especially vendors of personal health records. The Forum supported much of the FTC's proposed rulemaking, finding the rulemaking generally thoughtful and careful. In some areas, the Forum urged the FTC to narrow and further define and strengthen the proposed rule. The World Privacy Forum urged the FTC to tighten language around scope, the definition of "personal health record," law enforcement delays of consumer notification, and urged the FTC to further clarify the definition of what falls under the category of "de-identified data." Citing the research of Dr. LaTanya Sweeney and others, the Forum urged the FTC to require commercial companies and others holding health care data that has been partially de-identified to still report those breaches to the FTC and the public, and to monitor for re-identification.

Read the comments | Related: Medical privacy page | PHR Page | Medical ID Theft page

 

 

05/21/2009 Health Record Data Breaches - HHS

World Privacy Forum files comments with HHS regarding data breach guidance

The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for "limited data set" breaches.

Read the comments | Related: Patient's Guide to HIPAA | Medical Privacy Page | NHIN Page

 

 

05/08/2009 Job Search Privacy

Job Searcher's Guide to Job Search Sites

The World Privacy Forum's popular and long-standing Job Searcher's Guide has been completely updated. We have a site-by-site comparison of the privacy practices of online job search sites. This guide was originally posted in 2003, and has been updated regularly. This was a major update of this resource. The World Privacy Forum publishes extensive job search privacy resources in addition to the Guide, including a very popular guide to resume posting privacy.

Visit the Job Searcher's Guide | Related: Visit the job search privacy page or visit the resume posting privacy tips

 

 

05/07/2009 Credit Freeze

Credit Freeze Guide How-To Guide updated

We have updated the World Privacy Forum's state-by-state guide on how to place a credit, or security, freeze. Only a few states are lacking a security or credit freeze law now.

Visit the credit freeze page

 

 

05/01/2009 Genetic Privacy | GINA

World Privacy Forum files comments on proposed genetic discrimination regulations

The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loopholes in consumer protection in the proposed regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way so as to prevent information leakage through billing and other activities.

Read the comments | Related: WPF Genetic Privacy Page

 

 

04/16/2009 Online privacy | FTC

When opting out is hard to do: World Privacy Forum sends letter to FTC about companies offering mail-based opt outs

The World Privacy Forum sent a letter to the Federal Trade Commission asking it to look into four companies offering online consumers the ability to opt out, then asking those consumers to use a variety of postal-mail-based methods to do so.

Read the letter to the FTC | Related: WPF Top Ten Opt Out page

 

 

03/31/2009 New Consumer Resource

Patient's Guide to HIPAA

The Patient's Guide to HIPAA is the first comprehensive guide to medical privacy written expressly for patients with a practical eye as to how to use the law to protect privacy. It is a major privacy resource for patients, written directly and without legalese. The Patient's Guide to HIPAA is easy to navigate and digest; the guide is in the form of Frequently Asked Questions & answers. All of the key points in HIPAA are included, from the 7 basic patient rights to how and when to get copies of health care records. Difficult situations that patients often encounter are included in the guide. The Patient's Guide to HIPAA was written by Robert Gellman, with assistance from Pam Dixon, John Fanning, and Dr. Lewis Lorton.

Go directly to the Patient's Guide to HIPAA

 

03/27/2009 CVS Caremark | FTC proposed consent agreement

World Privacy Forum asks FTC to reconsider proposed consent agreement with CVS

The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in response to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach.

Read the WPF comments | Related: FTC consent agreement with CVS

 

03/27/2009 CHILI - California Health Information Identification data base

California CHILI database now online

A substantial new resource for individuals seeking to research California laws and regulations regarding health information has come online. The CHILI database is a project of the California Office of Health Information Integrity, and has interfaced with the California Privacy and Security Advisory Board, which the World Privacy Forum co-chairs. The CHILI database can be searched by HIPAA section, California Code section, California health information law keywords, or by statutory scheme.

See the CHILI database home page

 

02/23/2009 New Report

Privacy in the Clouds

The World Privacy Forum's newest report examines the privacy and confidentiality issues of cloud computing that have been largely overlooked to date. It is a thorough analysis with policy findings. Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing was written by Robert Gellman for the World Privacy Forum. Cloud computing tips for consumers and business are also available.

Go directly to the report (PDF) | See the report and the consumer tips on the World Privacy Forum Cloud Privacy Page | Read the press release

 

02/18/2009 Medical privacy | HIPAA | FTC

CVS Caremark pharmacy chain agrees to pay $2.25 million to settle charges of HIPAA violations; also settles with the FTC

According to a legal complaint, CVS pharmacies -- the largest pharmacy chain in the United States -- did not take appropriate steps to protect its customers' and employees' sensitive information when it improperly disposed of documents, labels, prescription bottles, and other items with clearly identifiable and highly sensitive personal information such as SSNs, prescription information, driver's license numbers, and other information still on those materials. CVS agreed to pay $2.25 million to settle its violations of HIPAA as part of a Resolution Agreement with the Department of Health and Human Services. CVS has also signed a consent agreement with the FTC; the public can comment on this agreement until March 20, 2009. The World Privacy Forum will be filing comments with the FTC on the consent agreement with CVS, which we will post here.

Read the FTC complaint against CVS | Read the FTC consent agreement with CVS | Read the HHS Resolution Agreement with CVS

 

02/12/2009 Internet privacy

FTC releases its online advertising principles; Commissioner Harbour urges FTC to go beyond self-regulation

The Federal Trade Commission released its self-regulatory principles for behaviorally-targeted advertising today. The World Privacy Forum will be holding a press conference responding to the principles at 12:30 p.m. Eastern.

Read the text of the FTC statements | See the WPF Behavioral Advertising Page for our resources and documents on behavioral advertising

 

02/05/2009 Biometrics

World Privacy Forum opposes California DMV plan

The California DMV (Division of Motor Vehicles) has proposed, through an expedited 30-day process, that it begin taking detailed facial scans of drivers and storing the scans in a state-wide database. This change, among other proposed DMV changes, represents a substantial policy shift for the state of California. The World Privacy Forum has urged that this process go through normal legislative procedures so that there is adequate time for public input and for formal hearings.

Read the backgrounder

 

01/28/2009 International Privacy Day

World Privacy Forum celebrates International Privacy Day

The World Privacy Forum celebrated International Privacy Day by joining other privacy and civil liberties organizations in encouraging the U.S. Senate to adopt the Council of Europe Privacy Convention. The U.S. has already ratified the Council of Europe Convention on Cybercrime. International Privacy Day was founded three years ago by the Council of Europe, and is celebrated by privacy, civil liberties, and consumer groups in Europe, North America and elsewhere.

See the proposed U.S. Senate resolution | Read more about the Council of Europe Privacy Convention | Related: WPF's Fair Information Practices page

 

01/27/2009 Monster.com | Consumer Alert | Job search privacy

Consumer Alert: Monster.com announces another big data breach

According to the job site Monster.com, its users' IDs and passwords, email addresses, names, phone numbers, and some "basic demographic data" were compromised in a data breach. Monster notified victims of the security breach through its web site on Friday, January 23, 2009. It is unclear how many people this notice impacts, as Monster.com did not give an estimate. In press reports, however, Monster has admitted that the breach is global, with Asia Pacific and Eastern Europe being spared. Job seekers' information can be used like a road map for criminal ventures, including identity theft, phishing and spamming. User passwords, which Monster.com says were compromised in this breach, are especially valuable as they can potentially be used to access other sites or email accounts, especially if a person regularly uses the same passwords. The World Privacy Forum has published a consumer alert about this data breach with tips for victims. This data breach also impacts USAjobs.com, the government job search site affiliated with Monster.com.

See the new Consumer Alert with safety tips | See more job search privacy resources

 

 

01/05/2009 School privacy | FERPA

New privacy rules for schools released; World Privacy Forum comments had positive impact for student and parent privacy

In May 2008 the World Privacy Forum submitted detailed comments on proposed changes to the Family Educational Rights and Privacy Act regulations (FERPA). The FERPA regulations are the rules that control how schools treat and release student information. The final FERPA regulations have now been published and reveal that the World Privacy Forum comments had a positive impact. The new regulations agreed with WPF's comment that if a school requests a Federal tax return from a parent, the parent has the right to redact all financial information from the form, and affirmed that the school does not have a requirement to ask for the tax form in the first place. The regulations also agreed with the WPF comment that the risk of re-identification of published student information is cumulative, and made recommendations that educational institutions take into account all releases of student information they have made, not just new releases.

Read the new FERPA regulations (PDF) | See the World Privacy Forum FERPA comments

 
2008

 

12/12/2008 GINA - Genetic Information Nondiscrimination Act

World Privacy Forum urges more clarification and privacy protection regarding "incidental collection" of genetic information in GINA

In comments regarding the recently passed GINA (Genetic Information Nondiscrimination Act), the World Privacy Forum said that some aspects of GINA need clarification to enhance privacy. The comments focus on a number of privacy issues the RFI raised, including model privacy notices and the issue of what the GINA statute calls "incidental collection" of genetic information. Currently, GINA states that some kinds of information are exempted from being considered as regulated for medical underwriting purposes. For example, medical information gleaned about patients for underwriting purposes from medical databases is regulated. But medical information gleaned about patients for underwriting purposes from, for example, marketing lists containing robust patient information may be unregulated if the law is not clarified in the regulatory process. The World Privacy Forum urged HHS and the Department of Labor to substantially clarify what constitutes "incidental collection," and urged the agencies to consider lists containing identifiable patient information to be considered in the same category as a "medical database."

Read the World Privacy Forum GINA comments | Related: Genetic Privacy Page

 

 

12/10/2008 Genetic privacy

Keep my genes private: World Congress panel presentation

The World Privacy Forum presented a talk at the World Congress in Washington D.C. today on the intersection between genetic privacy and marketing, and on genetic issues and medical identity theft. The presentation exposed the list marketing activities surrounding health care data, and examined how the current loopholes in the recently passed Genetic Information Nondiscrimination Act (GINA) would not necessarily ease issues with incidental collection and use of genetic information.

 

 

12/01/2008 HITSP

World Privacy Forum elected to HITSP board

World Privacy Forum executive director Pam Dixon was elected to be the consumer representative on the HITSP board (Health Information Technology Standards Panel). HITSP is a national standards-setting body that is part of ANSI (The American National Standards Institute) and is working on specifications and standards for the National Health Information Network. The term will begin in January of 2009.

More on the NHIN | ANSI's HITSP page

 

 

12/01/2008 Telemarketing | Top Ten Opt Out List

New telemarketing rules take effect today: more power over pre-recorded telemarketing calls

Beginning today, pre-recorded telemarketing phone calls must come with an easy opt-out for consumers. If a pre-recorded telemarketing call is left on an answering machine, it must also include opt-out information. These rules will apply to telemarketers already subject to the Federal Trade Commission's Telemarketing Sales Rule and Do Not Call List. There are some exemptions to the rule. For more details about the changes, see our Top Ten Opt Out List, which has been updated with the new information.

More on WPF Top Ten Opt Out List; see item #1.

 

 

11/11/2008 IPSC2008 Day One

International Privacy and Security Conference in Tokyo, Japan begins

The World Privacy Forum is co-hosting the 1st International Privacy and Security Conference (IPSC2008) in Tokyo, Japan. The conference focuses on examining and discussing a range of privacy and security issues from a global perspective. Today was conference day one at Belle Salle Kudan in central Tokyo. The conference hall was packed, and the sessions were excellent. Prof. Masao Horibe, Prof. Ryoichi Sasaki, and Peter Cullen opened the conference with overviews and a keynote. Session One included a panel of prominent experts and focused on information security and privacy both technically and legally from a Japanese, US, and EU perspective.

More info on IPSC 2008 | IPSC2008 conference web site

 

 

11/03/2008 Upcoming lecture, consumer privacy and security

Electronic health records: the good, the bad, and the future

WPF Executive Director Pam Dixon will be speaking at the Center for Ethics in Science and Technology's monthly lecture series in San Diego, California Wednesday, Nov. 5th at 5:30 pm. The lecture will focus on the big-picture view of the health care and patient privacy landscape, and will explore how electronic health care records are set to shift into prominence in the coming months and years. The lecture will be held at the Reuben H. Fleet Science Center in San Diego's Balboa Park.

See more about the lecture from the Center for Ethics in Science and Technology | Related: PHR Page

 

 

10/22/2008 Red Flag Rule - ID Theft

FTC delays Red Flag Rule enforcement until May 1, 2009

The Federal Trade Commission announced that it will delay by 6 months the enforcement of its Red Flag Rule that requires certain businesses to have a written identity theft prevention program. The Red Flag rule still goes into effect November 1, 2008, but the new date for enforcement of the rule is May 1, 2009. The FTC issued an "Enforcement Policy Statement" Oct. 22, 2008 regarding its reasons for the delay, which is available here.

Read the WPF Red Flag report | Read the FTC press release announcing the delay

 

 

10/17/2008 Medical ID theft

World Privacy Forum speaks at medical identity theft town hall meeting

The Department of Health and Human Services held a town hall meeting Oct. 15 about medical identity theft in the FTC's Washington DC conference center. Pam Dixon of the World Privacy Forum spoke at the event, noting that the problems and harms of medical identity theft were not theoretical, but are present now, and create profound harm in the lives of victims. Dixon also emphasized that the crime had gone unnoticed for years before the World Privacy Forum's 2006 report on the issue, and that solutions to the crime must include the perspective and input of individual victims and provide real remedies from the harms. Dixon also discussed the current focus on patient authentication and noted that patient authentication did not resolve the problems of systemic medical identity theft committed by insiders. Dixon also noted that some forms of patient authentication, if implemented improperly, could potentially increase risk rather than decrease it.

See the World Privacy Forum 2006 Medical ID Theft report | See the WPF medical identity theft page | See the HHS town hall site

 

 

10/07/2008 Transatlantic Consumer Dialogue (TACD)

World Privacy Forum joins Transatlantic Consumer Dialogue

The World Privacy Forum is pleased to announce it is now a member of the Transatlantic Consumer Dialogue (TACD), a forum of US and EU consumer organizations. TACD develops joint consumer policy recommendations to the European Commission and the US government. TACD was founded in 1998 and is organized by Consumers International. The European Commission provides financial and coordination support for the TACD.

TACD web site | European Commission archives of TACD recommendations

 

 

10/03/2008 National Health Information Network

National Health Information Network chronology updated

At the December National Health Information Network meeting noted in the updated WPF chronology, the health care providers and others who have built the trial versions of the NHIN will give their progress reports. For those who are not yet familiar with the ambitious plans for a national health information network, see the World Privacy Forum's NHIN background information page. This is a critical time in the development of the NHIN; in 2004 it was nothing more than a thought; in December, it will be partially implemented at the trial level. The World Privacy Forum has consistently voiced concerns about the need to ensure robust patient privacy protections in the NHIN.

See the updated NHIN chronology | See the NHIN background information page

 

 

10/01/2008 New privacy and security laws and regulations

New requirements for protecting consumer information

A new law in Nevada and new regulations in Massachusetts increase the requirements for protection of consumer information. A Nevada law that took effect Oct. 1, 2008 (NRS 597.970: Restrictions on transfer of personal information through electronic transmission) requires that businesses in the state of Nevada must encrypt customers' personal information when transferred via an electronic transmission, excluding faxes. In Massachusetts, new regulations that take effect Jan. 1, 2009 spell out specific security measures that businesses owning, storing, or maintaining consumers' personal information in paper or electronic form must take (201 CMR 17.03: Duty to Protect and Standards for Protecting Personal Information).

See the Nevada law | See the Massachusetts regulation

 

 

09/24/2008 Report: Red Flag Rules and Medical ID theft prevention programs

New World Privacy Forum Report: Red Flag suggestions for hospitals and providers

The World Privacy Forum published a new report today, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers. The report discusses the applicability of the new FTC Red Flag regulations to the health care sector along with suggestions for providers. The recently issued regulations by the FTC require financial institutions and creditors to develop and implement written identity theft prevention programs. The rules take effect Nov. 1. Health care providers -- whether they are for-profit, non-profit, or governmental entities -- may have obligations under the new rules. Medical identity theft is a real concern in the health care sector, and is included expressly in the Red Flag Rules Guidelines.

Read the World Privacy Forum's Red Flag report | See the WPF medical identity theft page for more information and to sign up for the latest medical ID theft news

 

 

09/22/2008 Human Subjects Research Protection (OHRP)

World Privacy Forum urges more attention to the protection of research study participants

The World Privacy Forum filed comments today with the Office of Human Research Protection urging the office to do more to protect the privacy of people who are subjects of research. The comments urge the OHRP to focus more attention on providing privacy-specific training for boards overseeing research, which are often weak in knowledge about the breadth of privacy issues in research. The WPF also voiced its strong support for certificates of confidentiality for research involving human subjects, stating that "nearly all research that involves identifiable health data or other personal data about individuals should have a certificate of confidentiality unless a researcher can state a substantive reason why a certificate is not appropriate for the study." OHRP will be accepting comments until Sept. 29.

See the WPF comments on human subject research | Related: WPF Medical privacy project page | Related: OHRP request for comments page

 

 

08/27/2008 National Health Information Network (NHIN)

Updates to NHIN timeline

The National Health Information Network timeline and chronology that the World Privacy Forum maintains has been updated. Materials from the April/May public forum in Dallas are now online and linked, as are key upcoming events regarding the NHIN. Notably, in September the nine existing NHIN trial implementation projects that have been running and exchanging health data in California, North Carolina, New York, and other states are set to be demonstrated in Washington DC. These demonstrations are pivotal for the NHIN and how it takes shape going forward.

See the NHIN timeline | Related: World Privacy Forum NHIN page

 

 

08/21/2008 Border Crossing Information System, DHS

Comments of the World Privacy Forum regarding the Border Crossing Information System; Some proposed routine uses of the system directly contravene the Privacy Act of 1974

The World Privacy Forum submitted public comments today to the Department of Homeland Security regarding its proposed Border Crossing Information System. The BCI system would set up a database of all border crossings via car, rail, air and other means, including collecting identifiable data on the activities of American citizens. Information collected includes biographical and other information such as name, date of birth, gender, a photograph, itinerary information, and the time and location of the border crossing. The WPF comments focus entirely on the proposed Routine Uses of the system. As currently written, the DHS proposal contains some Routine Uses that directly contravene the Privacy Act of 1974 and are illegal. Other Routine Uses are overbroad and vague, and still others contravene guidance from the Office of Management and Budget (OMB). One example of an overbroad Routine Use is Routine Use J, which will allow DHS to release data collected for the Border Crossing Information System for hiring decisions or contract awards. This information may be requested by Federal, state, local, tribal, foreign, or international agencies. Another Routine Use, G, impermissibly duplicates and weakens the Privacy Act's condition of requirement for notice when information is disclosed in certain circumstances.

See the World Privacy Forum comments on the DHS Border Crossing Information System | Related: See the proposed BCI notice | Related: WPF Agency Comment Page

 

 

08/19/2008 Privacy and the class of 2012

Perceptions of privacy by the class of 2012

Each year Beloit College publishes a "Mindset List" to share incoming college students' rapidly changing cultural frames of reference with the faculty. For the class of 2012, several privacy-related items made the Mindset List for the first time. The list notes that these students' frames of privacy references are that "Personal privacy has always been threatened" (#43) and "Employers have always been able to do credit checks on employees" (#39).

See the Beloit College Mindset List

 

 

08/07/2008 IPSC2008 Conference

World Privacy Forum Announces IPSC2008 Conference in Tokyo, Japan

The World Privacy Forum is co-hosting the first International Privacy and Security Conference 2008 (IPSC2008), to be held in Tokyo, Japan on November 11-12, 2008. Also co-hosting the conference are the Japan-based Institute of Electronics, Information and Communication Engineers (IEICE), Social Implications of Technology and Information Ethics, and the Japan Society of Security Management. This conference brings together Japan's leading privacy and security experts and scholars as well as experts from the US and the EU.

See more about IPSC2008 here, including venue, registration, and other conference details.

 
08/04/2008 Medical privacy

Comments of the World Privacy Forum to the FTC re: Ingenix and Milliman FCRA enforcement action

Some recent articles about the sale of patients' prescription histories to insurance companies have raised many consumer questions about this practice. Ingenix and Milliman -- two companies engaged in this practice -- were the subject of a Federal Trade Commission enforcement action which was published for comment in September 2007. The World Privacy Forum provided formal comments to the Federal Trade Commission last year about this enforcement action; the WPF sought to have all affected consumers notified of adverse actions taken based on the information, and asked the FTC to modify its enforcement action to include an appropriate monetary penalty against the two companies.

World Privacy Forum letter to the FTC | FTC letter responding to the World Privacy Forum | Related: FTC Case files for Ingenix and Milliman

 

07/14/2008 European Privacy Seal

First EU Privacy Seal granted to search engine

Ixquick.com is the first search engine to receive formal EU privacy approval. The EuroPriSe (European Privacy Seal) was awarded to Ixquick after a lengthy certification process. Ixquick deletes its users' IP addresses after 48 hours.

European Privacy Seal (EuroPriSe) | Related: Search Engine Privacy Page

 

07/12/2008 Security freeze

Security Freeze Page updated with new states

More than 45 states now have credit freeze laws, sometimes called security freeze laws. The World Privacy Forum security freeze page discusses what a security freeze is, who can place a freeze, and is newly updated with links to state-by-state laws and when available, tips for consumers from the relevant Attorney General web site.

See the updated World Privacy Forum Security Freeze page | Related: Top Ten Opt Out List

 

07/10/2008 Do Not Call Registry

FTC reports more than 145 million telephone numbers are in the National Do Not Call Registry

In its fourth annual report to Congress on the Do Not Call Registry, the Federal Trade Commission released some interesting new statistics. As of September 2007, there were 145,498,656 telephone numbers in the Do Not Call Registry. The FTC also reported that 6,242 entities paid over $21 million for access to the DNC Registry in 2007. The report also details the FTC's enforcement actions against businesses violating the DNC Registry rules. As of September 30, 2007, the FTC had filed 25 cases regarding DNC Registry violations and had settled 22 of the cases.

Read the FTC's report to Congress | To register for the Do Not Call list, see WPF's Top Ten Opt-Out List, #1. | Permalink

 

07/09/2008 Financial privacy

Call Don't Click: WPF's Free Annual Credit Report page and tips updated

U.S. consumers have the right to order one free credit report per year from each of the three national credit bureaus. The World Privacy Forum's landing page about federally-mandated free Annual Credit Reports and the consumer tips for ordering a free annual credit report have been fully updated.

See the "Call Don't Click" landing page about free Annual Credit Reports | Read the consumer tips for ordering a free Annual Credit Report

 

07/08/2008 Internet privacy

Major update to cookie opt-out page

The World Privacy Forum's guide on how to opt-out of tracking cookies has undergone a complete update. We have added new cookie opt-outs and have updated all of our descriptions of where and how to opt out of online ad tracking.

See the Tracking Cookies Opt Out Page | Related: Internet Privacy Page

 

07/02/2008 Job search privacy

Resume posting guide updated

The World Privacy Forum's popular resume posting guide, 12 Resume Posting Truths, has been updated. This update is part of an ongoing project on job search privacy. The World Privacy Forum has extensive materials on job search privacy and job scams.

Read the updated 12 Resume Posting Truths | See the Job Search Privacy landing page for more job search privacy resources

 

06/30/2008 Consumer Excellence Award

World Privacy Forum receives 2008 Consumer Excellence Award

World Privacy Forum executive director Pam Dixon has received a 2008 Consumer Excellence Award for her leadership and work in the area of medical identity theft and consumer privacy from Consumer Action. Also honored was Herb Weisbaum, a 5-time Emmy-winner who is a consumer contributor to NBC's Today Show. Consumer Action was founded in 1971 and is a national non-profit organization focused on consumer education and advocacy. The awards ceremony was held in San Francisco on June 26th. The World Privacy Forum is honored to accept this award.

 

06/20/2008 OECD | Fair Information Practices

OECD reaffirms its support for the 1980 OECD principles on privacy, or "Fair Information Practices"

At a key meeting of the OECD on the future of the Internet economy, the OECD Secretary General Angel Gurria reaffirmed support of the 1980 OECD Privacy Principles. Also, Secretary General Angel Gurria expressed support for formalizing the participation of civil society in OECD going forward and for paying more attention to information security and identity theft problems. Secretary General Gurria noted that "A more decentralised, networked approach to policy formulation for the Internet Economy that includes the active participation of stakeholders needs to be the norm." Many parts of the recent OECD meeting may be viewed online.

Statement of the Secretary General | OECD Seoul Declaration on roadmap for the future of the Internet economy

Related: OECD 1980 Guidelines | Related: World Privacy Forum Fair Information Practices Page

 

06/19/2008 Genetic privacy

Council for Responsible Genetics convenes experts and the public for database and genetics conference

The World Privacy Forum participated in a Council for Responsible Genetics (CRG) conference on genetic databases at New York University. The groundbreaking conference focused on key issues of race and genetic databases, fairness, accuracy, and privacy. The World Privacy Forum discussed a paper by Dr. Harry G. Levine, Drug Arrests and DNA, noting that innocent victims of medical identity theft may be arrested for the "drug seeking behavior" of the criminals impersonating them.

CRG page | World Privacy Forum genetic privacy page | Related: Medical identity theft page

 

06/18/2008 Financial privacy

World Privacy Forum files comments with FTC regarding credit-based insurance scoring

The World Privacy Forum filed comments with the Federal Trade Commission today about its proposed study of credit-based pricing practices for homeowners insurance. The World Privacy Forum requested that the FTC ask insurers if there are specific procedures in place for detecting, mitigating, and responding to consumers who have been victims of identity theft. The WPF noted its support for the FTC's use of the FTC Act Section 6(b) authority to acquire robust information from the insurance companies.

Read the FTC's request for public comment

 

06/03/2008 Internet privacy

World Privacy Forum, Privacy Rights Clearinghouse, EPIC, and other consumer groups urge Google to post a link to its privacy policy from its home page

The World Privacy Forum, Privacy Rights Clearinghouse and EPIC were joined by California-based EFF, the ACLU of Northern California, Consumer Action, Consumer Federation of California and other national groups in asking Google's CEO Eric Schmidt to provide a prominent link to the Google privacy policy directly from its home page. Google has recently been criticized for not providing a link to its privacy policy from its home page, as the California Online Privacy Protection Act requires. The groups noted that linking to a privacy policy on a home page is considered a widespread best practice.

Read the letter to Google | Related: WPF Internet Privacy Page

 

05/08/2008 SACGHS | Oversight of genetic testing

Key genetic oversight report released; includes changes based on World Privacy Forum comments

The Secretary's Advisory Committee on Genetics, Health and Society (SACGHS) released its final report on Oversight of Genetic Testing (U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of Health and Human Services, April 2008, PDF, 276 pages). This is a substantial, thoughtful report that is likely to have a long-term impact on the field. The World Privacy Forum submitted formal written comments regarding this report when it was in draft form, and also appeared before the Committee in person in February of 2008 to discuss additional information relevant to the report. The final report reflects the World Privacy Forum comments and testimony. The report now includes a discussion about Direct to Consumer advertising and marketing as well as related privacy issues. The discussion in the final report also now acknowledges the implications of Direct to Consumer marketing of genetic tests regarding online privacy. The final report also reflects generally increased attention to privacy issues.

Read the SACGHS report | Read the WPF comments on the draft SACGHS report | Related: Genetic Privacy Page | Related: WPF behavioral advertising comments

 

05/07/2008 FERPA

World Privacy Forum files comments on proposed changes to FERPA; requests changes to protect student and parent privacy

The U.S. Department of Education has published proposed changes to its FERPA regulations, FERPA standing for the Family Educational Rights and Privacy Act. FERPA is a significant regulation that controls how students' school records and "directory" information may be shared. The proposed regulations have one item the WPF is supporting, which is that SSNs are not considered part of the directory information. However, other aspects of the proposed regulation still need work to adequately protect students' and parents' privacy interests. The WPF commented in particular that schools should not be allowed to request and then store a full tax refund from parents in order to prove students' eligibility. The Forum also requested that students' electronic identifiers are not included in the definition of directory information. One area of substantial concern is that the Department of Education has not expressly provided that students who opt-out of having their directory information shared should not be penalized for opting out. Currently, the proposed regulations may be read to suggest that schools may be able to deny benefits, services, or even required activities to students who have exercised the right to opt-out of the publication of directory information. FERPA comments may be filed until close of business Eastern time May 8, 2008.

Read the WPF FERPA comments | Read the Notice of Proposed Rulemaking, FERPA

 

04/22/2008 Health Care Innovations workshop

World Privacy Forum to speak at Federal Trade Commission health workshop

The World Privacy Forum will be speaking at an upcoming FTC workshop on the topics of medical identity theft, personal health records, and direct-to-consumer genetic tests and marketing. The workshop is April 24, 2008. Workshop information is available at the FTC web site.

See the FTC HCI workshop web page | World Privacy Forum PHR page | WPF genetic privacy page | WPF medical identity theft page

 

04/11/2008 Behaviorally targeted advertising | FTC proposed rules

World Privacy Forum files comments on behaviorally targeted ads online; requests separate rulemaking for sensitive medical information

The World Privacy Forum filed comments in response to the Federal Trade Commission's proposed self-regulatory guidelines for companies targeting online advertising to consumers based on consumer behaviors. The WPF requested a separate, formal rulemaking process for determining how sensitive medical information should be handled online regarding behaviorally targeted advertisements. The WPF also discussed genetic data and requests for genetic tests, and noted that genetic information should be included in any definition of sensitive medical information. The WPF reiterated that the definition of personally identifiable information should include IP address, and encouraged the FTC to work from a rights-based approach regarding online advertising. The WPF also urged the FTC to include all fair information practices in any self-regulatory regime, and to enforce the regime directly.

Read the WPF comments on the FTC proposed self-regulatory rules (PDF) | WPF Internet privacy page

 

04/04/2008 Patient Safety Organizations | Proposed rulemaking

World Privacy Forum files comments on proposed rules regarding Patient Safety Organizations

The World Privacy Forum filed extensive comments today regarding privacy protections for patients whose health care information will be shared with patient safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Healthcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule should expressly require data use agreements for any data sharing, that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations. The full set of recommendations is available in the WPF comments. The proposed rulemaking will be open for public comments until April 14, 2008.

Read the WPF patient safety comments (PDF) | Permalink | Related: See the HHS press release on its proposed regulation

 

03/31/2008 Genetic privacy | medical privacy

Genetic Privacy Page

The World Privacy Forum has published a new page on genetic privacy outlining basic policy issues and collecting World Privacy Forum work in the area. The page also links to key external research being done in privacy and genetics, and also links to key organizations doing work in this area in the U.S. and the U.K.

See the Genetic Privacy page | Related: Medical privacy page

 

03/18 Medical ID theft

Updated Consumer Tips for Medical ID Theft

Based on interviews with numerous victims and others involved in the crime of medical identity theft, and based on our own work with victims, the World Privacy Forum has added some new information to its 2006 consumer tips for medical identity theft. We have also slightly updated some of the older tips based on new information. The Forum has also updated its medical identity theft landing page to reflect our new and ongoing work in this area.

See the updated consumer tips | See the updated medical identity theft page

 

02/20/2008 New publication | PHRs and privacy 

Legal and Policy Analysis: Personal Health Records: Why Many PHRs Threaten Privacy

The World Privacy Forum has published a new legal and policy analysis examining Personal Health Records -- or PHRs -- and the privacy issues associated with them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy, was prepared by Robert Gellman for the World Privacy Forum. The analysis finds that significant, serious threats to privacy exist in some PHRs.

Read the legal analysis (PDF) | Related: PHR Page | Related: PHR Consumer Advisory (PDF)

 

02/20/2008 Consumer advisory | PHRs and privacy

WPF Consumer Advisory: The Potential Privacy Risks in Personal Health Records Every Consumer Needs to Know About

The World Privacy Forum has issued a consumer advisory about the privacy of PHRs to help consumers understand and approach the complex privacy issues PHRs can raise. Consumers need to know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting.

Read the Consumer Advisory (PDF) | Related: PHR Page | Related: PHR legal analysis (PDF)

 

02/13/2008 Genetic privacy | SACGHS

World Privacy Forum testifies on genetic privacy and consumer data marketing issues

The World Privacy Forum gave testimony to the Secretary's Advisory Committee on Genetics, Health and Society regarding privacy issues stemming from direct-to-consumer advertising and consumer-initiated genetic testing. The World Privacy Forum noted that a great deal of consumer health data circulates outside the protections of HIPAA, and a substantial market for this kind of consumer health data already exists. Genetic data about consumers that is acquired outside the clinical context and is not subject to the protections of HIPAA (for example, through consumer-initiated genetic testing) will likely not be any more protected than other forms of consumers' health-related information from the current demands of the market. However, the leakage of genetic information about consumers into the marketing stream could have negative consequences for both those consumers and their blood relatives. The World Privacy Forum urged the committee to include specific recommendations about privacy in its upcoming report to the Secretary, and also urged the committee to work with other federal agencies to set up a pre-market oversight structure that includes significant and meaningful privacy protections for genetic testing occurring outside of the protections of HIPAA.

Read the detailed written statement to the committee (PDF) | Related: Genetic Privacy Section of WPF Medical Privacy Page

 

02/11/2008 Financial privacy / credit reports

World Privacy Forum, NCLC, and Consumers Union file extensive comments regarding accuracy of credit reports

The NCLC, Consumers Union, and the World Privacy Forum filed extensive joint comments today regarding the proposed rulemaking, Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies under Section 312 of the Fair and Accurate Credit Transactions Act. The results of the proposed rulemaking will have a significant impact on how the accuracy of credit reports is defined for consumers, and will have a substantive influence over how consumers may handle credit report disputes directly with those who furnish information for the reports.

Read the joint comments (PDF) | See the original proposed rulemaking from the FTC

 

01/28/2008 Financial privacy / credit reports

Opportunity for public comment on the accuracy of credit reports

Consumers and organizations have an opportunity to submit public comments about the accuracy and integrity of credit reports. Until February 11, the Federal Reserve Board, the Federal Trade Commission and other banking agencies will be accepting comments on their draft rulemaking regarding how creditors and other furnishers provide information to consumer reporting agencies, and which types of direct disputes they must handle. This proposed rulemaking is a key one; it defines what accuracy and integrity of information provided to consumer reporting agencies means, how disputes may be handled directly with the furnishers, and which types of direct disputes furnishers may ignore. The NCLC, Consumers Union, and the World Privacy Forum have written a sample letter that may be downloaded and used or modified for the comments. To file your letter, submit your comments to the Board of Governors of the Federal Reserve System by mailing the comments to regs.comments@federalreserve.gov with the subject line "Docket No. R–1300."

See the Sample Letter | See the FTC's Notice of Proposed Rulemaking

 

01/28/2008 Opt-out / Financial privacy

Updates to Top Ten Opt-Out List

The World Privacy Forum has updated its popular Top Ten Opt Out list to reflect several new changes made to the Direct Marketing Association opt outs. In the past, some of the DMA opt-outs, like the Direct Marketing Association's mailing preference lists, used to cost $1. That fee has now been removed for people opting out online. Please see item #3 on the Opt Out list for the complete update.

See updated WPF Top Ten Opt Out List

 

2007
12/19/2007 Genetic privacy / SACGHS

World Privacy Forum files public comments regarding oversight of genetic testing; warns about the privacy risks related to unregulated commercial genetic tests and the need to prevent phantom genetic tests from becoming a new business model for fraudsters

The World Privacy Forum filed extensive comments with the Secretary's Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The World Privacy Forum requested SACGHS pay more attention in its final report to the privacy consequences of unregulated genetic testing that occurs outside the health care sector. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Another area the comments discuss is the potential for new forms of fraudulent activity related to genetic testing (Phantom genetic testing, that is, genetic tests marketed to consumers that are not even real or viable genetic tests.) The World Privacy Forum specifically recommended that the National Committee on Vital and Health Statistics be tasked with looking at this matter, that an independent pre-market assessment mechanism is created for genetic tests offered outside the clinical setting, and that privacy be expressly discussed in the overarching recommendations in the final report.

See the World Privacy Forum SACGHS comments (PDF) | Permalink | Related: see the draft SACGHS report | WPF medical privacy page

 

12/19/2007 Fair Information Practices

Fair Information Practices (FIPS) page update

The World Privacy Forum has updated its page on Fair Information Practices to include the new work by Robert Gellman in this area. His article, Fair Information Practices: A Basic History, December 2007, is an important history of the development of Fair Information Practices. It includes information that even experts familiar with FIPs may not know.

See updated WPF Fair Information Practices page | Related: see Robert Gellman's article Fair Information Practices: A Basic History

 

11/29/2007 Medical identity theft update

New FTC statistics affirm World Privacy Forum's 2006 Medical Identity Theft report; give first robust medical identity theft statistics

The Federal Trade Commission released its national ID theft survey, which for the first time contains statistics specific to medical identity theft. According to the FTC report (p. 21), 3 percent of all identity theft victims in 2005 were victims of medical identity theft, which means of 8.3 million ID theft victims, approximately 250,000 people were victimized by medical identity theft in that year alone. The purpose of the World Privacy Forum 2006 report was to prove that medical identity theft existed, and was already occurring in large numbers. At the time the report was published, the crime of medical identity theft had not been specifically studied, nor was it understood to exist. The FTC statistics abundantly affirm the thesis and conclusions of the WPF report.

See the new FTC ID theft report | See the WPF 2006 Medical Identity Theft Report

 

11/05/2007 Security Freeze update | Financial privacy

Security Freeze update: as of November 1, security freeze now available to consumers in all states

As of November 1, 2007, the ability to place a security freeze is available nationwide at the three major credit reporting bureaus. To date, 39 states and the District of Columbia have some form of security freeze law. But now, even in the states that did not pass security freeze legislation, consumers will be able to place a security freeze. A security freeze lets you stop the disclosure of your credit report by a credit bureau. A security freeze can be especially helpful to individuals who are having persistent problems with identity theft. For more information:

See the updated WPF Security Freeze page | Related: Top Ten Opt-Out list

 

11/05/2007 Announcement | CalPSAB

World Privacy Forum appointed to California Security and Privacy Advisory Board

WPF executive director Pam Dixon has been appointed by California Secretary of Health and Human Services Kim Belshe to the California Security and Privacy Advisory Board. Dixon will serve as interim co-chair of the board, which is tasked with addressing health information exchange (HIE) privacy and security efforts in California. The board's meetings will be open to the public. For more information see: CalPSAB's web site.

 

11/02/2007 Report | Internet privacy | NAI

WPF Report: The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation

The World Privacy Forum published a new report today, The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation. The report is an in-depth analysis of the history and current operations of the Network Advertising Initiative (NAI) self-regulatory agreement. The NAI was created to protect consumers' online privacy in the behavioral advertising arena. The report finds that the NAI has failed. The report discusses the failure of the NAI opt-out cookie, the uses of persistent consumer tracking technologies that go beyond cookies, such as Flash cookies, browser cache cookies, XML super cookies, and other issues. The report also discusses the practice of re-setting cookies after cookie deletion. The report gathers the details of the difficult membership history of the NAI, as well as the enforcement history of TRUSTe regarding NAI.

Executive director Pam Dixon will be testifying before the FTC eHavioral Town Hall meeting Nov. 2 to discuss the findings of this report, which will be submitted to the FTC.

Read the report (PDF)

 

10/30/2007 Consensus document | Consumer rights and protections

Privacy and consumer groups unveil consensus document recommending expanded consumer rights and protections in the behavioral advertising sector; call for a Do Not Track list, access, limits of the use of sensitive medical and financial information, expanded notice, accessibility for people with disabilities, and other rights

Nine privacy and consumer groups, including the World Privacy Forum, unveiled a consensus document outlining key consumer rights and protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC's eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failed to protect consumers.

Read the consensus document | Permalink | Illustration of Do Not Track List

 

10/16/2007 Medical identity theft / AHIMA

World Privacy Forum gives keynote speech to AHIMA on medical identity theft; outlines 8 best-practice responses to the crime

Executive director Pam Dixon spoke to thousands of AHIMA delegates in Philadelphia sharing the latest information on medical identity theft and outlining 8 best practice responses to the crime for the health care sector. Dixon specifically asked for the creation of national guidelines for helping medical identity theft victims, the ability for victims to set red flag alerts in their health care files, that providers train and have dedicated personnel to help medical identity theft victims, "john and jane doe" file extractions, a focus on addressing insider access to patient information, risk assessments specifically for medical identity theft, and educational efforts. The information in the speech was based on the latest World Privacy Forum research in the area of medical identity theft.

Read the speech Medical Identity Theft: Issues and Responses (PDF) | See the medical identity theft page | Read tips on what to do if you are a medical identity theft victim | Permalink

 

10/16/2007 Medical identity theft | Best practice responses

World Privacy Forum outlines 8 best practice responses to medical identity theft for the healthcare sector

The World Privacy Forum has outlined 8 best practice responses to medical identity theft for the health care sector. The best practice responses are based on research the Forum is conducting for its second report on medical identity theft, and are a work in progress. The 8 best practice responses were presented to AHIMA delegates October 9; the Forum is soliciting and accepting feedback on the 8 best practices.

Read Eight best practices for helping victims of medical identity theft | See the medical identity theft page | Tips for medical identity theft victims | Permalink

 

10/12/2007 Medicare / CMS

World Privacy Forum files comments on CMS plan to allow release of patients' protected health information from Medicare database in some circumstances; benefits do not outweigh the risks

The World Privacy Forum filed extensive public comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.

Read the comments (PDF) | Permalink

 

09/17/2007 NHIN update

Update: World Privacy Forum's NHIN Timeline updated to reflect changes in AHIC

The National Health Information Network, or NHIN, is part of a major undertaking to digitize and network the health care sector. From electronic health records to multi-state health information hubs, the U.S. government's goal is to modernize and move health care information from paper to digital. The Department of Health and Human Services is the primary mover behind this initiative, which is complex and multi-faceted. The World Privacy Forum keeps a chronology of NHIN events as a public service. The NHIN timeline has been updated to reflect changes in AHIC, a group that is charged in part with ensuring privacy and confidentiality in the NHIN and other aspects of health care modernization. AHIC is set to transition to a "public-private partnership," a move that will need to be watched closely to ensure robust consumer involvement.

See the NHIN timeline | Also: See the NHIN page for background on NHIN | Related: Read more on AHIC transition plans

 

09/07/2007 AHIC successor / health care privacy

World Privacy Forum requests adoption of a "no stakeholders left behind" policy in AHIC successor plans

The World Privacy Forum offered public comments on HHS' American Health Information Community (AHIC) successor plans, urging that HHS adopt a "no stakeholders left behind" policy as it forms the new public/private AHIC. The Forum's analysis of the AHIC Successor White Paper concluded that the current succession plans lack processes and checks that would ensure meaningful consumer participation, and that the AHIC successor plans as they currently stand do not bode well for a robust role for privacy or consumer groups in the new AHIC. Specific issues the World Privacy Forum discussed in its comments included fee structures, membership, handling conflicts of interest, stakeholder issues, privacy and identifiability issues, and the need for the new AHIC to achieve credibility.

Read the WPF AHIC Successor comments (PDF) | Permalink | Related: World Privacy Forum's NHIN page | More on the AHIC Successor at HHS.gov

 

08/30/2007 Consumer alert update

Update: Monster.com saying data breach may impact all users of Monster.com, official Federal job site USAJobs.com impacted

Monster.com posted a warning on its site stating that all users of Monster.com may have been impacted by the data breach of its systems by hackers. All job seekers need to be aware of potential phishing attacks that are sophisticated and highly targeted, and job seekers with safety considerations need to be aware that their information has likely been compromised. The U.S. Office of Personnel Management has announced that the Federal job site USAJobs (which is outsourced to Monster.com) has also been impacted by the breach. The World Privacy Forum has updated its job seeking tips, and its consumer alert.

View the Monster.com consumer alert | Read the updated WPF job seeker's tips

 

08/24/2007 Data breach / GAO data breach study

GAO's data breach list from its June 2007 report

The World Privacy Forum made an information request to the GAO asking for a copy of the single, non-duplicative list of data breaches that its June 2007 data breach report (GAO-07-737) refers to and was based on. The list was not included in the GAO report. The GAO used a figure in its report of "more than 570 data breaches" from January 2005 to December 2006 based on this non-duplicative breach list. The GAO breach list is straightforward: it tallies data breaches chronologically from January 1, 2005 to December 31, 2006 from three organizations that maintain data breach lists. If the breach appeared on at least one of the three lists, it was apparently included in the final tally. The GAO states that the list was based on a February 15, 2007 download of the lists. Note: the WPF scan of the GAO list includes the first page twice. The front page of the scan is of the GAO list as it looks in the original document, and then the list was scanned for maximum readability into PDF format.

View the GAO breach list | Related: GAO data breach report June 2007 | Permalink

 

08/23/2007 AHRQ / databases / medical privacy

World Privacy Forum and EFF submit comments on AHRQ plan for national healthcare database

In June, the Agency for Healthcare Research and Quality (AHRQ) published a request for information about its plan to create a "public/private" national database of healthcare information tentatively called the "National Health Data Stewardship entity." WPF and EFF raised questions about ownership and management of the proposed database (Would this database fall under HIPAA? Would it fall under the Privacy Act of 1974?), questions about identifiability of patients in the database, and suggested that a full-time, independent privacy officer should be established for the program from the inception of the planning stages. The comments also discussed the numerous questions relating to data security (including medical identity theft) and data quality, as well as consent, access, and opt-out procedures for patients that the proposed national database raises.

Read the joint comments (PDF) | Permalink

 

08/22/2007 Consumer Alert / Internet privacy / Job search safety and privacy

Consumer Alert: Monster.com data breach impacts hundreds of thousands of job seekers; job seekers who have safety concerns may be especially at risk

The World Privacy Forum issued a consumer alert today warning about a data breach at Monster.com. Security firms that analyzed the breach have stated the breach impacts hundreds of thousands of job seekers. The immediate information that was stolen included job seekers' home address, phone numbers, email address, and resume IDs. Some victims may have received further phishing emails. Job seekers who have safety concerns such as law enforcement professionals, victims of domestic violence and other victims of crimes such as stalking -- who typically do not make their home addresses or personal phone numbers public -- have an immediate need to know if their personal information may be in the hands of criminals. The consumer alert contains tips for victims and links to resources and more information.

See: Consumer Alert web page

Related: World Privacy Forum tips for using resume databases

 

08/08/2007 Medical privacy / NCVHS / HIPAA

World Privacy Forum responds to June 2007 NCVHS recommendations to the Secretary of HHS regarding health care information at non-HIPAA covered entities

The World Privacy Forum has sent a letter to Dr. Simon P. Cohn, Chairman of the National Committee on Vital and Health Statistics, supporting the Committee's formal conclusion that all entities that create, compile, store, transmit, or use personally identifiable health information should be covered by a federal privacy law. More needs to be done about health care data that is left unprotected by HIPAA. The Forum's letter included a discussion of two HHS programs that operate outside of HIPAA: FDA RiskMAPs, and the National Institutes of Health, which is not a covered entity under HIPAA. Read the World Privacy Forum letter to NCVHS here (PDF). The NCVHS letter to the Secretary on HIPAA and non-covered entities is available here (PDF, at the NCVHS web site). For more about RiskMAPs, see WPF testimony from August 1, 2007 (PDF) and June 26, 2007 (PDF).

 

08/01/2007 iPledge Program / FDA

World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues

The World Privacy Forum testified before the Dermatologic and Ophthalmic Drugs Advisory Committee and the Drug Safety and Risk Management Advisory Committee of the Food and Drug Administration regarding privacy issues related to iPledge, a mandatory program for patients taking the drug Accutane or isotretinoin generics. The FDA has stated that the program, which it requires four drug manufacturers to have in place, does not fall under HIPAA. The program collects substantive amounts of patient information. The Forum urged the FDA to set privacy standards for all RiskMAPs in general, and to resolve privacy issues in the iPledge program specifically. The Forum requested that all marketing provisions of the iPledge program privacy policy be removed, that patients be expressly informed the program does not fall under HIPAA, and that patients be given a printed copy of the iPledge program privacy policy, among other requests. Read the written testimony (PDF). Related: earlier WPF testimony to FDA/AHRQ regarding RiskMAPs.

 

07/26/2007 National Disaster Medical System / Privacy Act of 1974

World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require. Read the comments (PDF).

 

07/22/2007 Top ten opt out list

World Privacy Forum's Top Ten Opt Out List

This is a list of the top things to opt out of, and how to opt out. Millions of people have heard about the Do Not Call list, an opt out list that gets people off of telemarketing lists. But many fewer people have heard about the other opt outs that are available, like those that can take people out of data broker lists or opt outs that can stop schools from giving out directory information like email and home addresses. Opting out can range from the not-too-difficult (the Do Not Call list is a fairly simple opt out) to the challenging. This list is meant to simplify the information about which opt out does what, to help decide if a particular opt out is the right choice, and to explain how to go about opting out. See the WPF Top Ten Opt Out List.

 

07/22/2007 Security freeze / identity theft / financial privacy

How to place a security freeze (credit freeze)

A credit freeze (sometimes called a security freeze) lets you stop the disclosure of your credit report by a credit bureau. A credit freeze can be especially helpful to individuals who are having persistent problems with identity theft. If you live in a state with a security freeze law, then you may be able to place a security freeze on your files. This World Privacy Forum resource gives general background on security freezes, lists the states with security freeze laws, and links to more information for each state. See the Security Freeze page.

 

07/10/2007 FDA privacy standards - RiskMAPs

The FDA needs to set privacy standards to protect patients in drug risk programs

World Privacy Forum executive director Pam Dixon testified at an FDA/AHRQ joint public workshop about the need for the FDA to set robust privacy standards for drug risk minimization programs, which are put in place for drugs the FDA has determined to be high risk in some way. Drug risk minimization programs (like the iPledge program for the acne drug Accutane) are not typically covered by HIPAA, and some programs have a privacy policy that allows marketing use of patient information collected as part of the risk program. This kind of marketing activity would not be allowable if the programs fell under HIPAA, and Dixon's testimony stated that patients in these programs should have the same kinds of privacy protections as HIPAA covered programs, and that marketing activities involving patient information should not be allowable in these programs. Read the testimony (PDF).

 

06/07/2007 Genetic privacy

World Privacy Forum makes presentation at National Academy of Sciences' Institute of Medicine

Executive director Pam Dixon presented key issues and potential solutions regarding privacy and Genome Wide Association Studies at the Institute of Medicine's Board on Health Sciences Policy meeting. Her presentation included recommendations to engage in a comprehensive study of certificates of confidentiality, to encourage standards of identifiability, to encourage study of what more uniform standards of privacy and security for researchers might look like, and a recommendation to work toward broad solutions that extend beyond GWAS activities.

 

06/04/2007 AHIC / National Health Information Network

World Privacy Forum Comments on AHIC Confidentiality, Privacy, Security Workgroup Hypothesis

The American Health Information Community Workgroup on Confidentiality, Privacy and Security requested public feedback regarding its working hypothesis. WPF responded to the request with public comments encouraging the adoption of a unified policy architecture and encouraging AHIC to focus on enforcement mechanisms that are intended to directly benefit consumers. WPF also encouraged AHIC to look comprehensively at the demands a new national electronic health exchange network will make on privacy in the health care sector. Read the comments (PDF). See also the National Health Information Network Page for more about the NHIN, and the WPF medical privacy page.

 

05/24/2007 Genetic privacy / PGx

World Privacy Forum files public comments and recommendations on pharmacogenomics privacy: all patient-specific PGx research should require certificates of confidentiality

The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals' privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of "privacy advocate" so as to provide oversight in this area. Read the comments (PDF). For more information, see the genetic section of the WPF Medical Privacy Page. Related note: Executive director Pam Dixon will be speaking about genetic research and privacy at the Institute of Medicine on June 7.

 

05/08/2007 REAL ID / National ID

World Privacy Forum and Electronic Frontier Foundation File Public Comments on REAL ID

The World Privacy Forum and the Electronic Frontier Foundation (EFF) filed joint comments with the Department of Homeland Security about the proposed national ID system, REAL ID. The comments discuss the substantial flaws in the proposed REAL ID system including concerns about the overall structure of the program, the cards, the databases attached to the cards, the lack of controls on "function creep," the possibilities for discrimination, the potential for increased risk of identity theft, issues related to potential gaps in coverage for recipients on Federal programs, among other issues. Read the comments (PDF). See the EFF REAL ID pages for background about REAL ID.

 

05/04/2007 REAL ID

Stop REAL ID

REAL ID is a national ID card program. Currently, the Department of Homeland Security is accepting public comments on the REAL ID plan. Comments will be accepted until Tuesday, May 8. The World Privacy Forum has joined with a large coalition of groups to solicit public comments on REAL ID; to file comments, please visit the Speak Out Against REAL ID coalition page for more information. http://www.privacycoalition.org/stoprealid/

 

04/20/2007 Discussion Forum: Consent and Privacy

Launch of the WPF Discussion Forum: The Paradox of Consent, analysis by Bob Gellman

World Privacy Forum launches its Discussion Forum with an inaugural paper by Robert Gellman on the complexities of consent in the privacy sphere. Gellman's analysis focuses on the core privacy issues underlying "The Maine Incident," that is, Maine's historic 1998 passage of medical privacy legislation, and the subsequent repealing of key aspects of that legislation two weeks after it was enacted. Issues related to consent were key factors in the Maine events. Read Gellman's paper in the WPF discussion forum, or jump directly to Gellman's paper: Consent for Disclosures of Health Records: Lessons from the Past (PDF).

 

04/03/2007 National Health Information Network

Update: World Privacy Forum's National Health Information Network Timeline

Recently, the first live prototypes of the NHIN were demonstrated in Washington, D.C. This was a milestone event in the development of the planned network. The National Health Information Network is an ambitious project the U.S. government undertook in 2004 to digitize and network patient health records across the nation. This project raises challenging confidentiality, privacy, and security issues. See the World Privacy Forum's updated NHIN page and NHIN Timeline for more information. Also see the Forum's Medical ID theft report for an analysis of the potential impact of an NHIN on medical ID theft issues.

 

03/21/2007 Medical privacy / Department of Transportation

Commercial drivers' license applicants requesting exemption from the diabetes standard have their personal medical information, name, age, and more published in the Federal Register; World Privacy Forum urges changes to the practice

The World Privacy Forum filed comments with the Department of Transportation today regarding the department's publication of the detailed personal medical information of individuals subject to DOT regulations in the Federal Register along with their names, ages, and other identifying information. The WPF comments argue that personal medical information combined with name, age, etc. does not belong in the Federal Register, where it can have potentially far-reaching consequences for those individuals who are named as well as their family members. The comment period closes April 2. Read the WPF comments (PDF).

 

02/05/2007 Genetic privacy

World Privacy Forum comments about the ethical, legal, and social implications of using genetic health care data in electronic health records

The World Privacy Forum filed public comments with the Department of Health and Human Services in response to an HHS request for information regarding the use of patients' genetic data for research, health care, and for use in electronic health records. The World Privacy Forum is requesting that HHS use all Fair Information Principles in any personalized health care projects, and is requesting that a formal ELSI (ethical, legal, and social implications) committee be set up to oversee any projects, among other requests. Read the comments (PDF). Also see: WPF Fair Information Practices page.

 
01/19/2007 Identity Theft

President's Identity Theft Task Force: World Privacy Forum requests that medical identity theft be added to task force agenda

The World Privacy Forum filed comments and recommendations with the President's Identity Theft Task Force. The task force's draft report and recommendations did not include or contemplate medical identity theft solutions for victims; the WPF has requested and recommended that this be corrected. Medical identity theft victims need more help, more recourse, and agency attention. Read the WPF task force comments (PDF). Also see the WPF Medical ID Theft Page, which links to the WPF report, consumer tips, and FAQs for victims.

 

2006
12/15/2006 e-Government / CIPSEA

WPF comments on proposed guidance on Confidential Information Protection and Efficiency Act of 2002 (CIPSEA)

The World Privacy Forum submitted comments to the Office of Management and Budget regarding proposed guidance on Title V of the e-Government Act. The proposed guidance did not address the relationship between CIPSEA and the USA PATRIOT Act Section 215, and guidance regarding identifiability and the Privacy Act of 1974 needs to be further refined. WPF suggests that OMB consider developing a formal statistical confidentiality seal controlled by a federal agency. The purpose would be to provide an identifiable marker that would tell individuals if the information they provide will receive the highest degree of confidentiality protection available under law. Read the WPF comments (PDF).

 

12/14/2006 Medical privacy / Medicare Part D

World Privacy Forum Requests That CMS Bring Its Medicare Part D Data Activities Under HIPAA and Require Certificates of Confidentiality to Protect Patient Privacy

In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice. Read the comments (PDF).

 

12/06/2006 Identity theft / Consumer Alert

Identity Theft Victims of Choicepoint Data Breach May Now File Reimbursement Claims

The Federal Trade Commission has set up a new web site and phone number for identity theft victims of the Choicepoint data breach. The new site and phone number give victims information on how to file claims for monetary reimbursement if out-of-pocket losses accrued as a result of the ID theft. A fund of $5 million is available to victims; the deadline for filing is February 4, 2007. The site is <http://www.ftc.gov/choicepoint>, and the data breach hotline phone number is 1-888-884-8772.

 

11/27/2006 Privacy Act of 1974

Department of Justice Proposes Making Changes to Routine Uses of its Systems and Databases; World Privacy Forum Files Comments on Problematic Privacy Act Issues with the Proposed Changes

The Department of Justice published a notice proposing to update the Routine Uses of its systems and databases under the Privacy Act of 1974. The proposal was not precise enough, and was written in such a way as to allow sensitive Privacy Act systems such as the Criminal Division Witness Security File (CRM-002), the Witness Immunity Records (CRM-022), and the National Instant Criminal Background Check System (NICS, FBI-018) to be disclosed to almost anyone in certain circumstances, including to individuals working outside of law enforcement. The World Privacy Forum is requesting that the DOJ significantly tighten its language in the proposal, and that it specify what individuals or entities may have access to these sensitive records, and under what specific conditions. The World Privacy Forum is also requesting that the DOJ republish all of its up-to-date system of records notices in their entirety immediately and at least every two years thereafter. Read the comments (PDF).

 

10/31/2006 Genetic privacy

World Privacy Forum Comments on Proposed Policy for Genetic Database

Genome-wide association studies present complex and challenging privacy issues. The National Institutes of Health, in a published request for information, asked for public comment on its proposed policy regarding its support and management of a central genomic repository for genome-wide association studies. In comments filed with the National Institutes of Health, the World Privacy Forum raised concerns about the proposed NIH policy in the specific areas of genetic identifiability, secondary uses of the genetic data, oversight, legal protections, and informed consent. Read the comments (PDF).

 

09/27/2006 Privacy Act of 1974

World Privacy Forum Files Comments on a Proposed DHS rulemaking; asks the Department to make a Commitment to Transparency and Accountability

In response to a proposed Department of Homeland Security rulemaking regarding a system of records, the World Privacy Forum filed comments requesting changes. The primary objections are that the proposed system of records commingles records and functions, the proposed exemption is inconsistent with the system notice, and DHS's proposed exemption from civil remedies was not correct, among other issues. The World Privacy Forum stated in its comments that the Department of Homeland Security should demonstrate its commitment to accountability and transparency in the rulemaking. Read the comments (PDF).

 

09/18/2006 Identity theft, medical identity theft  

World Privacy Forum Comments on "Red Flag" Guidelines for Identity Theft, Requests Addition of Medical Identity Theft to Red Flag Rule

The World Privacy Forum filed comments with the Federal Trade Commission, the Treasury, and other federal agencies today regarding the joint draft rule on "Red Flags" for identity theft. In its comments, the World Privacy Forum requested that medical identity theft be added to several aspects and portions of the proposed rule. Adding medical identity theft to the rule is essential to help close gaps in protection for consumers and to encourage health care providers to attend to victims' challenges and needs regarding medical identity theft. Read the comments (PDF). For more on medical identity theft, also see the Forum's medical identity theft report and tips on the Medical Identity Theft page.

 

08/16/2006 Internet privacy

World Privacy Forum Files FTC Complaint About AOL Data Releases

The World Privacy Forum filed a complaint today with the Federal Trade Commission regarding AOL's multiple releases of portions of its users' search query histories. The complaint discusses AOL search query releases from 2004 and 2006. The complaint alleges that the data release was intentional, and due to significant identifiability issues of the data subjects, that the releases are harming some AOL customers, and that AOL customers did not know their search histories would be made available to the public. The World Privacy Forum urges consumers to take precautions when using search engines. For more see the complaint (PDF). Also see the World Privacy Forum Search Engine Privacy Tips.

 

 

08/08/2006 Internet privacy

World Privacy Forum Announces Plans to File FTC Complaint About AOL Search Data Release

The World Privacy Forum announced today that it would be filing a complaint with the Federal Trade Commission about the posting by AOL of a portion of its users’ search data on the Internet. While the data was not expressly identified by name, the search queries themselves included in some cases personally identifiable information such as individuals’ names, Social Security Numbers, and myriad other personal information. The World Privacy Forum urges consumers to take precautions when using search engines. For more see the Press Release. Also see the World Privacy Forum Search Engine Privacy Tips.

 

 

07/20/2006 Genetic privacy

World Privacy Forum Comments on Privacy Issues Relating to a Nationwide Genetic Research Project

The collection of DNA material from 500,000 to 1,000,000 or more individuals as part of a large U.S. medical research project raises many challenging ethical, legal, and privacy issues. An advisory committee reporting to the Office of the Secretary of Health and Human Services (the Secretary's Advisory Committee on Genetics, Health and Society) has published a detailed analysis of the issues such a project and its associated databases and biobanks would raise in a draft report. The committee's final report and policy recommendations will be submitted to the Secretary of HHS. The World Privacy Forum has submitted public comments on the draft; the comments include key policy recommendations.

 

The Forum's recommendations include the need to provide protection from compelled disclosure of information, the necessity for a full-time project privacy officer with enforcement power, the need to address identifiability issues, and the need for a far-reaching and robust privacy policy that exceeds the requirements of HIPAA, among other recommendations. Read the WPF comments and recommendations (PDF) or read the WPF comments on the web. Also, see the Medical Privacy Project page.

 

 

06/30/2006 Medical records privacy and how-to

Step-by-step FAQ for victims of medical identity theft

Following its report on medical identity theft, the World Privacy Forum has responded to the need for specialized advice for victims of medical identity theft. The Access, Amendment, and Accounting of Disclosures: FAQs for Medical ID Theft Victims is the first resource of its kind, and is intended to help victims navigate the complicated process of correcting medical files and recovering from the unique harms of medical identity theft. The FAQ includes sample letters to use, as well as step-by-step advice on how to get a copy of health records, ask for changes to health records from healthcare providers, and ask for a history of disclosures of health records. Read the FAQs. For more see the Medical ID Theft page.

 

06/15/2006 Agency comments / Medical privacy

World Privacy Forum comments on Medicaid Program and State Children's Health Insurance Program Systems Notice; requests changes

The World Privacy Forum submitted comments to the Centers for Medicare & Medicaid Services requesting that it amend a Systems of Records Notice to address an oversight and address other privacy issues. The Forum requested that CMS add a reference in the system notice to Executive Order 13181 of December 20, 2000, “To Protect the Privacy of Protected Health Information in Oversight Investigations.” The Forum also requested that the routine uses be revised to reflect the HIPAA requirements as appropriate when the disclosures involve HIPAA records. Read the comments in PDF.

 

06/05/2006 National Health Information Network 

National Health Information Network Timeline

This timeline charts the major developments of the National Health Information Network. This network, usually called the NHIN, is a project underway led by the U.S. government. The goal is to transition from a paper-based health care system to a digitally based one, with electronic medical files to be shared over a network. The NHIN is intended to be a sophisticated network that hospitals, insurers, doctors, and others could potentially access. Such a network brings patient privacy, security, and confidentiality issues into sharp relief. The NHIN now has pilot projects underway in multiple U.S. cities. This timeline charts the NHIN from its start to the present. See the timeline on the web. See the NHIN page for other NHIN news and updates.

 

06/05/2006 Fair Information Practices

A Brief Introduction to Fair Information Practices

This is a short introduction to the eight principles known as "Fair Information Practices." These eight principles and practices describe how an information-based society may approach information handling, storage, management, and flows with a view toward maintaining fairness, privacy, and security in a rapidly evolving global technology environment.

 

05/03/2006 Medical privacy

Medical Identity Theft: The Information Crime That Can Kill

This new World Privacy Forum report (PDF Executive Summary) (PDF Full Report) describes what medical identity theft is, discusses victim experiences, and explains why this crime is important to detect. Victims of medical identity theft may not know that they have medical files that have been falsified by imposters, and can receive improper medical treatment based on these errors. The report estimates that between a quarter and a half million people have been victims of medical identity theft. See the Medical identity theft page for the report, for updates, and for consumer tips.

 

03/08/2006 Financial privacy

Comments to IRS on Tax Information Sharing

Joint comments filed by EPIC, Privacy Rights Clearinghouse, and World Privacy Forum. Comments are available at the EPIC site: <http://www.epic.org/privacy/tax/irscom3806.html>.

 

02/08/2006 Medical privacy / HIPAA

World Privacy Forum Files Comments About Proposed Changes to HIPAA

Five groups joined the World Privacy Forum in asking for changes to be made to a proposed rule on how medical healthcare claims attachments are handled electronically. The World Privacy Forum and the EFF, EPIC, Privacy Rights Clearinghouse, Privacy Activism and U.S. Public Interest Research Group (U.S. PIRG) asked that physicians be given more control over what parts of health records they send electronically to insurance companies, that psychotherapy notes not be included when sending health records for insurance payment, and that the HIPAA Privacy Rule be rigorously applied to scanned health records. Read the comments in PDF format.

 

01/31/2006 Domestic surveillance

World Privacy Forum Requests NSA Domestic Surveillance Inquiry

The World Privacy Forum joined a coalition of 41 civil liberties, privacy, and trans-political organizations in a letter requesting a thorough and comprehensive inquiry by the Committee on the Judiciary into domestic surveillance program(s). Read the letter in PDF format.

 

01/20/2006 Internet privacy

Search Engine Privacy Tips

Working to proactively prevent problems related to the use of search engines is preferable to trying to clean up privacy problems after the fact. Here are some tips and resources for enhancing search engine privacy. Read the tips.

 

01/04/2006 Identity theft

FTC to Conduct New Identity Theft Survey; World Privacy Forum Submits Comments

The World Privacy Forum submitted comments in response to the Federal Trade Commission's request for feedback on its upcoming identity theft survey. The FTC identity theft survey is one of the most quoted surveys on the subject. The World Privacy Forum requested changes and clarifications to the survey, including adding questions about security breach notices and clarifying existing questions about medical identity theft, among other issues. Read the comments in PDF format.

 

2005

 

11/04/2005 Medical privacy

World Privacy Forum Comments to HHS on Protecting Patient Choice and Expanding Medical Privacy Rights

The World Privacy Forum filed comments with Health and Human Services this week asking the agency to protect patient choice and privacy. The World Privacy Forum asked that patients continue to be able to receive accounting of disclosures under HIPAA, and asked that this important patient right under HIPAA not be removed or weakened. The World Privacy Forum also asked HHS to review how patients' records can be amended under HIPAA, and recommended that, in light of the coming National Health Information Network, changes to enhance patient choice may be needed in this area. Read the comments on the Web or in PDF format. For more on the National Health Information Network, see our NHIN page.

 

9/30/2005 Medical privacy

World Privacy Forum Testifies on Electronic Health Records and Privacy

The World Privacy Forum testified before the National Committee on Vital Health Statistics in August regarding the importance of patient choice in the area of Electronic Health Records. The testimony stressed the importance of building security, patient privacy, and choice into EHRs and any form of the proposed National Health Information Network (NHIN). Read the testimony on the Web or in PDF format.

Also see the Forum's NHIN page.

 

8/4/2005 Telemarketing

World Privacy Forum Comments to the FCC on Telemarketing

In official comments filed with the Federal Communications Commission, the World Privacy Forum urged the Commission to maintain state telemarketing regulations. (PDF Comments.)

 

7/14/2005 Report

Call Don't Click Update: Still be smart about ordering federally mandated free credit reports

This new report (PDF Complete Report) (HTML Exec Summary) is a complete update on the Forum's original February 25 report on AnnualCreditReport.com. Since the publication of the first Call Don't Click report, the number of imposter sites has increased by 124 percent. Some of the imposter sites have become more aggressive, improperly asking for consumers' Social Security Numbers. Other imposter domains lead to commercial data broker sites. The report lists and discusses the sites, the new findings, and recommendations. See the AnnualCreditReport.com page.

 

7/11/2005 Resume and jobsearching privacy

Updated Resume Posting Tips for Jobseekers

Before you post your resume online, read these twelve resume posting truths to help minimize resume privacy problems such as identity theft. Job Seekers Guide to Resume Databases: Twelve Resume Posting Truths. For more resources on job search privacy, see the World Privacy Forum's Workplace Privacy Project.

 

6/07/2005 Medical privacy

HIPAA News and National Health Information Network News

In HIPAA news, the Department of Justice has released a new ruling regarding HIPAA. The opinion is available here (PDF). Also, the HHS report summarizing the 500+ comments on the RFI for the National Health Information Network has been posted. The HHS report is available here. The World Privacy Forum and the Electronic Frontier Foundation submitted joint comments for the NHIN RFI; those comments are available here (PDF).

 

5/26/2005 Financial and Internet privacy

Call Don't Click: Updated Consumer tips for retrieving your federally mandated free credit report

Before you call, click, or mail away for your federally mandated free credit report, read these tips to help you avoid potential problems. This consumer tip sheet includes graphics to show you what problematic "fake" free credit sites look like, and includes consumer-tested tips for safely receiving your free reports. The tip sheet also includes resources with information, phone numbers, and addresses for ordering your report. See the AnnualCreditReport.com page for more.

 

2/15/2005 Medical Privacy / Infrastructure & Databases

WPF and EFF Submit Comments on the National Health Information Network

The World Privacy Forum and the Electronic Frontier Foundation have submitted official comments in response to the U.S. government's "Request for Information" about its plan to digitize all patient medical records and create an electronic "National Health Information Network" or NHIN. The comments urge caution in designing the NHIN and call for the government to build privacy, security, and open source technologies into the system from the beginning of the project. NHIN Joint Comments PDF. Also see the NHIN page.

 

1/19/2005 Workplace Surveillance and Privacy

World Privacy Forum Testifies about Federal ID Card

The World Privacy Forum testified on January 19 regarding the need to build reasonable privacy and security protections into the proposed "smart" Federal ID cards. The testimony included recommendations on making the mandated employee background checks equitable, careful implementation of the Privacy Act, and conducting a Privacy Impact Assessment. Other key issues included setting limits on card use and protecting the mandated source documents, such as birth certificates, that will be required to obtain a card. WPF and other testimony is available at the National Institute of Standards and Technology site: <http://csrc.nist.gov/piv-project/workshop-Jan19-2005/presentations.html>.

 

2004

 

12/23/2004 Workplace Surveillance and Privacy

Joint Comments on the Proposed Federal ID Standard

WPF, EFF, Privacy Rights Clearinghouse, and PrivacyActivism call for greater attention to privacy provisions of the proposed new Federal ID card, which will be "contactless."

Joint comments PDF. Related: January 19 public meeting testimony on the Federal ID standard. See Events or About Us for meeting details.

 

9/07/04 Job Applicant Privacy

Consumer's Privacy Guide to Job Searching Online

Originally created for the 2003 Job Search Privacy Study in PDF format, the Guide has been made into an easy-to-use Web page. Job seekers can now click through the guide as they look for job sites that are pro-privacy.

 

9/07/04 Internet Privacy

How to Say No to Cookies that Track You

Some computer cookies are harmless, but others can track your moves across many Web sites, eventually building a detailed dossier of your preferences. This new consumer tips article discusses the difference, and links to "opt out" cookies that will stop the tracking.

 

7/08/04 Internet Privacy and Security; Job Applicant Rights and Privacy

A Year in the Life of a Job Scam: Pt. 1 of the World Privacy Forum Job Scam Report

This new report tracks a widespread online job scam over the course of a year from July 2003 to July 2004. The report contains findings, recommendations, critical new tips for job seekers, and examples and explanations of the scam in action (emails to victims, contracts, etc.). The report examines the intersection between job fraud and job seeker privacy. Responses from job sites about what they are doing about job fraud are included in the report. Report HTML | Report PDF

 

7/08/04 Internet Privacy and Security; Job Applicant Rights and Privacy

Timeline: The Evolution of an Online Job Scam

This visual timeline chronicles a year of a job scam. The timeline documents the cities the fake jobs were targeting, dates the jobs posted, the various company names the scam operated under, and the contact names used in the scam. The job scam timeline is documented with screen shots of the job listings and how they looked as posted. The scam is still active. Timeline HTML

 

7/08/04 Internet Privacy and Security; Job Applicant Rights and Privacy

Consumer Tips to Help Combat Job Scams

These reality-based consumer tips are simple and are based on research from the key findings in the World Privacy Forum Job Scam Report. The Consumer Tips include "Red flags" to recognize scams and a step-by-step explanation and illustration using real examples of how one type of scam operates. Tips HTML

 

7/5/04 Database Privacy

WPF Calls for WHOIS Database Privacy Improvements

In comments submitted to ICANN's Task Forces 1 and 2 on the WHOIS Database, the World Privacy Forum has asked for tiered access to domain registry information. This would allow domain registrants the ability to keep home phone numbers, addresses, and email addresses private. The WPF has also asked that personal information in the WHOIS database not be made available to marketers. Comments PDF

 

2003

12/12/03, updated 7/08/04 Consumer Privacy, Financial Privacy, Job Applicant Privacy

Consumer Fraud Alert: Bogus Jobs Attempt to Obtain Consumer Bank Account Information

The World Privacy Forum and the Privacy Rights Clearinghouse have become aware of a nationwide job scam currently in action. We are advising job seekers to avoid any response to job ads coming from Unk Electronics, Macrocommerce Intersales, and Nanjing Panada Electronics, and to be aware of the high potential for financial fraud and/or identity theft if they have already responded to job ads from these companies. Fraud Alert HTML

 

11 November 2003 Job search privacy / Inaugural report

2003 Job Search Privacy Study -- Job Searching in the Networked Environment: Consumer Benchmarks

The World Privacy Forum officially launches with this inaugural report, a year-long research study of the job search sector. This study, The 2003 Job Search Privacy Study: Job Searching in the Networked Environment: Consumer Benchmarks, documents job applicant privacy across the job search industry from resume writers to job search sites to resume blasters and other parts of the job search infrastructure.

Read the full study: 2003 Job Search Privacy Study

Read the executive summary: Executive Summary 2003 Job Search Privacy Study

Read the consumer guide: Consumer Guide to Job Search Privacy

This consumer guide lists 50+ Web job search sites and gives information about the levels of their privacy for consumers. The guide is now in HTML format for easy use.