The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Private Flickr Photos Made Public

According to this recent article at, a few months ago, a woman uploaded some pictures of her children skinny-dipping, along with about 50 other photos, to the online photo site Flickr. The woman was careful to mark those pictures of her children as "private". However, a couple of weeks ago she noticed that the private pictures had been viewed thousands of times, while the other photos only had about 20 hits.

Different photo-sharing websites have different policies regarding the privacy of photos. Flickr, for example, automatically designates all online photos as public unless otherwise specified. Other sites such as Shutterfly and Snapfish keep photos private unless the user indicates that they can be shared.

It turns out strangers can access a photo- whether public or private- if they have the full URL. Figuring out the exact URL, which usually contains random numbers and letters, is difficult but not impossible.

Leave a comment

EU decision on IP addresses, search engines and privacy

As expected, the EU’s Article 29 Working Party has released a decision that search engines are subject to the obligations of the Data Protection Directive. The Working Party explains that the data search engines collect — IP address and a search profile — is considered personal information in Europe, not purely anonymous data as the search engines have maintained. It issued a preliminary release on the subject, and is expected to issue a full report in the next few months.

Leave a comment

Google Health opens potential loophole in HIPAA protections

Valleywag reports on the pending introduction of Google Health’s pilot program, in which they’ll store the health records of of 1500 to 10,000 patients at the Cleveland Clinic. But Valleywag (and, for more information, this SF Chronicle article) discusses the privacy implications of Google’s plan: As a non-healthcare provider, Google (and any other third-party provider of these kinds of services) isn’t subject to the privacy protections of HIPAA. The lack of one protection in particular, the requirement that health care providers notify a subject when his or her health records are subpoena’d, means that it will be easier for third parties to gain access to your medical data in ways that could be detrimental to you.

Microsoft and AOL have their own portable health information products in the works.

Leave a comment

FTC and Congress unlikely to act on behavioral targeting?

Another of Harrington’s pronouncements at the DMA conference (as reported by Mediapost) was on the FTC’s recent foray into regulation of behavioral targeting. She indicated that the FTC may not be convinced that behavioral advertising is in and of itself a privacy violation for consumers. Congress’s declining to consider legislation on the matter may indicate that the FTC should focus on cases where the harm to consumers is more clear. But she stated that industry groups must come up with self regulatory principles for greater transparency and meaningful choice.

Leave a comment

FTC says data security is its top concern

Deputy Director of Consumer Protection Eilieen Harrington’s appearance before the Direct Marketing Association’s Email Evolution conference provided a wealth of information about the FTC’s orientation on current hot topics in privacy on Tuesday. Mediapost reported her pronouncement that the FTC considers security of consumer data to be "of the greatest and highest concern" for enforcement, pointing to its pursuit of big-name companies like Microsoft for security breaches.

Leave a comment

China may move forward on EU-model data protection law

Privacy Laws & Business reports that this may be the year China enacts its proposed EU-model data protection law, covering both public and private sectors. The proposed law addresses the transfer of personal data to other countries and establishes subject access rights and remedies.

Leave a comment

Eli Lilly & Co.’s E-mail Blunder

When Eli Lilly & Co. saw that its confidential settlement talks with the government made front-page news in the New York Times, they accused federal officials of leaking the information. However, an investigation by the company found that the source of the leak was one of its outside lawyers. Apparently the lawyer writing the e-mail meant to send the confidential information to her co-counsel at another firm, but instead sent the e-mail to a reporter at the New York Times. The reporter claims that, although he did receive an e-mail from the firm, it did not contain a detailed description of the status of the settlement talks, and that he actually got his information from other sources.
Eli Lilly & Co. is in negotiations with the government over alleged marketing improperties. They are accused of improperly marketing their most popular drug, Zyprexa, for schizophrenia. 
In an unrelated but similar incident in 2002, Eli Lilly settled with the FTC and eight state attorneys general after an employee unintentionally released e-mail address of nearly 700 subscribers to its e-mail alert.

Leave a comment

US demanding additional passenger data from EU

The Guardian reports that the US government is asking individual EU member states to sign a memorandum of understanding committing to provide additional personal information about air passengers and associated individuals, or lose their rights to visa-free travel to the US.

Under the existing PNR (passenger name record) program, airlines provide 19 items of information on every traveler flying from the EU to the US. Approval of the existing program was quite controversial in the US (the Article 29 Working Party devised an appropriate framework for the transfer). The additional information the US is requesting includes data on all air passengers flying over (and not landing in) the US and data about non-travelers who may be let beyond security to assist in boarding. This information would be combined with the data in the PNR to build out profiles of travelers to assist in detecting and preventing terrorism.

Greece and the Czech Republic have expressed interest in participating, because their citizens are currently subject to visa requirements for travel to the US. But Brussels is pressing for a united bargaining position and urging individual countries not to sign.

Leave a comment

Washington Post on TSA’s electronics searches and privacy

The Washington Post reported yesterday that TSA agents have been seizing and searching electronics in US airports, with some privacy implications for the travelers subject to their actions. They report that some companies have implemented policies to safeguard sensitive information by having laptop hard drives cleared before international travel. Other individuals have had to hand over passwords to TSA agents, who searched their histories of websites visited. Some travelers have had electronics seized and not returned for long periods of time.

In response to the TSA’s searches, EFF and the Asian Law Caucus filed suit (complaint available here), asking DHS to clarify its policies on – among other First Amendment issues – searching laptops and electronic devices. EFF Staff Attorney Marcia Hofmann explained,  "Laptops, phones, and other gadgets include vast amounts of personal information. When will agents read your email? When do they copy data, where is it stored, and for how long? How will this information follow you throughout your life? The secrecy surrounding border search policies means that DHS has no accountability to America’s travelers."

Leave a comment

FTC Settles with Online Retailer for Failure to Safeguard Consumer Information

This past January, the FTC settled with Life is good, Inc., a retail apparel and accessories outfit that operates the web site,, for making deceptive claims regarding the privacy and security of consumer information it collected and stored through its website in violation of federal law, including the FTC Act.  According to the FTC’s complaint, the web site’s privacy policy claimed, "We are committed to maintaining our customers’ privacy. We collect and store information you share with us – name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you."  
The FTC alleged that Life is good did not in practice provide sufficient safeguards for the sensitive consumer information that it collected and stored through its web site (which included credit card numbers, credit card expiration dates and credit card security codes).  Life is good’s alleged failures and inadequacies specifically included, among other things, indefinitely storing credit card information, credit card security codes and other consumer information in clear readable text on its network without a business need, failing to assess and monitor the vulnerability of its networks and systems to commonly known and reasonably foreseeable attacks (such as SQL injection attacks), failing to implement low cost, readily available security defenses to such attacks, and failing to employ reasonable measures to detect unauthorized access to consumer information. 
As a result, the FTC claimed that the web site fell victim to SQL injection attacks exposing the sensitive information of thousands of its customers to hackers. 
The settlement agreement between the parties prohibits Life is good from making further deceptive claims about its privacy and security practices, and requires, among other things, that the retailer implement and maintain a data security and privacy program to protect the sensitive information it collects from consumers.  To see the FTC’s Press Release on this matter, click here.
More and more, companies are being held accountable for the statements and promises of safety and security that they make on their websites and in their privacy policies.  In September of 2007, the New York Attorney General announced investigations into online social networking site, Facebook, stating that "Facebook’s promise of a safe website is not consistent with its performance in policing its site and responding to complaints."  According to the AG’s Press Release, while Facebook made various claims and "reassuring statements" on its website regarding the site’s safety controls and response to complaints, undercover investigations revealed that the company was slow (and at times unresponsive) to complaints filed regarding inappropriate content or communications on the site. 
Also, the new set of privacy rules recently adopted by MySpace pursuant to an agreement with 49 state Attorneys General, the goal of which is to help foster online safety and security on social networking sites and online in general, included an agreement on the part of MySpace to better implement procedures for managing and responding to consumer complaints.