Federal Privacy Law

New federal regulations to address identity theft go into effect November 1, 2008, and are likely to affect colleges and universities in nuanced ways. Compliance will require careful study and collaboration among business officers, human resources, legal counsel, student services, IT, and other affected campus units. The rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency. They also require that institutions develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts.

As the temperatures rise in a typical Washington summer, so grows the pressure on some online advertising firms. 

Yesterday the House Energy and Commerce Committee’s Telecommunications and the Internet Subcommittee held a hearing on the questionable methods for advertising currently being used by some Internet service providers (ISPs).  The hearing was entitled, “What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies.”   Panelists included: Bob Dykes, the CEO for NebuAd, David Reed, an early Internet pioneer and professor at MIT, Alissa Cooper, the Chief Computer Scientist for the Center for Democracy and Technology, Scott Cleland, President of Precursor, LLC, and Bijan Sabet, a General Partner at Spark Capital. 

Released one day before the Senate Commerce Committee held its hearing on the privacy implications of online advertising, a new report says targeted ads may involve practices that violate state and federal wiretap laws.

On Tuesday, the Center for Democracy and Technology (CDT) issued a memo, saying Internet service providers (ISPs) that allow an advertising network to copy [their] customers' Web traffic contents are defying "reasonable consumer expectations and may [be violating] communications privacy laws."

Currently, some ISPs are working with third party advertising agencies, which are copying consumer data in order to target specific ads at users. One such firm, NebuAD, testifed before the Senate Commerce Committee yesterday. NebuAd claims it does not violate any laws because they do not collect personally identifiable information. Some, though, argue that any collection of data can ultimately be tied to an individual and disagree with NebuAd's assertion that privacy is completely protected. CDT's memo says the practice most likely violates legal protections provided in the Electronic Communications Privacy Act.

EDUCAUSE joined the American Council on Education (ACE) in comments to respond to a Notice of Proposed Rulemaking regarding the Family Educational Rights and Privacy Act (FERPA). The EDUCAUSE contribution addressed the proposed rules treatment of Social Security Numbers (SSN's), Student ID Numbers, and Student User ID's in the context of "directory information." The comments state:

This 41 minute podcast features a speech from the EDUCAUSE 2007 Policy Conference. The speech is by Jim Harper, Director of Information Policy Studies at The Cato Institute, and is titled, "Identity Crisis: How Identification Is Overused and Misunderstood".

In this 55 minute podcast, we present a general session from the EDUCAUSE 2007 Policy Conference entitled, “Security Breaches and Identity Theft”. This is a panel discussion moderated by EDUCAUSE Government Relations Officer and Security Task Force Coordinator, Rodney Peterson. The discussion features: 

Michael Atleson, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission

Liz Gasster, General Counsel and Acting Executive Director of the Cyber Security Industry Alliance

In response to the tragic shootings at Virginia Tech, President George W. Bush directed the secretaries of the Department of Health and Human Services and Department of Education along with the Attorney General to meet with educators, mental health experts, law enforcement and state and local officials to discus the broader issues raised by this tragedy.  In their “Report to the President,” they conclude, “The Virginia Tech tragedy and similar violent events that have occurred in recent years . . . make us ask whether the complex balancing of fundamental interest in our communities – interests of protecting privacy and civil liberties, ensuring that our communities are safe, and helping people get the care they need – is appropriately calibrated.”  The report contained several recommendations relevant to emergency planning, preparedness, and notifications:

EDUCAUSE will co-sponsor an Information Technology Association of America event, “Defining the Acceptable Balance: A Reasoned Approach to Data Retention,” on September 27, 2006, inWashington, D.C. This seminar will assemble subject matter experts from Congress, law enforcement agencies, the privacy community, and high tech companies to answer such questions as: What data needs to be collected? How long should data be stored? How can data searches be conducted in a manner that does not risk wholesale sacrifice of customer privacy? Learn more about the event and register.

 

 

An interesting way for the FBI and Defense Department to get around laws that limit their surveillance powers, hire someone else to do it. Remeber Chlicepoint? NPR story on their security breach: http://www.npr.org/templates/story/story.php?storyId=4507687

US gov't buys info from ChoicePoint

http://govexec.com/story_page.cfm?articleid=32802&printerfriendlyVers=1"To help the government track suspected terrorists and spies who may be visiting or residing in this country, the FBI and the Defense Department for the past three years have been paying a Georgia-based company for access to its vast databases that contain billions of personal records about nearly every person -- citizens and noncitizens alike -- in the United States.According to federal documents obtained by National Journal and Government Executive, among the services that ChoicePoint provides to the government is access to a previously undisclosed, and vaguely described, "exclusive" data-searching system. This system in effect gives law en