Monday, June 30, 2008

Honesty can cost in auto policies

AB 2800, a bill by Assemblyman Jared Huffman, supported by California insurance lobbyists and one environmental group (Environmental Defense Fund), is seeking to let insurers charge drivers differently based on whether they use a GPS "technological device" to verify their mileage. The concept is that drivers that use these devices would be encouraged to drive less, therebye reducing their emission levels while saving money. However, there is more to AB 2800 than meets the eye.

The Consumer Federation of California has decided to oppose this legislation on a number of grounds, most notably that of privacy, but also on the basis that it would discriminate against a certain "class" of driver in favor of another.

As Consumer Watchdog's Carmen Balber writes (who are also opposed to the bill): This would also create a unfair system where two drivers who are otherwise the same would pay a different premium. Take one driver who installs a GPS monitor in his car that tells his insurance company that he drove 5,000 miles at the end of the year. A second driver verifies the 5000 miles he drove by having his odometer checked by his insurance agent at the end of the year.

Especially in the case of technology, which a driver may not want because of privacy concerns, or may not be able to use because his car is too old, it is unfair to penalize one for verifying his mileage in a different way. Creating two classes of insurance customers who are otherwise equal (as both of these plans would) is illegal under Proposition 103’s fair rate requirements. In fact, either of these programs – either discounts based on the use of technology, or based on whether a driver estimates or verifies – could easily create a situation where a driver who verifies or accepts the technology could drive more, but pay less, than a driver who reduces her mileage but estimates or doesn't use the device.

The possibility of installing technology in peoples' cars also brings up a host of privacy concerns: Should Californians be forced to pay higher premiums if they want to protect their privacy and reject technology?

(AB 2800)...would invite the spyware in. What kind of data do insurance companies really want to collect? They're already using a huge range of information - like speed, location and time of day - in different parts of the country and across the world.

The Sacramento Bee got wind of this bill and the growing debate around it:

Ultimately, passage of AB 2800 could set the stage for battles over whether the state should allow insurers to require high-tech devices for tracking mileage and whether to encourage pay-as-you-go policies that charge drivers for each mile traveled.


Opponents counter that the push for AB 2800 exaggerates insurers' woes and piggybacks onto environmental activism to achieve corporate gain."I think there's always sort of a credibility gap between the industry's claims and its actual performance," said Richard Holober of the Consumer Federation of California.


Opponents contend the legislation is a thinly veiled push toward allowing insurance companies to require use of satellite technology – known as GPS – that can track not only how far you drive, but where and how aggressively. "That's a huge invasion of privacy," Holober (executive director of the Consumer Federation of California) said. "It's nobody's business."

"I should not be required to give up my privacy in order to pay fair insurance rates," added Carmen Balber of Consumer Watchdog, an industry watchdog group.

I will be posting more on this bill and the larger debate over privacy in the coming days and weeks.

Friday, June 27, 2008

Preying on Patients

I've posted a lot here regarding the myriad of privacy pitfalls associated with electronic, online medical records. Now the Wall Street Journal is on the issue with a major expose on medical identity theft, and how it can imperil ones health care, insurance, and job prospects.

Just one more thing to keep in mind as we see new products like Google health rolled out, and/or other proposals I've commented on here in California, such as the Attorney General's massive prescription drug database sharing idea, or giving third party drug marketers and pharmaceutical companies access to patient prescription records. By the least, they do open the door to the increased threat of identity theft.

The Wall Street Journal reports:

An imposter who takes over your financial life leaves a trail of harm -- and that harm can include changes to your health-care records in some cases. Identity theft in the health-care arena adds a layer of complexity because a thief can tap your medical information to get care or make false claims, potentially altering the course of your future treatments if you don't catch and reverse the damage, experts say.

For example, a thief could have a different blood type or drug allergies than you do, and a doctor, nurse or hospital may not detect the mixed patient files before administering treatment based on the imposter's medical history instead of your own. Or victims may find they hit their insurance caps or become uninsurable or unemployable based on medical problems they never had.

That's the scenario privacy experts are concerned about as hospitals and health-care providers increasingly exchange digital information or seek ways to do so. But it's not just high-tech developments that are sparking worries.


But state and national lawmakers are beginning to take notice. Starting this year, California extended its security breach law to require companies that handle medical and health-insurance information to notify people when the security of their medical data has been compromised.


Victims often realize they have a problem when they receive their insurer's explanation of benefits for services they never received, collections companies come calling for charges they didn't incur or their credit report shows changes, Dixon said.

"Right now where we are with medical identity theft is where we were at the beginning of financial identity theft," she said. "We're starting at square one with this crime. The good news here is financial identity theft laws are going to help these victims for debt collection and credit report issues."

Still, some victims have trouble getting collections agencies to believe their predicament, even with a police report in hand, she said. Getting access to and correcting health-care files falls under a federal law called the Health Insurance Portability and Accountability Act, or HIPAA, which is designed to protect privacy but often creates headaches for people who've had their medical IDs stolen. "Because of the fractured nature of the health-care sector, it's not so easy to get positive change moving for victims," she said.


On an individual level, being alert to unauthorized address changes or strange entries on your insurer's explanation of benefits is essential to catching medical ID theft early, Dixon said. Consumers who receive a security-breach notice are wise to get credit monitoring and copies of their medical records. "You're not obligated to tell a health-care provider why you want your files," Dixon said. She advises people who know they're victims of medical ID theft to avoid disclosing the situation so they have a better chance of getting their records. "Gather all the information and then start taking action."

Click here to read the article in its entirety.

Wednesday, June 25, 2008

ACLU files lawsuit on behalf of Virginia privacy advocate + My personal correspondence with her

I just received a very interesting email from none other than BJ Ostergren, the Virginia-based privacy advocate who has been fighting to stop county and state governments from posting public records containing Social Security numbers on their Web sites.

I posted about her situation on March 19th of this year. The "good" news is that she, with the help of the ACLU, is preparing to do battle (as in sue the government) against an amendment to a Virginia law that bars individuals from disseminating any of those SSN numbers, even if they obtain them legally from public records.

For a brief refresher: In recent years, Ms. Ostergren has chronicled dozens of cases in which local governments have inadvertently exposed Social Security numbers and other personal data through their Web sites. As part of her strategy to highlight the seriousness of the issue, she started posting the Social Security numbers of public figures that she accessed via government sites on her Web site.

You know, people like Jeb Bush and Colin Powell for instance. As one might surmise, this didn't make "the government" too happy. One reason being they were being exposed for gross negligence by their putting at risk the identities of tens of thousands of American citizens, but also that they were being made to look even more foolish by Ms. Ostergren's posting of THEIR "private" information (which remember, is already accessible to everyone...hence the problem...its NOT private).

So what was the courageous reaction of Virginia government officials? As one might expect, they immediately went after the critic rather than the problem. So they passed a law banning the posting of such data by a private citizen, rather than oh, BANNING THE GOVERNMENT from doing the very same thing!

Ms. Ostergren and the ACLU are now contending, and which I wholeheartedly agree, that this new law violates her free-speech rights and does nothing to stop county governments in the state from posting documents without first redacting Social Security numbers and other sensitive data. More than that, the measure really seems to have been specifically designed to curtail her campaign to publicize and end that practice!

Ostergren and other privacy advocates have since shown that this problem goes far beyond the borders of Virginia, and in fact, county government around the U.S. have become veritable treasure troves of sensitive data for identity thieves and fraudsters.

So now let's get back to my recent correspondence with this privacy rights hero. Apparently, months ago she wrote me a message (that was mistakenly sent to my junkmail) saying that in my celebration of the passage of AB 1168 (Jones), which requires state and local government agencies, as well as all colleges and universities in California, to honor consumer expectations of personal privacy by safeguarding Social Security numbers, I was giving people a false sense of security.

The reason? As she noted in her first email to me (I made sure it was okay with her that I share her comments):

"There is no law that requires COURTS in CA to remove SSNS off records. I have been fighting with the Riverside Superior Court in CA to no avail to get them to remove SSNs off that site where there are still 10s of thousands of SSNs in court documents. Go to the Riverside Court site.

Type in the word GUEST nothing else and then on next page hunt up case by this CASE NUMBER 405018 Find the first “complaint” filed and then open it. There will be 12 pages and go to page 7. SSN etc. showing. Think that person knows their SSN is online? NOPE! And there are 10s of thousands more SSNs on that site.

Go to my NEWS ARTICLES link on my website

And find the April and May articles about the Riverside mess. They are NOT the only ones doing this in CA. There are more websites spoon feeding criminals as I call it in CA. At least in LA County Superior Court’s website they are charging per search which will slow down an identity thief.

The VA legislature thinks apparently that it is okay for PUBLIC BODIES as defined under Code of VA 2.2-3701 to be able to put SSNs on the internet but not ME.

As our correspondence went back and forth, she also noted her role in the Jones bill, saying:

I played apart in that and I am the one who got Jones involved to the point he got the SOS to shut the site down. I spoke to his aide back then and gave him a "tour" of sites and then he showed Jones. The aide got me to read the legislation before he put it in. If you read it I think you find it mainly applies to RECORDERS....not Judges and courts.

I did not see court records like the ones on the Riverside Superior Court site mentioned. I'd like to show you and take you on a "tour". Once you see what I see, you'll be astounded and also shocked. That Riverside site is literally spoon feeding SSNs to the world...The Superior Court Judge in Riverside says it would be a shame to shut that site down and hasn't. But they could put online a SUMMARY if you will and that would definitely help. They don't have to show the actual filings in cases.

I am currently dealing with Little Rock AR's Pulaski County where there are hundreds of thousands of SSNs on that site. I am trying to get them to shut down...Too much to be gotten off a home computer...or an internet cafe computer in Nigeria or Pakistan or in another state.

The point in all this is, as Computerworld reported just two weeks ago, Ms. Ostergren and the ACLU's lawsuit is now underway, and we should be watching its development very closely. In the meantime, Ostergren has offered to "take me on a tour" in the next few days to see firsthand just how vulnerable our identities are to thieves. I'm afraid what I'll find out already...

Read Computerworld's report on the lawsuit:

The American Civil Liberties Union (ACLU) of Virginia this week filed a federal lawsuit (download PDF) challenging a recently amended state law that prohibits individuals from disseminating public records containing Social Security numbers, even if the records are publicly available to anyone on county government Web sites.

The lawsuit was filed on behalf of Betty "BJ" Ostergren, a Virginia-based privacy advocate who has been fighting to stop county and state government offices from posting public records containing Social Security numbers and other personal records on their sites. As part of her campaign to publicize the issue, Ostergren has routinely downloaded documents containing Social Security numbers from county Web sites and reposted them on her own site.


Rebecca Glenburg, legal director for the ACLU of Virginia, said the Virginia law violates the First Amendment right to free speech.

"Under the First Amendment, people have the right to publish truthful information that is publicly available," she said. "The Supreme Court has held over and over again that when the government chooses to make information public, it can't then punish other people who obtain that information legally and distribute it to others," Glenburg said.


The statute challenged by the ACLU was signed by Gov. Timothy Kaine in March and prohibits the spreading of Social Security numbers obtained from public records. It expands on a previous restriction that only applies to numbers contained in private documents.

The law is scheduled to go into effect July 1, the same date on which county clerks across Virginia are required to make all land records -- such as deeds and mortgage information -- available online. The lawsuit is seeking an injunction preventing the statute from going into effect, Ostergren said.

As I wrote in my original post on this issue on March 19th, "I don't know what's the most disturbing aspect of this story":

  • that social security numbers are this easily available to would be identity thieves...on our own government's websites no less!;
  • that this proposed law now being challenged is so utterly useless in dealing with the stated problem, but instead targets the critic of that problem;
  • that the Virginia state legislature and Governor appear to be targeting Ms. Ostergren because of her efforts to draw attention to the privacy rights being jeopardized by the government...not her;
  • or that this law might have had something to do with the fact she's posting Social Security numbers of powerful people like Jeb Bush and Colin Powell...versus say, doing something to stop fraudsters from stealing the identities of everyday people?!

Click here to go to Ms. Ostergren's "The Virginia Watchdog".

Dems Who Flipped On FISA Immunity See More Telecom Cash

Does this really surprise anyone? Nonetheless, I feel obligated to get this information out in the hope that at the very least, voters will hold these Democrats responsible for their cowardly "shift" from protecting the constitution and the people of this country, to protecting this Administration and the Telecom industry.

It goes without saying that the Republicans are in a league of their own on this near UNANIMOUS support for this FISA abomination.

So, here's the latest data on the telecom's pay off of key Democrats who "flipped" positions. CBS News reports:

The 94 Democrats who changed their positions received on average $8,359 in contributions from Verizon, AT&T and Sprint from January, 2005, to March, 2008, according to the analysis by MAPLight, a nonpartisan organization that tracks the connection between campaign contributions and legislative outcomes.

Retroactive immunity could squash about 40 lawsuits pending against telecommunication companies that helped the government monitor the telecommunications traffic of Americans without warrants. The telecom industry has lobbied hard to insure that the provision is included in the Foreign Intelligence Surveillance Act update Congress is currently considering.


The 116 Democrats who remained opposed to telecom immunity received an average of $4,987 from the telecoms during the three-year period, the analysis showed...The members who voted yes on June 20 received, on average, $9,659 from the big three phone companies while those who opposed the bill received an average of $4,810, MAPLight found.

If only us civil liberties folks could just payoff these legislators in a similar way? Can you imagine: "Good evening Congressman, while I know that you pledged an OATH to protect the Constitution when you became an elected representative, here's $100,000 for your campaign from (put in group name here) to keep that oath and take the side of the 4th Amendment over the Telecoms. Thanks."

One can dream...:)

Monday, June 23, 2008

The New Surveillance Bill: The Worst of Both Worlds

As long as it looks like we're going to be stuck as a nation with the abysmal new FISA law currently before the Senate we may as well take a closer look at some of its most Constitution crushing aspects.

As we know, far too many Democrats in the House capitulated to White House and Republican fear-mongering and granted telecoms retroactive immunity and expanded surveillance powers. Unfortunately, prospects of defeating the bill don't look much better in the Senate, particularly in light of Obama's reversal on the issue. He now says he will vote for the bill but wants to try to amend the part that grants telecoms immunity.

This effort will of course fail, and therefore really does nothing to appease those of us who feel strongly that the rule of law matters, the Constitution matters, and this administration must be held accountable. The fact is, unless Obama is willing to mount a vigorous campaign to explain to the public why this bill must be defeated, including a filibuster, talk is meaningless.

I suppose the optimist in me, based on indications from Obama earlier in the year, is that even if this bill does become law, and Obama does vote for it, as President he will still be open to conducting a Justice Department led investigation into the telecoms...which this legislation DOES NOT prohibit.

But politics aside - but please urge Obama, Dodd, and Feingold to filibuster it here - let's get into some of the bill's details with Aziz Huq, co-author of a new book on national security and the separation of powers called "Unchecked and Unbalanced".

He writes:

Hailed in some quarters as a "compromise" after the capitulation of the Protect America Act of 2006, the new surveillance bill is nothing of the kind: on core issues of privacy and accountability, there is no compromise, since little in the measure honors those two values


Begin with accountability...They argue that protection is necessary to ensure future cooperation, even though the telecoms were not deterred by the fact their past actions were clearly in violation of federal law.

In fact, immunity is on the White House front burner for wholly different reasons: pending lawsuits against the telecoms are the best opportunity for the American public to learn what kind of illegal surveillance occurred under Bush's watch, and how existing law against warrantless wiretapping was circumvented. As bad as the telecoms will look, the Administration will look worse as more of its cynical and results-oriented reasoning and contempt for constitutional rights is fully aired.


...the court can only look to see if the defendant has the piece of paper described in the law, and if it does, the court must dismiss the case. By interposing a certification requirement, and directing judicial attention to a piece of paper, the bill fends off judicial scrutiny of what in fact occurred...And there is every reason to believe that the telecom defendants will have the necessary piece of paper.


The bill, in short, is worse than granting absolute immunity: it is an effort to suborn the legitimacy of the federal courts by having a judge rubber-stamp the dismissal of cases against the telecoms without looking at the substance of what, in fact, was done. It reduces the separation of powers to a check-the-box exercise.


Under the bill, the government can create new surveillance programs, each lasting a year, that focus on "persons reasonably believed to be located outside the United States." Provided that spying agencies do not "intentionally target" someone "known" to be in the United States, or intend to target "a particular, known person reasonably believed to be in the United States" (and with some other minor caveats), large-scale acquisition of data is permitted.

...the courts will not examine the actual surveillance programs, let alone individual cases of surveillance. Again, the bill interposes a certification requirement between the court and the facts.


This is a radical break from the FISA regime created in 1978, and risks severe harm to Americans' privacy interests. The most important break with FISA is the absence of any individualized warrant requirement: it is now whole collection programs that are authorized and reviewed. And the abandonment of discrete, individualized legislative authorization and judicial review is only the first of the bill's troubling features.

The new provisions also allow the government to create sweeping new programs that are formally targeted at overseas persons, but that predictably sweep in large. The provision's loose language about targets -- who do not in fact have to be overseas, only reasonably believed to be overseas -- gives the government substantial latitude in crafting the parameters of its searches.

As True Majority's action alert points out, "It's hard to overstate how much is at stake in this battle. Passing retroactive immunity would put an end once and for all to lawsuits which have the potential to expose the full extent of Bush's illegal wiretapping program. This is literally one of the last avenues we have to hold the Bush administration accountable before they leave office. On this question, there can be no doubt, immunity for phone companies is the same as immunity for George Bush and Dick Cheney."

Click here to read the article in its entirety.

Friday, June 20, 2008

Democrats AND Obama Capitulate on FISA

Frankly I'm almost too disgusted and angry to even write about the Democrats, and worse, Obama's capitulation on the telecom immunity giving, privacy eviscerating, Constitution burning, and Bush protecting FISA law.

That's right, the Democratic-controlled House just passed the "compromise" FISA/telecom amnesty bill by a vote of 293-129. As expected, the Republicans supported the bill virtually in lockstep (188 - 1...that 1 being Ron Paul), while Democrats split (105-128). Nancy Pelosi spoke in favor of the bill, so the whole top layer of House Democratic leadership supported the bill. This new FISA law essentially guarantees telecommunications total immunity for their crimes, actually expands the government's ability to wiretap American citizens, and eviscerates the 4th Amendment. Bye bye 4th Amendment, you were cool while you lasted!

I'm just going to turn it over to some of the most respected defenders of the Constitution that we have in the country today for analysis. But first, here's my ode to the Fourth...which simply gave us the following rights:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Now let's take a look at the contrast between profiles in courage (actually I don't think its courageous to stand up for the Constitution, its simply right) and profiles in cowardice.

First up, Senator Russ Feingold:

The proposed FISA deal is not a compromise; it is a capitulation. The House and Senate should not be taking up this bill, which effectively guarantees immunity for telecom companies alleged to have participated in the President’s illegal program, and which fails to protect the privacy of law-abiding Americans at home.

Allowing courts to review the question of immunity is meaningless when the same legislation essentially requires the court to grant immunity. And under this bill, the government can still sweep up and keep the international communications of innocent Americans in the U.S. with no connection to suspected terrorists, with very few safeguards to protect against abuse of this power. Instead of cutting bad deals on both FISA and funding for the war in Iraq, Democrats should be standing up to the flawed and dangerous policies of this administration.”

Next up, Senator Chris Dodd:

I cannot support the so-called ‘compromise’ legislation announced today. This bill would not hold the telecommunications companies that participated in the President’s warrantless wiretapping program accountable for their actions. Instead, it would simply offer retroactive immunity by another name.

“As I have said time and time again, the President should not be above the rule of law, nor should the telecommunications companies who supported his quest to spy on American citizens. I remain strongly opposed to this deeply flawed bill, and I urge my colleagues in Congress to join me in supporting American’s civil liberties by rejecting this measure.”

Now to Senator Barack Obama (sigh...):

It is not all that I would want. But given the legitimate threats we face, providing effective intelligence collection tools with appropriate safeguards is too important to delay. So I support the compromise, but do so with a firm pledge that as President, I will carefully monitor the program, review the report by the Inspectors General, and work with the Congress to take any additional steps I deem necessary to protect the lives -– and the liberty –- of the American people.

Watch constitutional law professor Jonathan Turley discuss the new FISA "compromise" on Countdown.

And finally, here are some choice clips from Glenn Greenwal, the best in the business on this issue:

It's bad enough watching the likes of Steny Hoyer, Rahm Emanuel and a disturbingly disoriented Nancy Pelosi eviscerate the Fourth Amendment, exempt their largest corporate contributors from the rule of law, and endorse the most radical aspects of the Bush lawbreaking regime. But it's downright pathetic to see them try to depict their behavior as some sort of bipartisan "compromise" whereby they won meaningful concessions...


...the GOP couldn't even wait for the ink to dry on this "compromise" before publicly -- and accurately -- boasting that they not only got everything they want, but got even more than they dreamed they would get. To The New York Times' Eric Lichtblau, GOP House Whip Roy Blunt derided the telecom amnesty provision as nothing more than a "formality" which would inevitably lead to the immediate and automatic dismissal of all lawsuits against the telecoms, while Sen. Kit Bond taunted the Democrats for giving away even more than they had to in order to get a deal: "I think the White House got a better deal than they even had hoped to get."

Lichtblau himself noted that "the White House immediately endorsed the proposal" and wrote that the bill "represents a major victory for the White House after months of dispute."


This scandal began by revelations that the President broke the law -- committed felonies -- when spying on our calls and emails without warrants, because he believes he has the power to break the law. The scandal all but concluded yesterday, with the Democratic Congress (a) protecting the President, (b) permanently blocking the lawsuits which would have revealed what he did and would have ruled that he broke the law, and (c) legalizing the very illegal spying regime that he secretly ordered in 2001. Only in the twisted world of Washington can that be described as a "compromise."

On that note, here's how you can help urge the Senate to stand up and fight this bill. ACT Blue, along with Color for Change, and others are asking for contributions to fight this legislation through targeted advertising against Democratic capitulators.

Go here to contribute.

Thursday, June 19, 2008

Dems to Buckle on FISA? SB 1096 Farewell

In a final act of gratuitous self promotion regarding the defeat of SB 1096, I leave you with this quote of mine in today's SF Chronicle :

"This is a victory for California consumers," said Zack Kaldveer of CFC. "It's also a victory for our state's Constitution, which explicitly protects the individual's right to privacy. When it comes to medical prescriptions, there is nothing more private. This bill crossed the line."

Now onto the illegal wiretapping/FISA/Telecom Immunity debate that has taken a dark and disappointing turn.

As you may have heard, the Democrats in the house appear to be close to cutting a deal (meaning giving in to Bush demands). Yes, the same telecom companies that gave our government the green light to listen in on our phone calls now could be immune from any lawsuits filed by us "regular folks". Of course, the issue has never been how much money they may or may not lose, the issue is what information they know that the Bush administration doesn't want to come out in court.

Yet, unbelievably, inexplicably, and despicably, enough Democrats are still, even though they have the majority, the next President, and are on the popular side of the issue itself, ready to buckle under the pressure to do the wrong thing...again! I'd also like to mention, where the hell is Obama on this? He teaches constitutional law for gosh sakes!!

Here's today's NY Timed editorial which hits the nail on the head: Bush vs. The Bill of Rights:

This week, the White House and Democratic and Republican leaders on Capitol Hill hope to announce a “compromise” on a domestic spying bill. If they do, it will be presented as an indispensable tool for protecting the nation’s security that still safeguards our civil liberties. The White House will paint opponents as weak-kneed liberals who do not understand and cannot stand up to the threat of terrorism.

The bill is not a compromise. The final details are being worked out, but all indications are that many of its provisions are both unnecessary and a threat to the Bill of Rights. The White House and the Congressional Republicans who support the bill have two real aims. They want to undermine the power of the courts to review the legality of domestic spying programs. And they want to give a legal shield to the telecommunications companies that broke the law by helping Mr. Bush carry out his warrantless wiretapping operation.


Lawsuits against those companies are the best hope of finding out the extent of Mr. Bush’s lawless spying. But Democratic leaders in Congress are reported to have agreed to a phony compromise drafted by Senator Christopher Bond, the Republican vice chairman of the Intelligence Committee.

Under the so-called compromise, the question of immunity would be decided by a federal district court — a concession by Mr. Bond, who originally wanted the FISA court, which meets in secret and is unsuited to the task, to decide. What is unacceptable, though, is that the district court would be instructed to decide based solely on whether the Bush administration certifies that the companies were told the spying was legal. If the aim is to allow a court hearing on the president’s spying, the lawsuits should be allowed to proceed — and the courts should be able to resolve them the way they resolve every other case. Republicans, who complain about judges making laws from the bench, should not be making judicial decisions from Capitol Hill.


The new bill has other problems. It gives the government too much leeway to acquire communications in the United States without individual warrants or even a showing of probable cause. It greatly reduces judicial review, and it would remain in force for six years, which is too long.

Can't the Democratic majority in Congress just extend the temporary authorization until the next President (i.e. Barack Obama)? Why would there be a rush to pass this abomination while a known and proven enemy of the Constitution - George W. Bush - is still President?

As the Times points out, Senator Barack Obama opposes immunity and voted against the temporary expansion of FISA. They also agree with me on this: its time for him to take a leadership role on this issue...he's the new captain of this party, and boy do they need one right now.

On that note, here's a Action Alert from the ACLU today...Congress needs to hear how we feel!:

Despite the outrage coming from a broad coalition of concerned citizens, by tomorrow night the House of Representatives will vote on whether or not to gut the Constitution and give immunity to phone companies who broke the law and spied on Americans.

We have to act now. Even if you’ve emailed, called or visited your members of Congress about FISA, we need you to contact them again today. Congress is moving so fast and so secretively that we only got a copy of this bill this morning. I can tell you it’s horrible. It contains vacuum cleaner style surveillance that sweeps up the phone calls and emails of Americans.

And it’s blatantly unconstitutional. The bottom line is that this is legislation that benefits a few of our country’s largest corporations while taking away basic rights from the rest of us. And it is unacceptable.

Put Congress on notice that the American people don’t want a "compromise" that sells out our rights. Act now. We’re hearing the vote is tomorrow, so we could have less than 24 hours.

Wednesday, June 18, 2008

SB 1096 DFEATED!! - Bill would have allowed drugstores to share customer prescription records

I have posted a lot about SB 1096 in recent weeks and am pleased to report that the roller coaster ride is over! The final score of the battle to keep prescription drug records private reads California consumers 1 - drug stores, pharmaceutical companies, and drug marketers 0.

To briefly recap: The bill was temporarily defeated in the Senate a few weeks back only to rear its ugly head again and win a razor thin, one vote victory a few days later. As we now know, this "victory" turned out to really be the beginning of it's end. The question is why did the Assembly Health Committee so soundly reject the bill? What changed in recent days?

Here's my theory: The media's increasing scrutiny of the bill's claims (particularly by David Lazarus of the LA Times and Elizabeth Fernandez of the SF Chronicle), the effective and outspoken opposition of advocacy groups like CFC and Consumer Watchdog (among others), and the public outcry this attention generated AGAINST the legislation in the past week created a kind of legislative "perfect storm". And thankfully, our lawmakers were listening, as evidenced by the legislation's near unanimous and bipartisan defeat in the Assembly Health Committee.

SB 1096 failed to garner a single "Yes" vote on Tuesday. Voting against the bill were Committee Chairman Mervyn Dymally (D-Compton), Vice Chairman Nakanishi (R-Lodi), Patty Berg (D-Eureka), Ted Gaines (R-Roseville), Sally Lieber (D-Mountain View), Fiona Ma (D-San Francisco), Mary Salas (D-Chula Vista), and Jim Silva (R-Huntington Beach). All other members either didn't vote or were absent (8 in total).

CFC opposed SB 1096 (Calderon) because it raised significant privacy and health care concerns for patients. The bill would have created an exception to California's Medical Information Act, and allow the sharing (and essentially the selling) of confidential patient drug prescription information without a patient's consent. The bill's main backer, Adheris Inc., is a subsidiary of inVentiv Health Inc., a drug marketing company (currently being sued for privacy breaches related to patient prescription records!).

With that brief rehash of the past, let's get right to another great piece by David Lazarus...this time discussing the bill's rather stunning, and overwhelming defeat yesterday:

The bill's "source" was a company called Adheris Inc., which used to be known as Elensys Care Services Inc. The company changed its name after it came to light in 1998 that CVS and other pharmacies were sending people's medical info to Elensys without their permission.


One problem with Calderon's bill was its lack of transparency about who would pay for the reminder letters, and which patients would get them. Calderon originally told me that Adheris is paid by drugstores to handle communications on their behalf. He acknowledged Tuesday that drug companies "at times" reimburse pharmacies for their expenses.

That's putting it mildly. Adheris Chairman Mike Evanisko testified before the state Senate's Health Committee in March that funding for the company's activities frequently comes from drug makers.

"The pharmaceutical companies sponsor these programs and [on] some occasions they pay us and we reimburse the chains for their expenses," he said. "And in some cases, the pharmaceutical companies who sponsor these pay the chains, and the chains pay us for providing the service."


Jeff Krinsk, a San Diego attorney who is suing Adheris on behalf of consumers whose prescription information was provided by Albertsons Inc., told me that not only are drug companies paying Adheris and drugstores to fund the letters, they're also choosing which patients receive reminders.

"They only do it for the drugs that are most profitable," he said. "The decision is made by the pharmaceutical companies."

The reason, Krinsk said, is that pharmaceutical companies want to maintain brand awareness among patients taking expensive drugs and deter them from seeking lower-priced generic alternatives.

Here's my favorite piece of the article, apparently Senator Calderon, the bill's author, blames us "conspiracy theorists" for its unfair defeat. Rather than blame the facts for his loss, the Senator should instead take a look at our State's Constitution and maybe ask California consumers if they are okay with their prescription records being shared and sold without consent.

In a statement, Calderon blamed the demise of his bill on "a deceptive campaign of misinformation." "I've read so many inaccuracies in the press and heard so many conspiracy theories about SB 1096 that if I believed it all, I too would have voted against it," he said.

According to public records, Calderon has received at least $89,000 in contributions from drug companies and pharmacy chains since 2002.

Click here to read the article in its entirety.

Tuesday, June 17, 2008

Real ID, Real Problem

What can I say, I love it when a really good op-ed gets in a major daily newspaper regarding a topic that has been as "hidden" from public view as has REAL ID.

Cynthia Boersma - the legislative director for the American Civil Liberties Union of Maryland - got this piece published in the Baltimore Sun today:

“No. Nope. No way.” So exclaimed Democratic Gov. Brian Schweitzer of Montana when asked whether his state would participate in the federal Real ID program.

Frustration with this misguided, expensive and unworkable federal mandate also compelled another governor, Republican Mark Sanford of South Carolina, to call Real ID “the worst piece of legislation I have seen during the 15 years I have been engaged in the political process.” If Real ID has any friends in the states, they’re not speaking up.

This sentiment is now percolating through the halls of Congress. In recent hearings before the U.S. Senate Homeland Security and Governmental Affairs Committee, senators from both sides of the aisle were blistering in their criticism of Real ID.


Under the Real ID Act, the federal government requires states to issue uniform driver’s licenses - essentially a national ID card - with insecure, unecrypted personal information on machine-readable strips. That means three bad things: huge costs of time and money for Marylanders, an easier task for identity thieves, and less, not more, security for our state.


Real ID then requires these documents to be electronically stored in a database accessible to the federal government and every MVA in the country with no established restrictions on access, data sharing or data mining. It will render every Marylander highly vulnerable to identity theft and will subject personal information to misuse and fraud.

The good news in all this is the far better alternative now being proposed: The Identification Security Enhancement Act. This bill was introduced this year in the U.S. Senate with bipartisan support. As Ms. Boersma notes, the "bill would protect privacy, would achieve effective driver’s license security, could be implemented more quickly than Real ID and would not cost billions of dollars to be shouldered by the states."

Thursday, June 12, 2008

Ariz. Legislature kills Real ID; critics point to hefty costs

Before I get to REAL ID, I want to correct a mistaken hyperlink I used last Thursday to the story on NPR about Jerry Brown's proposed medical records database for which I was interviewed. Here's the correct link to the California Report and about half way in to the 10 minute program on June 5th you'll find the segment and a clip from my interview. Or just click here: Listen (RealMedia stream) Download (MP3)


Another state - demonstrating the bipartisan red and blue nature of REAL ID opposition - has joined the coalition rejecting the feds attempt at creating a National ID Program. I of course am speaking of the liberty crushing REAL ID Act "passed" through congress without debate in 2005 as an amendment on a bill full of security recommendations stemming from the Sept. 11 terrorist attacks.

I suspect we all know how "the card" generally works, so let's get to Arizona! As we are all aware, there have been varying degrees of state opposition to the Act to date, with some hinting at opposition, others dragging their feet, and still others ratifying, in law, their non-compliance. Well, assuming Gov. Napolitano signs the bill, which all indications say she will, Arizona will become the 10th state to prohibit compliance with the federal program.

The Arizona Republic reports:

On a 51-1 final vote, House lawmakers sent Gov. Janet Napolitano their House Bill 2677, a measure barring the state from participating in the federal Real ID program. If Napolitano signs the bill, Arizona will become the 10th state to prohibit compliance with the federal program.

But the legislation's impact is negligible for the time being because Real ID isn't slated to take effect for at least another 18 months.


...critics have voiced concerns about hefty costs - to be borne by the states - to develop the IDs. Some opponents say the central databases needed increase the risk of identity theft and fear Real ID is a step toward a national identification card. Groups across the political spectrum - from the ACLU to the John Birch Society - have aligned against the federal program.

State compliance is voluntary, but individuals will be required to carry identification that meets Real ID standards to board commercial flights or enter federal buildings. The program's implementation has already been delayed until the end of 2009.

So to recap recent moves being made by various states - with Minnesota and Alaska leading the charge - let's go to the New American which just reported on this very question:

In May Minnesota and Alaska became the eighth and ninth states whose legislatures have rejected Real ID, joining Maine, Montana, New Hampshire, Oklahoma, South Carolina, and Washington. A dozen more states have approved resolutions calling for the costs of the Real ID program to be fully covered by Congress or the act repealed.

Minnesota’s Real ID resolution (HF3807) was clearly stated and uncompromising: “Section 1. Noncompliance With Real ID Act. The commissioner of public safety is prohibited from taking any action to implement or to plan for the implementation by this state of those sections of Public Law 109-13 known as the Real ID Act.” Both House and Senate passed this bill by veto-proof margins, 103-30 and 50-16 respectively.

Unfortunately, Governor Tim Pawlenty cleverly engineered a way to veto the bill and avoid an override vote. In the waning days of Minnesota’s legislative session, Pawlenty vetoed HF3807, then issued an executive order that would prevent full state compliance with the federal Real ID program before June 1, 2009 unless approved by the legislature. When the legislature met for the last time the next day, an attempt to override the veto was rejected with little discussion.

It was a different story in Alaska. Its resolution (SB202) stated, “A state agency may not expend funds solely for the purpose of implementing or aiding in the implementation of the requirements of the federal Real ID Act of 2005.” Although this resolution is not as bold and uncompromising as Minnesota’s was, it has the virtue of being passed into law through overwhelming votes of 39-1 and 19-1 in the House and Senate respectively, and through Governor Sarah Palin’s acquiescence when she failed to either sign or veto the bill in the mandatory 20-day period.

You can be sure I'll be keeping you up to speed on all the most important REAL ID related news for you right here.

Wednesday, June 11, 2008

Measure would let drugstores pass prescription information to bulk mailers

I must say that despite the disappointment of SB 1096 passing the Senate by a single vote last week, the continuing press attention on the bill does give reason to be hopeful.

As you may remember, SB 1096 (Calderon) - sponsored by a drug marketing firm currently being sued for privacy breaches - would allow the sharing of a patient's confidential medical information regarding prescription drugs among a pharmacy, third party corporations and pharmaceutical companies.

For more information on the bill see previous posts, beginning with this one.

Before I get to the article by consumer rights champion David Lazarus of the Los Angeles Times - which now faces an Assembly vote next week - I want to direct everyone to CFC's Action Alert opposing this bill. Tell your Assemblymember (and the Governor) to protect patient prescription records!!

David Lazarus writes:

Under legislation that quietly passed in the state Senate on May 29 and is making its way through the Assembly, drugstores would be free to share patients' prescription records with companies that specialize in bulk mailings.Money would change hands along with people's personal data, but, as you'll see, it's not exactly clear who's paying whom.


The reality, critics say, is that this is an effort by pharmaceutical companies to help ensure that patients stick with expensive name-brand drugs and not stray toward cheaper generic alternatives. They say it also could lead to privacy violations."Your private medical information is being transferred from one database to another," said Jerry Flanagan of Santa Monica-based Consumer Watchdog. "Once that genie's out of the bottle, it's very hard to get it back in."


SB 1096 is surprisingly murky when it comes to who is supposed to benefit from the legislation. The bill lists its "source" as Adheris Inc., which describes itself as "the leader in prescription-drug patient behavior modification."Adheris used to be known as Elensys Care Services Inc.

The company changed its name after it came to light in 1998 that CVS and other pharmacies were sending people's personal medical information to Elensys without their permission. A related lawsuit is pending.As Adheris, the company remains in the business of reminding people to take their meds. But critics such as Consumer Watchdog's Flanagan say Adheris' emphasis is on promoting name-brand drugs and keeping patients loyal to specific brands.


Calderon's bill appears to anticipate that mailings may be paid for by drug makers or companies such as Adheris and not just by drugstores. It says disclosure is required "if the written communication is paid for, in whole or in part, by a manufacturer, distributor or provider of a healthcare product or service."I pointed this out to Calderon."I'm not familiar with that," he replied. "I've never seen that part of the bill."This is his bill, remember.

SB 1096 would allow people to opt out at the pharmacy counter from receiving any mailings from Adheris. But it's unclear whether you could opt out from the company accessing your records. The bill says the opt-out covers "receiving a written communication from a pharmacy." It's silent on whether your private data would still be sent to Adheris' computers.


If the reminder mailings are so useful, why not just ask people to opt in? That way you'd be giving your permission upfront, rather than requiring people to cancel a service they may not have been aware of in the first place."The problem is that opt-in doesn't work," Calderon said, saying that other states have found that if you ask people to sign up for reminder programs, they usually decline. Tells the whole story, some might say.


Since 2002, Calderon has received at least $89,000 in contributions from drug companies and pharmacy chains, according to public records.

The Sac Bee also covered the bill today:

Privacy concerns have been raised about a bill moving through the California Legislature that would let pharmacies partner with drug companies to send out letters reminding patients to refill their prescriptions. Senate Bill 1096 by Sen. Ron Calderon, D-Montebello, is sponsored by a medical information company facing an invasion of privacy class-action suit that alleges some practices the legislation would make legal.


The main sponsor of SB 1096 is Adheris Inc., a Massachusetts company that has been named in class-action lawsuit in San Diego Superior Court.

The suit was filed on behalf of patients who allege their privacy was breached when they received letters from the company encouraging them to buy more medication or switch to an alternative prescription drug made by the same drug company.

Privacy advocates allege SB 1096 would open the door for pharmaceutical companies to promote their products in the guise of reminder letters.

"The bill sponsor is a marketing company employed by drug manufacturers to increase the sale of prescription drugs," Jerry Flannigan of Consumers Watchdog said in a prepared statement.


It also would let pharmaceutical companies pay for the mailings, but require pharmacies to disclose that if they were compensated for the mailings. "That's what this is about – allowing pharmacies to increase their marketing," said Jeffrey Krinsk, an attorney who is representing plaintiffs in the San Diego lawsuit.

I also highly suggest you check out this outstanding analysis by a blogger of the bill, who incidentally got contacted by Calderon's office himself to debate the issue (just as I got a call from an Adheris lobbyist for the same purpose).

I want to post a few choice clips from Brian Leubitz's piece here too, as he is actually put in the position of defending a quote I made in the Chronicle. More than that, is his clarity in regards to the various semantic tricks proponents of this bill are so proficient at utilizing:

I described the purchasers of this data as "pharmaceutical marketers." The accuracy of that description is incontrovertible; clearly the people buying this data can be fairly described as marketers. Mr. Rushing (Calderon's office) was quite keen on saying that the data wasn't going to the manufacturers but rather to these third party data brokers. Now, that might be true in practice, but there is no limitation in the bill as written which would stop the manufacturers from attaining this data to send these letters themselves.


...nowhere does the bill stop manufacturers from purchasing the data from pharmacies. In fact, the bill explicitly contemplates that "manufacturers and distributors" will be paying for these letters by requiring a disclosure on the letter.

Furthermore, I'm not sure having 3rd party data brokers like Adheris (aka Elansys ) having the data is really that much more comforting than having Merck or Eli Lilly having it. In effect, this bill would moot a court case brought against Adheris for doing this already. Retroactive immunity is in vogue these days I suppose. (Note: It's not clear that this would moot the court case, that would have to be resolved by the courts.)


But to the greater issue, that of privacy. Mr. Rushing makes the argument that 49 other states have this rule to allow sales of pharmaceutical records, and why is California the outlier? There is a simple response to this: Californians value their privacy. We have the toughest privacy laws in the nation, thank you, Representative Speier, precisely because we feel that data warehousers shouldn't have access to every morsel of information about us. As my mother always said, just because everybody else is doing it doesn't mean that we should too. We needn't join that race to the privacy floor that HIPAA provides. Our privacy laws are, and should be, a model for other states.


In fact, despite whatever arguments the National Association of Chain Drug Stores and the California Retailers Association makes on the policy arguments that this is substantially better for public health (Rushing gave me a $150bn figure for nationwide savings if everybody took their meds on schedule), the fact is that the risk involved in the sales of these records outweighs the benefits. We can already provide reminders without sales of medical records financed by manufacturers or distributors. Even the California Medical Association agrees that we needn't travel this risky ground in the name of possible results.

With all that said, let's join together and make sure members of the California Assembly understand that our medical records and our civil liberties are not for sale.

Tuesday, June 10, 2008

Billboards That Look Back

This article in the New York Times regarding billboards that actually "look" back at you and register a variety of your characteristics can be filed in the "that's really creepy" category of privacy related issues.

This reminds me of Minority Report with a dash of 1984 thrown in...and being that its news to me let's get to the meat of the article first:

They are equipping billboards with tiny cameras that gather details about passers-by — their gender, approximate age and how long they looked at the billboard. These details are transmitted to a central database.


The goal, these companies say, is to tailor a digital display to the person standing in front of it — to show one advertisement to a middle-aged white woman, for example, and a different one to a teenage Asian boy.


Although surveillance cameras have become commonplace in banks, stores and office buildings, their presence takes on a different meaning when they are meant to sell products rather than fight crime. So while the billboard technology may solve a problem for advertisers, it may also stumble over issues of public acceptance.


“I think a big part of why it’s accepted is that people don’t know about it,” said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a civil liberties group. “You could make them conspicuous,” he said of video cameras. “But nobody really wants to do that because the more people know about it, the more it may freak them out or they may attempt to avoid it.”

And the issue gets thornier: the companies that make these systems, like Quividi and TruMedia Technologies, say that with a slight technological addition, they could easily store pictures of people who look at their cameras.

The companies say they do not plan to do this, but Mr. Tien said he thought their intentions were beside the point. The companies are not currently storing video images, but they could if compelled by something like a court order, he said.

So there you have it, yet another "avenue" has been found by big business to market to us, watch us, and store information about us! I'm not going to make any public policy suggestions yet (I can safely say I oppose this concept however), but the worry, as hinted at by Lee Tien of EFF, the real fear here is not what these billboards are being used for right now (as creepy as it may be) but what they could be used for in the future (as in Government surveillance).

Click here to read the article in its entirety.

Thursday, June 5, 2008

Jerry Brown's Rx for drug abuse: the Internet

For now it appears that Jerry Brown's plan to create an online prescription drug database to catch would be drug abusers and fraudsters isn't going to make a major media splash. As I discussed in detail yesterday, this database would be available to doctors, pharmacists, health workers, and even law enforcement.

I only found one major newspaper article on yesterday's announcement and press conference, but before I get to that, here's the link to KQED's segment on the database with a clip from my interview. Just go to the California Report and about half way in to the 10 minute program on June 5th you'll find the segment.

Or just click here: Listen (RealMedia stream) Download (MP3)

Since I talked about the issue for at least 10 minutes with KQED, I suggest you check out yesterday's post to get a more complete version of our organization's concerns about the program rather than just the one sentence soundbite in the clip.

As for today's article in the Los Angeles Times, it was short and sweet. with no real discussion of the myriad of issues we should be discussing (and will in the coming weeks and months I'm sure). Here are a few highlights:

State Atty. Gen. Jerry Brown unveiled a plan Wednesday to provide doctors and pharmacists with almost instant Internet access to patient prescription drug histories to help prevent so-called doctor shopping and other abuses of pharmaceuticals.


Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, called the online access "a classic double-edged sword.""Obviously there is a good reason for it, but there could be significant privacy abuses that could end up harming individuals," Givens said, adding that patents should have access to their drug histories to ensure accuracy.

There is no more respected expert on this issue than Beth Givens - who I personally consulted on this issue yesterday. As more details on this program become available, you can be sure I'll be looking to groups like the Privacy Rights Clearinghouse and the World Privacy Forum for advice and expertise.

Wednesday, June 4, 2008

AG's office announces online drug database

I thought this program - and today's announcement of it by Attorney General Jerry Brown - raises a whole slew of privacy concerns that need to be addressed. Thankfully I got to make these concerns known to KQED today too, so listen for the California Report's coverage at 9 minutes after the hour, each hour, tomorrow morning.

The new database, to be funded privately, and in fact, it was Kaiser itself that funded the feasibility study of the program, would "allow doctors and pharmacists to immediately access a database of more than 86 million drug prescriptions. All prescriptions filled for schedule II, III and IV drugs – including powerful painkillers like morphine, hydro-codone and codeine – would be instantly available."

Its being sold as a way of cracking down on drug abusers, meaning law enforcement will also have access to your records...but they haven't said how this access would be approved or denied.
Before I comment more, here's some clips from the San Diego Union Tribune:

...his office plans to place the state's prescription-tracking database on a secure Web site that health-care providers can log onto to obtain the information instantly. The move is intended to make it tougher for patients to go from doctor to doctor and fill multiple prescriptions.


Under Brown's proposal, the Troy and Alana Pack Foundation would fund the database's implementation costs, with the state Department of Justice absorbing maintenance costs.


Jerry Flanagan of the Foundation for Taxpayer and Consumer Rights, a consumer advocacy group based in Santa Monica, warned that in establishing such a database efforts would need to be made to ensure patient information isn't released to identity thieves or unwanted marketers. “Nationally, the push to put records online has evolved faster than the concern to make them private,” said Flanagan.

The San Jose Mercury News sheds some more light on the issue:

It will cost about $3 million to develop and operate the program for three years, according to a 2007 feasibility study paid for in part by Kaiser Permanente. Funds have not yet been identified, but supporters are hopeful health care providers and insurers will foot the bill. Nationally, prescription drug fraud costs insurers as much as $72 billion a year, according to a 2007 study by the Coalition Against Insurance Fraud.


Kathy Ellis of the Department of Justice said details about law enforcement access to California's system have yet to be worked out. Access likely will be granted on a case-by-case basis to prevent "fishing" in the system, she said. "They'd have to identify what their need is. I don't see a patrol officer having a direct need for that information."

It is important that enforcers not rely on numbers when looking at suspected abuse cases, said Sherry Green, executive director of the National Alliance for Model State Drug Laws.

"Even if something looks outside the traditional range, that doesn't in and of itself mean that something's wrong," said Green. "Prescription monitoring officials can't make those kinds of health determinations — all they can do is make a recommendation that something needs to be scrutinized more."

In Maine, civil libertarians fought the development of drug-monitoring. An online system, launched in 2006 in response to the state's OxyContin epidemic, has "an arm's-reach relationship with law enforcement," said program director Daniel Eccher. Investigators can't access records without a subpoena.

I guess the obvious point is that if such a program is to be implemented we must ask ourselves whether the possible pitfalls of allowing our private prescription records to be so easily accessed outweighs the claimed benefits of "stopping drug abusers"?

By the least, any such database must include the strongest of safeguards to ensure a patient's private information is protected from identity thieves, overzealous law enforcement, or unwanted marketers.

Some suggestions might include: Legislation that puts into law, a stringent, ironclad privacy policy for this database and its maintenance.

For instance, there should be an electronic audit trail examined regularly ANYONE who has accessed your file and consumer's should have access to these (as in their) medical records and to that electronic audit trail so they knew who's been snooping around.

I also am skeptical anytime the "war on drugs" is used to rationalize the increasing deterioration of our right to privacy. Since this whole program was pushed by the insurance industry (and who paid for the feasibility study), and is going to be funded by private sources, we should wonder whether industry profits and government power is the real end goal here?

Similarly, if we really wanted to reduce drug dependency perhaps we should focus on fully funding our schools, offering first class drug counseling and rehabilitation services, and stopping the advertising of prescription drugs on television every night?

It goes without saying too, that government could also abuse this system. We're opening a Pandora's Box to say the least...and since this kind of data sharing and storage is a likely fact of life in our future, then we better be vigilant in protecting our privacy from those who might seek to benefit from it at our expense.

Tuesday, June 3, 2008

Google asked to add home page link to privacy policies

Just to briefly follow up on yesterday's post regarding Google's refusal (to date) to provide a home page link to their privacy policy - as required by California law - here's an article in Computerworld on the subject.

Also of news, we at the Consumer Federation of California have joined this coalition, signing on to a letter urging Google's CEO to reconsider its privacy policy and include that one, little hyperlink!

Jaikumar Vijayan reports:

In the latest indication of the growing unease in some quarters over Google Inc.'s privacy policies, a coalition of advocacy groups is asking the search company to provide a direct link to its privacy policies on its home page.

Executives from the Privacy Rights Clearinghouse, the World Privacy Forum, Consumer Action, the Electronic Frontier Foundation, the American Civil Liberties Union of Northern California and the Consumer Federation of California today sent a letter to Google CEO Eric Schmidt expressing their concern over the company's failure to post a home page link to its privacy policy. In their letter, the groups called Google's reluctance to post the link on its home page "alarming."


Google's refusal to do so also sets it apart from other popular Web sites that routinely put such links on their home pages...


The California law that requires company's to post prominent home page links to their privacy policies was specifically designed to give consumers easy, one-click access to the information, said Pam Dixon, executive director of the World Privacy Forum.

As a company that collects and stores a range of information, including health care data, it is important for Google comply with the law, Dixon said. "It is a very straightforward, very simple law in many ways. It is something that most businesses provide for anyhow," she said.

Click here for the rest of the article.

Monday, June 2, 2008

California Privacy Chief Says Google Should Improve Disclosure

It appears that one of the key "battle fronts" in the fight to protect privacy in the information age will be within the health industry. Whether its protecting your private prescription drug records from third party drug marketing and pharmaceutical companies or storing your most private health information in new products like Google Health (which doesn't have to abide by the same privacy protection rules as does government).

I have discussed in the past the privacy risks involved in using Google Health, but now in California, privacy advocates are up in arms about another aspect the doesn't provide a link to its own privacy policy on its home page.

The problem is that the California Online Privacy Protection Act of 2003 requires the operator of a commercial Web site that collects personal information about users to “conspicuously post its privacy policy on its Web site.” As a reporter asked in the New York Times, "How conspicuously? The site needs to link to the policy “located on the homepage or first significant page after entering the Web site...

"Privacy experts say Google is under the microscope because it collects and retains so much information about so many people."

“It wouldn’t be a big privacy issue if it wasn’t Google saying everyone else may be doing this but we don’t need to,” said Marc Rotenberg, the director of the Electronic Privacy Information Center.

The New York Times Reports:

Ms. McNabb was blunt in her assessment that, on this matter, Google should be doing a lot more. “Our recommendation is, make information about how personal information is used available very easily for people. That’s why our recommendation is, link to the privacy policy from the home page.”


Ms. McNabb said her office is going to reach out to Google in order to discuss the matter and press its recommendation. In the past, the office contacted Google about its service that allows users to look up the name and address of people based on their phone numbers. Google responded by making it easier for people to remove their numbers from this system.

EPIC, the Privacy Rights Clearinghouse, and the WorldPrivacy Forum are mobilizing the public to demand Google make these necessary changes.

Their request reads:

"If you have been following the recent news about Googleand the California privacy law, you'll know that there isa real concern that Google is not doing what just about every other commercial web site does -- link to a privacy policy on its homepage. "

The essential argument states:

"California law requires the operator of a commercial web site to conspicuously post its privacy policy on its Web site. The straightforward reading of that law is that Google must place the wordprivacy on the web page linked to its privacy policy.

Moreover, just about every major company that operates a web site places a link to its privacy policy on its homepage. While we do not believe that a privacy policy is a guarantee of privacy protection, it does represent a commitment by a commercial web site to inform users about the company's privacy practices.

Google's reluctance to post a link to its privacy policy on its homepageis alarming. We urge you to comply with the California Online PrivacyProtection Act and the widespread practice for commercial web sites assoon as possible."

More to come I'm sure...