Thursday, September 22, 2011

A REALLY BAD Week for Electronic Health Record Privacy

Let me begin with an obvious caveat: I'm no Luddite and I COMPLETELY understand the logic behind transitioning to an electronic based health records system. 

It was just a few weeks ago that a San Jose Mercury News piece sounded a few alarm bells regarding just how "safe" our personal data will be in the coming cyber world reality of electronic health records. But after this week, these privacy concerns have just expanded and metastasized significantly. For those that don't know, we (America) are in the midst of the massive transition to e-health records, a key component of both President Obama's health care proposal as well as the stimulus package itself.

Let me reiterate: the fact that the three stories I'm going to share with you today, all from this week, epitomize the concerns articulated by privacy advocates is not to say that we shouldn't make this transition, for all the money and even life saving reasons everybody has probably heard by now. But what it DOES say is that STRICT privacy safeguards, at every step of the transition process, must be implemented...from the beginning, not once the Genie is out of the bottle.

And the fact is, as these breaking news stories will make clear, time is running out, because states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of dispute...as I write this!

As I said, one of the most important challenges for privacy advocates has been making sure that the transition to electronic medical records includes ironclad privacy safeguards along with it. We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

When it comes to the issue of e-health records certainly one question the consumers should ponder is "Where is my data and who has access to it and for what purposes?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"

Before I go on too long, let me get to the three separate articles...the first entitled "Theft of Digital Health Data More Often Inside Job, Report Finds" from Bloomberg Business Week.


The article reports:

Electronic health data breaches are increasingly carried out by “knowledgeable insiders” bent on identity theft or access to prescription drugs, according to a report from PricewaterhouseCoopers LLP. 

More than 11 million consumers have had medical data stolen or inappropriately disclosed since September 2009, and the privacy breaches are expected to rise as more health information is put online, according to the report released today by the New York-based accounting firm’s health research institute. The most frequently reported issue was the improper use of protected information by an “internal party,” the study found. 

The report underscores the need to strengthen privacy and security controls as health records are more frequently stored online and accessed by portable devices, said James Koenig, co- lead of PwC’s Health Information Privacy and Security Practice. Consumer concerns that personal medical information may be vulnerable to disclosure are likely to increase as the Obama administration spurs the adoption of digital records.

 ...

While the report didn’t specify how many security thefts were carried out by insiders, 40 percent of surveyed providers reported an incident of improper internal use of protected health information during the past two years. Over the past several years, thefts by insiders or disgruntled former employees have surpassed disclosures by hackers and outsiders, Koenig said.

Read the rest here.

Now, if that wasn't enough to grab your attention and maybe, for a second at least, question the "we don't have time for privacy protection rush" to implement this system correctly and responsibly, there's also an article from Information Week entitled "HHS: Patient Data Breaches Have More Than Doubled".

The article reports:

Health organizations notified approximately 5.4 million individuals affected by patient health data breaches in 2010, compared to approximately 2.4 million individuals in 2009. This according to a report recently sent by the Department of Health and Human Services (HHS) to Congress. The report comes several months after the HHS office of inspector general published two audits that highlighted the difficulties healthcare delivery organizations are facing in their efforts to protect sensitive patient information.

HHS' latest report to Congress revealed that in 2010 theft was the most common cause of large breach incidents that affected 500 or more individuals. Among the 207 breaches that covered entities such as healthcare providers, health plans, and healthcare clearinghouses reported last year, 99 incidents involved theft of paper records or electronic media, combined affecting approximately 3 million individuals. 

.... 

In 2010, the second highest number of data breaches involved the loss of electronic media or paper records, with 33 reported cases that affected more than 1 million individuals. There were 31 breaches that involved unauthorized access to, or uses or disclosures of, protected health information that affected approximately 1 million individuals. Other breaches included 19 incidents resulting from human or technological errors that affected approximately 78,663 individuals. Eleven covered entities reported breaches caused by the improper disposal of protected health information that affected approximately 70,000 individuals. In Gallagher's view, the increasing number of incidents could mean that the policies and procedures coming from HHS are encouraging the healthcare industry to do a better job of detecting and reporting breaches. 

Read the rest here.

But wait...there's more!! A Reuters article entitled "Health industry lacks patient data safeguards: poll" adds yet another wrinkle, which again, totally and completely validates and reinforces claims by privacy advocates that we must put the privacy of patients ahead of the need to get the system up and running as quickly as possible no matter the risks.

The article reports: 

A vast majority of hospitals, doctors, pharmacies and insurers are eager to adapt to increasingly digital patient data. However, less than half are addressing implications for privacy and security, a survey of healthcare industry executives by PricewaterhouseCoopers LLP found. PwC's Health Research Institute interviewed 600 executives in the spring of this year and also found that less than half of their companies have addressed issues related to the use of mobile devices. Less than a quarter have addressed implications of social media.

...

U.S. health and drug regulators are expected by the end of the year to finalize their updated rules on patient privacy protection, and they also continue to adapt to new technologies coming to health labs and physicians' offices. Some 74 percent of healthcare organizations were planning to expand the purposes for which they use electronic patient health data, the survey found. For instance, that may mean looking across patients to find better treatments or tracking records of one patient from doctors and pharmacies to analyze medication adherence. 

But only 47 percent of the companies have or are addressing related privacy and security issues, the report said. Reports of security breaches, although many not directly related to health IT, are not uncommon in the health industry.

Just over half of surveyed executives said they were aware of some kind of a privacy or security breach at their companies in the past two years, with hospitals being the likelier offenders. 

Read the rest of that article here.

As I have written here before on this issue, we all consider our healthcare information to be extremely personal and expect the government to protect it from falling into the wrong hands. Granted, regulations alone (or even technical safeguards, perhaps) will never be the end-all solution when it comes to privacy in the information age...they must be coupled with public awareness and the pressure that consumer choice can put on industry.

But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent. 

The prohibition on the sale of medical records is weak and full of loopholes, nor does it apply to vendors like Microsoft or Google. Both companies have agreed to contracts that say they won't release your information, but there is no law mandating that they don't sell the information. If we've learned anything about corporate behavior in recent years, it’s that without ironclad, legal requirements, we shouldn't expect them to behave the way we'd expect from say, a human being.

Similarly, the breach provisions requiring companies to notify patients when electronic medical records are accessed do apply to Google and Microsoft; however, there are safe-harbor provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

Look, I don't yet consider myself an expert on this issue, for that, go to World Privacy Forum and read some of the work and research done by Pam Dixon on electronic health record privacy.

Clearly, if today's list of articles, and last month's piece in the San Jose Mercury News, tells us anything it's that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.

Tuesday, September 20, 2011

Protect Your Privacy Rights as a Job Seeker

I wanted to alert everybody to some excellent new information provided by the Privacy Rights Clearinghouse regarding not just the difficulties facing job seekers, but their privacy rights being violated in this very search (and a bill that helps address one aspect of this problem).

As PRC details in their email blast, "Taylor Thomas is left searching for employment after he is terminated from his job due to the bad economy.  Despite being highly qualified for the positions he interviews for, Taylor has one rejection after another. Two of the companies even seem ready to hire him. But, it is as if something happens to change their mind between the interview and the hiring decision.  Taylor has almost exhausted his list of potential employers and has landed an interview at what may be his best chance for a job.

Watch the video to find out what’s keeping Taylor from getting hired. Learn your rights about employment background checks, and spread the word! Although Taylor is a fictional character, the situation dramatized on the six-minute video is similar to many complaints we have received from individuals who have contacted our hotline with questions and complaints about background check errors."



Now, before I get to more about YOUR RIGHTS as a job seeker, particularly in what companies/employers can dig up on you and what they can't and shouldn't, let me point you to one bill, on the Governor's desk - AB 22 (Mendoza) - that addresses just one of the many concerns raised by PRC.

AB 22 would ban credit checks from being used in the screening process for most job candidates. Clearly this bill is about a lot more than privacy, it strikes at the heart of the increasing shift away from the rights of workers, and the increasing power of corporations and big employers.

As pointed out by bill proponents, including the Consumer Federation of California, when companies vet potential employees they often check everything from grade point average to criminal records. More and more, they are starting to factor in a person's credit rating as well. But given this economy, this practice is both unfair and counterproductive. The fact is, a credit report is not a good indicator of a person's trustworthiness or work ethic, particularly considering how many people's credit scores have suffered due to the Great Recession.

AB 22 is also a primary target of one of the more corrupt corporate lobbying organizations this country has ever known - the California Chamber of Commerce. In fact, they even made a video about it, listing it as one of their job killer bills.

All it does is simply prohibit most employers from conducting credit checks on applicants, unless it is substantially related to the job. For example, employers could still run credit reports on those potentially gaining access to confidential financial information. AB 22 will mean stronger privacy protections, a more fair work environment, and an easier time securing employment. 

So, this was an easy bill to support. It even provides exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement and in other narrow areas. An employer should not have any right to obtain confidential information that is not germane to a prospective employee’s job. Credit reports do not have predictive value in determining a worker’s ability to perform job duties, but a bad credit report might unfairly influence a hiring employer’s attitude toward a job applicant. 

Unemployed workers are more likely to have suffered some downgrading of their credit score due to the circumstances of their unemployment; hence reliance on credit reports as a factor in hiring decisions might adversely impact those most in need of a job. 

Credit reports are often inaccurate, and could unfairly bias an employer. Correcting mistaken information in a credit report is a tedious, time consuming process, and in the meantime, the job applicant is harmed due to errors by credit reporting entities.

But there's more to the story when it comes to the infringement on the rights of workers by employers. PRC has more: 

Whether you are hired or promoted for a job may depend on the information revealed in a background check. Job applicants and existing employees as well as volunteers may be asked to submit to background checks. For some jobs, screening is required by federal or state law. The current emphasis on security and safety has dramatically increased the number of employment background checks conducted.

In short, employers are being cautious. At the same time, applicants and employees fear that employers can dig into the past in ways that have nothing to do with the job.

This guide explains the why and how of background checks. It also tells you what can be covered in a background report, your rights under the Fair Credit Reporting Act, and what you can do to prepare. For more information, go to the References section at the end of this guide. The PRC does not perform background checks.

  1. Why Does an Employer Conduct a Background Check?
  2. What Is Included in a Background Check?
  3. What Cannot be in a Background Check Report?
  4. Who Conducts Background Checks?
  5. Fair Credit Reporting Act and Background Checks
  6. FCRA Update: Workplace Investigations and Annual File Disclosures
  7. Background Checks and Your Credit Report
  8. Investigative Consumer Reports - What Will Your Neighbors Say?
  9. How to Prepare for a Background Check
  10. Resources

It's important to point out, just as when people say "why should I care about being wiretapped, I'm not doing anything wrong!", it's the same when people don't seem concerned about background investigations. Let's remember, what YOU think about your history and actions isn't necessarily what might come up, what others might say, or what the government/corporations might interpret. In addition, when did it become okay for some investigator to poke around in your personal history?

As PRC correctly points out, "In-depth background checks could unearth information that is irrelevant, taken out of context, or just plain wrong. A further concern is that the report might include information that is illegal to use for hiring purposes or which comes from questionable sources."

And back to the credit check bill, because PRC has some important points to make on why this is important as well:

Often a poor credit rating results from circumstances that are beyond your control. The loss of a job or high medical bills often leads to late payments, even bankruptcy. Still a bank or other financial institution may reason that a solid financial history is a qualifying factor for an employee who has control over substantial sums of money.

However, the same argument cannot be made when a credit check serves only as a kind of character screening. Some states have now recognized the unfairness in this by adopting laws that require a direct relationship to the job before a credit check is made.

Several states have passed laws limiting credit reports for employment decisions with provisions that require a nexus to actual job duties. Those states are: Washington, Oregon, Hawaii, Illinois, Maryland and Connecticut. Similar laws have been introduced in other states.


Finally, let me make one more point from an economic justice perspective. Just how much influence and power do we want to give the banks and credit rating agencies? Do we want our very employment futures dependent on THEIR analysis of our worthiness??? Based on their list of criteria rather than PROVEN lists of what makes a good employee, like education, references, interview ability, and employment history? To that end, let me just briefly expose the grand hypocrisy of the Chamber of Commerce selling themselves as protectors of jobs...and the leading opposition to AB 22:

As the Center for American Progress notes, "While it tells the American public it cares about American jobs, the U.S. Chamber of Commerce actually works to send jobs overseas on behalf of its corporate members, which include some of Asia’s top offshoring companies. Its secretly-funded $75 million political ad campaign attacks the “anti-jobs record” of Sen. Barbara Boxer (D-CA), Jerry Brown (D-CA), Richard Blumenthal (D-CT), Alexi Giannoulias (D-IL), Rep. Dina Titus (D-NV), and others.

As ThinkProgress previously noted, the Chamber has repeatedly sent out issue alerts attacking Democratic efforts to encourage businesses to hire locally rather than outsource to foreign countries. The Chamber has also bitterly fought Democrats for opposing unfettered free trade deals. The Chamber’s anti-American jobs agenda serves not only the profit-seeking of right-wing corporate executives in the United States, but also works to send jobs overseas to the following outsourcing companies, who are some of the dozens of foreign corporations that pay member dues to the Chamber of Commerce’s 501c(6) account, which is used to fund its political ads:

– InfoSys, Bangalore, India (at least $15,000 in annual member dues): “Infosys is the ‘Best Outsourcing Partner’ according to the Waters Rankings for the third consecutive year.”
– KPIT Cummins, Pune, India ($7,500): “Strategic global networking, together with industry-proven practices & processes, give KPIT Cummins a cutting edge in the realm of outsourcing.”
– Patni Americas, Mumbai, India ($15,000): “Patni, the world leader in IT outsourcing and business process outsourcing provides offshore software development, global sourcing, custom software development, and a vast array of product engineering and IT services to companies worldwide.”
– NIIT Technologies, Delhi, India ($15,000): “[L]eadership in the area of outsourcing.”
– QuEST Global, Singapore ($7,500): “QuEST is a leader in the engineering services outsourcing (ESO) space.”
– Rolta, Mumbai, India ($7,500): “Rolta’s global footprint and track record along with its capable off-shoring model gives it a unique positioning in this large market.”
– SKP Crossborder Consulting, Mumbai, India ($7,500): “SKP’s core outsourcing practice is managed out of a fully equipped, spacious premises based in Pune with access to facilities in Mumbai, Hyderabad, Delhi and Bangalore.”
– Tata Group, Mumbai, India ($15,000): “[W]orld-class solutions in outsourcing – business process outsourcing, application outsourcing, infrastructure outsourcing.”
– Wipro, Bangalore, India ($15,000): “India’s biggest destination for U.S. offshoring.”

Let's start to put workers and common sense...and privacy ahead of corporate profits and their insatiable desire to make money for their shareholders rather than protect employees or improve the quality of life of working families.

The Consumer Federation of California urges the Governor to protect the financial privacy of Californians from unwarranted snooping by prospective employers by signing AB 22. And, be sure to learn everything you can about your rights from PRC's comprehensive expose.

Wednesday, September 14, 2011

Protecting Anonymity and GPS Tracking

There was an excellent op-ed in the New York Times this week about a case I've detailed on this blog for a long time now. The case involved the police covertly tracking a suspect’s car using a GPS device for an extended period of time without getting a warrant. 

A ruling in the D.C. Court of Appeals (by Judge Ginsburg) overturned the conviction of this suspected cocaine dealer, saying that the use of a secret GPS tracking device on the man’s vehicle for two months violated the Fourth Amendment’s protection against unreasonable searches and seizures. The idea being, no one wants to feel as if a government agent is following you wherever you go - be it a friend's house, a place of worship, or a therapist's office - and certainly innocent Americans shouldn't have to feel that way.

The problem was that two federal appellate courts had first upheld the use of GPS devices without warrants on the grounds that we have no expectation of privacy when we are in public places and that tracking technology merely makes public surveillance easier and more effective.

Now this case heads to the Supreme Court - and this was the topic of the op-ed by Jeffrey Rosen, a law professor at George Washington University. Rosen writes: 

Judge Ginsburg realized that ubiquitous surveillance for a month is impossible, in practice, without technological enhancements like a GPS device, and that it is therefore qualitatively different than the more limited technologically enhanced public surveillance that the Supreme Court has upheld in the past (like using a beeper to help the police follow a car for a 100-mile trip).

The Supreme Court case is an appeal of Judge Ginsburg’s decision. If the court rejects his logic and sides with those who maintain that we have no expectation of privacy in our public movements, surveillance is likely to expand, radically transforming our experience of both public and virtual spaces. 

For what’s at stake in the Supreme Court case is more than just the future of GPS tracking: there’s also online surveillance. Facebook, for example, announced in June that it was implementing face-recognition technology that scans all the photos in its database and automatically suggests identifying tags that match images of a user’s friends with their names. (After a public outcry, Facebook said that users could opt out of the tagging system.) With the help of this kind of photo tagging, law enforcement officials could post on Facebook a photo of, say, an anonymous antiwar protester and identify him. 



To preserve our right to some degree of anonymity in public, we can’t rely on the courts alone. Fortunately, 15 states have enacted laws imposing criminal and civil penalties for the use of electronic tracking devices in various forms and restricting their use without a warrant. And in June, Senator Ron Wyden, Democrat of Oregon, and Representative Jason Chaffetz, Republican of Utah, introduced the Geolocation Privacy and Surveillance Act, which would provide federal protection against public surveillance. 

Their act would require the government to get a warrant before acquiring the geolocational information of an American citizen or legal alien; create criminal penalties for secretly using an electronic device to track someone’s movements; and prohibit commercial service providers from sharing customers’ geolocational information without their consent — a necessary restriction at a time of increasing cellphone tracking by private companies. 

Click here to read more.

The Electronic Frontier Foundation and the ACLU have rightly argued that it's one thing to note someone's car location and another to keep hourly data on every single stop you make along a specific route for days or months on end. The government has tried to make the case that no such distinction existed.

The appeals court disagreed. "Society recognizes Jones' expectation of privacy in his movements over the course of a month as reasonable, and the use of the GPS device to monitor those movements defeated that reasonable expectation."

Thus the court clearly drew the important distinction between short term monitoring that’s not much different from a police tail and ongoing, secret and ubiquitous tracking. 

As previously laid out in the article in Wired Magazine, "Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one’s not visiting any of these places over the course of a month. The sequence of a person’s movements can reveal still more; a single trip to a gynecologist’s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story."

ACLU-NCA Legal Director Arthur Spitzer also makes an important point, stating: "GPS tracking enables the police to know when you visit your doctor, your lawyer, your church, or your lover. And if many people are tracked, GPS data will show when and where they cross paths. Judicial supervision of this powerful technology is essential if we are to preserve individual liberty."

In striking down the drug conviction of Antoine Jones, Ginsburg also wrote "A single trip to a gynecologist's office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story...A person who knows all of another's travels can deduce whether he is a weekly churchgoer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups -- and not just one such fact about a person, but all such facts."

Kevin Bankston, senior staff attorney for the Electronic Frontier Foundation, also illustrated just how important this case is in its implications for cellphone GPS tracking. The federal government has mandated that U.S. cellphone carriers make nearly all their phones trackable for help in 911 emergencies. However, companies say that the federal law that allows them to turn over data to law enforcement without subpoenas is prone to abuse.

Let's remember, back in 2009 we learned that Sprint received 8 million law enforcement requests for GPS location data in just one year. While that issue is slightly different than the one headed to the Supreme Court (it was based on putting a GPS tracking device in the suspect's car, rather than tracking the cell phone), the general concerns are applicable: Tracking citizens without a warrant (or even probable cause!). We know these GPS chips can locate a person to within about 30 feet. They're also able to gather less exact location data by tracing mobile phone signals as they ping off cell towers.

The ACLU’s Catherine Crump recently hit the nail on the head: "What’s at stake in the case is not whether it’s OK for the government to track the locations of cell phones; we agree that cell-phone tracking is lawful and appropriate in certain situations. The question is whether the government should first have to show that it has good reason to think such tracking will turn up evidence of a crime. We believe it should. This case is not about protecting criminals. It’s about protecting innocent people from unjustified violations of their privacy."

All eyes now turn to the Supreme Court (always an ominous proposition these days) this November...

Sunday, September 11, 2011

Toure Calls Media Out on 9/11 Coverage and Response

Check this "television editorial" out by Toure on the Dylan Ratigan Show...quite a courageous presentation in light of the fact that it's the 10th anniversary of 9/11...and he directly takes on the very corporate media that employs him (at least some of the time). He also articulately details all that we have given up as a people since that tragic day - like the fundamental principles of the Constitution itself - in order to address manufactured, artificial (and hyped) fears peddled by our own government, the corporate elite, and the military industrial complex in the name of power, control, and profit.



Thursday, September 8, 2011

CA Financial Privacy Bill Passes State Senate (AB 22), On to Governor's Desk

A bit more good news on the California privacy front to report: AB 22 (Mendoza), a bill that would ban credit checks from being used in the screening process for most job candidates, passed the State Senate by a razor-thin 21 to 17 vote. Clearly this bill is about a lot more than privacy, it strikes at the heart of the increasing shift away from the rights of workers, and the increasing power of corporations and big employers.

As pointed out by bill proponents, including the Consumer Federation of California, when companies vet potential employees they often check everything from grade point average to criminal records. More and more, they are starting to factor in a person's credit rating as well. But given this economy, this practice is both unfair and counterproductive. The fact is, a credit report is not a good indicator of a person's trustworthiness or work ethic, particularly considering how many people's credit scores have suffered due to the Great Recession.

AB 22 is also a primary target of one of the more corrupt corporate lobbying organizations this country has ever known - the California Chamber of Commerce. In fact, they even made a video about it, listing it as one of their job killer bills.

Now, before I get to some of the more specific reasons we (CFC) support this legislation, and urge the Governor to sign it, let me just briefly expose the grand hypocrisy of the Chamber of Commerce selling themselves as protectors of jobs. 

As the Center for American Progress notes, "While it tells the American public it cares about American jobs, the U.S. Chamber of Commerce actually works to send jobs overseas on behalf of its corporate members, which include some of Asia’s top offshoring companies. Its secretly-funded $75 million political ad campaign attacks the “anti-jobs record” of Sen. Barbara Boxer (D-CA), Jerry Brown (D-CA), Richard Blumenthal (D-CT), Alexi Giannoulias (D-IL), Rep. Dina Titus (D-NV), and others.

As ThinkProgress previously noted, the Chamber has repeatedly sent out issue alerts attacking Democratic efforts to encourage businesses to hire locally rather than outsource to foreign countries. The Chamber has also bitterly fought Democrats for opposing unfettered free trade deals. The Chamber’s anti-American jobs agenda serves not only the profit-seeking of right-wing corporate executives in the United States, but also works to send jobs overseas to the following outsourcing companies, who are some of the dozens of foreign corporations that pay member dues to the Chamber of Commerce’s 501c(6) account, which is used to fund its political ads:

– InfoSys, Bangalore, India (at least $15,000 in annual member dues): “Infosys is the ‘Best Outsourcing Partner’ according to the Waters Rankings for the third consecutive year.”

– KPIT Cummins, Pune, India ($7,500): “Strategic global networking, together with industry-proven practices & processes, give KPIT Cummins a cutting edge in the realm of outsourcing.”
– Patni Americas, Mumbai, India ($15,000): “Patni, the world leader in IT outsourcing and business process outsourcing provides offshore software development, global sourcing, custom software development, and a vast array of product engineering and IT services to companies worldwide.”
– NIIT Technologies, Delhi, India ($15,000): “[L]eadership in the area of outsourcing.”
– QuEST Global, Singapore ($7,500): “QuEST is a leader in the engineering services outsourcing (ESO) space.”
– Rolta, Mumbai, India ($7,500): “Rolta’s global footprint and track record along with its capable off-shoring model gives it a unique positioning in this large market.”
– SKP Crossborder Consulting, Mumbai, India ($7,500): “SKP’s core outsourcing practice is managed out of a fully equipped, spacious premises based in Pune with access to facilities in Mumbai, Hyderabad, Delhi and Bangalore.”
– Tata Group, Mumbai, India ($15,000): “[W]orld-class solutions in outsourcing – business process outsourcing, application outsourcing, infrastructure outsourcing.”
– Wipro, Bangalore, India ($15,000): “India’s biggest destination for U.S. offshoring.”

But let's get back to AB 22 (Mendoza). All it does is simply prohibit most employers from conducting credit checks on applicants, unless it is substantially related to the job. For example, employers could still run credit reports on those potentially gaining access to confidential financial information. AB 22 will mean stronger privacy protections, a more fair work environment, and an easier time securing employment. 

As the California Labor Federation noted, "It is no secret that our economy’s collapse threw thousands of Californians out of jobs and onto unemployment rolls. The ensuing foreclosure and credit crises also remain painfully familiar to all, as does the struggle many unemployed workers face keeping their families fed, clothed and sheltered. The horrible result can range from the occasional missed utility bill to home foreclosure. There is no doubt that workers’ credit scores have suffered during this depression.

What many may not know, however, is that some employers have quietly begun conducting credit checks on prospective workers. In fact, more than 40% of employers say they use credit reports in making employment decisions. Evidence also suggests that some supervisors factor credit scores into decisions regarding promotion and evaluation of current workers.

In any economic situation, this practice constitutes an unwarranted invasion of privacy. Credit checks are not only poor indicators of future job success, but the methods used to determine credit scores remain highly suspect – given evidence that people of color possess arbitrarily and inexplicably low credit scores.

Also, credit ratings agency fraud played no small part in the housing bubble burst, subsequent economic crisis and the reduced credit scores suffered by so many Americans. In that context, for an employer to discriminate against someone with a less than stellar credit record is unconscionable.

Wall Street excesses and Congress’ weak response have built plenty of barriers between the jobless and their prospects for future employment. Allowing employers to use credit checks to deny employment only serves as another obstacle to getting Californians back to work.

So, this was an easy bill to support. It even provides exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement and in other narrow areas. An employer should not have any right to obtain confidential information that is not germane to a prospective employee’s job. Credit reports do not have predictive value in determining a worker’s ability to perform job duties, but a bad credit report might unfairly influence a hiring employer’s attitude toward a job applicant. 

Unemployed workers are more likely to have suffered some downgrading of their credit score due to the circumstances of their unemployment; hence reliance on credit reports as a factor in hiring decisions might adversely impact those most in need of a job. 

Credit reports are often inaccurate, and could unfairly bias an employer. Correcting mistaken information in a credit report is a tedious, time-consuming process, and in the meantime, the job applicant is harmed due to errors by credit reporting entities.

The Consumer Federation of California urges the Governor to protect the financial privacy of Californians from unwarranted snooping by prospective employers by signing AB 22.

Tuesday, September 6, 2011

California Privacy Bills Reach Governor's Desk, One Signed Already

The Consumer Federation of California has been tracking and supporting a number of privacy related pieces of legislation this year. I'm pleased to report that last week three of them passed out of the legislature with one already being signed into law. 

SB 24 - Signed by Governor

SB 24 (Simitian) - a security breach notification bill - was one that we, and a host of other privacy advocates, fought to enact for the last four years running, and in each instance it was vetoed by then-Governor Arnold Schwarzenegger. Thankfully, our luck finally turned with Governor Brown's signature last week.

As detailed in a recent op-ed by CFC's executive director, if you are one of the many Californians who had your confidential information compromised in a security breach, you most likely found out by receiving a letter in the mail. After reading it, you were probably quite upset, but confused about what you should do about it. SB 24 will help consumers make sense of these notices, and help arm us to stop identity theft. Security breaches since 2005 exposed at least 500 million personal records of Americans, according to the Privacy Rights Clearinghouse. Some breached records contained sensitive data such as social security numbers, bank or credit card numbers or medical information.

Sony, Citibank, and the Bay Area Rapid Transit District are recent examples of businesses and government agencies whose customers’ records were stolen by hackers. Just last week it was revealed that 300,000 Californians’ intimate medical records, along with their social security numbers, were viewable for months to anyone with an internet connection, owing to an insurance processing business’ failure to safeguard its electronic data files. 

SB 24 will provide an important upgrade to California's landmark breach notification law. It spells out which key details must be included in that notification letter, and would make sure the Attorney General hears about the breach. If a social security number or driver's license was exposed, the notice letter explains how to contact major credit agencies. That’s especially important, because it empowers consumers to better monitor their accounts for evidence of identity theft, and to take concrete steps to prevent identity theft, including freezing your credit report.

Requiring these details also creates a strong incentive for companies and state agencies to be careful with your information. No one wants their signature at the bottom of that notification letter. It won't come as a surprise to anyone that technology puts our private information, from social security numbers to medical files, at risk. The exponential growth of electronic records -- while beneficial in many respects -- makes breaches more likely and far more severe.

Losing a filing cabinet with 500 records is difficult. Losing a laptop with 5 million records is all too easy. For this reason, over 40 states have adopted security breach notice laws modeled on California law. Privacy notification laws won't stop every security lapse from happening. But they will make businesses and agencies take more precautions to safeguard their data files. And if you ever do get that dreaded letter in the mail, you'll be able to do something about it. 

SB 602 (Yee) - Reader Privacy Act - Awaits Governor's Decision 

The explosion of digital books poses its own privacy threats: these books will store data that can include books browsed, how long a page is viewed, and even the electronic notes written in the margins. It's not hard to see the detailed portrait this could paint of your life. Thankfully, this concern is finally being addressed by SB 602 (Yee), which would provide important privacy protections for digital book readers. Even better, the bill passed the legislature last week and now awaits the Governor's decision.

Without such legislative protection, you can imagine how tempting this information could be to the government or other litigants, like those involved in divorce cases, custody battles, or insurance disputes.

In the case of digital books, we're not talking about just another library - librarians use different standards for dealing with user information than the online world does. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

Senate Bill 602 (Yee) would update privacy protections in the digital age by preventing the disclosure of information about readers from booksellers without a warrant in a criminal case or a court order in a civil case. It also requires booksellers to report the number and type of requests they receive to track government demands for reader information. Without such protections, we're talking about a virtual one-stop shop for government and third party "fishing expeditions into the personal details of our lives." 


SB 914 (Leno) - Police Search of Smart Phones - Awaits Governor's Decision

The next bill addresses the current loophole in California that essentially allows police, without a warrant, to seize and search individuals' smart phones or Androids as they would a traditional cell phone. It's not hard to see why they should in fact be treated differently: modern cell phones are becoming more like all-purpose computers than just phones, and therefore contain ALL KINDS of personal, private information the authorities have no right to without a warrant.

The problem is that California, a privacy rights leader I should add, does not provide citizens with such protections. In fact, California's top court ruled against privacy in a case involving a 2007 arrest of someone who had purchased drugs from a police informant. Investigators later looked through the individual's phone and found text messages that implicated him in a drug deal. The suspect appealed the conviction, saying the evidence was gathered in violation of the Fourth Amendment, which prohibits unreasonable searches and seizures.

The justices disagreed: "The cell phone was an item (of personal property) on the person at the time of his arrest and during the administrative processing at the police station. Because the cell phone was immediately associated with defendant’s person, (police were) entitled to inspect its contents without a warrant." 

But the court went further, comparing the cell phone to personal effects like clothing. Worse, it did not argue that the police had a particular right in this particular case, or that some special exception allowed such a search; rather, it argued that no exception was even necessary. In other words, this case was not an exception, but rather the NEW rule: cell phone records are now little different from the shirt on your back if you've been arrested. This is a deeply disturbing precedent if it holds.

As State Senator Mark Leno wrote, "If you like to attend political rallies, parades, protests or sit-ins, you might consider leaving your cell phone at home in the unlikely event arrests are made. A recent California Supreme Court decision allows police to rummage through all of the private information on your smart phone as part of an arrest, including your text messages and e-mails. This warrantless search is now legal in California, regardless of whether the information on the phone is relevant to the arrest or if criminal charges are ever filed.

 ... 

Earlier this year I introduced a bill that would protect Californians against the Supreme Court decision allowing warrantless searches of the private information contained in portable electronic devices, including cell phones. Senate Bill 914 clarifies that an arrestee’s cell phone can only be accessed with a warrant, except in circumstances where there is an immediate threat to public safety or the arresting officer. It acknowledges that accessing information on a cell phone is fundamentally different than searching an arrested person’s wallet, cigarette pack or jeans pockets.

While SB 914 provides critical privacy safeguards for Californians, these protections are not new. Until the California Supreme Court decision earlier this year, state and local police correctly assumed that the state’s constitutional privacy protections prohibited warrantless searches of cell phones during an arrest. In addition, the Ohio Supreme Court has ruled that cell phone searches require a warrant, and federal law enforcement agencies also abide by the warrant protocol.

In most cases, searching a cell phone immediately during an arrest is an extraordinary measure. Once an arrest is made and the arrestee’s belongings are confiscated, a warrant for a cell phone search can be obtained if it is important to a criminal case. SB 914 will help ensure that a simple arrest – which may or may not lead to charges – is not used as a fishing expedition to obtain a person’s confidential information. 

Read more here.

All in all, it's been a pretty good week on the California privacy front. I'll be back with information on SB 601 and SB 914 once we get a decision from the Governor.

Thursday, September 1, 2011

5 Places You Can Be Tracked by Facial Recognition Technology

Just a few days ago I posted a pretty extensive blog on Facial Recognition technology and the threat it poses to individual privacy. So for the sake of time and repetition I'm not going to go back over the basics (see that post for this), but rather, get straight to a fantastic article from Alternet entitled 5 Unexpected Places You Can Be Tracked With Facial Recognition Technology. Of particular interest to me was the coverage the piece gives to California's own recent fight that we at the Consumer Federation of California were deeply involved in, over biometric identifiers being used by the DMV. As such, our Executive Director, Richard Holober, is quoted in the article as well.

Before I provide some especially choice clips of this article (because it dovetails very well with my recent post on the topic), let me refresh everyone's memories regarding the successful campaign by privacy and consumer groups against the California DMV which resulted in, with just one day to spare, the Joint Legislative Budget Committee (JLBC) stepping in to reject the DMV’s proposal to impose sweeping new biometric technologies - such as facial and thumb print scans - as elements in a renewal of a vendor contract to produce driver’s licenses and ID cards.

At the time, the Consumer Federation of California had joined organizations from across the political spectrum – including the ACLU, Electronic Frontier Foundation, California Eagle Forum, Consumers Union, Privacy Activism, Privacy Rights Clearinghouse, and the World Privacy Forum - to urge the legislature to reject the DMV's request on the grounds that any change of this magnitude should be a policy matter for the legislature to decide, after considering whether it is effective, affordable, and if it contains the appropriate privacy safeguards.


Had the JLBC not acted in time, the proposal would have moved forward. Thankfully, at the very last moment a letter that was unequivocal in its opposition to the proposal was sent to the DMV from Senator Denise Ducheny - the Committee Chair.

Click here to read the complete letter. Here's a particularly important passage:

"Of particular concern is the proposed use of biometric technology as part of the card issuance process and the related privacy issues. I think the Legislature should consider the policy implications of using biometrics in the issuance of driver licenses before the department starts to use the technology. In addition, after review and discussions with DMV, the Analyst concluded that the request was not fully justified, in part because the department was unable to provide key information on the specific costs and benefits related to the proposed use of biometrics."

Click here to read the Monday, February 16th article in the San Jose Mercury News, entitled "DMV biometric plan will undergo public hearings".

Here was some of our argument on the DMV Proposal:

On January 14th the California Department of Finance – without notifying the public – sent a letter to inform the state Joint Legislative Budget Committee that it planned to issue a new vendor contract for production of California Driver’s Licenses, ID cards and Salesperson cards starting in June of 2009. Hidden in the fine print, the proposal called for “enhanced” biometric identification in state IDs. Unless this legislative committee objects to this plan within 30 days, the Department of Motor Vehicles will be free to begin implementing the biometric technology.

What are Biometrics?

Biometric technology is the computerized matching of an individual’s personal characteristics (like a thumbprint or facial scan) against an image or database of images.  In other words, the DMV and the Department of Finance are seeking to create a massive government database of biometric information from virtually every Californian over the age of 16 without debate or review - raising significant concerns regarding the increased surveillance, monitoring and tracking of individuals.

One would expect, in light of the ongoing and intensifying debate over the REAL ID Act (a federal plan to create a national identity card based on drivers’ licenses) and the increasing number and degree of privacy violations committed by the federal government in recent years, that such a program would be fully debated, in the open, by our representatives in the State Legislature and with public comment, before it could ever be enacted.

Because no such debate has occurred, and no attention has been given to the privacy concerns such a program warrants, a broad coalition of consumer and privacy rights advocates joined forces to urge the legislature to reject this request while there’s still time.

Our case against the proposal is twofold.

(1) The first is procedural: the DMV is attempting to use a routine contract renewal process to effectuate major policy changes.

As the ACLU noted:

    A 30-day expedited opt-out letter to the Legislature is an inappropriate vehicle to move from photographs and thumbprints of millions of Californians to advanced facial recognition technology and biometric systems that pose a number of privacy and security concerns if not handled carefully.

•    The DMV does not appear to have authority to implement biometric technologies that the Legislature has considered and rejected over the years, without the issues being fully considered and addressed in policy and budget hearings.

(2) The second relates to privacy and security: the underlying proposal to use biometric technologies has yet to establish appropriate safeguards to protect against identity theft and unwarranted government snooping into our private lives.

It’s important to understand the limitations of biometrics as well as their strengths. The fact is, biometrics are easy to steal. Our fingerprints are left everywhere we touch, and our iris scans are everywhere we look.

According to experts, biometrics work only if two things can be verified by the verifier: one, that the biometric came from the person at the time of verification, and two, that the biometric matches the master biometric on file. If the system can't do that, it can't work.

You can see more of this original post of mine here.


As face recognition and other biometrics advance, the technology has begun to proliferate in two predictable realms: law enforcement and commerce. Here are 5 places besides Facebook you might encounter face recognition and other biometric technology -- not that, for the most part, you would know it if you did. 

1. The streets of America 

In the fall, police officers from 40 departments will hit the streets armed with the Mobile Offender Recognition and Information System (MORIS) device. The gadget, which attaches to an iPhone, can take an iris scan from 6 inches away, a measure of a person's face from 5 feet away, or electronic fingerprints, according to Computer vision central. This biometric information can be matched to any database of pictures, including, potentially, one of the largest collections of tagged photos in existence: Facebook. The process is almost instant, so no time for a suspect to opt out of supplying law enforcement with a record of their biometric data.

...
 
2. The DMV

Slightly fewer than half of the DMVs in the US have the capacity to run your picture through biometric databases. Ostensibly, these searches are intended to catch people trying to collect multiple IDs from different states. Fair enough. But as EFF's Lee Tien told AlterNet, the DMV can also log into and run a person's face against any government database, including ones that hold criminal records. Last August, former New York Gov. David Paterson and DMV commissioner David Swartz held a triumphant news conference where they announced that more than 100 felony arrests were made through the DMV's facial recognition program.

In the past, the FBI has applied facial recognition technology to the DMV's vast database of photo images in pursuit of suspects, according to the AP...
'We see this as sort of creeping Big Brother government, an invasion of people's privacy,' said Richard Holober, executive director of the San Mateo-based Consumer Federation of California."

...

3. Las Vegas casinos, and Kraft and Adidas stores

For years Las Vegas casinos have used various forms of facial recognition to identify card-counters. Now, Vegas is at the forefront of efforts to adapt facial recognition to more efficiently suck money out of visitors. The LA Times reported last week that the Venetian hotel and casino has installed basic facial recognition software in advertisements. A camera captures an image of a person passing by and an algorithm determines their gender and rough age. The advertisement can then present them with products most likely to appeal to their demographic. 

...

4. Bars 

Inevitably, facial recognition software is also being deployed for the purpose of getting people laid. SceneTap, an app developed by a Chicago company uses information from facial recognition cameras planted in bars to determine the ratio of women to men and the average age of customers. As of June, 200 bars across the country had signed up to take part according to Forbes. SceneTap developers assured reporters that the cameras they're installing in bars do not capture high-enough-quality images to match them up to databases or Facebook profiles.

In my last post I gave a short summation of why I find the spread of this technology, and many other privacy-related intrusions, so disturbing. It's not that any one violation alone is the problem, it's the totality of them all...and the direction it indicates we're headed as a society.

I wrote, "Whether it's the knowledge that everything we do on the internet is followed and stored, that we can be wiretapped for no reason and without a warrant or probable cause, that smart grid systems monitor our daily in home habits and actions, that our emails can be intercepted, that our naked bodies must be viewed at airports and stored, that our book purchases can be accessed (particularly if Google gets its way and everything goes electronic), that street corner cameras are watching our every move, and that RFID tags and GPS technology allow for the tracking of clothes, cars, and phones (and the list goes on)...what is certain is privacy itself is on life support in this country...and without privacy there is no freedom. I also fear how such a surveillance society stifles dissent and discourages grassroots political/social activism that challenges government and corporate power...something that we desperately need more of in this country, not less."

Today's article from Alternet certainly gives me no reason to retract any of this...