35 posts categorized "Canada"

RSA Announced "ChewBacca" Malware Attacked Retailers In 11 Countries

Global security firm RSA announced the discovery of "ChewBacca" malware attacks which targeted point-of-sale (PoS) systems in retail stores. The malware attacked and stole shoppers' credit card payment information in 11 countries, including the United States, Australia, Canada, and Russia:

"While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems."

Tracks 1 and 2 of the magnetic stripe on your credit cards, formats developed by the banking industry, typically include the following payment information:

  • Cardholder's full name
  • Credit card number
  • Credit card expiration date
  • Country code

Track 3 of the magnetic stripe is used to store PIN, currency, authorized amounts, and other payment data for debit card transactions. It appears that a different malware version targeted both credit and debit cards via infected PoS terminals during the Target data breach. Neiman Marcus has disclosed a few details about its data breach, while Michaels Stores has not -- so far.

The malware copied payment information from the PoS terminal's memory at the moment the shopper's payment data was unencrypted. The malware then sent the stolen payment information to a hidden Internet-connected server.

The Trojan was named "ChewBacca" because the sign-in page for malware users features an image of the popular character from the Star Wars films. To protect shoppers' payment data against malware like ChewBacca, RSA suggested:

"Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."

So, doing nothing is not an option. Business-as-usual is not an option.
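As an added example (not code from RSA's report or from this blog), here is the kind of check a monitoring team runs over captured network payloads or log extracts to confirm that track 1 and track 2 data is not travelling in plaintext, which is the condition the RSA advice above is about. The track layouts are the standard magnetic-stripe formats; the sample buffer, the cardholder name and the use of a widely published test PAN are constructed, and findings are masked so the monitoring log does not itself leak card data.

```python
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^%?]{2,26})\^(\d{4})\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d{3}[^?]*\?")


@dataclass
class Finding:
    track: int        # 1 or 2
    masked_pan: str   # first six and last four digits only, never the full PAN
    expiry: str       # YYMM as carried on the stripe
    offset: int       # position in the scanned buffer


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; filters out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four, the usual form in which a finding may be logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: str) -> list:
    """Return one Finding per Luhn-valid track 1 or track 2 record present in buf."""
    findings = []
    for m in TRACK1.finditer(buf):
        if luhn_ok(m.group(1)):
            findings.append(Finding(1, mask_pan(m.group(1)), m.group(3), m.start()))
    for m in TRACK2.finditer(buf):
        if luhn_ok(m.group(1)):
            findings.append(Finding(2, mask_pan(m.group(1)), m.group(2), m.start()))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample of what a plaintext leak looks like in a capture or log extract.
# 4111111111111111 is a widely published test PAN; the cardholder name is made up.
SAMPLE = (
    "POS-TERM-07 auth request 2013-10-25T14:02:11Z\n"
    "%B4111111111111111^TEST/CARDHOLDER^25121011234567890?\n"
    ";4111111111111111=251210112345678?\n"
    "ref ;1234567890123456=2512101? (shaped like track 2 but fails Luhn, so ignored)\n"
)

if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE):
        print(f"offset {f.offset}: track {f.track} data, PAN {f.masked_pan}, expiry {f.expiry}")
```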

Are You Walking Blindly In The 'Big Data' Revolution?

There is a good article on the BBC News website about the trends and impacts of technology, namely about how "big data" is transforming the entire planet. "Big data" refers to the information companies and governments collect about consumers. They collect this information from a variety of sources:

"... not only from posts to social media sites, mobile signals and purchase transactions but increasingly from sensors on objects from lamp-posts to skyscrapers...In Birmingham, lamp-posts are being fitted with sensors that can transmit information about cloud cover to offer hyper-local weather forecasting. In Norway, more than 40,000 bus stops are tweeting, allowing passengers to leave messages about their experiences... At MIT's Senseable City Lab, 5,000 pieces of rubbish in Seattle were geo-tagged and tracked around the country for three months to find out whether recycling was really efficient..."

You've probably noticed video surveillance cameras on street lights across the country. That's another source. This blog has reported on many other sources.

All of these types of devices will be used more and more in what people call a "smart city":

"The core functionality of a smart city requires a vast amount data to be collected on every aspect of our lives every minute of every day. The question is how does that data get used? And it doesn't require a huge amount of imagination to see how it could be used to monitor people... the control of information is being taken away from citizens, and companies providing services are rushing to find ways of generating revenue from the data they hold. The danger is... individuals will not be able to control the ways they are monitored or what happens to the information, which is exactly the opposite of how it should be."

It seems to me that you can distill all of this into a single issue for consumers:

"... People have clicked "yes" to those terms but don't realise that everything you share can be collected. We could be walking blindly into a 24/7 surveillance society..."

We have traded privacy for convenience.

Are you walking blindly? Are you willing to continue trading privacy for convenience? Are you willing to question online processes, privacy disclosures, and website terms of use? Are you willing to push back and say: enough? Are you willing to demand that your elected officials put consumer protections in place before privacy abuses happen, rather than minor, ineffective protections afterwards? Are you willing to support any of the consumer advocacy groups that look out for your privacy?

CBC Interactive Map Of Foreign Travel Advisories

I like to travel to different countries. So do many people. If you plan to travel to other countries, then you might find this resource helpful for avoiding getting mugged, having your identity information stolen, or worse during foreign travel.

The Canadian Broadcasting Corporation (CBC), based upon data from Canada's Department of Foreign Affairs, produced an interactive map of travel advisories for consumers. The map highlights places to avoid and places to take extra security precautions.

In the United States, the Bureau of Consular Affairs within the State Department provides similar information with alerts and warnings for foreign travel.

5 Online Privacy Tips To Keep You And Your Family Safe

Monday will be Data Privacy Day (DPD), with celebrations in North America and Europe to raise awareness and educate consumers about privacy. DPD was started in 2008. This year's theme is "Respecting Privacy, Safeguarding Data and Enabling Trust." This year's events begin with a privacy forum at the George Washington University Law School in Washington, DC, where Federal Trade Commissioner Maureen Ohlhausen is the keynote speaker. More events are scheduled nationwide throughout February.

To support this event, AnchorFree and the National Cyber Security Alliance have jointly developed a list of tips for consumers to maintain their privacy when connected to the Internet via a smart phone, tablet, or laptop/desktop computer:

"1. Risky business - Make sure all family members understand the public nature of the Internet and its risks. Any digital information they share -- emails, photos or videos -- can easily be copied and pasted elsewhere, and is almost impossible to take back. Anything that could damage their reputation, friendships, wallet or future prospects should not be shared electronically."

A recent study found that 30 percent of teenage girls meet, in person, strangers they first met online. So, it is critical for parents and families to practice safe habits while connected to the Internet and in the physical world. If you are a parent, grandparent, or guardian who plans to buy a smart phone for a child, then you definitely should read this contract one smart parent created to help her manage her teen's online usage.

"2. Keep it hidden, keep it safe - Make sure all family members are careful about sharing sensitive information such as birth date, addresses, phone numbers, location, financial information, social security numbers, passwords and vacation plans. Most reputable online services have privacy settings. Teach your kids how to use them, too."

"3. Browse intelligently - Avoid using sketchy, unfamiliar websites, and delete suspicious emails, particularly those that ask for unnecessary personal information or request that you download something. These may be malware or phishing sites out to steal your personal data."

There are several products available that automatically delete browser HTTP cookies and the other files websites use to track you while connected to the Internet (e.g., Flash cookies and other LSOs, Locally Shared Objects). This blog has reviewed some of them, including the MAXA Cookie Manager. I use the BetterPrivacy plugin with the Firefox browser.

The next item is critical because smart phones and tablets save a ton of metadata with each photograph or video you take. The metadata with your photos includes a lot of descriptive information, including but not limited to: a photo description (e.g., title, subject, tags, comments); author; date and time created; copyright information; an image description (e.g., dimensions, resolution, color details, compression); a camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version); and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata combined with your GPS location, a company can tell a lot about you, your purchases, and your lifestyle, plus what you did or spent, when, and where.

That metadata gets uploaded to your favorite social networking website whenever you upload photos. Some social networking sites collect, save, and share all of that metadata. Others use some of it. So, consumers should:

"4. Turn off geolocation - Many apps' permissions include backdoor location trackers that are constantly streaming your location. If you're not actively using your phone to navigate, turn them off. The FTC recently noted that many apps aimed at children are disclosing location; make sure your kids are following this rule of thumb as well."
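As an added example (not from the tips above or from this blog), the Python below reads the GPS position out of a photo's EXIF metadata and strips that segment before upload, so you can see for yourself what a phone has embedded in a picture. It parses the real Exif layout (an APP1 segment holding a TIFF structure whose IFD0 entry 0x8825 points at the GPS sub-IFD with tags 1 to 4), but builds its own minimal JPEG container with a constructed GPS block and no image data so it runs offline.

```python
import struct

GPS_IFD_TAG = 0x8825   # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZE = {2: 1, 4: 4, 5: 8}   # ASCII, LONG, RATIONAL: the only TIFF types decoded here

def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each length-prefixed segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # SOS or EOI: no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Decode one TIFF IFD into {tag: value} for the ASCII/LONG/RATIONAL types."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    out = {}
    for i in range(count):
        ent = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        if typ not in TYPE_SIZE:
            continue
        size = TYPE_SIZE[typ] * n
        if size <= 4:                        # value fits inside the 12-byte entry
            data = tiff[ent + 8:ent + 8 + size]
        else:                                # entry holds an offset to the value
            off = struct.unpack(e + "I", tiff[ent + 8:ent + 12])[0]
            data = tiff[off:off + size]
        if typ == 2:
            out[tag] = data.rstrip(b"\x00").decode("ascii")
        elif typ == 4:
            out[tag] = struct.unpack(e + "I" * n, data)
        else:
            out[tag] = tuple(num / den for num, den in struct.iter_unpack(e + "II", data))
    return out

def _to_decimal(dms, ref: str) -> float:
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value

def gps_coordinates(jpeg: bytes):
    """Return (lat, lon) in decimal degrees if the Exif block carries a GPS fix, else None."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = jpeg[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"   # byte order declared by the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, ifd0[GPS_IFD_TAG][0], e)
        if GPS_LAT not in gps or GPS_LON not in gps:
            return None
        return (_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")),
                _to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E")))
    return None

def strip_exif(jpeg: bytes) -> bytes:
    """Copy the file without its Exif APP1 segment: the pre-upload step the tip calls for."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                        # image data and trailer are copied unchanged
    return bytes(out)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed minimal container (SOI + Exif APP1 + EOI, no image data) holding only
    a GPS sub-IFD, laid out little-endian, so the parser can be exercised offline."""
    e = "<"
    rat = lambda dms: b"".join(struct.pack(e + "II", int(round(v * 1000)), 1000) for v in dms)
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00" * 3
    gps += struct.pack(e + "HHII", GPS_LAT, 5, 3, 80)      # latitude rationals stored at offset 80
    gps += struct.pack(e + "HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00" * 3
    gps += struct.pack(e + "HHII", GPS_LON, 5, 3, 104)     # longitude rationals at offset 104
    gps += struct.pack(e + "I", 0)
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

# Constructed fix in degrees, minutes, seconds: roughly downtown Boston.
SAMPLE = build_sample_jpeg((42, 21, 36.36), "N", (71, 3, 32.04), "W")
```

Running `gps_coordinates(SAMPLE)` returns the embedded position, and `gps_coordinates(strip_exif(SAMPLE))` returns None; on a real photo the same two calls show what would have been uploaded and what remains after stripping.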

The last tip cannot be overemphasized. Public WiFi hotspots are everywhere. If you expect to perform sensitive tasks (e.g., online banking, or accessing sensitive documents from your employer) while connected to a public WiFi hotspot, you should:

"5. Get behind a shield - Use a VPN such as Hotspot Shield, which will help identify malware sites and provide a secure, encrypted connection to the Internet for desktop or mobile devices, protecting your browsing from hackers and snoops. This is particularly important when using public Wi-Fi or other unknown networks."

AnchorFree produces Hotspot Shield. There are other brands available. Take a look at Get Cocoon and PrivateWiFi.

The National Cyber Security Alliance is a nonprofit organization formed to educate and empower consumers about Internet privacy. It collaborates with government, corporate, other non-profit and academic entities. NCSA board members include: ADP, AT&T, Bank of America, EMC Corporation, ESET, Facebook, Google, Intel, McAfee, Microsoft, PayPal, Science Applications International Corporation (SAIC), Symantec, Trend Micro, Verizon and Visa.

Some of those board members have a ways to go regarding privacy in their products or services. As a business consultant, I regularly use VPN software to remotely and securely access my clients' networks and servers. This blog post is not an endorsement of Hotspot Shield, since I have not used it.

What's your opinion of this list of tips? What VPN software do you use?

Canadian Privacy Commissioner Introduces Graphic Novel To Help Youth Safely Use the Internet With Mobile Devices

The Office of the Privacy Commissioner in Canada has introduced a graphic novel designed to help teens and youth use the Internet safely with mobile devices. If you haven't read it, I highly recommend it. It is an easy read and it clearly describes some good, basic data security habits.

The graphic novel (Adobe PDF, 4.5 MB) is good for youth (and their parents) everywhere, and not just in Canada. The skills needed to safely use mobile devices and maintain privacy are universal.

In the United States, the Federal Trade Commission (FTC) offers the "Heads Up: Share With Care" guide (Adobe PDF) for youth at the OnGuard Online website.

FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

Earlier this week, the U.S. Federal Trade Commission (FTC) released its annual report of the leading complaints filed by consumers. During 2011, identity theft (again) led the list of complaints. This is the 12th consecutive year that identity theft has led the list:

Rank  Type of Complaint or Scam                         Number    % of Total
1.    Identity Theft                                    279,156   15%
2.    Debt Collection                                   180,928   10%
3.    Prizes, Sweepstakes and Lotteries
4.    Shop-at-Home and Catalog Sales                    98,306    5%
5.    Banks and Lenders                                 89,341    5%
6.    Internet Services
7.    Auto Related                                      77,435    4%
8.    Imposter Scams                                    73,281    4%
9.    Telephone and Mobile Services                     70,024    4%
10.   Advance-Fee Loans and Credit Protection/Repair    47,414    3%

Other notable findings:

  • Fraud: 990k of the 1.8 million complaints were fraud-related. 68% of consumers reported a fraud complaint where they paid an amount. The total amount paid was $1.5 billion, and the median amount paid was $537. 43% of consumers were contacted via email. The five states with the highest per-capita fraud reported were Colorado, Delaware, Maryland, Nevada, and Virginia.
  • Identity Theft: Government documents/benefits fraud (27%) was the most common form reported, followed by credit card fraud (14%), phone or utilities fraud (13%), bank fraud (9%), and employment fraud (8%). 45% of consumers reported they contacted local law enforcement. The five states with the highest per-capita identity theft were Florida, Georgia, California, Arizona, and Texas.
  • Countries: the top five countries were the USA (80%), Canada (4%), the United Kingdom (4%), Nigeria (2%), and Jamaica (2%).
  • Age: consumers that filed complaints during 2011 were ages 50-59 (23%), followed by ages 40-49 (20%), ages 30-39 (17%), ages 60-69 (15%), and ages 20-29 (15%).
  • Military: members from all four branches plus the Coast Guard reported complaints. For this group, identity theft ranked as the number one complaint, followed by Debt Collection. Mortgage Foreclosure Relief and Debt Management ranked fourth for this group, compared to 13th for all consumers.

During 2011, consumers submitted about 1.8 million complaints, an increase of 24% over 2010. All complaints submitted by consumers are collected in the FTC Consumer Sentinel Network database, which contains 30 different categories of complaints. Download the 2011 FTC Consumer Sentinel Network Data Book (Adobe PDF).

Consumer Receives Email Inquiry From Calgary Police About Stolen Credit Card

What would you do if you received an e-mail from a police department in another country claiming that your personal and financial information had been stolen? This happened last week to my friend Beth (her name has been changed at her request). Beth, who lives in Boston, received the e-mail message below:

From: Calgary Police Service
Date: Wed, Aug 3, 2011 at 4:31 PM
Subject: Police Inquiry - Identity information recovered

[Beth's personal information removed for security reasons.]

I am a constable with the Calgary Police Service (CPS) in Calgary, Alberta, Canada. The CPS recently executed a search warrant at a Calgary residence and one of the items seized was a sheet of paper bearing the personal information of 144 people; this information included credit cards, expiry dates, full names and addresses. The above information, accompanied by your e-mail address was listed. It is my intention to charge the suspect with unlawfully possessing credit card and identity information. In order to prosecute, I require confirmation that the above information is (or was) correct.

Your personal information appears to have been compromised. Therefore, I am recommending that you notify the bank that issued your credit card to have it cancelled immediately. I would also encourage you to contact your local credit reporting bureau and check to ensure that your personal information has not been used to obtain any other banking services or products.

This is a legitimate law enforcement inquiry and my credentials can be verified via the Calgary Police Service website at www.calgarypolice.ca. If you are unsure of the legitimacy of this e-mail, please present it to your local law enforcement agency, so they might assist in this investigation.

Cst. K Grier #4572
District 3 GIU
Break and Enter Detail
Calgary Police Service

First, I would like to thank Constable Grier and the CPS for catching and prosecuting identity-theft criminals. It is always good to see local law enforcement in action.

I spoke with Constable Grier about her e-mail. Since most of the identity-theft victims in this case were from other countries outside Canada, CPS notified banks and took the added step of notifying theft victims directly, when possible. Constable Grier suspected that the credit card information was either stolen from a website or accounts were hacked. Like all law enforcement, CPS appreciates the assistance the public and breach victims can provide.

This case has several implications. First, it highlights the fact that identity-theft criminals often commit other types of crimes -- in this case, burglary. While pursuing a burglary suspect, CPS discovered the credit card thefts. So prosecuting and jailing identity-theft criminals can also stop other crimes.

Second, this case highlights potential gaps in cross-border breach notification laws. While local law enforcement in another country may promptly notify breach victims' banks, my understanding is that there is no guarantee of data breach notice to U.S. citizens across country borders. I did some light reading and the current Red Flag Rules do not apply to breaches at bank branches located outside the USA (PDF document). Perhaps some legal scholars can expand and clarify on international laws regarding cross-border breach notification.

Third, it highlights the need for breach victims to take action. I am sure many readers want to know what to do should you receive an e-mail like the one above. Beth found this situation scary as she had never visited Calgary. She wondered if the above email was real or a scam.

Since there are so many online scams and phishing e-mail messages, I advise consumers to first verify the e-mail via an alternate method. By "alternate method" I mean an independent, different method than the format of the suspect message. Don't disclose any more personal information until you have verified that the message is real. Example: If the suspect message is an e-mail, don't press the "Reply" button. Instead, independently verify it via the phone (or an in-person visit to your local law enforcement). Example: if the suspect message is a phone call, independently verify it via e-mail or the Internet. Or, ask your local police department for help with verification of an inquiry from another police department.

In this case, verification was easy. I performed a Google search to independently find the CPS website, since I didn't want to rely on the contact information in the e-mail. At the CPS website, I found the main phone number for District 3, and called to verify that Grier is a Constable there.

I shared all of this with Beth, who started to feel better. Later she contacted Grier. The thief had stolen credit-card information for an account Beth had closed long ago. While consumers may ignore the situation because credit-card theft liability is small and often limited to US $50, helping law enforcement is important. As this case highlighted, identity thieves often commit other types of crimes. So, prosecution for identity theft can stop other types of crimes, too.

The Calgary Police Service Identity-theft page has advice for consumers to both avoid becoming identity-theft victims, and for identity-theft victims. If you are an identity-theft victim, CPS advises:

  • File a report with your local police department and obtain a case number.
  • Notify all creditors by phone and in writing about the crime.
  • Keep a log of all your contacts.
  • Use a credit bureau sample dispute letter.
  • Look at the crime before & after the event to learn how it happened. This will often help to lead investigators to multiple crimes.
  • Prepare to complete an ID Theft Affidavit.
  • Learn as much as you can!!

Privacy Commission of Canada Investigates Online Dating Websites

In a report (PDF format) to the Canadian Parliament earlier this week, the Privacy Commission of Canada announced that it is investigating online dating websites for privacy abuses. The investigation results from a complaint filed with the Privacy Commission office by a Canadian woman who attempted to delete her eHarmony account:

"A woman who had been a member of eHarmony complained to our Office that, upon ending her membership, she had asked eHarmony to delete her online account. Days later, she went online to check that her instructions had been carried out. She discovered, however, that she could still sign in and that the account contained all the personal information she had previously provided."

The woman then did what any of us would have done. She didn't give up. She contacted eHarmony again and requested that the company delete her profile. The company's response:

"... eHarmony replied that her account was now inaccessible to other members. However, eHarmony told her that it could not entirely delete her record of having joined, or remove her personal information."

The Privacy Commission investigated and found that while 40% of online dating users reactivate dormant accounts, a larger portion -- 60% -- do not. Its investigation of eHarmony also discovered:

"... that the option to “close” an account was not readily accessible on the eHarmony website. Nor was there a clear explanation of what eHarmony meant by that term."

The Privacy Commission suggested to eHarmony that it provide both profile "deactivation" and "deletion" options, and that the difference between these two options be clearly explained in the website privacy policy. Consumers should stay in control of their personal information. The company's response:

"... eHarmony confirmed that it had taken, or was in the process of taking, steps to address our concerns, including:
1. Establishing a two-year retention period for personal information that the site collects from the users of its service;
2. Providing a clear and efficient process for users to request removal of their personal information; and
3. Providing users with clear information about the difference between deactivating an account and deleting an account as well as information about how long eHarmony retains personal information."

The retention period is important because retained data carries the risk of data breaches: unauthorized people accessing consumers' sensitive personal information. The Privacy Commission reviewed other online dating websites and found that some lacked a privacy policy.

What should users of online dating services do to protect themselves and their sensitive personal information? The Privacy Commission advises consumers to:

  1. Verify that the website has a privacy policy and read it before registering
  2. The policy should use easy-to-understand language, and clearly state what personal information the website collects, how it is used, and how it will be safeguarded
  3. Look for both account deactivation and deletion options. Look for definitions of any alternative words used, such as "close," to determine whether this means deactivation or deletion.
  4. Look for a statement about how long the website retains your personal information, and if it anonymizes your information after that.

My take on this: if the website doesn't have a privacy policy, don't register with that website (or app). If the website has both a privacy policy and a terms of use policy, read both documents. If the documents are difficult to understand, don't register with that website. The documents should cover all of the devices you plan to use with the website. If there are different privacy policies for different mobile devices, look for another dating service.

If the data retention period is longer than two years, skip that website and look for another service. If you are savvy about data anonymization, look for a definition of that. If you don't like what you read, don't register with that website.

As I think about it, the above consumer tips are good for any social networking website, and not just online dating websites.

Are you an online dating service user? What do you think?

Data Breach At Honda Canada Affects 283K Customers

Honda Canada announced that about 283,000 Canadian customers have been affected by a data breach at its myHonda and myAcura websites. The company had noticed unusually high website activity during February. The data stolen included names, addresses, and vehicle identification numbers. For some customers, financing account numbers were also stolen.

The customer data was collected during 2009 by customer mailing programs aimed at Honda and Acura automobile owners. Affected customers were notified in a letter dated May 13.

As data breaches go, this could have been much worse. The data stolen did not include birth dates, telephone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, or social insurance numbers. However, the theft of vehicle identification numbers exposes breach victims to phishing attacks.

Also, this is not the first data breach at Honda. In 2010, about 2 million Honda customers in the United States were affected by a data breach involving its Silverpop e-mail marketing vendor. The number of stolen records was later revised upwards to 4.9 million Honda customers. American Honda Motor Company provided this breach help site for its customers in the United States.

Yet Another Data Breach At Sony; Playstation Network Returns Online in Phases

Several news organizations reported that hackers attacked Sony Ericsson's Canadian eShop website. This latest Sony data breach affected only about 2,000 consumers. The Canadian eShop website provides accessories and support for phone customers. At press time, portions of the Canadian eShop website were unavailable.

The Canadian eShop breach is more bad news for Sony after massive data breaches at its Playstation Network and Online Entertainment units. Sony forecasts its breach-related costs in the United States at $171 million for the coming fiscal year ending March 2012, excluding any lawsuits.

On Tuesday last week, Sony disclosed a breach at its Sony Music Entertainment Greece website, which affected about 8,500 customers. Sony also disclosed that an unauthorized user had accessed and changed its Sony Music Indonesia website, and a hacker may have accessed its Thailand website to send e-mail spam.

On Friday May 27, Sony announced a phased restoration of service at its Playstation Network unit:

"... Sony Network Entertainment International (SNEI, the company) will begin a phased restoration of PlayStation®Network and Qriocity Services in Japan and Asian countries and regions including Taiwan, Singapore, Malaysia, Indonesia, and Thailand*1 on May 28. A new identity protection program will also be offered in conjunction with the phased restoration for PlayStation Network and Qriocity customers in Japan..."

Don't Get 'Mugged' By The Area Code Phone Scam

I often write about scams by criminals trying to either trick consumers out of their money, or trick consumers into revealing their sensitive personal and bank account information.

When I returned from vacation last week, there was a voice-mail message on my home phone from a woman who said she called me a couple months ago and asked me to return her call. She only gave a first name (which I didn't recognize), didn't mention the company she was with, and didn't leave a message why she called. Plus, the phone number she left had an Area Code I didn't recognize.

Then, I saw this AT&T press release:

"809 Area Code Scam: Be cautious when responding to e-mails or phone calls from the 809, 284 or 876 area codes. This long distance phone scam causes consumers to inadvertently incur high charges on their phone bills. Consumers usually receive a message telling them to call a phone number with an 809, 284 or 876 area code in order to collect a prize, find out information about a sick relative, etc. The caller assumes the number is a typical three-digit U.S. area code; however, the caller is actually connected to a phone number outside the United States, often in Canada or the Caribbean, and charged international call rates. Unfortunately, consumers don't find out that they have been charged higher international call rates until they receive their bill."

The FCC alert also includes the 649 Area Code. For those who are curious, Area Code 649 is Turks and Caicos; 809 is the Dominican Republic; 284 is the British Virgin Islands; and 876 is Jamaica. At the FCC (U.S. Federal Communications Commission) site, you can also file a complaint.

Obviously, it is wise to return calls only from people whose names you recognize. I didn't fall for this scam and I hope that you don't either. The AT&T press release has tips on how to avoid falling for this scam, and on what to do if you have already been scammed.

I frequently use Snopes.com to verify e-mail messages I receive which seem odd. Snopes.com also includes a warning about the 809 Area Code scam.

How To Spot Upcoming Trouble In Companies' Annual Filings

Canadian Business Online reported the results of an interesting study:

"The study, by University of Notre Dame business professors Tim Loughran and Bill McDonald, reveals that certain innocuous-sounding phrases such as “related party transaction” and “unbilled receivables” that appear in corporate filings could signal fraud or, at the very least, problems with the business."

The researchers analyzed more than 50,000 10-K filings, the documents publicly-traded companies file every year with the U.S. Securities and Exchange Commission. Phrases the researchers found worrisome:

"The phrase that popped up the most was “related party transactions,” which appeared in 16,524 reports. The term, which means a deal between two parties who have a prior relationship, is worrisome... as it “could be an indication that a board of directors is not independent.” The study found that the more the phrase appears, the greater the company’s volatility in the following year..."

"... the more companies used the words “materially and adversely affected,” which usually refers to a negative event affecting earnings, the more the stock value dropped after the report was submitted to the SEC. Another term to watch for is “unbilled receivables.” The study reveals that the more times that term is used, “the more likely it is that someone will subsequently file a class action lawsuit against the company.”

The results of this study sound like advice consumers could use for both investing decisions and for employment search decisions.

Canadian Commissioner Says Facebook Has 'Privacy Gaps'

From time to time, I've written about Facebook due to its privacy and potential data breach risks. Canada.com reported:

"Canada's privacy commissioner on Thursday ruled that Facebook is in violation of the country's privacy law, citing "serious privacy gaps" in the way the popular social networking site treats its 12 million Canadian users. And if the California-based company doesn't comply with Jennifer Stoddart's directives within 30 days, Facebook will likely be hauled to Federal Court to face a judge with the power to order the company to implement the recommendations."

About 12 million Canadians use Facebook. The probe found four problems:

"In addition to an "overarching" concern relating to the "confusing" or "incomplete" way in which Facebook provides information to users about its privacy practices, the report concluded Facebook's policy to keep indefinitely the personal information of people who have deactivated their accounts is a violation of the privacy law. But the biggest sticking point has to do with the practice of sharing users' personal information with third-party developers that create Facebook applications, such as games and quizzes."

Experts estimate that there are maybe a million Facebook application developers scattered across 180 countries. I'd have to agree. When you launch an application like a quiz, it is unclear exactly what information is or will be shared and specifically to whom. For this reason, I don't use Facebook applications.

Quite predictably:

"... Chris Kelly, Facebook's chief privacy officer, said the site is continually refining its privacy controls and "certainly, we think that our approach right now is compliant with Canadian law..." The probe began last year after the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa filed an 11-part complaint, alleging Facebook violated key provisions of Canada's Personal Information Protection and Electronic Documents Act, the country's private-sector privacy law."

David Fewer, acting director of the University of Ottawa law clinic that filed the complaint, said this about Facebook's third-party applications:

"This is black-letter law they're applying here... Facebook can't say the law is wrong here, or is being misinterpreted. Instead, what they need to do is go back and re-engineer how they do third-party apps. I think they rolled third-party apps out without figuring privacy obligations into the design. There was a fork in the road early on in the design. They went left and they needed to go right. And left is where the money tree is..."

For these reasons, I don't use third-party applications at Facebook. It's simply impossible to tell exactly what data a consumer is releasing, who the application developer is (e.g., some are more trustworthy than others), and what other companies that application developer will share consumers' personal data with. Regardless of Facebook's new privacy policy, the site seems intent on operating with an opt-out-driven ad system which places far too much burden on consumers to constantly monitor their privacy settings to ensure that Facebook hasn't started some new program that harvests and syndicates personal data.

Fraud And Scam Warnings To Consumers From the Better Business Bureau

A couple of warnings to consumers so you don't get "mugged," become a fraud victim, or pay more than you have to. First, the BBB advises consumers to read the fine print at online social media sites, especially Facebook, since:

"... the large print doesn’t always tell the whole story... in January, BBB issued a warning to consumers about online ads and Web sites that use Oprah’s name to sell acai berry supplements as weight-loss miracles... these ads are still common on Facebook and MySpace and link to fake blogs such as www.jennylosesweight.com that are designed to look like testimonials of women who lost weight on the acai supplements... The phony blogs link to Web sites that offer a free trial of an acai supplement, and while the customer may think they only have to pay shipping, they could get billed as much as $87.13 every month if they don’t cancel before the trial period ends."

Another scam consumers should be aware of:

"There are many ads on Facebook that advertise ways to make easy money from home... the ads link to blogs that were supposedly created by people who made money through a work-at-home program. One such blog written by a “Sarah Roberts” claims that she added “$67,000 a year to my family’s income working 10 hours a week... The blogs direct readers to Web sites for programs such as Internet Money Machine and Easy Google Cash where they can sign up for a seven-day trial access to information on how to make money from home. While the free trial supposedly only costs $1.95-$2.95, the individual will be charged $69.90 every month..."

Be sure to follow the above link to learn about more scams. Second, the BBB warns consumers about automated phone calls offering lower credit card interest rates:

"Consumers across the U.S. and Canada are sounding off to Better Business Bureaus about incessant automated telemarketing calls promising to lower interest rates on their credit cards. Not only are the calls a nuisance and violate U.S. and Canadian Do-Not-Call laws, but some companies behind the calls are ripping off consumers by charging large up-front fees to negotiate lower interest rates with credit card companies — something consumers can do on their own for free... After the initial recorded message, consumers must dial another number to be connected to a live person. The live “operator” usually starts the sales pitch by asking for the consumer’s credit card number and whether the consumer is interested in lowering their interest rates. From there, callers begin closing the sale, asking if the consumer is willing to pay – usually from $700 to $1,000 - to have their firm contact the credit card company and negotiate lower rates."

About telephone offers, the BBB advises consumers to:

"Never give personal information, including Social Security, bank or credit card numbers, over the phone to an unknown telemarketer. Always research the company first by reviewing its Reliability Report at www.bbb.org; When considering any company offering any type of financial assistance, insist on getting a contract in which all terms and conditions are clearly explained before signing up or providing credit card or other payment information; U.S. consumers can place their home phone number on the federal Do Not Call list by visiting www.donotcall.gov. If the consumer’s number is already on the list but continues to receive telemarketing calls—or is receiving robocalls on a cell phone—he or she can use the same Web site to report the incident to the FTC. Canadian consumers can learn more at www.lnnte-dncl.gc.ca."

Canadian Officials Criticize TJX's Data Security

More about TJX from yesterday's Daily Business Update:

"Retailer TJX Cos. failed to put in place adequate security safeguards to protect customer information, the privacy commissioner of Canada said today."

TJX operates the Winners and HomeSense retail chains in Canada. The news article explained further:

"A joint investigation by Canada's commissioner of privacy and Alberta's privacy commissioner was launched after TJX, the Framingham-based operator of such chains as T.J. Maxx and Marshalls, disclosed in January that its computer system had been breached, resulting in the theft of millions of credit card and debit card numbers..."

Perhaps most importantly:

"The company collected too much personal information, kept it too long, and relied on a weak encryption technology to protect it - putting the privacy of millions of customers at risk..."

Do you still want to shop at Marshalls, HomeGoods, and/or TJ Maxx? First, read this background about TJX's out-of-court settlement. Then, read a January 2007 TJX press release about how TJX was improving its data security:

"[TJX] immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades."

Yep! That's the same IBM that suffered its own data breach in February 2007 and lost an undisclosed number of records with sensitive personal data about its employees and former employees.

Last, the N.H. Department of Justice web site posts copies of all data breach notification letters it receives. I checked the site this morning and noticed that TJX hadn't updated their January breach notification letter, portions of which contain old and obsolete information.