01-16 October 2013

Canada

CA – Groups Come Together Against Gov’t Surveillance

Georgia Straight reports that more than 20 organizations convened in Vancouver to launch the Protect Our Privacy Coalition, a group of “citizens, experts, organizations and businesses” that “have come together to defend our right to privacy based on a common statement of principle.” Micheal Vonn, policy director for the BC Civil Liberties Association, says the group was formed in response to indications that Prime Minister Stephen Harper plans to implement sections of Bill C-30 , commonly known as the online surveillance bill, and OpenMedia.ca Executive Director Steve Anderson points to revelations about spying by Communications Security Establishment Canada. [Full Story]

CA – CIRA CEO: Local IXPs Can Help Avoid Snooping

The Canadian Internet Registration Authority (CIRA) initiative to create local Internet exchange points (IXPs) “where carriers and communications providers directly connect with each other to exchange traffic”—keeping that Internet traffic out of U.S.-based exchanges. CIRA President and CEO Byron Holland noted, “All the events coming out of the U.S. with the NSA and the PRISM program highlight that it’s a good idea to keep traffic in your own jurisdiction as much as you can.” Without local IXPs, he explained, “I could be sending you an e-mail from downtown Ottawa to another point in Ottawa, and there’s a 40%- chance that will go through the U.S.” [IT Business]

CA – Change to Adoption Law Raises Concerns

Under current adoption law in Quebec, if an adopted child would like information about a birth parent, there is a process whereby a youth and family service center contacts the parent to see if they’d be interested in meeting or communicating. Similarly, the center acts as a pass-through should a parent who has given a child up for adoption want to meet that child later in life. Under a new proposed reform, however, children and parents would have to register a “veto” against their identities being given out, otherwise the information would be distributed upon request. Privacy concerns have been raised because while adopted children will have their veto automatically registered when the law passes, parents would have just 18 months to register their veto or have their identities made available. [The Montreal Gazette]

CA – Manitoba Legislation Awaits Proclamation

Manitoba’s new privacy legislation, which received Royal Assent last month, now awaits proclamation. The province’s Personal Information Protection and Identity Theft Prevention Act (PIPITPA) “will establish rules for the collection, use and disclosure of personal information, including employee information, for most organizations in the province,” the report states, noting, “At this time, the federal government has not determined whether PIPITPA is ‘substantially similar’ legislation, such that it will replace the Personal Information Protection and Electronic Documents Act within the province.” [Financial Post]

CA – BC Celebrates 20 Years of FIPPA With Video, Conference

British Columbia’s Office of the Information and Privacy Commissioner played host yesterday and today to a two-day conference, Privacy and Access 20/20: A New Vision for Information Rights, designed to both celebrate the 20th anniversary of the passing of the Freedom of Information and Protection of Privacy Act and to look forward to new challenges in information access and privacy. In a column for the Vancouver Sun, and accompanying video, Commissioner Elizabeth Denham lays out “some of the challenges we never envisioned in the early days of privacy legislation.” [Full Story]

CA – Denham: BC Laws Must Be Modernized

In an op-ed for marking the 20th anniversary of the province’s Freedom of Information and Protection of Privacy Act, BC Information and Privacy Commissioner Elizabeth Denham looks at the history of the law and the areas where reform and modernization are needed. Denham suggests the Document Disposal Act must be modernized to address public demand for transparency and accountability. Additionally, she calls for the province to anticipate the challenges of this age of Big Data, adding the province “should be more concerned with the magnitude and frequency of privacy breaches and data spills in the public and private sector.” [The Vancouver Sun]

CA – Remembering Canada’s First Commissioner

Justice Inger Hansen, Canada’s first privacy commissioner, who passed away on September 28, is remembered in an obituary. Hansen, who was born in Denmark in 1929, visited Canada for the first time in 1950 and emigrated a few years later. Appointed as Canada’s first privacy commissioner in 1977, she was “responsible for complaints relating to privacy rights and data protection, a field in which she soon became an internationally recognized authority.” In 1983, Hansen was appointed as Canada’s first information commissioner, and she went on to an appointment to the Ontario Court of Justice in 1991. A memorial service is planned for late October. [Ottawa Citizen]

CA – Union Loses Bid to Keep Recordings out of Court

A major Quebec labour union has lost its bid to prevent the provincial corruption inquiry from hearing wiretap conversations involving its senior leadership. The taped conversations of the FTQ union were taken by police during an investigation. The inquiry will only use those parts of the conversations related to “professional functions” and will not focus on individuals’ personal lives. “We must find a balance between private interests, the right to respect for privacy and the public interest in the search for truth and public information related to the mandate of the inquiry,” the commission wrote in its ruling. [CTV News]

Consumer

WW – MasterCard Study Looks At Human Nature Vs. Online Privacy

MasterCard has released a study revealing that traditional demographics—age, gender, race—are poor indicators of consumer attitudes toward online privacy. MasterCard conducted interviews with 9,000 Internet users globally. Theodore Iacobuzio, MasterCard vice president of global insights, said, “We were blown away … It’s all about why you go online,” adding, “Why you go on determines your attitude toward data privacy.” Iacobuzio’s team defined five online personality types: passive users, proactive protectors, solely shoppers, open sharers and simply interactors. The study also found that privacy attitudes do not change; they “determine your behavior.” Iacobuzio said, “One of the real lessons of this piece is that consumers are well-aware of how to protect (their privacy) and whether they want to or not.” [The Washington Post] See also: [Forbes: U.S.-Style Personal Data Gathering Is Spreading Worldwide]

E-Mail

US – Yahoo Sued for Eavesdropping on E-Mail from Non-Yahoo Users

A complaint filed in the U.S. District Court for the Northern District of California alleges Yahoo violated California privacy and federal electronic communications laws by scanning nonusers’ e-mails in the name of targeted ads. The plaintiffs, who are not Yahoo users, allege Yahoo’s interception of messages sent to a Yahoo subscriber in order to profile, collect data and scan for keywords violates California’s Invasion of Privacy Act and the Electronic Communications Privacy Act. The complaint says the practice is “the type of behavior that the U.S. Congress and the California legislature has declared should not be tolerated in a free and civilized society.” [Bloomberg]

US – Harvard to Hold Meetings on E-mail Privacy Policy

A Harvard University taskforce will hold two meetings this month to collect feedback from students, faculty and staff on the school’s e-mail privacy policies. The move comes after fallout from revelations earlier this year that school administration officials covertly searched approximately 14,000 e-mails to find the leak that led to a cheating scandal. In addition to the two meetings, the taskforce has launched a discussion blog and has met several times over the summer to define “underlying principles and questions that it hopes to discuss with the community in the coming months,” according to a university statement, which added, “Among the principles: transparency about the realities of technology, the importance of fostering trust in the Harvard community and respect for the privacy interests necessary to ensure academic inquiry.” [Boston.com]

WW – Yahoo Webmail Gets Default SSL Protection in January

Yahoo has announced that starting on January 8, 2014, all Yahoo mail will be protected by SSL by default. Microsoft has offered optional SSL protection since 2010 and it has been default for Microsoft webmail since July 2012. Facebook implemented SSL for all connections several months ago; it has been an option since 2011. Twitter offered it as an option at the beginning on 2011 and made it default by August of that year. Google has had SSL on by default since 2010, an option since 2008. Yahoo began offering the option of SSL encryption earlier this year. [WashPost] [CNET] [Register]

Electronic Records

US – McAfee: “What Idiot Put This System out There?”

While some said the criticism of privacy protections in the Affordable Care Act’s implementation was political grandstanding, at least one noted cybersecurity guru is right there with them. In a scathing criticism of the technical implementation of the Affordable Care Act, John McAfee said it is a hacker’s “dream.” Because there is no central organization of the program, “anybody can put up a web page and claim to be a broker for this system … [and] it’s not something software can solve.” An unsuspecting person is likely to think a rogue website is real, deliver up Social Security number and various other intimate health details, only to discover the site is fake and built to steal identities. Retirees, McAfee predicts, will have their savings “wiped out in one day because [they] signed up for Obamacare.” [Full Story]

Encryption

WW – Researcher Finds Encryption Flaw in WhatsApp

A security researcher said he has found an encryption flaw making it possible for adversaries to decrypt communications sent with WhatsApp, though developers say the messages are “fully encrypted” and the company’s CEO says the report is “sensationalized and overblown.” A computer science and mathematics student wrote in a blog posted Tuesday, “You should consider all your previous WhatsApp conversations compromised,” adding, “There is nothing a WhatsApp user can do about this … except to stop using it until the developers can update it.” [Ars Technica]

US – Lavabit Founder Appealing Govt’s Order to Turn Over Encryption Keys

Ladar Levison, owner of the now-shuttered secure email service Lavabit, is asking the Fourth Circuit Court of Appeals in Virginia to rule that the government’s orders earlier this year demanding that the company surrender its private SSL keys were unlawful. Levison is hoping to reopen the business. While Edward Snowden has not been named in connection with the Lavabit case, it seems likely that it was Snowden’s communications the government sought when they demanded that Levison turn over the keys. Levison eventually relented, but shut down his company immediately after surrendering the keys, saying that he would rather shut down his business than be “complicit in crimes against the American people.” [WIRED] [NBC News]

WW – Lavabit Users Will Have Brief Window to Reset Passwords, Retrieve Data

Lavabit will reopen for a brief window of time to allow users retrieve their data from the company’s servers. Starting at 8 PM US Eastern time on Monday, October 14, users have 72 hours to change their passwords. Following that period, users will have a short window of time to retrieve an archive of their stored messages and account data. [CNET] [Engadget]

US – US Govt Demanded Lavabit Encryption Keys

Recently unsealed documents in a court case regarding secure email provider Lavabit’s appeal of a US government demand for information show that the government had ordered Lavabit to provide it with its SSL keys. The order reads, in part, “The court determines that there is reason to believe that notification of the existence of this order will seriously jeopardize the ongoing investigation.” Levison says he suggested logging Snowden’s communications, decrypting them and uploading them to a government server on a daily basis. But the government wanted the private SSL certificate used to encrypt all Lavabit traffic. He initially provided the encryption keys in hardcopy format, printed out as strings of numbers. When he was found to be in contempt of court for this action, being fines US $5,000 a day, he eventually relented and provided the government with the electronic keys but the immediately shut down his business. [ArsTechnica] [ComputerWorld] [WIRED] [ZDNet] [Register] [Pleadings Exhibits (Redacte)]

EU Developments

EU – Groups Lobbying “Furiously” Ahead of Oct. 21 Regulation Vote

The European Parliament’s vote on “the introduction of the harsh new Data Protection Regulation,” scheduled for October 21, suggesting it will place the “battle between Big Data and individual privacy” front and center. With such organizations as the World Federation of Advertisers and the Industry Coalition for Data Protection “furiously lobbying ahead of the vote, hoping for a lighter-touch regime to protect the interests of business,” the report notes that while this month’s vote is not the last step in the process, “it is a key step in determining the outcome.” [AdAge]

EU – Justice Ministers Support “One-Stop Shop”

European justice ministers on Monday agreed “in principle” to accepting a “one-stop shop” framework for organizations doing business within the EU. The rule would set up a system whereby businesses processing personal data of Europeans would report to one data protection authority instead of as many as 28. French officials had called for a joint decision-making panel among data protection authorities, but Irish officials strongly opposed the proposal. Both Google and Facebook have their European headquarters in Ireland. Lithuanian Justice Minister Juozas Bernatonis said the aim is “to ensure legal certainty and reduce the administrative burden.” EU Justice Commissioner Viviane Reding said the move will benefit the consumer: “A citizen who has a problem will address himself to his own data protection authority not, as is currently often the case, a foreign authority.” [IDG News Service]

EU – U.S. Safe Harbor, Australian Gov’t Actions Questioned

The European Parliament’s Electronic Mass Surveillance of EU Citizens Inquiry is discussing the EU-U.S. Safe Harbor data sharing agreement and has concerns about “the system is flawed and allows for wide-scale abuse by the firms themselves and easy infiltration by U.S. intelligence agencies.” Christopher Connolly of Australian-based consulting firm Galexia told the committee that “many claims of Safe Harbor membership are false“—to the tune of 427 organizations “with hundreds of millions of customers.” Meanwhile, ABC News reports on documents obtained under Freedom of Information laws showing Australia’s government “knew about the secret U.S. Internet spying program PRISM months before a whistleblower made details public.” [Press TV]

UK – Privacy Groups Taking GCHQ to Court

Privacy advocates Big Brother Watch, the Open Rights Group, English PEN and Constanze Kurz have filed a legal challenge claiming GCHG’s “mass online surveillance programmes have breached the privacy of tens of millions of people across the UK and Europe,” The Guardian reports. UK MPs cleared GCHQ of any wrongdoing, and Privacy International has launched a case that will be heard by the Investigatory Powers Tribunal, but Nick Pickles of Big Brother Watch has said, “Parliament did not envisage or intend those laws to permit scooping up details of every communication we send, including content, so it’s absolutely right that GCHQ is held accountable in the courts for its actions.” [Full Story]

EU – Dutch Gov’t Wants Input on Cookie Rules Change

The Dutch government has introduced a proposal for a change in cookie rules and is seeking public input, Mondaq reports. The proposed amendment was introduced by the minister of economic affairs in May and is symbolic of the new way the Dutch government looks at cookies. It aims to exempt some cookies from rules in that if browsers allow users to actively configure settings, implicit consent may be an acceptable method, the report states. [Full Story]

EU – Will Regulation Create Euro-Only Cloud?

While the originally proposed EU Data Privacy Regulation did not include provisions to address cloud computing, several amendments have been added since. The New York Times reports that among those proposed, one bars transfers of data from EU to U.S. clouds without informed consent and another would require such transfers to come with a notification “to the data subject of such transfer and its legal effects.” EC Vice President Neelie Kroes says, “European citizens will not embrace the cloud if they are worried for their privacy or for the security of their data,” and other EU regulators seem to agree, calling for the development of European clouds. But outside the EU, others question the effect of creating European clouds. [Full Story]

EU – Avoiding Breach Fines

With a new 24-hour breach reporting mandate in place for companies doing business in the EU, WatchDox Co-founder and CEO Moti Rafalin writes. “Businesses in Europe now get a single day in which to figure out what went wrong, who could be hurt by it and how they will prevent it from happening again,” adding, “With that kind of stringent reporting regulation on the books, it’s hard to imagine why any electronic communication service companies … would fail to do everything possible to avoid security breaches.” With potentially more strict breach mandates on the horizon within the proposed EU regulation, “the choice organizations face now is whether to invest in prevention or suffer the consequences of data loss in the face of new regulations and potential litigation,” Rafalin writes. [ITProPortal]

EU – Netflix Dutch Privacy Violations: Watchdog Finds Itself Unable to Bite

Online streaming service Netflix has been found in violation of Dutch privacy law, but the nation’s data protection authority is unable to take action because the company’s European headquarters is located in Luxembourg. If the company had been located in The Netherlands or outside of Europe, the regulator would have been able to take action. According to Dutch law, businesses need explicit consent from customers prior to processing data that can be directly or indirectly traced back to an individual. Sander Dekker, The Netherlands’ secretary of education, said, “Netflix gathers so much information of its customers that this can be considered extremely sensitive data … customers must give their express consent for that, which, in case of Netflix, they have not.” [ZDNet]

EU – Microsoft Asked by EU Privacy Watchdogs to ‘Improve’ Policies

European data protection regulators have asked Microsoft to tweak its Internet product policies as part of a formal probe into privacy issues. The Article 29 Working Party has “identified a number of areas where improvements are required,” according to a statement. “Microsoft was asked to send its response very shortly, explaining how and when it would implement” the recommendations. The regulators added they are confident that an agreement will soon be reached and indicated Microsoft has been cooperative during the investigation. [Bloomberg]

FOI

US – Justice Asks FISC Not to Allow Companies to Divulge Data Request Details

The US Justice Department (DoJ) has asked the FISC to deny a request from major technology companies, such as Google, Microsoft and Facebook, to publish additional details about requests for information they have received from the government. According to a September 30 DoJ filing, divulging the specific numbers of requests, and in some instances, the nature of the requests, would “be invaluable to our adversaries.” The companies expressed their disappointment, with a yahoo spokesperson noting that the decision “ultimately breeds distrust and suspicion – both of the United States and of companies that must comply with [their] directives.” [WashPost]

Google

WW – Google Unveils Plans for User Names, Comments to Appear In Ads

Google plans to launch ads similar to Facebook’s “social” ads, which incorporate photos, comments and names of users. The changes were announced in the company’s revised terms of service last week. EPIC’s Marc Rotenberg said such ads unfairly commercialize Internet users’ images. Sen. Ed Markey (D-MA) has asked the Federal Trade Commission (FTC) to look at Google’s privacy changes, writing in a letter to the FTC that the policy raises questions about “whether Google is altering its privacy policy in a manner inconsistent with its consent agreement with the commission and, if the changes go into effect, the degree to which users’ identities, words and opinions could be shared across the web.” [Reuters]

US – Google Wins Dismissal of Suit Over Web Browser Cookies

Google has won the dismissal of a lawsuit that alleged it had violated computer users’ rights by slipping electronic cookies into their web browsers in the name of targeted advertising. Consumers sued in federal court alleging Google tricked their browsers into accepting the cookies. But U.S. District Court Judge Sue Robinson said in her opinion that users “didn’t demonstrate that Google intercepted any ‘contents or meaning’” under California’s Invasion of Privacy Act, the report states. [Bloomberg]

WW – Google Modifies Analytics In EU-Wide Privacy Concession

In a surprise turnaround, Google will begin offering data processing agreements to websites using Google Analytics in the EU, Iceland, Norway and Switzerland. Since 2011, Google has only offered the agreements in Germany, but after pressure from the Article 29 Working Party to make the agreements EU-wide, Google said in a statement, “Over the last few years, Google Analytics customers have asked us to offer data processing agreements that clarify how Analytics data is stored, used and secured. In response to this demand, we’re pleased to provide an optional data processing agreement to Google Analytics customers,” adding, so far, the agreement will only be available in English. The Dutch data protection authority (DPA) has not yet commented, but one privacy expert said the move is significant, adding, “It’s clearly the result of the close coordination of the different DPAs in this case.” Meanwhile, the U.S. Supreme Court has declined a Google Adwords privacy lawsuit. [IDG News Service]

US – Google Wants Wiretap Law Review Before Trial

Google has asked a federal judge for permission to take questions about federal wiretapping laws before a Gmail class-action advances any further. Multi-district claims over Google’s changes to its privacy policy last year have been combined into a single, massive class-action accusing the company of violating federal and state wiretapping, privacy and computer fraud laws. In a recent filing, Google said it wants questions about exceptions to the Electronic Communications Privacy Act answered by the Ninth Circuit before the suit moves forward. [Courthouse News Service]

Health / Medical

US – Texas HSA Tells Providers: Get Certified

The Texas Health Services Authority is encouraging HIPAA-compliance for providers and its call for providers to become privacy and/or security-certified. Citing the potential penalties at the state and federal level—including the Texas Medical Records Privacy Act’s authorization of fines ranging from $5,000 to $1.5 million per violation—the report highlights the authority’s efforts moving forward on a voluntary HIPAA compliance certification program authorized in a 2011 state law. The Health Information Trust Alliance is creating the certification recommendations .[HealthData Management]

US – Tiger Team Hears “Accounting for Disclosures” Testimony

At a hearing before the Health IT Policy Committee’s Privacy and Security Tiger Team on providing patients with information about access to their healthcare data. The hearing on the “Accounting for Disclosures” policy mandated by the HITECH Act included comments from various stakeholders. Patient Privacy Rights’ Deborah Peel “recommended that regulators require health IT developers to provide open access to logs that record every instance a patient’s digital health information is accessed or shared over a network,” the report states, while “doctors, insurers and software developers said such a policy is not feasible.” The committee is currently scheduled to meet October 9. [iHealthBeat]

Horror Stories

WW – Adobe Issues Security Updates for Reader, Acrobat, and RoboHelp

On Tuesday, October 8, Adobe released two security updates for Reader and Acrobat. The first update addresses a memory corruption flaw in RoboHelp 10 publishing software. The second update addresses a regression in Reader and Acrobat that affects Javascript security controls. Both updates are for Windows only. [Internet Storm Center] [SANS Bulletin] [SC Magazine] [CBR online] [InfoSecurity] [Reader and Acrobat]

WW – Attackers Steal Adobe Product Source Code and Access Customer Data

Hackers broke into Adobe’s network where they stole source code for a number of products, including Acrobat, ColdFusion, and ColdFusion Builder. They also accessed customer data, including account login credentials and nearly three million payment card records. The stolen data were stored on the same server used by the criminals who stole data from LexisNexis, Kroll, and Dun & Bradstreet. Adobe believes the attackers accessed the source code repository in mid-August. [Krebs] [CNET] [ArsTechnica] [BankInfoSecurity] Adobe Announcements: [Illegal Access to Adobe Source Code] [Customer Security Announcement] [Internet Storm Center:]

WW –2.9 Million Customers Affected by Cyber-Attack

Adobe has confirmed that 2.9 million customers had private data including passwords and payment card information stolen “during a ‘sophisticated’ cyber-attack on its website,” BBC reports. The illegal access of a variety of products’ source code is also being investigated, the report states. “We deeply regret that this incident occurred,” said Adobe CSO Brad Arkin, adding, “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.” However, a security expert has told BBC, “Access to the source code could be very serious … if hackers manage to embed malicious code in official-looking software updates, they could potentially take control of millions of machines.” [BBC]

WW – October Shaping Up to Be Month of Innumerable Breaches

PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month’s onslaught of breach reports from across the globe, the world’s premiere search engine is acknowledging just how devastating a breach could be. “If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports , he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.” In this exclusive for, we round-up an already very busy month in data breaches and responses. [The Privacy Advisor] Amidst last week’s reports of a hack affecting 2.9 million customers, Adobe is resetting relevant customer passwords and “notifying customers whose credit or debit card information may have been compromised.” Meanwhile, in the wake of privacy concerns about the reuse of inactive Yahoo e-mail addresses, PCWorld reports on Microsoft’s recycling of old addresses . And from medical data to personal information, breaches are being reported across the globe. In the UK, human error resulted in the exposure of hundreds of personal e-mail addresses, while the Information Commissioner’s Office has revealed that despite prior warnings, sensitive personal data was “incorrectly handled” by Luton Borough Council staff. In Ireland, The Journal reports on 11 patient data breaches at hospitals in a six-month period. And in the U.S., North Carolina-based CaroMont Health exposed about 1,300 patients’ data in an unsecure e-mail, and Natural Provisions, a Vermont grocery store chain, has agreed to pay $30,000 to settle a violation of state data breach laws. [Mondaq]

US – School District, Health-Related Breaches Reported

A New Orleans teachers’ union claims the East Baton Rouge Parish school system violated its employees’ privacy rights when it purchased a full-page ad to congratulate—by name—1,113 educators, The Advocate reports. In Illinois, a local hospital is alerting some of its patients of a possible data breach after a laptop was stolen from an employee’s car. In California, a public health unit is notifying almost 600 patients that their protected health information has been compromised after a laptop was stolen there. And in Iowa, law enforcement is investigating a breach of electronic medical records after a third-party company gained access to the system using an authorized user’s password. Meanwhile, healthcare experts have been discussing concerns related to the need to share veterans’ healthcare data and recent breaches at Veterans Affairs. [Full Story]

Internet / WWW

US – Ad Groups Working on New Tech for Opt-Out

With the W3C’s efforts on Do Not Track moving along again with a call October 9, The San Francisco Chronicle details work by the Digital Advertising Alliance and the Interactive Advertising Bureau to develop technology that would allow consumers to opt out of online tracking “when methods other than traditional cookies are deployed.” The article focuses on a firm called BlueKai, which develops technology for data transfer independent of cookies, but with “the same transparency and notices that cookies have.” [Full Story]

US – Silk Road Bust Shows Feds Penetrating Deep Internet Anonymity

The bust this week of the notorious online entrepreneur Dread Pirate Roberts, now known to be Ross William Ulbricht, a 29-year-old from San Francisco, CA, and the closing of his Silk Road online marketplace for illicit drugs and other sundries, shows U.S. law enforcement is infiltrating ever deeper into the “Deepnet” or “hidden Internet.” Silk Road operated on the Tor anonymity network and was used by thousands to get home deliveries of everything from cocaine to fake passports. Because of Tor’s ability to shield IP addresses and online personas, it can be difficult to uncover the identities of those running these kinds of marketplaces that are hidden from the vast majority of Internet users. In this case, it may be that Ulbricht was undone by his use of a Gmail address. [CSO Online]

US – “Big Data” Likened to Atomic Power and Other NSA-Related News

A scientist suggests that Big Data is akin to atomic energy in that “it’s very beneficial when used ethically and downright destructive when turned into a weapon.” Meanwhile, in its ongoing series examining the digital trails we leave behind “and who potentially has access,” NPR considers whether the Fourth Amendment provides any protection. And a Tech Dirt feature focuses on 2013 IAPP Vanguard Award winner and former Department of Homeland Security (DHS) CPO Mary Ellen Callahan, founder and chair of Jenner & Block’s Privacy and Information Governance Practice. The report cites Callahan’s comments in support of protecting Americans’ privacy rights amidst what its author references as a “lack of respect for privacy in both (DHS) and the wider intelligence community.” [TechDirt]

Law Enforcement

CA – Police Consider Wearable Cameras

The Toronto Police Service is considering wearable cameras for its police force. The aim of the wearable cameras is to provide the police and the public with better accountability. Deputy Chief Peter Sloly said the force is in the process of researching the cameras and understanding the potential logistical factors. “We’ll have to look at the IT supports,” he said, “the governance—there’ll be privacy issues.” The cameras would potentially be worn on glasses to record incidents from the officer’s view. A representative from the Canadian Civil Liberties Association has expressed concern over the technology, saying that “if you have all these things on your databases, what are the other potential uses of this? Have they thought this through?” [The Globe and Mail]

Location

US – Advertisers Finding New Ways to Track Mobile Users

New trends in mobile tracking—even if “tracking is a dirty word” now, according to Eric Rosenblum, COO at Drawbridge, a start-up that is “observing your behaviors and connecting your profile to mobile devices.” Thus, advertisers are now able to connect desktop browsing with mobile devices based on app downloads and other indicators. Other firms, like Flurry, Velti and SessionM are doing similar work in helping advertisers like Ford, American Express and Expedia better target potential customers, according to the report. For many advertisers, the report says, “cookies are becoming irrelevant.” [The Boston Globe]

WW – Indoor Location Market Set to Boom; Privacy Concerns Loom

Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations“ function—and the new iPhone’s motion sensor chip are raising privacy concerns. [MediaPost]

WW – Bolstering Brick-and-Mortar Transparency

Improved technology now allows brick-and-mortar retailers to collect data—including location and contacts—from customers’ smartphones, but according to research conducted by Create with Context (CwC), only 33% of the customers surveyed were aware of such collection. Previous research has revealed that when customers are unaware of such data collection—but then find out about it later—trust erodes. “How, then,” Ilana Westerman and Gabriela Aschenberger, both of CwC, ask, “can businesses create transparency around data collection?” [Full Story]

WW – App Tracks Consumers in Exchange for Discounts

A new shopping app tracks consumers and gives them discounts based on their location. Capable of detecting microlocation—detecting such minute details as the aisle of a store in which a consumer is standing—it communicates with the Bluetooth in users’ cellphones and alerts them to tailor-made discounts. The app’s investors and CEO “are betting on the fact that consumers won’t mind tracking if they get a significant payback from it,” the report states. The app raised $8 million in venture capital Tuesday. [Blouin News]

Online Privacy

WW – Facebook No Longer Lets Users Hide from Search

Facebook has announced the final phase of removing an old privacy feature from the site. The feature, called “Who can look up your timeline by name?” allowed users to be hidden from searches if they so chose. Those users will now begin to see removal notices from Facebook. Now, user “timelines” will only be private when marked to be seen by “friends only.” Facebook says only a single-digit percentage of users on its network were using the setting. [USA TODAY]

EU – Privacy Group Receives Facebook Response

Privacy activist group Europe-v-Facebook has received responses from Facebook to complaints about the company’s privacy policy, but the Irish Data Protection Commissioner (DPC) said the group was barred from releasing them, Computerworld reports. According to the group’s website, however, the DPC has clarified its decision and will allow the group to publish the 200-page response. The group originally filed the complaints with Facebook two years ago, claiming the social network’s privacy policies violate European data protection law. “After two years of constant battling, we finally received the ‘counterarguments’ by Facebook,” wrote Europe-v-Facebook, which now has until October 17 to comment on Facebook’s responses. The DPC will circulate a draft of its decision in the case prior to publishing its final decision. [Full Story]

WW – W3C Do Not Track in Limbo

The W3C’s Tracking Protection Working Group voted on whether to continue its efforts. The results? That remains unclear. The voting itself is public and can be found here. However, even one of the group’s new chairs isn’t sure how to interpret the results. With no option clearly the winner, the Center for Democracy and Technology’s Justin Brookman, who joined the group as chair just last month , said he is unsure of the group’s next step, adding W3C Director Tim Berners-Lee would make the ultimate decision. [The Privacy Advisor]

WW – W3C to Vote on DNT Effort

Web standards group the World Wide Web Consortium is set to vote Wednesday on whether it will continue with its Do-Not-Track (DNT) standard. Justin Brookman, the group’s newly appointed co-chairman, said he expects stakeholders “will express a desire to move forward,” adding, “We’ve had a couple of calls under the new leadership now, and so far the new structure seems to be working.” If the group expresses a desire to not move forward, Brookman said it would be “better to end it now than spend another two years squabbling and not coming to a resolution because people aren’t invested in the process.” The Washington Post reports that the increasing move by consumers to mobile will likely make current cookie-based DNT technology less relevant. According to several surveys, the majority of users now surf the web via mobile apps rather than browsers. [The Hill]

WW – Facebook Changes Teen Privacy Rules

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.” [Facebook]

US – DMA Releases Study Touting Data-Driven Job Production

The Direct Marketing Association (DMA) has released a study indicating data-driven marketing led to 675,000 jobs in the U.S. in 2012. The study responds to an increasing focus on regulating online tracking and data-driven marketing, a push that often puts the online ad industry on the defensive. The DMA’s Rachel Thomas said the study’s release aims to help change that. Meanwhile, the Better Business Bureau says “a ‘significant minority’ of publishers don’t follow self-regulatory rules requiring enhanced notice about data collection,” MediaPost reports. [The Hill]

US – Data-Mining App Receives $10M in Funding

Refresh, a mobile app mines data of individuals present at meetings by gleaning information from social networks and other publicly available sources, and how the app has just received $10 million in venture capital. Refresh founder Bhavin Shah said, “It’s common now for each of us to have 10-plus years of posts, tweets, job history, Q&A, check-ins, etc. Now is the right time to start leveraging that fragmented information to make us more thoughtful and intelligent about our friends, colleagues and everyone we meet.” He added that Refresh’s work “allows us to anticipate who you’re going to meet today and consolidate interesting information about them into a just-in-time dossier delivered to your smartphone.” [Fast Company]

Other Jurisdictions

AU – OAIC Releases Best Practice Guide for Apps

The Office of the Australian Information Commissioner (OAIC) has unveiled a guide to help mobile app developers embed better privacy practices into their products. Mobile Privacy: A Better Practice Guide for Mobile App Developers recommends developers use short privacy notices. Privacy Commissioner Timothy Pilgrim said app developers should adopt a Privacy-by-Design approach. “The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust,” he said. A ZDNet report, however, suggests, “Short of enforcing privacy laws on app store curators, it is doubtful that the developers will implement the otherwise worthy privacy protections.” Meanwhile, the OAIC’s 2013 Community Attitudes to Privacy Survey, which will be released in full on 9 October, indicates six in 10 Australians choose not to use smartphones apps due to privacy concerns. [TechWorld]

AU – Gov’t Urged to Rewrite Terms of Reference

The federal government has been urged to rewrite the terms of reference for its inquiry into privacy law. The terms of reference were drawn up by former Attorney-General Mark Dreyfus and require the commission “to produce detailed plans for a privacy tort or statutory cause of action,” the report states. The commission is expected to publish an issues paper next week based on those terms of reference, the report states. In the last six months, it has become clear “the major threat to privacy is the role of the state,” said Media Entertainment and Arts Alliance Secretary Chris Warren, adding that large data aggregators are going to be a key issue moving forward. [The Australian]

ZB – Zimbabwe Passes Centralized SIM Card Database

The Statutory Instrument 142 of 2013 on Postal and Telecommunications (Subscriber Registration) Regulations 2013 establishes a central database of information about all mobile telephone users in the country based on powers granted through the Interception of Communications Act. The Statutory Instrument requires telecommunications providers to establish a subscriber database of all SIM card holders including phone numbers, names, addresses, genders, nationalities and passport or ID numbers, then regularly submit copies to the government, which will create its own central subscriber information database. [Kubatana]

Privacy (US)

US – Markey Urges FTC to Vet Tracking Technologies

Sen. Ed Markey (D-MA) has called on the FTC to investigate technologies that allow companies to track users across multiple devices. “Such persistent and pervasive tracking raises a number of important privacy concerns for all Americans,” Markey said in a letter to the FTC Thursday. Meanwhile, a new report from privacy researchers indicates many websites are using new technology to secretly track users’ browsing habits. At the EmTech 2013 conference in Cambridge, MA, this week, a senior advisor to Microsoft CEO Steve Ballmer said a new privacy model is needed to address the ways data is gathered, eWEEK reports. [The Hill]

US – Airbnb Says “Nay” to AG’s Request for Data

New York State Attorney General (AG) Eric Schneiderman demanded that apartment-sharing site Airbnb release user data on 15,000 New York City apartment hosts to investigate the legality of the site, but Airbnb has filed a motion in the New York State Supreme Court objecting to the AG’s demands. In a statement, an Airbnb spokesman said, “The subpoena issued by the attorney general last Friday goes well beyond bad actors and demands information about thousands of regular Airbnb hosts in New York. So, we made it clear to the attorney general’s office from the very beginning that we would never agree to this type of government-sponsored fishing expedition.” [Business Insider]

US – Hulu Seeks Dismissal of VPPA Case

Hulu is seeking dismissal of a lawsuit accusing it of violating the federal Video Privacy Protection Act (VPPA) “on the grounds that the web users who filed suit didn’t suffer any injuries,” MediaPost News reports. Hulu is facing a potential class-action for allegedly violating the law “by revealing information about their movie-viewing history to comScore and Facebook,” the report states. But in court papers filed Wednesday, Hulu contends that the law specifies those who are “aggrieved” by violations may seek damages. “Congress could have worded the VPPA to provide monetary relief merely on a showing of an improper disclosure,” Hulu’s motion states. “But it did not do so.” [Full Story]

US – One Class-Action Dismissed; Another Dismissal Sought

A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action. In the NebuAd-related case, U.S. District Judge Edmond E. Chang has ruled that ISP WideOpen West Finance LLC “faces no liability” under privacy laws. In the Symantec case, the company has asked a California federal judge “to toss a user’s amended proposed class-action accusing the software company of concealing a data breach by hackers who stole source code, calling the user’s claims vague and deliberately obtuse,” the report states. [Law 360]

US – Group Presses for Safeguards on the Personal Data of Schoolchildren

Common Sense Media is calling for the educational technology software industry “to develop national safeguards for the personal data collected about students from kindergarten through high school.” In a letter sent to 16 educational technology vendors, the advocacy group urged that student data be used “only for educational purposes and not for marketing products to children or their families.” Common Sense Media CEO James P. Steyer said, “We believe in the power of education technology, used wisely, to transform learning … But students should not have to surrender their privacy at the schoolhouse door.” [The New York Times]

US – State AG: Federal Breach Law? No Way

Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at this week’s IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. In this exclusive for The Privacy Advisor, Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way.” [Full Story]

US – Callahan Named Vanguard; Innovation Award Recipients Announced

And the 2013 Privacy Vanguard Award goes to Mary Ellen Callahan, former chief privacy officer of the U.S. Department of Homeland Security. Announced Tuesday evening at the annual IAPP Privacy Dinner held in conjunction with the IAPP Privacy Academy in Seattle, WA, Callahan, who is founder and current chair of Jenner & Block’s Privacy and Information Governance Practice, was praised for her visionary leadership and extensive work in consumer protection law. Also at the Privacy Dinner, this year’s HP-IAPP Privacy Innovation Awards recipients were announced. Johnson & Johnson, Canadian Primary Care Sentinel Surveillance Network and Considerati were honored for their unique programs. [Full Story]

US – Advocates Call for Open Talks, Warn NSA Weakening Cybersecurity

A group of privacy advocates is warning that attempts by the U.S. National Security Agency (NSA) to weaken encryption for surveillance access will create mistrust in U.S.-based Internet companies around the world. Alan Davidson, a visiting scholar at the Massachusetts Institute of Technology and former Google public policy director, said for U.S. businesses, it is “terribly debilitating and undermining to have the rest of the world thinking there have been backdoors built into their systems to help the U.S. government.” The developments will also erode trust in the U.S. National Institute of Standards and Technology because of reports the standards group aided the NSA in tampering with the standards. Meanwhile, six privacy advocacy organizations are calling on the U.S. House of Representatives Privacy Working Group’s leaders to open up its meetings with tech companies to the public. [PC World]

US – One Class-Action Dismissed; Another Dismissal Sought

A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action. In the NebuAd-related case, U.S. District Judge Edmond E. Chang has ruled that ISP WideOpen West Finance LLC “faces no liability” under privacy laws. In the Symantec case, the company has asked a California federal judge “to toss a user’s amended proposed class-action accusing the software company of concealing a data breach by hackers who stole source code, calling the user’s claims vague and deliberately obtuse,” the report states. [Law 360]

US – Eggers Book Satirizes Threat to Privacy

Dave Eggers’ book The Circle, satirizes the threat to personal privacy from technology giants. “Entertained at nightly campus events by famous musicians and artists, fed by celebrity chefs and bombarded by swag, employees of the Circle corporation are expected to bask in their mutual privilege through constant oversharing in the company’s thriving social networks,” the report states. The book’s protagonist, through incentives, begins living a fully transparent life online, delivering Eggers’ message that “too many of us flock to the Internet all too willing to abandon any sense of privacy around both our personal information and our inner lives.” The New York Times  wonders if the novel will change the way we use technology. [The Associated Press]

US – Student Data Repository Debate Continues

The New York Times reports on the ongoing questions surrounding school district plans to outsource student data storage and the privacy implications. The article focuses on how a Colorado superintendent saw nonprofit data repository inBloom as a fix for managing data currently in multiple databases in the cloud. But “a series of parents, school board members and privacy lawyers assailed the plan to outsource student data storage to inBloom.” Among those who voiced concerns was EPIC’s Khaliah Barnes, who said, “While we understand the value of data for promoting and evaluating personalized learning, there are too few safeguards for the amount of data collected and transmitted from schools to private companies.” The district is expected to decide on the plan by January, the report states. [New York Times]

US – Rosenthal Is NAI’s New General Counsel, VP

The Network Advertising Initiative (NAI) has announced that longtime member company representative Noga Rosenthal has joined the NAI as its general counsel and vice president of compliance and policy. Rosenthal, who was formerly the senior vice president of 24/7 Media and Media Innovation Group, LLC, “will assist the NAI in its core mission of reinforcing responsible business and data management best practices through the development and rigorous enforcement of high standards.” “With online advertising expanding every year and the role of third parties and the technologies they employ highly debated by lawmakers and industry representatives, it is an incredibly important time to be joining the NAI team,” Rosenthal said. [Ad Ops]

US – AGs: We Aren’t Afraid to Flex Our Muscles

Representatives from the offices of three state attorneys general (AGs) said they aren’t reluctant to bring actions against companies involved in data breaches. Vermont Attorney General William Sorrell said AGs would bring such action to “serve as an example to other companies and … to have a relatively equal playing field.” Joanne McNabb of the California AG’s office pointed to the recent creation of a privacy unit under California AG Kamala Harris as proof of privacy’s importance to the state. [Bloomberg]

US – Hulu Seeks Dismissal of VPPA Case

Hulu is seeking dismissal of a lawsuit accusing it of violating the federal Video Privacy Protection Act (VPPA) “on the grounds that the web users who filed suit didn’t suffer any injuries.” Hulu is facing a potential class-action for allegedly violating the law “by revealing information about their movie-viewing history to comScore and Facebook,” the report states. But in court papers filed Wednesday, Hulu contends that the law specifies those who are “aggrieved” by violations may seek damages. “Congress could have worded the VPPA to provide monetary relief merely on a showing of an improper disclosure,” Hulu’s motion states. “But it did not do so.” [MediaPost News]

Privacy Enhancing Technologies (PETs)

WW – Cyber security: Privacy experts profit from Prism uproar

A burgeoning privacy-enhancing technology business and the rising profits is stemming from Edward Snowden’s surveillance disclosures. Businesses and governments, in addition to journalists, are demanding encryption services for protection. Silent Circle, which offers text and phone encryption services, is used by 16 of the Fortune 50 companies. Silent Circle CEO Mike Janke said, “We were growing 100% a year before the NSA/PRISM scandal; now we are growing at 400%.” He added, “Ten years ago, if you had encryption on a device, people asked what you are hiding. Now if you’re a businessperson and you don’t have it, people ask if you’re stupid.” Capital is also being invested in the privacy tech industry. All Things D reports that privacy startup Personal, which offers a digital vault service, has raised $4.5 million. According to USA Today, Yahoo will begin default encryption services in January. [Financial Times]

Security

WW –Shortage of Cyber Security Professionals Felt Worldwide

Countries around the world, including the US, the UK, Brazil, and Indonesia, are establishing cyber forces to help defend critical networks from attacks. However, there are not nearly as many qualified specialists as are needed. The governments are also facing competition from private industry for the scarce resources; private industry offers higher salaries. Most universities are not graduating high numbers of students with necessary skills, and the coursework is more theoretical than practical. Hacking contests around the country are designed to identify people who have a talent in the area, and to raise awareness of the need for talented specialists. [NBCNews] [Japan Needs 80,000 Infosec Professionals]

US – Voluntary Exec Order Cybersecurity Standards Are Baseline Expectations

US companies that do not comply with voluntary cybersecurity standards being developed under the White House Executive Order could find themselves facing liability risks. While the standards will be voluntary, organizations that do not adopt them may face negligence, shareholder, and breach of contract lawsuits if they suffer a breach. The EO standards advise organizations to identify the most valuable data and classify them. The Information Week article points out that, “There is a major difference between being ‘compliant,’ and being ‘secure'” and that securing data is not an endgame – it’s a posture. Defenses built to protect the data must be monitored. The release has been delayed because of the government shutdown. The government will take public comment on the draft standards until February 2014. [Information Week] [ComputerWorld]

BR – Brazil Plans Secure Government eMail System

The Brazilian government has given the country’s Federal Data Processing Service (Serpro) the job of creating a secure email system to protect the government’s electronic communications from being intercepted by foreign intelligence agencies. According to leaked NSA documents, various intelligence agencies have electronically spied on Brazilian citizens, government officials, and the country’s national oil company, Petrobras. [CpomputerWorld]

Surveillance

US – Are Providers Outside the U.S. Safer from Gov’t Intrusion?

The National Security Agency’s (NSA) harvests hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world. Each day, the NSA collects contacts from about 500,000 buddy lists and web-based e-mail accounts, the report states. Meanwhile, Solicitor General Donald Verrilli has asked Supreme Court justices not to hear the Electronic Privacy Information Center’s case asking for an immediate shutdown of NSA phone surveillance of Americans. In San Francisco, tech company BitTorrent has owned up to defacing its own billboards in order to capitalize on privacy fears following NSA revelations. And a U.S. appellate court has unsealed a set of documents pertaining to Lavabit, whose founder resisted government pressure for access to it. Ars Technica says, despite NSA revelations, foreign e-mail providers may not be any safer from government intrusion than those based in the U.S. [Washington Post]

US – NSA Attempts to Crack Tor Are (Mostly) Unsuccessful

According to leaked documents, the NSA attempted to monitor targets using Tor by exploiting vulnerabilities in Firefox. NSA and its UK counterpart, GCHQ, have been trying for some time to crack Tor. Short for The Onion Router, Tor is an online anonymization service that helps users hide their identities and their online activity by routing encrypted traffic through other computers, which are volunteered by those machines’ owners. One of the attempts to break Tor involved infecting the computers of Tor users. The report indicated that the NSA has been unsuccessful in decrypting Tor communications but had managed to “de-anonymize a very small fraction of Tor users.” [BBC] [Guardian] [Schneier] [Ars Technica]

US – Privacy Fears Grow as Cities Increase Surveillance

Increased use by local law enforcement agencies of Big Data surveillance technology are raising corresponding privacy concerns. Particularly, the city of Oakland, CA, recently received $7 million in federal funding to help fight terrorism at its major port. The money, according to the report, is being used for a police initiative including the purchase of gunshot-detection sensors in East Oakland and license plate scanners in police cars. Federal money is also supporting similar initiatives within the New York Police Department, including a system that links more than 3,000 surveillance cameras with license plate readers, radiation sensors, criminal databases and terror suspect lists. Oakland City Councillor Libby Schaaf said “it’s our responsibility to take advantage of new tools that become available,” but added that the system could “paint a pretty detailed picture of someone’s personal life, someone who may be innocent.” [The New York Times]

Telecom / TV

US – New TCPA Rules in Effect

The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) went into effect October 15. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. [Covington & Burling client alert]

US Government Programs

US – TSA’s “Pre-Check” Raising Concerns

The Transportation Security Administration (TSA) Pre-Check program, which is due to formally launch this fall, “will already have the enthusiastic endorsement of frequent travelers—and an equally enthusiastic denouncement from privacy advocates.” The Pre-Check “trusted travelers” program may allow enrollees to bypass airport security lines, but it has privacy advocates pointing out that even those who pay the fee to enroll have no guarantee they’ll be included and those who are excluded may not be told why. “If you sign up, you’ll want to keep your nose clean for the rest of your life,” noted the Center for Democracy & Technology’s Gregory Nojeim, “because that’s how long the FBI will keep your fingerprints.” [The Washington Post]

US – FISC Approves NSA’s Request to Renew Phone Metadata Collection

The US Foreign Intelligence Surveillance Court has reauthorized the NSA’s phone call metadata collection program. The previous authorization order expired on October 11. News of the reauthorization was disclosed in a press release from the Office of the Director of National Intelligence. [ArsTechnica] [The Hill] [DNI Press Release]

US – Judge: Intelligence Director Withheld Docs Properly

A federal judge has ruled the director of national intelligence properly withheld documents related to how his office uses databases to fight terrorism. The Electronic Privacy Information Center filed suit in Washington, DC, after obtaining documents via a Freedom of Information Act request with the Office of the Director of National Intelligence on how the National Counterterrorism Center gets information from other federal agencies, the report states. Meanwhile, Director of the National Security Agency (NSA) Gen. Keith Alexander said the NSA must regain consumer and industry trust . In an opinion piece for Aljazeera America, Dan Froomkin opines that what’s needed is not promises from politicians but a public discussion of what privacy means in this new era. [Courthouse News Service]

US – General Alexander’s Scope of Influence Raises Concerns

NSA Director General Keith Alexander also heads the US military’s Cyber Command. Some have expressed concern about Alexander’s dual roles. The Brookings Institute’s Peter Singer said that it “blurs the lines between a military command and a national spy agency.” Alexander defends the breadth of his influence, saying, “We all operate on the same network. You create more problems by trying to separate them and have two people fighting over who’s in charge.” Jason Healey director of the Atlantic Council’s Cyber Statecraft Initiative said. “We’re allowing the same commander to tell us how bad the problem is and propose and implement solutions to fix it.” [WashPost]

US – Proposed Legislation Would Reform Foreign Intelligence Surveillance Court

Two US legislators are sponsoring a bill that would reform the Foreign Intelligence Surveillance Court (FISC). The proposed legislation is a companion bill to one introduced in the Senate earlier this year. Among its provisions are the creation of an Office of the Constitutional Advocate to argue for civil liberties during court proceedings and a requirement that the Attorney General declassify or summarize certain FISC decisions. [WashPost]

US – NSA Admits to Cellphone Location Data Gathering Pilot

The NSA has acknowledged that in 2010, it initiated a test project to collect wholesale cellphone location data on regular citizens, but ended the program in 2011 because it did not provide “operational value.” NSA director General Keith Alexander said on Wednesday, October 2, that sample cellphone location data were collected “to test the ability of [the NSA’s] system’s to handle the data format, but that data was not used for any other purpose.” Alexander had evaded answering a question about the subject last week in a hearing. Senator Ron Wyden (D-Oregon) suggested that there is still “significant information” that has not been disclosed. [WashPost] [Register]

US – More Privacy Victims of the Govt. Shutdown

Groups tasked with U.S. intelligence oversight have suffered a setback at the hands of the U.S. federal government shutdown. According to a Politico report, the five-member Review Group on Intelligence and Communications Technologies, the independent surveillance oversight board created by President Barack Obama to respond to criticisms of the National Security Agency’s activities, met with Congressional intelligence leadership on Tuesday, but member Michael Morell, former director of the CIA, declined to take part, saying it was inappropriate in light of the shutdown. Then, on Friday, the Review Group’s staff was furloughed by the Office of Director of National Intelligence James Clapper. The volunteer board is free to meet, but all travel funds, etc., are frozen. Similarly, the Privacy and Civil Liberties Oversight Board was supposed to hold a public hearing Friday on proposals for changing surveillance programs but postponed the session because witnesses were unable to appear. Roughly 70% of the intelligence community in the U.S. is currently on furlough. Meanwhile, some are questioning why the FTC, for example, has chosen to cut off all access to its website during the shutdown. [Full Story]

US Legislation

US – Citing “Failure of Oversight,” Patriot Act Author Sponsors Reform Bill

US Representative James Sensenbrenner (R-Wisconsin), who authored the original Patriot Act in the days following the September 11 attacks, is displeased with how the legislation has been used to justify the NSA’s data harvesting programs. Sensenbrenner is introducing legislation with co-sponsors Senator Patrick Leahy (D-Vermont) and Representative John Conyers (D-Michigan) to try to address concerns over how the law has been used. The USA Freedom Act restricts aspects of the Patriot Act’s controversial section 215 so it will be used more narrowly, in line with the original intent of the law. The bill also introduces changes to the FISC, including creating the position of public advocate to appeal court decisions that appear to violate the law, and allowing companies that have been served with the orders to specify the number of FISA orders and NSLs (national security letters) they have received and complied with. [WashPost]

US – White House Pursuing Online Privacy Bill

Now 18 months out from President Barack Obama’s unveiling of a proposal for a Privacy Bill of Rights, Politico reports that the White House is actively working on legislation that would “boost online privacy safeguards for consumers.” According to the report, the bill would define privacy rights, convene further multistakeholder approaches to defining standards and give the FTC authority to enforce codes of conduct. The Commerce Department is helping to draft the legislation, according to the report, and Rep. Lee Terry (R-NE), chairman of the House Energy and Commerce Subcommittee, has been approached about helping to shepherd the bill through Congress. The Internet Association, Direct Marketing Association and others are lining up to make sure their voices are heard. Urgency is lent by continuing NSA revelations, such as today’s news that the National Security Agency used a Firefox flaw to target users of the anonymous Tor network. [Full Story]

US – CalOPPA Introduces New Disclosure Requirements

On September 27, Gov. Jerry Brown signed into law California Assembly Bill 370, which amends the California Online Privacy Protection Act requiring businesses to disclose how they respond to Do-Not-Track (DNT) signals. The new law, which may effectively apply to any website or mobile app in the world, is the first to officially address the DNT mechanism endorsed by the Federal Trade Commission and debated by industry. While the disclosures required under the new law appear straightforward, they present formidable compliance challenges for covered businesses given that they mandate the implementation of standards and concepts that are not well settled in law or practice. [Full Story]

US – California Continues to Shape Privacy and Data Security Standards

With news that Gov. Jerry Brown has signed into law the first Do-Not-Track (DNT) legislation in the country, it’s clear that California is once again out in front of privacy law here in the U.S. The Hogan Lovells Privacy Team analyzes how California has led the way in the past, where the state is likely to head and what you need to know about the new DNT legislation and the way it’s likely to be implemented. [Privacy Tracker]

US – Montana Gun Owner Healthcare Privacy Law Goes Into Effect

As of October 1, healthcare providers—including psychological practitioners—are no longer allowed to ask patients about gun ownership, possession or use. HB 459, now Montana law at 50-16-108, M.C.A., aims to address gun owners’ concerns that medical records could be used to collect and centralize information about gun ownership. [Fairfield Sun Times]

US – DoJ, Oklahoma Rep. Considering Drone Regulations

A new report from the Office of the Inspector General (OIG) recommends that the Department of Justice look into creating rules for law enforcement’s use of drones. The OIG’s recommendation follows an audit of drone use by the FBI, Bureau of Alcohol, Tobacco, Firearms and Explosives, Drug Enforcement Administration and U.S. Marshals Service. Meanwhile, Oklahoma Rep. Paul Wesselhoft (R-Moore) is teaming up with the American Civil Liberties Union to come up with privacy laws surrounding the use of drones by the government. [The Verge]

US – Will Voters Support “Presumption of Harm” in Breach Cases?

Julian D. Perlman of BakerHostetler examines California’s move toward “amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.” Perlman writes of California Secretary of State Debra Bowen’s approval of the necessary steps to bring the Personal Privacy Protection Act to California voters, noting it “would create presumptions that an individual’s personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in,” bringing California closer to the EU’s data collection and sharing approach. [Mondaq]

US – Telemarketing Rules Go Into Effect this Month

The Federal Communications Commission telemarketing rules go into effect on October 16. The rules require companies to gain express consent before calling consumers with prerecorded messages or “robocalling” wireless numbers, the report states. Consent must be written and include the number and signature of the consumer. While an electronic signature is acceptable, the agreement must also state that consent is not required “as a condition of purchasing any property, goods or services.” [Privacy and Security Matters]

US – State AG: Federal Breach Law? No Way

Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at the IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way.” [The Privacy Advisor]

US – Revenge Porn Law Doesn’t Go Far Enough: Opinion

On Tuesday, Gov. Jerry Brown continued California’s trailblazing in privacy law by signing into law the country’s second “revenge porn” law (New Jersey was first), “levying possible jail time for people who post naked photos of their exes after bitter breakups.” However, writes Emily Bazelton, the bill doesn’t go far enough. “It makes it a misdemeanor offense to post revenge porn only if a prosecutor shows that the poster intended to inflict emotional distress, rather than treating the act of posting a sexual photo without consent as an objectively harmful invasion of privacy. And the punishment wouldn’t apply if the subject of the photo took the picture herself, which means it wouldn’t help people whose exes persuaded them to hand over photos as a sign of trust.” [Slate]

US – Will Voters Support “Presumption of Harm” in Breach Cases?

Julian D. Perlman of BakerHostetler examines California’s move toward “amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.” Perlman writes of California Secretary of State Debra Bowen’s approval of the necessary steps to bring the Personal Privacy Protection Act to California voters, noting it “would create presumptions that an individual’s personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in,” bringing California closer to the EU’s data collection and sharing approach.[Mondaq]

Workplace Privacy

WW – Report: Most Breaches Come From the Inside

A new report reveals that the most common cause of a data breach within an organization stems from inadvertent misuse of data by employees. Conducted by Forrester Research, the report, Understand the State of Data Security and Privacy , surveyed organizations from Canada, France, Germany, the UK and the U.S. with two or more employees. Approximately 42% of small- to medium-sized organizations surveyed had received some sort of internal data protection training. Forrester Analyst Heidi Shey, author of the report, said, “A lot of organizations haven’t invested in a dedicated privacy group or function,” and many IT departments have privacy as an extra layer, adding that, moving forward, organizations may conclude they need a dedicated privacy group. Meanwhile, startup Lookout is stepping into the bring-your-own-device arena by offering an app that bolsters smartphones against data breaches. [PC World]

+++