09-15 July 2021

Online Privacy

Research Shows 25% Opt-In Rates for Apple’s ATT

Studies revealed 25% of iOS users have opted in to Apple’s App Tracking Transparency framework. The lack of opt-ins is concerning for marketers of all sizes, from Facebook down to small- and medium-sized businesses, that rely on user tracking for advertising campaigns.

Data Sciences

DSCI Issues Privacy-By-Design Handbook for AI Development

The Data Security Council of India published a handbook outlining best practices for implementing data protection into artificial intelligence technologies from the design stage. The handbook maps out key privacy-by-design principles for developers to consider, including transparency, accountability, mitigating bias, fairness, security and privacy. Additionally, developers are provided tools such as checklists, a compliance map and examples of data security techniques to aid proper implementation.

Report: A Rise In AI-Based Toys Threatens Children’s Privacy

Efforts to develop artificial intelligence-based toys for kids could risk children’s privacy. Among the notable types of smart toys are smart companions, which learn and interact with children, and programmable toys that employ machine learning to educate kids.

CDEI Issues UK Guide for Privacy-Enhancing Technologies

The U.K. Centre for Data Ethics and Innovation published the beta version of its guidance on the adoption of privacy-enhancing technologies, which aims to support decision-making regarding the various deployments. The guide uses “a question and answer-based decision tree” format that encourages users “to explore which technologies could be beneficial to their use-case.” Also included in the guidance was more general background on privacy-enhancing tech and their benefits.

Biometrics

NIST Studies Facial Recognition’s Flight Boarding Accuracy

The U.S. National Institute of Standards and Technology released results of a study on the accuracy of facial recognition software for boarding airline flights, finding several algorithms confirmed passenger identities with 99.5% accuracy or better.

State Legislatures Pass on Facial Recognition Bans

At least 17 U.S. states rejected bills prohibiting or limiting government use of facial recognition technology during their 2021 legislative sessions. The majority of the bills concerned bans on deployments by state and local government entities, but each bill met pushback focused on public safety concerns and on benefits outweighing risks to individual privacy. Meanwhile, Privacy International published a guide to protestors’ privacy, noting the risks associated with biometric and artificial intelligence-based technologies. See also: More than 35 civil rights organizations are urging retailers to stop using facial recognition to screen shoppers, citing privacy concerns and disproportionate misidentification of people of color, Bloomberg reports.

Security

Report: Smart Cities Behind on Privacy, Cybersecurity

The World Economic Forum and Deloitte released a report on how smart cities are faring with their digital transformation, highlighting some shortcomings on privacy and cybersecurity. The report, which looked at smart cities in 22 countries, shows less than 25% conduct privacy assessments for new technologies and a majority of cities have not designated a cybersecurity chief.

DPAs Focusing Efforts on Insufficient Data Security

EU data protection authorities are zeroing in on companies with inadequate cybersecurity measures. Regulators in Belgium, Croatia, Norway, Spain and the U.K. are among those that have issued fines related to insufficient security safeguards. Eirik Gulbrandsen, a senior engineer at Norway’s data protection authority, Datatilsynet, said most of these security violations “are entirely preventable,” and Steptoe & Johnson Partner Charles-Albert Helleputte said the fines show regulators want to emphasize how “privacy and security in principle should go hand in hand.”

Interpol Says ‘United Global Action’ Needed Against Ransomware

The International Criminal Police Organization says “united global action” is necessary to avoid a “ransomware pandemic.” There has been “exponential growth” in ransomware incidents, and Interpol Secretary General Jürgen Stock said it has “become too large of a threat for any entity or sector to address alone.”

OCR Urges Private Sector to Beef Up Ransomware Protections

Echoing other agencies in recent weeks, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued an alert sharing resources to address and protect institutions against the recent influx of ransomware attacks. Resources included a White House Memo urging companies to strengthen their commitment to cybersecurity. Similar to other recommendations we have recently written about (for example those from NYDFS), OCR recommends that the private sector:

  1. Implement the five best practices from the President’s May 2021 Executive Order on Cybersecurity: (a) multifactor authentication, (b) early detection of cybersecurity vulnerabilities, (c) robust response to cybersecurity incidents, (d) encryption, and (e) dedicated security teams;
  2. Back up all information and data, regularly test backups, and keep the backups offline and not connected to core business systems;
  3. Update and patch operating systems, applications, firmware and other systems promptly;
  4. Test and optimize incident response plans;
  5. Run third-party checks to ensure system security; and,
  6. Segment networks to minimize damage in the event of a system compromise.

02-08 July 2021

COVID-19

Privacy Pros Concerned Over Canada’s Vaccine Passport

Privacy professionals are raising concerns regarding safeguards for Canada’s proposed vaccine passport. The exact passport methodology and protections have yet to be revealed, but professionals are taking issue with the potential collection of personal data. Global Privacy and Security by Design Centre Executive Director Ann Cavoukian said the program could “introduce surveillance like we’ve never seen before.”

Manitoba Universities, Colleges Will Not Be Making Vaccinations Mandatory on Campus

As universities across Canada wrestle with mandating COVID-19 vaccinations for a return on campus, seven universities and colleges in Manitoba say they will not make vaccinations compulsory when the fall term starts, citing legal and privacy concerns. A small handful of post-secondary institutions in Ontario, such as University of Toronto, Western University, Fanshawe College and Ontario Tech University, have made vaccinations a requirement for students living in residence. Other places, like McGill University, University of British Columbia, University of Alberta, University of Calgary and University of Regina, are not implementing such a policy.

Google API Update Enables Storage of COVID-19 Status on Android Devices

Google has updated its Passes application programming interface (API) to allow COVID vaccination and test result records to be stored as digital health passes on Android devices. Following the update, healthcare and other authorized organizations, together with government agencies, will be able to use the APIs to develop a fully digital version of COVID vaccination or test information. Once stored on their device, users will be able to access the digital certificate either online or offline, using their devices’ password, PIN, or biometric form of authentication. To protect user privacy, Google clarified users will be able to freely share their COVID Card with others, but the company will not share the information contained in it with its services or third parties, nor will it be used for targeted ads. Google will also reportedly not retain a copy of the user’s COVID vaccination or test information. The COVID Cards feature is currently available on devices running Android 5 or later.

Biometrics / Identity

Facial Recognition Fraud on the Rise

The Wall Street Journal reports on the rising exploitation of vulnerabilities in facial recognition systems by hackers. Parmy Olson outlines the tactics being used to fool systems, including artificial intelligence-based deepfakes and “Frankenstein faces,” while also diving into the motives behind the attempted hacks and possible preventative measures being explored. Potential solutions include algorithm redesigns and training systems on a range of altered faces.

Genetics Firm Collecting Health Data on Millions of Women Globally

Chinese-based genetics company BGI Group is collecting women’s health data from a prenatal test taken by more than 8 million women globally. The test was created in collaboration with the People’s Liberation Army of China and marketed around the world starting in 2013. BGI stores leftover blood samples and genetic data for population research, but the company maintained its collection is in compliance with relevant privacy laws, including explicit consent for collection and destruction of data after five years.

Chinese Gene Company Using Prenatal Tests to Harvest Data from Millions of Women

A Chinese gene company selling prenatal tests around the world developed them in collaboration with the country’s military and is using them to collect genetic data from millions of women for sweeping research on the traits of populations, a review of scientific papers and company statements found. U.S. government advisors warned in March that a vast bank of genomic data that the company, BGI Group, is amassing and analyzing with artificial intelligence could give China a path to economic and military advantage.

Cryptographic Technique Can Preserve Genetic Privacy in Criminal DNA Profiling

Crime scene DNA analysis can help identify perpetrators, but current methods may divulge the genetic information of innocent people. Cryptography can protect genetic privacy without hampering law enforcement, Stanford researchers say.

Latest Apple Patent Extension Filing Suggests Touch ID Biometrics on iPhone Power Button

Future iPhone releases may follow the iPad Air’s lead by integrating Touch ID biometrics in the power button. The 19 new claims relate mostly to the method of implementation and the electronic device, and describe fingerprint authentication as a first step towards unlocking and a last step towards locking the iDevice. The described electronic device could also include Face ID biometrics.

Biometric Payment Technology Changing Restaurant Experience for Guests

Experts and analysts predict self-service growth: constraints brought about by the coronavirus pandemic have led to significant changes in the way restaurant guests get access to menus, make orders and pay, with self-service kiosks and Point of Sale terminals presenting an opportunity to meet changing customer expectations with biometrics.

Google Must Face Voice Assistant Privacy Lawsuit – U.S. Judge

A federal judge said Google must face much of a lawsuit accusing the company of illegally recording and disseminating private conversations of people who accidentally trigger its voice-activated Voice Assistant on their smartphones.

Online Privacy / Surveillance

Concerns Grow Over Kids’ Debit App’s Data Collection

Greenlight is a kids’ finance technology application. According to Greenlight’s privacy notice, the app has the right to share users’ personal data, including names, birth dates, email addresses, location history, purchase history and more, with third-party vendors. The notice also allows Greenlight to serve targeted advertisements based on the data it collects. A spokesperson said the sharing provisions were devised for future “merchant-funded offers to parents,” which would use “aggregated and anonymous information.”

ICO Crafting Draft Guidance for Children’s Code Compliance

The U.K. Information Commissioner’s Office is working on its initial draft for guidance to help organizations adhere to the agency’s Children’s Code. The draft guidance will be tested through virtual events and the ICO will accept feedback on the most effective approaches to embedding transparency practices into design processes.

Apple’s iPhone is So Good at Protecting Privacy, Advertisers are Giving Up and Switching to Android

The release of Apple’s App Tracking Transparency feature is already sending advertisers flocking to Android. Originally released as part of iOS 14.5, Apple’s new iPhone privacy-oriented feature provides users with an unprecedented amount of control over the data apps are allowed to track.

Twitter Shares Ideas Around New Privacy Features, Including A Way to Hide Your Account from Searches

Twitter today has shared a few more ideas it’s thinking about in terms of new features around conversation health and privacy. This includes a one-stop “privacy check-in” feature that would introduce Twitter’s newer conversation controls options to users, and others that would allow people to be more private on the service, or to more easily navigate between public and private tweets or their various accounts.

Atlas VPN’s New Cutting-Edge Privacy Feature Allows Users to Have Rotating IP Addresses

Virtual private network service provider Atlas VPN has introduced a new privacy feature called SafeSwap that further enhances the anonymity of its users. Atlas VPN is the first and only VPN provider to allow users to have many rotating IP addresses without having to switch between different VPN servers. This way, it makes it even harder for snoopers, authorities, Internet Service Providers, and advertisers to spy on user’s online activity.

CNPD Plans to Issue Cookie Guidance

Portugal’s data protection authority, the National Data Protection Commission, plans to issue guidelines on the use of cookies by the private and public sectors this year. The CNPD has already started to analyze how public administrations use online resources for data processing.

Law Enforcement

Law Enforcement Using AI Software to Patrol Social Media

U.S. law enforcement’s use of artificial intelligence software to monitor social media is sparking privacy concerns. Israeli data analysis firm Zencity, contracted to 200 agencies in the U.S., uses machine learning to formulate custom reports from scans of public conversations across social media platforms. Zencity redacts personal information from the reports and does not allow its users to see individuals’ profiles. The surveillance tactic remains controversial, with Pittsburgh City Councilor Deb Gross noting, “Surveilling the public isn’t engaging the public. It’s the opposite.”

Data Sciences

CNIL Issues Opinion on EC Proposal for AI Regulation

France’s data protection authority (CNIL) offered its opinion on the European Commission’s proposal for regulating artificial intelligence. The CNIL called for clarification on what is permitted under the framework as it would not only benefit citizens but also those who are unsure whether the products they offer can be authorized. The agency also seeks more clarity on how the regulation interacts with the EU General Data Protection Regulation.

Security / Breaches

Ransomware Attack Hits Hundreds of Businesses Globally

A ransomware attack on technology management software from Florida-based supplier Kaseya has potentially affected up to 1,500 businesses around the world. Hackers entered systems using Kaseya’s software, taking over databases while encrypting the affected companies’ customers’ files. Kaseya acknowledged a potential attack and advised companies to shut down potentially affected systems.

White House Working to Finalize US Ransomware Strategy

U.S. President Joe Biden is working toward finalizing a new strategy for combating and mitigating ransomware threats. Biden and relevant entities are exploring all options for sufficient and quick responses to cyberattacks, including increased cybersecurity measures and prohibiting companies from paying ransoms. Biden said he feels “good” about the current abilities to respond to ransomware despite the most recent attack on 1,500 companies stemming from hacks against Florida-based software provider Kaseya.

LinkedIn Denies Exposure of 700 Million User Records Is a Data Breach

LinkedIn has forcefully denied that the exposure of data relating to 700 million users of its workplace networking platform – over 90% of its total user base – is a data breach. The data has been offered for sale on the dark web, but LinkedIn insists that since it was scraped by malicious actors the company is not at fault.

Chronicling Two Years of NHS Data Breaches

According to the U.K. Information Commissioner’s Office, the NHS reported 866 data breaches from April 2019 to March 2021, including personal data mailed to the wrong person and the loss of paperwork and laptops. Of those breaches, 12 cases involved a party altering data without patient consent.

Researcher Finds Certain Network Names Can Disable Wi-Fi on iPhones

It looks like Wi-Fi networks with percent symbols in their names may cause a bug. A security researcher has found that certain Wi-Fi networks with the percent symbol (%) in their names can disable Wi-Fi on iPhones and other iOS devices. Carl Schou tweeted that if an iPhone comes within range of a network named %secretclub%power, the device won’t be able to use Wi-Fi or any related features, and even after resetting network settings, the bug may continue to render Wi-Fi on the device unusable.

UK Government Publishes ‘Plan for Digital Regulation’

The U.K. government published its “Plan for Digital Regulation,” which outlines how the country will govern technology. The strategy highlights how the U.K. will ensure its data protection standards support “a world-leading digital economy and society whilst underpinned by the trustworthy use of data.” The plan also covers the use of artificial intelligence to “automate parts of the financial advice process.”

Privacy Implications of Autonomous Vehicles to Smart Cities: Dentons’ Report

Dentons’ “A Guide to Autonomous Vehicles 2021 – A Canadian Perspective” dissects the front-burner policy issues, legislative and regulatory frameworks and updates, new legal precedents and leading global trends shaping the sector. The report examines five key areas: regulatory landscape; driverless vehicle testing and deployment; liability; data privacy and security; and telecommunications and 5G.

25 June – 02 July 2021

COVID-19

Google is Pushing Out Massachusetts COVID Contact Tracing App

Google appears to be force-installing the Massachusetts MassNotify COVID-19 contact tracing app on residents’ Android devices. Users are reporting that the app has been installed even if they have not activated Android Exposure Notification on their devices. It also appears that the app is not yet active; users have been unable to open it or to uninstall it. Google said “This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don’t have to download a separate app.”

Proposed Vaccine Passports Raise Privacy Concerns and Data Security Risks

Cox & Palmer Law provides an overview and discussion of the current prospect for vaccine passports in Canada, including privacy implications. They propose that any organization considering the development and implementation of a vaccine passport regime should take the following steps to limit liability and improve privacy protections:

  • Ensure the regime falls within an already existing privacy program
  • Complete a privacy impact assessment.
  • Follow guidance from federal and provincial privacy commissioners.
  • Develop and implement a data retention (and destruction) plan.
  • Engage external legal counsel.

Biometrics / identity

Liberal Party Scrutinized for Facial Recognition Use

The Liberal Party of Canada is under fire for its use of facial recognition technology to verify voter identities in candidate nomination elections. BC Information and Privacy Commissioner Michael McEvoy said the questions at hand are whether the collection and use of biometric data was done appropriately according to provincial privacy law. In addition to a provincial investigation, Canada’s New Democratic Party asked Privacy Commissioner of Canada Daniel Therrien to open an investigation. See also: Civil Liberties Group Urges Liberal Party to Stop Using Facial Recognition Technology

GAO Surveys Federal Agencies’ Use of Facial Recognition Tech

A report from the U.S. Government Accountability Office surveyed federal agencies’ use of facial recognition technology. Of the 42 agencies examined, the GAO found 20 owned systems equipped with facial recognition technology and six of those used the tech to identify individuals following last year’s protests of the murder of George Floyd. The GAO offered recommendations for 13 agencies to assess the risks of these systems.

Online Privacy / Surveillance

Microsoft Exec Details Number of Data Requests from Law Enforcement Agencies

During a U.S. House Judiciary Committee hearing, Microsoft VP Tom Burt detailed the number of orders for information the technology company has received from federal agencies. Burt said federal law enforcement agencies send Microsoft between 2,400 and 3,500 secrecy orders a year. “Most shocking is just how routine secrecy orders have become when law enforcement targets an American’s email, text messages or other sensitive data stored in the cloud,” said Burt.

Appeals Court Rules Aerial Police Tracking of Citizens Violates Fourth Amendment

The U.S. Court of Appeals for the Fourth Circuit ruled that Baltimore’s practice of using surveillance planes to track people’s movements across 90% of the city for long periods, without a warrant, violates the Fourth Amendment. The majority opinion determined that “because the AIR program enables police to deduce from the whole of individuals’ movements, we hold that accessing its data is a search, and its warrantless operation violates the Fourth Amendment.”

Digital Identity Verification Market Forecast to Reach $16.7B by 2026

Remote onboarding adoption will drive global spending on digital identity verification to $16.7 billion in 2026, as the total number of identity verification checks more than doubles from 45 billion in 2021 to 92 billion. The Juniper Research whitepaper ‘Maximising (sic) security with digital identity verification’ reviews the various methods of identity verification, including biometrics and liveness detection, and breaks down the market by industry and geography.

Digital Government

German DPA Tells Government Organizations to Shut Down Facebook Pages

Germany’s Federal Data Protection Commissioner Ulrich Kelber asked government organizations to close their Facebook pages by the end of the year. Kelber said the pages are not able to operate in a way that does not transmit followers’ data to the U.S., in violation of privacy laws. He also recommended organizations discontinue using Clubhouse, TikTok and Instagram due to similar concerns. “Given the continuing violation of personal data protection, there is no time to waste,” Kelber said.

Mobile / Location Privacy

Australian Research Finds ‘Pervasive’ Privacy Breaches on Health Apps

An analysis of more than 20,000 health-related applications by researchers at Sydney-based Macquarie University found thousands have “serious problems with privacy” and “collection of personal user information” is “pervasive.” The researchers said “inadequate privacy disclosures” prevent users from “making informed choices.” A quarter of the apps violated their own privacy policies, and 90% of data transmissions were on “behalf of third party services, such as external advertisers, analytics, and tracking providers.”

Improving Mobile Phone Data Extraction Practices Across the UK Criminal Justice System

In a blog post, U.K. Information Commissioner Elizabeth Denham discussed efforts to improve mobile phone data extraction practices, saying a “strategic, coordinated approach is needed.” While the ICO called for a code of practice to “introduce clarity, consistency and adequate safeguards,” Denham said that has yet to be introduced.

Supreme Court Declines to Hear Digital Device Border Search Cases

The U.S. Supreme Court declined to hear three cases on searches of electronic devices at the U.S. border. One of the cases, filed by the ACLU and EFF, argued search warrants should be required for border agents to search smartphones and laptops at ports of entry. EFF said in a Tweet it filed the case “to put a stop to this egregious privacy violation” and “the fight continues to defend digital privacy at the U.S. border.”

App Pays Contractors to Collect Open-Source Intelligence

Premise is an application that pays gig workers to collect open-source intelligence for a range of private and public clients, including U.S. government agencies. The app indicated it has made $5 million off of government contract work since 2017. Data sources include Wi-Fi networks, cell towers and mobile devices, with various types of data picked off from each. Premise CEO Maury Blackman said the data collection is not intelligence work because it is “available to anyone who has a cellphone.”

Youth Privacy

Researchers: 1 In 5 Children’s Google Play Apps Violate COPPA, And Other Updates

Comparitech’s research team surveyed the 500 most popular children’s applications in the Google Play Store. Key findings:

  • 1 in 5 apps have privacy policies that suggest COPPA violations
  • These have been downloaded by almost 492 million users
  • 50% of all the apps that violate COPPA have received a “teacher-approved” badge
  • 5% of all the company privacy policies reviewed contained claims that the respective apps were not intended for children, despite being within the “Everyone” age category on Google Play
  • 18% of “teacher-approved” apps violate COPPA
  • 21% of free apps and 20% of paid apps violate COPPA
  • 38% of all the apps that violate COPPA are classed as “educational”

Lawmakers Ask Facebook and Google to Extend Online Privacy Protections to Youth.

U.S. Sen. Ed Markey, D-Mass., and U.S. Reps. Kathy Castor, D-Fla. and Lori Trahan, D-Mass., sent letters to Amazon, Facebook, Google, Snapchat, TikTok and Twitter asking the companies to give teenagers and young children in the U.S. the same privacy protections as provided under the U.K.’s Age Appropriate Design Code. Meanwhile, the U.K.’s Department for Digital, Culture, Media & Sport released a “one-stop shop” guide to child online safety, outlining key measures businesses should take to protect children, and TikTok removed over 7 million accounts in the first quarter of 2021 for potentially belonging to children under 13.

Security / Breaches

Ransomware Attacks Have Seen Dramatic Increase

The speed at which ransomware attacks have continued to grow is surprising, says Blake, Cassels & Graydon LLP’s Cybersecurity group in the firm’s recently released Canadian Cybersecurity Trends Study 2021, as are the increasingly large ransoms demanded for stolen data over the past two to four years. See also: Data Breach: Notification Obligations and Best Practices

Cyber Insurance Does Not Appear to be Improving Cybersecurity

A paper from Britain’s Royal United Services Institute (RUSI) “explores whether cyber insurance can incentivise better cyber security practices among policyholders, … [and] finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope.”

Vulnerabilities Found in Dell SupportAssist

Researchers from Eclypsium have discovered four vulnerabilities in the BIOSConnect feature of Dell SupportAssist. When chained together, the flaws “allow a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device.” The flaws affect 128 models of Dell PCs and tablets. Server-side updates released in late May address two of the flaws; Dell has released client-side firmware updates to address the other two flaws.

OIG Report: Medicare Needs to Improve Hospital Medical Device Security Assessments

A report from the Office of Inspector General for Health and Human Services (OIG HHS) says that the Centers for Medicare & Medicaid Services (CMS) does not have adequate protocols in place to assess the cybersecurity of networked medical devices in hospitals. In the report OIG HHS writes that they “recommend that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with Department of Health and Human Services (HHS) partners and others.”

Small Devices Can Cause Big Problems: Improving Enterprise Mobile Device Security

NIST has published guidance on mobile device management best practices in the workplace. Threat identification tools, such as NIST’s Mobile Threat Catalogue, used in conjunction with a risk management process, such as the NIST Risk Management Framework, can help organizations identify security and privacy requirements and design mobile device solutions to meet those requirements. Guidance:

  • NIST SP 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled
  • NIST SP 1800-22, Mobile Device Security: Bring Your Own Device
  • NIST SP 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise

Data Sciences

Standards Council Publishes Data Governance Roadmap

The Standards Council of Canada released a roadmap for data governance in parallel with Canada’s Digital Charter. The plan outlines a view on the current and desired Canadian standardization landscape while providing 35 recommendations the SCC says will “address gaps and explore new areas where standards and conformity assessment are needed.” The recommendations include accountability frameworks for privacy and security of personal information as well as a call to harmonize federal and provincial privacy laws.

MEPs Urge Safeguards With Law Enforcement’s AI Use

The European Parliament Committee on Civil Liberties, Justice and Home Affairs adopted a draft report on the use of artificial intelligence-based surveillance, highlighting the need for human oversight and sufficient safeguards. MEPs demanded a ban on the use of biometric data in public places and law enforcement’s use of private facial recognition databases. The urging is based on claims that AI-powered technologies bring potential bias and discrimination.

Survey: AI Is Stressing Data Infrastructures

A Redis Labs survey of IT professionals responsible for machine learning and AI operations found AI applications are stressing data infrastructures. 40% of respondents said their current data structures do not meet requirements for training AI models and infrastructures that consume real-time data.

NSA Issues Guidance on Securing Video and VoIP Communications

The US National Security Agency has issued guidance on securing Unified Communications/Voice and Video over IP (UC/VVoIP) systems. The technical report “outlines best practices for the secure deployment of UC/VVoIP systems and presents mitigations for vulnerabilities due to inadequate network design, configurations, and connectivity.”

NIST Proposes Approach for Reducing Risk of Bias in Artificial Intelligence

In an effort to counter the often pernicious effect of biases in artificial intelligence (AI) that can damage people’s lives and public trust in AI, the National Institute of Standards and Technology (NIST) is advancing an approach for identifying and managing these biases — and is requesting the public’s help in improving it. NIST outlines the approach in A Proposal for Identifying and Managing Bias in Artificial Intelligence (NIST Special Publication 1270), a new publication that forms part of the agency’s broader effort to support the development of trustworthy and responsible AI. NIST is accepting comments on the document until Sept. 10, 2021 (extended from the original deadline of Aug. 5, 2021).

CNIL Releases New Version of PIA Software

France’s data protection authority, the Commission nationale de l’informatique et des libertés, released a new version of its privacy impact assessment software. The tool “has been enhanced with a major new feature to customise the information in the knowledge base that is continuously present and guides the completion of an analysis,” the CNIL said. It is available in 20 languages.

AEPD Releases Data Processing Risk Management Guide

Spain’s data protection authority, the Agencia Española de Protección de Datos, released the “Risk management and impact assessment in personal data processing” guide. The guide includes guidance and criteria from the AEPD, the European Data Protection Committee and the European Data Protection Supervisor.

GEA-1 Encryption Algorithm Weakness Was Intentional

A paper from researchers at several European universities and research institutions suggests that the GEA-1 encryption algorithm had a deliberately baked-in weakness. The algorithm was used in cellphones in the 1990s and 2000s. Following the paper’s publication, the European Telecommunications Standards Institute (ETSI), which developed the algorithm, confirmed that the weakness was deliberate, noting that it was introduced to meet encryption export regulations.

Baltimore County Public Schools Ransomware Recovery is Expensive

According to information obtained by a local television news station, Baltimore County (Maryland) Public Schools has already spent more than $8 million recovering from a November 2020 ransomware attack. The incident prevented 115,000 students from accessing remote instruction for a week. The school system’s insurance covered $2 million of the incurred costs.

18-24 June 2021

COVID-19

Ottawa In Talks With Provinces, Territories Over ‘Proof Of Vaccination’ Passport for International Travel

Intergovernmental Affairs Minister Dominic LeBlanc says Ottawa is in talks with the provinces and territories about creating some type of “passport” containing proof of vaccination against COVID-19. LeBlanc says while health information falls under provincial jurisdiction, Ottawa’s goal is to provide Canadians with a document to verify vaccinations against the coronavirus if they want to travel outside Canada. LeBlanc says the government may provide Canadians who want to travel soon an interim document to verify vaccinations. SEE ALSO: Canada Is Launching a “Vaccine Passport” Next Month

OPC Therrien Urges Proper Safeguards for Vaccine Passports

Privacy Commissioner of Canada Daniel Therrien told the House of Commons Standing Committee on Access to Information, Privacy and Ethics Canada’s COVID-19 vaccine passport application needs sufficient purpose limitations and user safeguards. Therrien said there are “issues about protection of that information” that require a detailed review process “that we have not yet done.” Therrien spoke confidently about arriving at a “privacy-sensitive and protected” solution.

Access, Privacy, Enforcement: Lawyers Say Canada’s Plan for Digital Vaccine Passports Raises Thorny Issues

The prospect of digital vaccine passports being required for Canadians embarking on post-pandemic travel has some raising concerns over privacy, accessibility, and enforcement. Immigration lawyer Alex Stojicevic says the most obvious concern is that those who don’t have access to the proper tech will face barriers to travel. He also has concerns around who will be reviewing people’s proof of vaccine. He says people should not be required to hand their phones over to the Canada Border Services Agency. Stojicevic says there are a number of other thorny logistical issues — including the fact that each province within Canada is approaching immunization in a different way, and sharing different data. Privacy concerns are also being raised by the Canadian Civil Liberties Association. According to Executive Director Michael Bryant: “We need to make sure that that data, held internationally, is kept secure and private and isn’t used for other purposes and other agencies, other than its intended purpose of international travel. It’s one thing to require people to waive their privacy rights at the border. It’s quite another thing to ask people or require people to waive their privacy rights once they are in Canada, travelling between provinces or entering public facilities or using public services.”

Nova Scotia Privacy Commissioner Calls for Strong Vaccine Passport Privacy Protections

Nova Scotia Information and Privacy Commissioner Tricia Ralph called for future vaccine passports to have proper privacy protections in place. Ralph called for a privacy impact assessment to take place in a letter to the provincial government.

Biometrics / Identity

EU Privacy Watchdogs Call for Ban on Facial Recognition in Public Spaces

The European Data Protection Board and European Data Protection Supervisor teamed up to call for a ban on the use of facial recognition in public spaces, going against draft European Union rules which would allow the technology to be used for public security reasons. “A general ban on the use of facial recognition in publicly accessible areas is the necessary starting point if we want to preserve our freedoms and create a human-centric legal framework for AI,” EDPB Chair Andrea Jelinek and EDPS head Wojciech Wiewiorowski said.

Denham Issues Opinion on UK’s Public Facial Recognition Deployments

U.K. Information Commissioner Elizabeth Denham offered a Commissioner’s Opinion regarding the use of facial recognition by private and public entities in public spaces. Denham explained “data protection and people’s privacy must be at the heart of any decisions to deploy (live facial recognition)” and the opinion aims to set “a high bar to justify the use of LFR and its algorithms.” The opinion, according to Denham, is based on law and “six ICO investigations into the use, testing or planned deployment of LFR systems.”

Civil Liberties Group Urges Liberal Party to Stop Using Facial Recognition Technology

The CCLA is calling on the governing Liberals to “cease and desist” using facial recognition technology to verify the identity of people voting in candidate nominations, saying it “takes unfair advantage of its exemption from Canadian privacy laws.” Further, it “sends the wrong message to municipal, provincial and federal election officials that this technology is ready for prime time,” reads the letter signed by executive director Michael Bryant and privacy, technology and surveillance program director Brenda McPhail.

Unemployment Applicants Say Facial Recognition Service Caused Benefit Denials

Some U.S. unemployment recipients say incorrect identity verification by ID.me’s facial recognition technology led to denial of unemployment benefits. The service uses applicants’ biometric information with official documents to confirm identity, but some said the technology failed to correctly identify them, putting applications on hold.

Regulators Launch Campaign Against Spy Cameras, Hidden-Camera Videos

The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Public Security Bureau and the State Administration for Market Regulation announced a three-month campaign against spy cameras and hidden-camera videos. The regulators say online platforms and camera developers that do not address privacy violations will be “severely punished” in accordance with laws and regulations. The campaign follows passage of China’s Data Security Law, slated to take effect 1 Sept.

Health Privacy

Niagara Health Patients First in Ontario to Access Diagnostic Scans Under One Digital ID

Patients at Niagara Health are among the first in the province who can access their diagnostic records such as an x-ray, CT scan, MRI, or ultrasound through the Ontario trusted account, a unique patient digital identity service on the Niagara Health Navigator mobile app. Similar to the ease of online banking, patients can view and manage their diagnostic records from the convenience of their mobile device and can choose to securely share access with family members, family doctors, specialists and other care providers. This is powered by PocketHealth, a service that receives digital diagnostic records from the hospital, organizes them in a secure account and stores them for patients to access for a small fee. For more information on the Ontario trusted account, visit https://mytrustedaccount.ca

UK Health Department, NHS Publish Draft Health Data Strategy

The U.K. Department of Health and Social Care and the National Health Service released a draft data strategy that will provide patients more control of their health and records. The strategy proposes ease of access to data for patients and medical professionals while also simplifying data sharing practices. The NHS noted its plan comes with a commitment “to using data lawfully, with respect, and holding it securely with the right safeguards in place.” Additionally, the NHS committed to publishing a transparency report on data use by 2022.

Mobile / Location

CNIL Releases Draft Recommendation on Retention of Traceability Data

France’s data protection authority (CNIL) launched a public debate over its draft recommendation relating to terms of retention and use of data logs. One of the purposes of data logs, particularly in multi-user systems, is to ensure traceability of access and actions on the information systems within an organization, facilitating security policy compliance. For retention periods of data logs, the CNIL recommends that a period of six months to one year is sufficient, except where a legal obligation or a particularly significant risk would require a different retention period.

Commission d’accès à l’information du Québec Issues Guidance on Employee Geolocation Tracking

The Commission d’accès à l’information du Québec has issued guidance on employee geolocation tracking (available in French, with an English translation).

Online privacy / Surveillance

Study Reviews Pandemic-Era Employee Monitoring Trends

Software designer Surfshark released its Employee Surveillance Report highlighting trends in employee surveillance from March 2020 to March 2021. Surfshark scraped searches for “bossware” surveillance tools across the world and found the use of and interest in employee monitoring was most prevalent in Sweden, the U.S. and Norway. The study also found one in five businesses are deploying surveillance technology while 62% of companies do so to collect productivity data. The report goes on to compare various monitoring tools and discuss potential employee privacy tactics.

Dutch Organizations File Claim Against Tiktok Over Children’s Privacy

In a claim against TikTok, Dutch consumer protection organization Consumentenbond and the Take Back Your Privacy Foundation say the company should pay 1.5 billion euros for illegally collecting and selling children’s data for targeted advertising. The organizations also said TikTok should delete children’s data it has maintained. “TikTok’s way of working is pure exploitation and the company is earning hundreds of millions a year from children,” Consumentenbond Director Sandra Molenaar said.

Law Enforcement

RCMP Body Camera Pilot Project Wraps Up in Iqaluit

A pilot project in which Iqaluit RCMP officers wore body cameras while working has wrapped up but concerns about accountability and trust remain. Last fall, the Iqaluit RCMP launched a trial run increasing the number of Iqaluit officers wearing cameras, until all 53 were equipped in February. According to Legal Aid, officers wore the cameras at work, but they would be turned on only after the initial interaction, or in some cases, the arrest. Also, the camera only points in one direction, so it doesn’t capture everything. “There’s no guarantee that even if there is an image that is damning of police that police will release it,” said a professor.

LAPD Provided with Free Surveillance Cameras for Promotion

Ring gave Los Angeles Police Department officers free devices or discount codes to market its surveillance cameras. According to emails obtained by the Los Angeles Times, the company encouraged officers to “spread the word” about its doorbell’s ability to “reduce crime in neighborhoods.” ACLU of Southern California Senior Staff Attorney Mohammad Tajsar said the relationship highlights “a lack of clarity as to where the public sector ends and private surveillance capitalism begins.” A Ring spokesperson said the marketing campaign ended “years ago.”

Data Sciences

EDPB, EDPS Issue Opinion on Proposed AI Rules

The European Data Protection Board and European Data Protection Supervisor released a joint opinion on the European Commission’s proposed artificial intelligence regulation. Notably, the opinion proposed a ban on AI-powered biometric recognition technologies and potentially discriminatory AI systems in public spaces. In a joint statement, EDPB Chair Andrea Jelinek and EDPS Wojciech Wiewiórowski said the ban is a “necessary starting point” for a “human-centric legal framework for AI,” also noting the biometric deployments in combination with AI “means the end of anonymity in those places.”

Study Looks at Advances, Long-Term Impact of AI

A new report from Pew Research Center and Elon University’s Imagining the Internet Center found 68% of responding developers, business and policy leaders, researchers and activists do not believe ethical principles focused on public good will be employed in most AI designs by 2030. The report includes written explanations from professionals, including Google’s Chief Internet Evangelist Vint Cerf, who said, “There will be a good-faith effort, but I am skeptical that the good intentions will necessarily result in the desired outcomes.”

NIST Seeks to Quantify User Trust In AI

The National Institute of Standards and Technology is looking to quantify user trust in artificial intelligence. NIST is accepting public comments until July 30, saying it wants to identify areas of mistrust in AI and promote informed decisions in its use. A user trust score will be used to measure items such as the age, gender, cultural beliefs and AI experience of an individual using an AI system, while a trustworthiness score will explore technical concepts.

Security / Breaches

Humber River Restores Computers After Malware Attack

Humber River Hospital is continuing to work through the shutdown of its computer systems in response to an extensive malware attack last week. The hospital had deactivated all of its computers as a safety precaution against the attack, which was a form of ransomware. Because the organization caught the malware early, it believes that it avoided the loss of data and has not received demands for a ransom.

Kroll Releases ‘2021 Data Breach Outlook’

Digital service provider Kroll published its “2021 Data Breach Outlook,” which reviewed the effects of data breaches on its clients in 2020. The report shows a 140% increase in data breach notifications compared to 2019, with the most affected industries being health care, education and financial services. Kroll said the rise in incidents is linked to a combination of remote work, the evolution of ransomware, the impact of supply chain attacks, and heightened awareness of privacy rights and regulations. SEE ALSO: Cybersecurity Firm Reports 116% Increase in Ransomware Attacks | A survey released by Cybereason found 80% of organizations that paid demands in ransomware attacks experienced a second breach, with 46% believing it to be caused by the same threat actors.

CISA Highlights How Solarwinds Attack Could’ve Been Prevented

The U.S. Cybersecurity and Infrastructure Security Agency highlighted how established security recommendations could have stopped last year’s SolarWinds cyberattack, Reuters reports. In a letter to U.S. Sen. Ron Wyden, D-Ore., the CISA said had victims configured their firewalls to block outbound connections from the servers running SolarWinds, it “would have neutralized the malware,” adding those who did so avoided the attack.

Danish DPA Offers Ransomware Guidance

Denmark’s data protection authority, Datatilsynet, posted guidance on best practices to combat ransomware attacks. In a video, Datatilsynet IT Security Specialist Allan Frank offered advice on mitigation tactics as well as proper system backups. Additionally, the DPA issued a checklist of actions organizations can take to reduce the threat of ransomware, including employee awareness, system patching, filtered emails and more.

17 June 2021

COVID-19

UN Agency Details New ‘Digital Seal’ As Countries Mull COVID-19 Vaccine Passports

The International Civil Aviation Organization (ICAO) is paving the way for the creation of COVID-19 vaccine passports. In a press release, the ICAO says it has made new “technical specifications for a visible digital seal.” The ICAO said the seal stores datasets for “test and vaccination certificates” in a two-dimensional barcode which can be made of paper or “screen-based.” “Border control and other receiving parties can verify the data against established requirements efficiently and seamlessly, including through the use of traveller self-service kiosks and processes.”

Nova Scotia Privacy Commissioner Calls for Strong Vaccine Passport Privacy Protections

Nova Scotia Information and Privacy Commissioner Tricia Ralph called for future vaccine passports to have proper privacy protections in place. Ralph called for a privacy impact assessment to take place in a letter to the provincial government. “They can be a valuable tool for Canadians, but my concern is they be done the right way,” said Ralph. “My concern is they be developed in a way that would not collect too much information or disclose too much information than is really necessary.”

Human Rights Commission Wants Cautious Approach to COVID-19 Vaccine Cards

The Manitoba Human Rights Commission urges caution in the wake of the province’s plan to issue COVID-19 immunization cards to people two weeks after they get their second vaccine dose. The MHRC said requirements for people to provide proof of vaccination for work, access to public services or housing could potentially discriminate on the basis of disability, religious belief, political belief, social disadvantage and age. SEE ALSO: Manitoba Human Rights Commission ‘monitoring’ province’s COVID-19 vaccination card, incentives | Mayor questions vaccine card privacy | COVID-19 ‘vaccine passports’ could be abused in Manitoba, legal experts warn

Survey: 56% of Americans Don’t Trust Vaccine Passports to Protect Data

A survey conducted by Help Net Security gauged Americans’ attitude toward the security measures implemented by vaccine passports. Of the 3,000 Americans polled, 56% said they do not trust vaccine passports to keep their data secure. The study also found 58.5% of respondents said vaccine passports should not be required to attend sporting events, schools or other areas and events.

Biometrics / Identity

Privacy Commissioners Issue Draft Guidance on Police Use of Facial Recognition Technology

The OPC and the provincial / territorial privacy regulators have jointly released draft guidance on the use of facial recognition technology by police agencies for public comment. The draft guidance covers federal, provincial, regional and municipal police agencies, but does not include within its scope other public organizations such as border control, or private sector organizations such as private security companies. Parts of the guidance may nonetheless provide insight to organizations seeking to ensure compliance with privacy and human rights legislation, said the regulators. SEE ALSO: Mugshots to megabytes: facial recognition has made privacy protection more urgent than ever

Congress Weighs Moratorium on Facial Recognition and Biometric Surveillance Technologies

A group of congressional Democrats re-introduced the Facial Recognition and Biometric Technology Moratorium Act of 2021 (Senator Markey’s press notice).

Canadian Government Launches Plans for Digital Identity

The Government of Canada has launched the latest iteration of its digital strategy, which includes a continued effort to introduce secure digital identities for citizens. In the Digital Operations Strategic Plan (DOSP) 2021–2024, CIO Marc Brouillard said that the COVID-19 pandemic has “significantly accelerated the global shift to online services” and praised civil servants’ efforts. However, Brouillard said, the government needs to go even further to make digital services as seamless as possible. Alongside creating a single digital identity for citizens, other plans include Shared Services Canada (SSC) working to consolidate departments’ networks with a wholesale shift to “cloud-first networks”.

Maryland City Bans Facial Recognition and Other Biometric Updates

The Baltimore, Maryland, City Council approved a moratorium on use of facial recognition technology by residents, businesses and most of city government. The city’s police department is exempt from the moratorium.

DHS Planning Biometric System Update

The U.S. Department of Homeland Security is preparing to transition its 27-year-old biometric systems to its new Homeland Advanced Recognition Technology in December. The rollout is not expected to be fully operational until DHS addresses three outstanding risk management best practices cited by the Government Accountability Office. In the meantime, DHS and fellow national security entities will continue using the Automated Biometric Identification System, which stores biometric data on foreign nationals for travel, trade and immigration.

TikTok Has Started Collecting ‘Faceprints’ and ‘Voiceprints’

Recently, TikTok made a change to its U.S. privacy policy, allowing the company to “automatically” collect new types of biometric data, including what it describes as “faceprints” and “voiceprints.” TikTok’s unclear intent, the permanence of the biometric data and potential future uses for it have caused concern among experts who say users’ security and privacy could be at risk.

Europe Needs to Back Browser-Level Controls to Fix Cookie Consent Nightmares: NOYB

European privacy group noyb, which recently kicked off a major campaign targeting rampant abuse of the region’s cookie consent rules, has followed up by publishing a technical proposal for an automated browser-level signal it believes could go even further to tackle the friction generated by endless “your data choices” pop-ups. Its proposal is for an automated signal layer that would enable users to configure advanced consent choices — such as only being asked to allow cookies if they frequently visit a website; or being able to whitelist lists of sites for consent (if, for example, they want to support quality journalism by allowing their data to be used for ads in those specific cases).

Youth and Children

Report Surveys EU Children’s Privacy Standards

The U.S. Law Library of Congress published a report exploring children’s data protection standards in 10 EU jurisdictions, including the EU’s own overarching regulations and policies. The other nine countries analyzed were France, Denmark, Germany, Greece, Portugal, Romania, Spain, Sweden and the non-EU member U.K. The report examines the current landscape for children’s data protection in each case study before analyzing the protection of children with regard to targeted advertising.

Online Privacy / Surveillance

Google Agrees to UK CMA Commitments on Phasing Out Cookies

Google agreed to a series of commitments with the U.K. Competition and Markets Authority over its plan to phase out cookies via its Privacy Sandbox proposal. The commitments include limits on how Google can use user data for digital advertising after third-party cookies are removed and informing the CMA 60 days before it starts to remove cookies to give the agency an opportunity to reopen its investigation.

Google Announces Privacy, Data Security Measures for Workspace

Google announced new privacy and data security measures within its Google Workspace. Client-side encryption will give customers control of encryption keys and make customer data indecipherable, the company said. Google also announced new phishing and malware content protection for Google Drive and launched Drive labels, which enables users to classify files to ensure proper handling. The feature also works with Google Workspace’s data loss prevention and Google Vault capabilities to enhance data loss prevention.

New Privacy and Security Features Coming to iOS and macOS

Apple has unveiled improvements to iOS designed to keep your email private, crack down on data-stealing apps, and help you find lost devices.

Location Privacy

Vehicle Location Data Appears to Identify People, Addresses

While Otonomo’s vehicle location data is supposed to be pseudonymous, a Motherboard investigation linked the data to vehicle owners and movements. Data from Otonomo was used to track drivers’ locations and identify their likely home addresses and identities. Electronic Frontier Foundation Staff Attorney Adam Schwartz called the data a “privacy nightmare.”

Law Enforcement

Bitcoin is Traceable, Colonial Pipeline Investigation Shows

Federal investigators’ recovery of $2.3 million of the $4.3 million in Bitcoin that Colonial Pipeline paid to hackers in a ransomware attack shows cryptocurrencies may not be hard to track. While cryptocurrency can be transferred without a bank’s permission, it can also be tracked and seized by law enforcement, and each payment is recorded in a permanent ledger. “It is digital bread crumbs,” said former federal prosecutor Kathryn Haun. “There’s a trail law enforcement can follow rather nicely.” SEE ALSO: The Fed’s Digital Dollar Would Be ‘Nightmareville’ for Privacy | Bitcoin network approves privacy update as scrutiny increases

ICCL To Sue IAB Tech Lab Over Real-Time Bidding Allegations

The Irish Council for Civil Liberties is filing a lawsuit against the Interactive Advertising Bureau Tech Lab for alleged EU General Data Protection Regulation violations. The ICCL will file the suit in Hamburg, Germany, arguing real-time bidding systems, used by IAB member companies, harvest users’ personal data. “A retailer might use the data to single you out for a higher price online. A political group might micro-target you with personalised disinformation,” said ICCL Senior Fellow Johnny Ryan.

Mobile / Location

Apple CEO Says EU’s Proposed DMA Threatens iPhone Security, Privacy

Apple CEO Tim Cook said the European Union’s proposed Digital Markets Act will threaten the security and privacy of iPhones. While Cook said parts of the proposal are good, he criticized others, like language that would lead to installation of applications outside of Apple’s App Store. “It would destroy the security of the iPhone, and a lot of the privacy initiatives that we’ve built into the AppStore or the privacy intrusion labels and app-tracking transparency,” he said.

Data Sciences

Experts Doubt Ethical AI Design Will Be Broadly Adopted as the Norm Within the Next Decade

According to Pew Research Center, a majority of developers, business and policy leaders, researchers and activists worry that the evolution of artificial intelligence by 2030 will continue to be primarily focused on optimizing profits and social control. They also cite the difficulty of achieving consensus about ethics. Many who expect progress say it is not likely within the next decade. Still, a portion celebrate coming AI breakthroughs that will improve life.

ICO Calls for Views on Anonymisation Guidance

The UK ICO has published a call for views on the first draft chapter of its anonymisation, pseudonymisation and privacy enhancing technologies draft guidance. This first chapter is part of a series of chapters of guidance that the ICO will be publishing on anonymisation and pseudonymisation and their role in enabling safe and lawful data sharing. The guidance supplements the ICO’s Data Sharing Code of Practice.

Accounting Firm to Invest $12B in AI, Cybersecurity Hires

Accounting firm PricewaterhouseCoopers is planning to invest $12 billion over the next five years in hiring 100,000 new employees in artificial intelligence and cybersecurity. As companies face increasing scrutiny on issues including data privacy, PwC U.S. Chairman and Senior Partner Tim Ryan said, “It’s critical that our people have those skills.” The firm also plans to offer new products featuring artificial intelligence and machine learning, Ryan said, and is considering acquiring other companies to grow offerings.

Security / Breaches

G7 Commits to Action on Ransomware, Digital Privacy

The G7 group has urged Russia and other countries that may harbour criminal ransomware groups within their borders to take accountability for tracking them down and disrupting their operations. Meanwhile, the G7 also committed to ongoing collaboration towards a “trusted, values-driven digital ecosystem” and an “open, interoperable, reliable and secure internet” that is unfragmented, and supports freedom, innovation and trust to empower users. “We support the development of harmonised principles of data collection which encourage public and private organisations to act to address bias in their own systems, noting new forms of decision-making have surfaced examples where algorithms have entrenched or amplified historic biases, or even created new forms of bias or unfairness.” The summit further addressed issues around internet safety and countering far-right hate speech, whilst protecting fundamental human rights and freedoms such as freedom of speech and expression.

03-10 June 2021

COVID-19

European Parliament Finalizes COVID-19 Certificate Program

The European Parliament announced final approval of the EU’s COVID-19 certificates. Citizens will be issued a quick response code carrying information proving vaccination, a negative test result or recovery from a COVID-19 infection, and all EU member states will accept the certificates. The scheme should facilitate free movement and contribute to restrictions being lifted gradually in a coordinated manner. It should apply from 1 July 2021 and be in place for 12 months.

Canadian Commissioners Adopt Resolution on Pandemic Privacy and Vaccine Passports

Canada’s federal, provincial and territorial information and privacy commissioners issued a joint resolution calling on governments around the country to respect citizens’ privacy rights during and after a pandemic. The resolution includes 11 principles Canadian governments can implement to modernize “legislative and governance regimes around freedom of information” and make privacy a priority.

Manitoba Launches New, Secure Immunization Cards for Fully Vaccinated People

Fully immunized Manitobans will now be able to travel without having to self-isolate for two weeks upon return with a new, secure immunization card that will be available to people two weeks after they have received both doses of a COVID-19 vaccine, Premier Brian Pallister announced today.

Vaccination Records Raising Privacy Concerns in California

The California Public Department of Health’s digital Immunization Information System holds information of California residents who received a COVID-19 vaccination, raising concerns over health data. Privacy advocates say current regulations do not prevent vaccine data from being leaked or sold into data markets, and raised concerns over weakened confidentiality laws and vaccine verification systems.

Hong Kong Residents Can Store Vaccine Records in Leavehomesafe App

Hong Kong residents can now store vaccination records or test records in the LeaveHomeSafe COVID-19 contact tracing application. Biometric or password authentication is used to unlock phones when attempting to access records. Data is saved locally on devices and users can remove the records at any time. The Privacy Commissioner for Personal Data was consulted to ensure the app’s compliance with the Personal Data (Privacy) Ordinance. SEE ALSO: A study from the Surveillance Technology Oversight Project that found vaccine tracking applications are ineffective and raise privacy concerns.

Biometrics / Identity

European Commission Proposes a Digital Identity for All EU Citizens

The European Commission has proposed a framework for a trusted and secure European Digital Identity (interchangeably referred to as ‘European e-ID’). In essence, the European Digital Identity will be available to all citizens, residents, and businesses in the EU, enabling them to prove their identity, access various services and share documents from their European Digital Identity wallets. The EC states that the European Digital Identity framework will be based on three pillars:

  1. Available only to those who want to use it;
  2. Widely usable; and
  3. Users remaining in control of their data.

OPC Finds RCMP’s Use of Clearview AI Violates Privacy Act

The OPC found the RCMP’s use of Clearview AI services violated the Privacy Act. The RCMP matched photographs against individuals in a database provided by Clearview, which OPC determined violated Canadian privacy laws last year. “The use of (facial recognition technology) by the RCMP to search through massive repositories of Canadians who are innocent of any suspicion of crime presents a serious violation of privacy,” said Privacy Commissioner of Canada Daniel Therrien.

Human Rights Commission Urges Facial Recognition Ban

The Australian Human Rights Commission is urging the federal government to issue a temporary ban on “high-risk” use of facial recognition pending legislation. The commission recommends introducing legislation “that regulates the use of facial recognition and other biometric technology,” establishing an “artificial intelligence safety commissioner” and notifying affected individuals “where artificial intelligence is materially used in making an administrative decision.”

Feds Planning to Use Biometrics at Canada-US Border

Canada’s border agency has an “urgent need” to hire a global technology firm to help develop a biometric strategy in response to rapidly evolving issues including COVID-19. The CBSA issued a notice of procurement inviting 15 firms to submit proposals for immediately setting up an Office of Biometrics and Identity Management. The chosen contractor would help the border agency develop a plan to “manage, evolve and adapt” the use of biometrics while considering its relationship with other federal departments and international partners. The OPC had not been consulted about the border services agency’s procurement notice.

National Technical Spec for Digital Credentials to Provide Greater Privacy and Security for Canadians

With a growing need for reliable methods to confirm digital identities and documents as the economy pivots online, the Standards Council of Canada (SCC) has engaged the CIO Strategy Council to develop a technical specification that will bring widespread use of digital credentials a step closer. The new technical specification will set minimum requirements to ensure that digital credentials and trust services are interoperable between businesses and governments and create a seamless experience for users. Once agreed upon, the requirements will form the basis of conformity assessment solutions to provide consumers with confidence when sharing their digital personal information.

Class-Action BIPA Suit Alleges Unlawful Voice Assistant Use

A US federal court will consider a class-action suit from McDonald’s customers in Illinois alleging the fast-food chain violated the state’s Biometric Information Privacy Act. Plaintiffs claim voice assistants were utilized at McDonald’s drive-thru windows throughout Illinois and collected consumers’ biometric information without their express consent.

Mobile / Location Privacy

CBP’s Asylum Seekers App Brings Privacy Concerns

A U.S. Customs and Border Protection mobile application to help manage the information of asylum seekers is receiving backlash from privacy advocates. The CBP One app employs facial recognition, geolocation and cloud technology to collect, process and store the sensitive information. Despite privacy impact assessments from the Department of Homeland Security deeming the app as necessary,

Police Arrest Hundreds Using Data Gathered Through Backdoored Chat App

The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app was distributed on phones configured for the purpose of using the app and, starting in 2018, distributed on black markets. This week, several law enforcement agencies worldwide searched hundreds of locations in a coordinated effort using information collected from the ANoM app. The raids led to 224 arrests, the seizure of 3.7 tons of drugs, and the disruption of 20 “threats to kill.”

Law In Hong Kong Would Connect Identity to Mobile Phone Numbers

A new law in Hong Kong that would require people to provide their real name and personal details to register mobile phone numbers, including prepaid SIM cards, is raising surveillance concerns. The policy would take effect in September. Assistant Professor at the Chinese University of Hong Kong School of Journalism and Communication Lokman Tsui said it is an invasion of privacy. “The Hong Kong government continues to make policies that show they don’t trust their own citizens,” he said.

Mexican Registry for Cell Phone Users Sparks Privacy Concerns

Mexico has approved a plan to register biometric data, names, and addresses of cell phone users in a database, in what activists say is an alarming decision. The Mexican government has already failed several times to protect personal data.

Amazon Sidewalk Brings Mobile Device Privacy Concerns

Amazon Sidewalk, a shared network initiative for Amazon devices set to roll out June 8, is raising privacy concerns. At launch, Sidewalk will automatically enroll devices, including Alexa, Echo and Ring products, into these networks unless users update their personal device settings. The sharing could potentially leave users’ devices and information, such as cameras and browsing histories, open to nearby devices within a local Sidewalk network.

Apple Unveils New Privacy Features for iOS 15

Apple unveiled a new slate of privacy features to debut with iOS 15 this fall. The upcoming operating system will include a “privacy report” that informs users about which applications collect their personal data.

Online Privacy

Max Schrems’ Privacy NGO, Noyb, Submits Hundreds of Draft Complaints to Companies Across Europe About Their Cookie Law Compliance

Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners along with a guide of how to comply [press notice]. noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with data protection authorities.

FPF, PTA Release Privacy Tech Report

The Future of Privacy Forum and Privacy Tech Alliance released a new report titled “Privacy Tech’s Third Generation: A Review of the Emerging Privacy Tech Sector.” The report looks at the evolving privacy technology market, analyzes trends and predictions, and identifies five market trends and their implications for the future. Key themes include the COVID-19 pandemic’s role in accelerating global marketplace adoption of privacy tech and the role of regulatory compliance in driving initial privacy tech purchases.

Youth Privacy

CNIL Offers Children’s Privacy Recommendations

France’s data protection authority, the CNIL, released eight recommendations to improve the protection of minors online. Based on results from an April 2020 public consultation, the CNIL suggestions include increased parental supervision and controls, further exercising of minors’ rights, and a focus on age verification and consent. The regulator also noted it launched workshops to gain further perspective from minors. The CNIL announced a public consultation on a draft framework for processing minors’ data in relation to the social and medical care sectors. The public comment period ends 31 July.

Dartmouth Ends Unfounded Cheating Investigation After Students, Rights Groups Speak Out

The Dartmouth Geisel School of Medicine has ended its months-long dragnet investigation into supposed student cheating, dropping all charges against students and clearing all transcripts of any violations. This affirms what EFF, The Foundation for Individual Rights in Education (FIRE), students, and many others have been saying all along: when educators actively seek out technical evidence of students cheating, whether those are through logs, proctoring apps, or other automated or computer-generated techniques, they must also seek out technical expertise, follow due process, and offer concrete routes of appeal.

NYC, Kinsa Partner to Distribute Smart Thermometers in Elementary Schools

Technology company Kinsa is partnering with the New York City Department of Health to distribute up to 100,000 internet-connected thermometers in elementary schools. Data collected by the smart thermometers and an accompanying application will be aggregated, anonymized and made available to local health officials.

Surveillance

Stakeholders Pen Open Letter Urging Global Biometric Surveillance Ban

A coalition of more than 175 stakeholders signed an open letter supporting a global ban of biometric recognition technologies that aid mass surveillance efforts. The coalition, led by Access Now, claims the various tech deployments undermine civil liberties as they “identify, follow, single out, and track people everywhere they go.” Stakeholders added “no technical or legal safeguards could ever fully eliminate the threat” posed by biometric technologies, which indicates “they should never be allowed in public or publicly accessible spaces.”

Amnesty International Maps 15,000 Surveillance Cameras Used by NYPD

Human rights organization Amnesty International mapped the location of more than 15,000 cameras in Manhattan, Brooklyn, and the Bronx, used for surveillance and facial recognition searches by the New York Police Department. The cameras have been used in nearly 22,000 facial recognition searches since 2017. “Whether you’re attending a protest, walking to a particular neighborhood, or even just grocery shopping, your face can be tracked by facial recognition technology using imagery from thousands of camera points across New York,” said AI Researcher Matt Mahmoudi. [New Yorkers Are Watched by More Than 15,000 Surveillance Cameras]

Data Sciences

UK ICO Issues Draft Paper on De-Identification for Comment

The U.K. Information Commissioner’s Office opened a public consultation on the opening chapter of its draft guidance for anonymization, pseudonymization and privacy-enhancing technologies. The first of the seven-chapter guidance explores “the legal, policy and governance issues around the application of anonymization and pseudonymization in the context of data protection law.” The first consultation is open through 28 Nov.

CANON Publishes Report on De-Identification

The Canadian Anonymization Network (CANON) has recently published its report “Practices for Generating Non-identifiable Data” which was funded by the OPC. The report provides some definitions to ensure consistent terminology (which is a problem in this space), and presents a series of case studies of organizations implementing various approaches for creating non-identifiable data. It concludes with lessons learned across all of the case studies about current practices across multiple private and public sector organizations.

Australian Department of Health Notes Deidentification, Genomic Information Challenges Within Privacy Act

In a submission to a review of the Privacy Act 1988, the Australian Department of Health asked for government guidance on deidentification and genomic information. The department said, “any changes in the Privacy Act that require additional protections in relation to de-identified, anonymised, and pseudonymised information … will need to be supported by appropriate guidance and expertise in order for implementation to be effective.” It also noted “uncertainty and inconsistency” around genomic information within the scope of the Privacy Act.

Census Releases Guidelines for Controversial Privacy Tool

After three years of fierce debates, conflicting academic papers and a lawsuit, the U.S. Census Bureau announced guidelines for how a controversial statistical method [called Differential Privacy] will be applied to the numbers used for drawing congressional and legislative districts. The method is meant to protect the privacy of people who participated in the 2020 census, though critics have claimed it favors confidentiality at the expense of accurate numbers. [See also: Harvard Researchers Discourage Differential Privacy Use in 2020 Census]

Security / Breaches

Cyber Attacks More Sophisticated, Data Exfiltration ‘Not Going Away’: Risk Expert

The pandemic has proven to be fertile ground for cyberhackers. Despite this, fewer organizations surveyed by the Canadian Internet Registration Authority expected to increase human resources dedicated to cybersecurity in the next 12 months, according to its 2020 Cybersecurity Report.

Highlights

US Agencies Share Updates on Ransomware Protections

The U.S. Department of Health and Human Services’ Office for Civil Rights shared updates from the White House and Cybersecurity and Infrastructure Security Agency on protecting against ransomware threats. Addressing an increase in the number and size of ransomware incidents, a White House memo called on the government and private sector to protect their organizations with recommended best practices. An OCR fact sheet included information for organizations regulated by the Health Insurance Portability and Accountability Act.

May 28 – June 3, 2021

COVID-19

7 EU countries roll out vaccine passport

Bulgaria, the Czech Republic, Denmark, Germany, Greece, Croatia and Poland made the digital green certificate available to citizens Tuesday. The certificate shows whether an individual is fully vaccinated against COVID-19, recovered from the virus or received a negative test over the past three days. See also: Privacy Commissioners Comment on Vaccine Passports; Ombudsmen from across Canada warn provinces of domestic COVID-19 vaccine passport pitfalls; Canadian Privacy Commissioners Issue Joint Guidance on Vaccine Passports

CoE, Parliament reach provisional deal on COVID-19 certificates

The Council of Europe and European Parliament reached a provisional deal on COVID-19 certificates. Under the deal, member states will not be able to store information gathered through the certificates. Entities processing personal information will be made public to allow citizens to exercise their rights under the EU GDPR. The European Parliament Committee on Civil Liberties, Justice and Home Affairs also endorsed the digital COVID certificates.

New York vaccine passport gaining traction amid privacy questions

More than 1 million New York Excelsior Passes — the first government-issued vaccine passport in the U.S. — have been downloaded since it was introduced in March. Some states banned the use of vaccine passports, citing privacy protections, while technology professionals warn of fraud possibilities. Surveillance Technology Oversight Project Executive Director Albert Fox Cahn downloaded a different individual’s Excelsior Pass using information from social media posts and Google in 11 minutes.

Identity / Biometrics

EU Commission proposes a trusted and secure Digital Identity for all Europeans

The Commission has proposed a framework for a European Digital Identity which will be available to all EU citizens, residents, and businesses in the EU. Citizens will be able to prove their identity and share electronic documents from their European Digital Identity wallets with the click of a button on their phone. They will be able to access online services with their national digital identification, which will be recognised throughout Europe. [Report from the Commission to the European Parliament and the Council on the evaluation of Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS)]

Digital wallet unveiled in EU

The European Commission announced its proposal for a digital wallet that would store payment details and passwords and be accessible via fingerprint or retina scanning. The application would allow citizens to access government websites or pay utility bills using one identity. Users could also store official documents on the app.

Facial Recognition in the News

New York City Biometrics Law Takes Effect in July 2021

Following the municipal ban on the use of facial recognition technology in Portland, Oregon, New York City’s more expansive “biometric identifier information” law, set to go into effect July 9, 2021, will ban the sale of biometric data but permit the use of biometric identifying technologies with posted notice to customers in “simple language” to be prescribed by forthcoming rules.

Online Privacy / Surveillance

NGO issues 560 cookies complaints, plans 10K more

Advocacy group NOYB sent 560 complaints to companies in 33 countries alleging unlawful deployment of cookie banners under the EU GDPR. NOYB Founder Max Schrems argues the violators do not provide a “simple yes or no option” for cookies but instead “use every trick in the book to manipulate users.” The group claims it will send up to 10,000 more complaints by the end of 2021 through its own automated system that detects cookie violations.

Mobile / Location

Amazon Sidewalk brings mobile device privacy concerns

Amazon Sidewalk, a shared network initiative for Amazon devices set to roll out June 8, is raising privacy concerns. At launch, Sidewalk will automatically enroll devices, including Alexa, Echo and Ring products, into these networks unless users update their personal device settings. The sharing could potentially leave users’ devices and information, such as cameras and browsing histories, open to nearby devices within a local Sidewalk network.

Law Enforcement

Richmond public CCTV cameras subject to function creep

Richmond may be one of the most ‘surveilled’ cities in Canada now that 110 closed-circuit TV cameras have been installed at major intersections, including those leading to Vancouver International Airport. Four years ago, Richmond adopted a $2.18-million “predictive traffic management” plan with footage also available to settle disputes like who actually was at fault in a crash. In 2018 B.C. Privacy Commissioner Michael McEvoy raised no objections to the plan after reviewing it because the traffic cameras deliberately collected low-resolution video that obscures faces and licence plates. To further ensure a privacy firewall, McEvoy also insisted that the city — not the RCMP — manage the data. Because Richmond accepted McEvoy’s guidance, its traffic management cameras are exempt from FIPPA. Now Richmond wants the province’s blessing to jettison all of that. The mayor and council of the city with British Columbia’s fourth lowest crime rate want the cameras zoomed in, transformed from benign traffic monitoring into high-resolution surveillance.

Human rights groups say digital surveillance of immigrants raises privacy concerns

Human rights groups are urging the Biden administration and U.S. Immigration and Customs Enforcement to end a digital surveillance program that uses GPS-tracking ankle monitors and facial recognition technology to monitor immigrants. The groups said the SmartLINK application, one app used in the program that requires immigrants to check in with facial recognition and location confirmation, “raises a number of privacy and surveillance concerns.” They called for “solutions that put an end to all forms of immigrant surveillance and detention.”

Security / Breaches

Ransomware: avoidance and response

Ransomware is on the rise. A 2020 report by IBM demonstrates the commonality of these attacks, indicating that ransomware is by far the most common form of cyber attack in the world. It is also one of the most common cyber threats in Canada according to the Canadian Centre for Cyber Security (the “CCCS”). The CCCS stated that ransomware is becoming an increasingly common threat and that it is one of the cyber threats most likely to affect Canadians. It is thus understandable that Canadian IT professionals flagged malicious software attacks (including ransomware) as the most significant cyber risk according to the Canadian Internet Registration Authority’s 2020 Cybersecurity Report.

Phishing campaign targets government agencies

Microsoft said the group behind the SolarWinds hack launched a phishing campaign targeting 3,000 email accounts at more than 150 organizations, including government agencies.

U.S. Reports Health Breach Statistics

The U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website has seen nearly 100 new breaches in recent weeks, while the Office for Civil Rights website listed 251 breaches added this year.

Canada Post reveals supplier data breach involving shipping information of 950,000 parcel recipients

A cyber-attack on a third-party supplier of Canada Post has resulted in a data breach impacting 950,000 parcel recipients. In a press release, Canada Post said it had informed 44 “large business customers” that they had potentially been affected by “a malware attack” against Commport Communications, a provider of electronic data interchange services.

Regulators

ICO seeks comments on guidance on privacy-preserving practices

The U.K. Information Commissioner’s Office opened a public consultation on the opening chapter of its draft guidance for anonymization, pseudonymization and privacy-enhancing technologies. The first of the seven-chapter guidance explores “the legal, policy and governance issues around the application of anonymization and pseudonymization in the context of data protection law.” The examination covers the ability to anonymize datasets, if it can be done effectively and what the benefits are to applying the practice.

EDPS launches ‘Schrems II’ investigations on EUIs, European Commission’s tech use

The European Data Protection Supervisor launched a pair of investigations as part of its strategy to have EU institutions comply with the Court of Justice of the European Union’s “Schrems II” decision. The first investigation centers on the use of cloud services provided by technology companies under Cloud II contracts by EU institutions, bodies and agencies, while the second focuses on the European Commission’s use of Microsoft Office 365.

21-27 May 2021

COVID-19

CoE, Parliament reach provisional deal on COVID-19 certificates

The Council of Europe and European Parliament reached a provisional deal on COVID-19 certificates. Under the deal, member states will not be able to store information gathered through the certificates. Entities processing personal information will be made public to allow citizens to exercise their rights under the EU GDPR. The European Parliament Committee on Civil Liberties, Justice and Home Affairs also endorsed the digital COVID certificates. See also: Proof of vaccination: privacy considerations for businesses.

B.C. Privacy Commissioner says vaccine passport must be secure, used sparingly

B.C. is exploring vaccine passports as proof of immunization for travel, but B.C.’s privacy commissioner warns the province needs to proceed with caution. “How do you make it so that it’s secure, that it only contains the information that it needs to and doesn’t do things like have a centralized database that would track people, for example?” “But there are larger issues as well,” said McEvoy. “Is it something that might be required to enter, for example, a care facility, versus a gym, versus a mall, versus a Canucks game? These are questions that, I think, are larger than privacy issues — they’re also human rights issues, and they are issues as a society I think we have to grapple with. Where is the balance in all of this, where is it necessary to show a credential like that where we think it’s going to make us safer, and where are places where perhaps we don’t need it?”

Yukon Privacy Commissioner releases guidance for ‘vaccine passports’

The Yukon’s Privacy Commissioner, Diane McLeod-McKay, has weighed in on the idea of vaccine passports with guidelines released May 19. The Yukon is set to change its current border restrictions on May 25. Under the new rules Canadians who are fully vaccinated (two vaccine doses plus the waiting period) are not required to self-isolate when coming to the territory from Outside. However, travellers will be required to provide documentation and must also sign a document allowing the government to verify the information via health records. McLeod-McKay said: “I believe in being proactive, I would much rather work with the department to try and make sure that the law is being complied with. We do work quite closely together. So I will be raising that issue with them and hopefully I get a positive response.” See also: What we know so far about Yukon’s plan to verify whether someone is fully vaccinated and CBC Interview with Yukon Premier.

Sask Privacy Commissioner flags privacy concerns over COVID vaccine passports

The Saskatchewan privacy commissioner is flagging concerns over potential privacy encroachments when people are asked to confirm their vaccinations to governments and businesses. Ron Kruzeniski said governments and businesses ought to follow particular limitations when choosing to ask a person to verify they’ve been vaccinated. The first one is “do organizations have the legal authority to ask those questions or to ask to see a certificate or a passport.” Kruzeniski recommended people who are asked to provide their vaccine verification ought to ask the inquiring party: “What are you going to use it for? Are you going to tell me the purpose of your asking? Are you going to collect the least amount of information possible? And do you need to know my date of birth, my gender, my race, my income level, my postal code?” Further limitations should be used once the information is obtained, he explained. “Where and how do you store (the information)? And then the question is whom do you share it with?” “It’s my personal health information, it’s nobody else’s … the last question is, ‘once you’re done with it, are you going to destroy it right away? How long do you need it?’” A “supplementary question” worth asking is “are you going to be tempted to use it for another purpose?” he said. “That’s generally viewed as a no-no.” The privacy commissioner also cautioned against only using the word “passport” to describe a vaccine verification.

N.B. Ombud says don’t forget about privacy when discussing vaccine passports

Speaking on COVID-19 vaccine passports or certificates, New Brunswick’s ombud Charles Murray said “We are asking people about their medical history. That is a very private thing for all of us, and we’ve recognized for years, that’s amongst the most private things I can know about you, is your medical situation. If we’re going to do that, how do we build the best system to protect privacy within that constraint? Because the goal won’t be to protect privacy, the goal will be to protect public health.” Murray’s advice to political leaders should they decide proof of vaccination is required to travel: “Don’t build your document and then say, ‘Oh. Now, what about privacy?’”

Review finds state COVID-19 websites with highest numbers of user trackers

The Markup’s Blacklight scanner found that Utah, Hawaii and New Jersey’s COVID-19 websites carry the highest number of advertising trackers and cookies among the states. The Utah website’s tracking technology was found to be connected to Facebook, the parent companies of Google, Snapchat, Twitter, LinkedIn and Tapad. A Utah Department of Health spokesperson said the technology is used “for analytics purposes,” while privacy advocates said government entities should exercise caution in tracking residents’ data.

CNIL authorizes experimental concert to study COVID-19 transmission

France’s data protection authority has authorized a research project by Assistance Publique–Hôpitaux de Paris that will evaluate COVID-19 transmission during an experimental concert. The CNIL was asked to authorize the project as it involves processing sensitive data of 7,500 participants.

Requiring proof of vaccination in workplace breaches HIPAA

The Washington Policy Center argued a state-mandated proposal requiring residents to show proof of vaccination in the workplace before employers ease social distancing and mask requirements may breach individuals’ medical privacy and the U.S. Health Insurance Portability and Accountability Act.

Vaccine badges on dating apps could have legal implications: privacy expert

A few dating apps in the United States, like Tinder and Bumble, are now making vaccine badges available for users to include in their profile. So far, the feature is only rolling out in the U.S., after the White House pushed to have the apps offer special incentives to get people to roll up their sleeves. It’s all part of an effort to have 70% of Americans vaccinated by July.

United Airlines will give some lucky people free flights with proof of vaccination

United Airlines is offering a chance to win free flights if you upload your vaccination record to its app by June 22. The new sweepstakes — Your Shot To Fly — applies to MileagePlus members. After uploading your record, you’re automatically entered to win a round trip flight or free flights for a year.

Why we need to seriously reconsider COVID-19 vaccination passports

In a blog post for The Conversation, Tommy Cooke warns against function creep and surveillance associated with vaccine passports and calls for greater public debate and involvement.

Majority of Canadians support COVID-19 vaccine passports for concerts, travel: Ipsos

As discussions of “vaccine passports” circulate in public policy circles, new data from the non-profit Angus Reid Institute finds Canadians largely accepting of the concept in various forms. More than three-quarters say that they would support mandatory vaccination proof for both travel to the U.S. and for international travel. In each case one-in-five disagree. That said, there is a clear preference to reduce reliance on proof of vaccinations in domestic life when compared with international travel. While a majority also agree that vaccine passports could be used at public places in their communities, like restaurants, malls and movie theatres, two-in-five (41%) oppose the idea – suggesting much more difficult implementation.

Biometrics

EU advocacy groups file claims against Clearview AI

Privacy International and Max Schrems’ NOYB filed complaints to European data protection authorities regarding alleged data scraping by Clearview AI. The groups sent filings to DPAs in Austria, France, Greece, Italy and the U.K. The groups said Clearview’s work “goes far beyond what we could ever expect as online users.” Clearview claimed it “has never had any contracts with any EU customer and is not currently available to EU customers.”

California passes voice recognition device bill

The California Assembly passed Assembly Bill 1262, which places limits on the use and retention of voice data collected by connected TV and smart speaker developers. The law does not cover cellphones, tablets, laptops with mobile data access, pagers or motor vehicles. See also: Smart (CA) TVs Are Listening: California Assembly Passes Voice Recognition Device Bill Headed to Senate

EAB advocates for biometric border posts to include privacy-enhancing technologies

The non-profit European Association for Biometrics (EAB) has published a position paper highlighting the biometric technology that can reinforce and re-establish common security and free mobility in the Schengen area post-COVID.

Facial recognition deployed for gambling in South Australia

Facial recognition has been deployed to more than 230 gambling venues in South Australia under the government’s plan to reduce gambling harms in the State, according to a government announcement.

Online Privacy / Surveillance

Google Play Store to Add Privacy Labels to Android Apps by 2022

Following Apple’s recent rollout of privacy labels, Google has announced a similar initiative that will appear on the Play Store sometime before mid-2022. As with Apple’s program, the privacy labels are meant to give end users a quick reference to the range of data that Android apps are asking for.

German regulator probing Google’s data use

Germany’s Federal Cartel Office opened an investigation into Google over its handling of user data. The competition regulator is examining whether Google provides sufficient choices in how it uses data across the company’s various digital services.

Access Now report explores data minimization

A report published by Access Now titled “Data minimization: Key to protecting privacy and reducing harm” explores combating online abuses by limiting the amount of information entities can collect. The report’s recommendations include enabling data collection on protected classes for civil rights purposes or to support underrepresented populations, limiting data collected for behavioral advertising and implementing data minimization for machine learning models.

Employee monitoring increases, raising privacy concerns

A report by the Institute for the Future of Work found more companies are turning to algorithmic systems to monitor employee performance, accelerated by the COVID-19 pandemic, but the technology is raising concerns. In a survey conducted by U.K.-based trade union Prospect, the majority of workers expressed being uncomfortable with camera or keystroke monitoring.

Survey examines the current state of employee monitoring

ExpressVPN published a survey revealing the feelings of employers and employees regarding remote work and subsequent employee-monitoring practices. The survey showed 78% of 2,000 responding employers track their employees’ performance and online activity, with 66% of respondents monitoring web browsing history. On the employee side, 59% of 2,000 employees are wary of employer surveillance, and 43% believe the monitoring is a violation of trust.

Study: Australians concerned about privacy in new technology

A study by the Australian Communications and Media Authority found 70% of Australians are concerned about privacy in new technology. The study found 80% of Australians over 65 feel overwhelmed by technological change, with 95% increasingly using the internet for banking, purchases and more. The ACMA said digital use “brings with it a range of risks and challenges — from privacy and security concerns to exposure to misinformation and disinformation, scams, online bullying, and other harms.”

Law Enforcement

The OPP wants to find out if body worn cameras can improve policing

Starting this month, some provincial police officers in southwestern Ontario will start wearing body cameras to see if the technology makes police and the public safer. The year-long study was announced by the Ontario Provincial Police. OPP also said it would not release the findings of the study when it concludes a year from now. Traffic enforcement and emergency response officers, as well as uniformed officers with the Haldimand detachment, will start wearing the technology in plain view.

Alberta drops plans for surveilling citizens with drones – proposals received much backlash

The government of the Canadian province of Alberta was forced to drop plans to surveil the public using drones after the scheme was called out by activists. The dystopian plan was supposed to support safety by highlighting campsites with more than 10 individuals. The plan was discovered by the independent political think tank Alberta Institute. The think tank also launched a petition calling for the abolition of the program. See also: Kenney government, the day the drone hit the fan

GCHQ’s mass data interception violated right to privacy, court rules

The UK spy agency GCHQ’s methods for bulk interception of online communications violated the right to privacy and the regime for collection of data was unlawful, the grand chamber of the European court of human rights has ruled.

Youth / Education Privacy

Education software firm addresses security vulnerabilities

A Canadian education technology company lacked a comprehensive information security framework to protect the personal information of hundreds of thousands of students, an investigation by the OPC has found. The IPC conducted a related investigation under Ontario’s Municipal Freedom of Information and Protection of Privacy Act into a complaint against a school board using the Edsby application to manage student attendance [report]. The investigation was launched following a complaint filed by a parent who had discovered security vulnerabilities in a software application adopted by his children’s school board.

Western University switches online exam proctoring services

Western University in Ontario announced it will transition to Proctorio’s online exam monitoring service this summer following student privacy concerns. The school previously used Proctortrack, which stirred privacy concerns with its invasive monitoring tactics. Western said Proctorio “addresses the privacy and security needs of our students,” but the school’s Policy Pitch Association rebutted that Proctorio is equally problematic.

UK ICO highlights Children’s Code case study

The U.K. Information Commissioner’s Office highlighted a case study for its Age Appropriate Design Code. The ICO’s Children’s Code team worked with video game company Square Enix for a workshop on the Children’s Code harms framework. Workshop participants were asked questions about how they process children’s data and the legal bases for using their information. The ICO added it will translate the harms framework into an interactive tool over the coming months.

CRS report details FERPA regulations

The U.S. Congressional Research Service released a report on the Family Educational Rights and Privacy Act’s provisions and applications, detailing the act’s regulations around access to and disclosure of education records, the allowable release of directory information and deidentified data, emergency exceptions, enforcement and more. The report also calls on Congress to amend the law to add a private right of action for parents or students to take action over alleged violations.

UNICEF calls for better governance of children’s data

The United Nations Children’s Emergency Fund Office of Global Insight and Policy published a Manifesto that sets benchmarks governments, organizations and others can follow to develop better governance of children’s data. The Manifesto includes analysis, insights and guidance from 17 professionals in academia, the private sector and more. UNICEF said it wants to “address ambiguous or sensitive areas where there are no straightforward answers.”

Safeguards / Breaches

Ransomware attack compromises RCMP’s ability to issue pay stubs

The RCMP found itself the victim of a growing digital crime spree as a ransomware attack on a federal government contractor compromised the Mounties’ ability to process pay stubs for its more than 20,000 employees.

U of T teams up with schools in Canada, around the world to share cybersecurity intelligence

The University of Toronto is working with schools in Canada and abroad to thwart cybersecurity attacks by sharing data in real-time. For nearly a year, the Canadian Shared Security Operations Centre (CanSSOC), for which U of T serves as administrative lead, has been piloting a threat feed that sends members immediate information on suspicious activity and potential breaches, all while protecting the anonymity of affected institutions. Now, CanSSOC will be partnering with organizations in the United States, Australia and the United Kingdom to extend this intelligence-sharing beyond Canadian borders.

Data Sciences

Regulatory sandboxes on the rise

Emerging Tech Brew reports on the rising use of regulatory sandboxes by regulators, researchers and developers for artificial intelligence development. Researcher and NYU Professor Meredith Broussard said AI regulation is “just getting started,” and a regulatory sandbox “is a really good first step.”

Google, hospital chain partner to develop health care algorithms

Google and hospital chain HCA Healthcare are partnering to develop health care algorithms, giving Google access to patients’ digital health records. The companies said the algorithms will improve efficiency, help monitor patients and guide medical decisions. Identifying information will be removed from patient records before being shared with Google.

AI Surveillance on the Rise

Politico reports on the relationship between AI and surveillance, how the COVID-19 pandemic normalized data collection and tracking, and concerns over the technology. See also: The future of AI regulation in Canada: what we can learn from the E.U.’s proposed AI framework

Regulators

FTC publishes ‘2020 Privacy and Data Security Update’

The U.S. FTC published its “2020 Privacy and Data Security Update.” The FTC recapped its notable privacy enforcement cases from the past year, including final court approval in its case against Facebook and actions against Zoom. The agency also looked back at its cases involving the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act.

U.S. Treasury Announces Cryptocurrency Reporting Requirements

On May 20, 2021, the U.S. Department of the Treasury announced a proposal that would require any cryptocurrency transaction of $10,000 or more to be reported to the Internal Revenue Service (“IRS”).

2021 May 21

COVID-19:

Canada’s Privacy Commissioners Issue Joint Statement On COVID-19 Vaccine Passports

Canada’s federal, provincial and territorial privacy commissioners are urging governments, health authorities and businesses across the country to fully comply with applicable privacy laws if they develop and implement controversial COVID-19 vaccine passports. The commissioners said that vaccine passports are only justified if solid scientific evidence proves they are necessary and effective in achieving intended public health purposes and no other less intrusive option is available. The necessity, effectiveness and proportionality of vaccine passports must be established for each use context, and continually monitored. Vaccine passports must be decommissioned if, at any time, it is determined that they are not a necessary, effective or proportionate response to address their public health purposes. [See also: Vaccine Passports and Medical Paternalism]

UK ICO Fines COVID-19 Tracker for Turning Contact Data into Sales Leads

The UK Information Commissioner’s Office has issued a fine for “spamming without consent” [ICO blog & Penalty Notice] to Tested.me, a company that helps UK businesses meet the government’s coronavirus track-and-trace rules. Unfortunately for Tested.me, they also asked for consent to use contact data for purposes other than coronavirus tracking. Separate to the investigation, the ICO responded to the rise in the use of QR code technology by contacting 16 QR code providers to ensure they were also handling people’s personal information properly.

Access to Information:

RCMP Can’t Find Report into Fatal Shooting by Moncton officer

For the second time in two years, the RCMP says it can’t find a report by an independent agency investigating shootings by officers in the Moncton area.

N.L. Access to Information Review Wraps Up, in Contrast to Past Turmoil

Recommendations are now pending on possible revisions to Newfoundland and Labrador’s access to information system. Provincial government officials say the system is bursting at the seams, and changes are necessary, but the transparency watchdog says the past five to six years have been a “story of success” through a “world-class” system.

BC OIPC Calls on Government to Bring InBC Investment Corp Under ATIP Legislation

BC Commissioner McEvoy is urging the provincial government to bring its proposed InBC Investment Corp. (InBC) under BC’s Freedom of Information and Protection of Privacy Act (FIPPA). On April 27, 2021 the BC government introduced legislation to create InBC, a crown corporation that will be charged with managing $500 million in public funds aimed at investing in BC’s business and innovation sectors.

Health:

Surgeon’s Licence Suspended Over Social Media Posts, Surveillance of Patients Without Consent

A Toronto plastic surgeon and self-styled social media influencer has had his licence to practise medicine suspended. In a decision released on May 12, the disciplinary committee of the College of Physicians and Surgeons of Ontario (CPSO) suspended the licence of Dr. Martin Jugenburg — who goes by Dr. 6ix on social media — for six months over inappropriate online posts and for his use of surveillance cameras in his downtown Toronto clinic.

Digital Identity:

Digital IDs Might Sound Like a Good Idea, But They Could Be a Privacy Nightmare

Current discussions of digital vaccine “passports” are just a small part of a much larger movement aimed at creating a digital identity system. The ACLU has released a report looking at digital driver’s licenses and noting many pitfalls and long-term implications for civil liberties, including increasing inequities, centralized tracking, and poor information security. The ACLU calls on state legislators to insist that the standards for digital driver’s licenses be refined until they are built around the most modern, decentralized, privacy-protective, and individual-empowering technology for IDs; that they make sure that digital identification remains meaningfully voluntary and optional; that police officers never get access to people’s phones during the identification process; and that businesses aren’t allowed to ask for people’s IDs when they don’t need to.

Federal Agency Adopts Verified.Me® for Digital Identity Verification

SecureKey Technologies Inc., a Toronto-based provider of digital identity and authentication solutions, has announced that Employment and Social Development Canada (ESDC) has adopted Verified.Me as the new real-time way to securely verify identity when registering for a My Service Canada Account (MSCA), streamlining the digital identity verification process.

Biometrics:

Commissioner Therrien Says Facial Recognition Risks Not Addressed in Proposed Law

In remarks to Parliament, Privacy Commissioner Daniel Therrien said Canada needs new regulation for facial recognition beyond the proposed update to private-sector privacy laws, and is calling for significant amendments to the legislation. Therrien criticized Bill C-11, the Consumer Privacy Protection Act (CPPA), as inadequate, saying CPPA adds business interests for consideration without adding any consideration of the effects on privacy introduced by new technologies.

Amazon extends facial recognition ban for police

Amazon announced an extension to its moratorium on law enforcement’s use of the company’s facial recognition technology until further notice. The company’s initial one-year ban was set to expire in June. The move follows recent calls from civil rights groups asking Amazon to roll out a permanent ban on facial recognition use by police.

Other Biometrics News

Company Launches Deepfake Voice Clone Program for Celebrities

U.S. software company Veritone announced the start of a new platform that will support the creation of deepfake voice clones. Marvel.AI is being rolled out first for celebrities and content creators to use and license. The platform will build a catalog and marketplace of machine learning-generated voice recordings stored by Veritone and available for purchase with a voice owner’s consent.

Sensory’s new voice assistants do not sacrifice your privacy or send data to the cloud

Santa Clara, CA-based voice AI company Sensory has announced a custom voice assistant that delivers total privacy for its users. This voice assistant does not even need an internet connection. One of the first devices to use the Sensory voice assistant is a new voice-enabled Farberware microwave oven that features a custom, private voice UI. The technology uses a custom, domain-specific voice assistant that can understand over 150 commands.

Law Enforcement / Surveillance:

Police Departments Adopting Facial Recognition Tech Amid Allegations of Wrongful Arrests

Claims of wrongful arrests stemming from the use of facial recognition technology are increasing. Police in Detroit, Michigan, have now implemented policies limiting use of the tech and requiring police disclosures, while 19 cities have banned facial recognition use entirely.

Community Control of Police Spy Tech

According to EFF, police and other government agencies often unleash invasive surveillance technologies on community streets, based on the unilateral and secret decisions of agency executives, after hearing from no one except corporate sales agents. This spy tech causes false arrests, disparately burdens BIPOC and immigrants, invades privacy, and deters free speech. Many U.S. communities have found Community Control of Police Surveillance (CCOPS) laws to be an effective step on the path to systemic change. CCOPS laws empower the people of a community, through their legislators, to decide whether or not city agencies may acquire or use surveillance technology. Communities can say “no,” full stop.

Newfoundland and Labrador commissioner urges halt on bodycams

Privacy Commissioner Michael Harvey advised authorities in the town of Happy Valley-Goose Bay to end their use of body cameras following an investigation of uses by law enforcement and animal control. Harvey’s office found potential purpose limitation and data minimization issues associated with the current camera deployments. Harvey said the town should consider “entirely abandoning the initiative and re-examine from scratch its approach.”

Amazon’s Ring is the Largest Civilian Surveillance Network the US Has Ever Seen (Opinion)

One in 10 US police departments can now access videos from millions of privately owned home security cameras without a warrant. Ring is effectively building the largest corporate-owned, civilian-installed surveillance network that the US has ever seen. An estimated 400,000 Ring devices were sold in December 2019 alone.

22 Automated Speed Cameras Coming to Mississauga Streets

Mississauga is considering expanding the city’s automated speed cameras from two to 22 by the end of 2021, with a budget increase of $467,000. The city says the cameras will rotate to new locations on a monthly basis, and that the locations for each camera are prioritized using a “data-driven approach that considers the severity of speeding in the area and other factors such as traffic and pedestrian volumes, collision history and site suitability.”

The Police Dog Who Cried Drugs at Every Traffic Stop

Public records show that from the time he arrived in Republic, Washington in January 2018 until 2020, Karma the police dog gave an “alert” indicating the presence of drugs 100% of the time during roadside sniffs outside vehicles. Whether drivers actually possessed illegal narcotics made no difference. The government gained access to every vehicle that Karma ever sniffed. He essentially created automatic probable cause for searches and seizures, undercutting constitutional guarantees of due process. Similar patterns abound nationwide, suggesting that Karma’s career was not unusual. Despite the frequent errors, courts typically treat certified narcotics dogs as infallible, allowing law enforcement agencies to use them like blank permission slips to enter vehicles, open suitcases, and rummage through purses.

Internet of Things:

NIST Seeks Consultation on IoT White Paper

The U.S. National Institute of Standards and Technology announced a public comment period for its white paper on consumer confidence in Internet of Things security. The deadline for public comments is June 14.

Security / Cybersecurity:

White House Releases Wide-Ranging Executive Order on Cybersecurity

The Biden administration issued a lengthy Executive Order, “Improving the Nation’s Cybersecurity,” on May 12, which it described as the “first of many ambitious steps” toward modernizing U.S. cybersecurity defenses. The White House simultaneously issued an explanatory fact sheet and background press call. Pursuant to the Order, government agencies will be required to deploy multifactor authentication, encryption, endpoint detection and response, and logging, and to operate under the principle of a “zero-trust” environment. A clear purpose of the Order is to improve the security of commercial software, including by establishing baseline security requirements based on industry best practices. [See also: Companies Prepare for Mandatory Breach Notification Under Biden EO]

NIST Releases Tips and Tactics for Dealing With Ransomware

To help organizations protect against ransomware attacks and recover from them if they happen, the National Institute of Standards and Technology (NIST) has published an infographic offering a series of simple tips and tactics. NIST has also published a more detailed fact sheet on how to stay prepared against ransomware attacks. See also: The Scourge of Ransomware

Breaches:

Cybercrime thrives during pandemic: Verizon 2021 Data Breach Investigations Report

Increase in phishing and ransomware attacks – along with continued high numbers of Web Application Attacks – underscore a year of unprecedented security challenges.

Student Health Insurance Carrier Guard.Me Suffers a Data Breach

Student health insurance carrier guard.me has taken their website offline after a vulnerability allowed a threat actor to access policyholders’ personal information. guard.me is one of the world’s largest insurance carriers specializing in providing health insurance to students while traveling or studying abroad in another country.

Mobile / Location / Online Privacy:

Dutch city hit with €600,000 GDPR fine over Wi-Fi counters

The Dutch Data Protection Authority (DPA) has fined the City of Enschede €600,000 for its use of Wi-Fi sensors to measure the number of people in the city centre. The DPA accepted that it was not the city’s intention to track people and found no evidence to suggest that this actually took place. However, it said: “Using Wi-Fi tracking that makes it possible is in itself a serious violation of the privacy law: the GDPR.” The municipality of Enschede is appealing the decision and said the accounts are anonymous and that no personal data has been processed. “We do not follow, we only count,” a spokesperson said.

Why More Young People Are Ditching Their Smartphones

As Covid-19 causes people to become increasingly glued to their devices, growing numbers of Gen Zers are shunning their phones and embracing a way of life that they say is improving their mental health. But how easy is it really to kick the habit?

Recycle Your Phone, Sure, But Maybe Not Your Number

Researchers at Princeton University have shown how fraudsters can abuse wireless provider websites to identify available, recycled mobile numbers that allow password resets at a range of email providers and financial services online [read: “Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States”].

We Found Joe Biden’s Secret Venmo – and Privacy Gaps in The Payment App

BuzzFeed News found President Joe Biden’s Venmo account after less than 10 minutes of looking for it, revealing a network of his private social connections, a national security issue for the United States, and a major privacy concern for everyone who uses the popular peer-to-peer payments app.

Many Canadians Want Government Services Made Available Online Permanently

A recent survey commissioned by ServiceNow found that 69% of Canadians would like to be able to access federal services digitally, while 70% feel this way about provincial services, and 65% about municipal services. Additionally, 74% of Canadians said the pandemic has made them more receptive to accessing government services online. However, not everyone wants to see in-person services replaced with digital counterparts. 46% of respondents said they rely on someone else helping them navigate government systems—28% of these said they require help because they find the process too complicated.

Professionals Launch ‘Dark Patterns’ Reporting Website

A group of privacy professionals and scholars launched the Dark Patterns Tip Line, a website for reporting manipulative online practices. The website educates users on what dark patterns are and where they can be found while also calling on users to report.

Democrats Push Back Against Child Version of Instagram

Four U.S. Democratic lawmakers came out against Instagram’s plans to launch a children’s version of its platform. Citing privacy concerns, they urged parent company Facebook to abandon plans, noting the company “has forfeited the benefit of the doubt” when it comes to protecting users and their interests. The push from lawmakers follows a similar call from 44 state attorneys general a week prior.

Google Announces New Privacy Features

Google announced it will release a suite of new privacy capabilities, including allowing users to delete the last 15 minutes of their search history, a password-protected photos folder, informing users when one of their passwords is compromised in a data breach, and recording which apps have access to an Android’s camera and location information.

Google Analytics Will Soon Work Without Cookies

Google plans to roll out features allowing marketers to gain insights into Google Analytics without having to use third-party cookies or identifiers. Using “advanced machine learning models,” Google will help fill in gaps on incomplete datasets when cookies are unavailable.

Data Sciences:

UK Drafts Automated Decision-Making Framework

The U.K. government published its Ethics, Transparency and Accountability Framework for Automated Decision-Making. The guidance offers seven consideration points, including proper handling of user data, to ensure “safe, sustainable and ethical use of automated or algorithmic decision-making systems.” The government hopes the framework will “improve the general literacy” around artificial intelligence for civil servants and ministers “to support the agenda and provide appropriate challenge.”

Regulators:

ICO’s Data Sharing Code of Practice laid before UK Parliament

The U.K. government laid the Data Sharing Code of Practice, created by the U.K. Information Commissioner’s Office, before Parliament. The code is designed to provide advice to businesses and organizations on how to share data responsibly. The code of practice will lay before Parliament for 40 sitting days before it goes into effect.

Study: Italy, France Doled Out Highest Fine Totals Under GDPR

A study conducted by Privacy Affairs measured the fines issued by data protection authorities under the EU General Data Protection Regulation. Spain handed out 222 financial penalties since the GDPR went into effect followed by Italy with 73. For monetary amounts, Italy had the highest total with 76 million euros in fines with France second at 54 million euros.

French Government Approves Cloud Data Storage

Members of France’s government announced a plan to allow sensitive data storage in Google and Microsoft clouds under a data localization model.

California Considers Consumer Privacy Protections for Smart Speaker Devices

Existing California law regulates the operation of voice recognition features for smart televisions. Manufacturers and their contracting third parties, for example, are prohibited from selling or using—for any advertising purpose—actual recordings of spoken words collected for a specified purpose through the operation of a voice recognition feature. On May 10, 2021, the California Assembly passed AB-1262, which seeks to extend these consumer protections to users of smart speaker devices that have a voice recording feature.

High Court Hands Irish DPC Victory in Facebook Data Transfers Case

The Irish High Court dismissed all of Facebook’s procedural complaints in a preliminary decision from Ireland’s Data Protection Commission (DPC) regarding data transfers from the EU to the U.S. A win for the Irish DPC, the court decision opens up the possibility that Facebook would eventually have to halt personal data transfers from the EU to the U.S. The case could ultimately affect trans-Atlantic data flows for other companies, as well.

FTC & Privacy: Will the FTC’s Rulemaking Push Result in New Privacy Rules?

The FTC is laying the groundwork to test the scope of its rulemaking authority. FTC Chairwoman Rebecca Slaughter (D) has centralized FTC rulemakings, noting that it was “time for the Commission to activate its unfair methods of competition rulemaking authority” and that she is “excited for this new rulemaking group to explore all the possibilities.” The Supreme Court’s recent decision in AMG Capital Management v. FTC, which curtailed the FTC’s ability to obtain equitable monetary relief, gives Slaughter’s push for rulemakings added urgency.

FINTRAC Updates Guidance on Regulatory Amendments Coming into Force on June 1, 2021

The Financial Transactions and Reports Analysis Centre of Canada [FINTRAC] has recently updated its guidance on (1) compliance program requirements, (2) methods to verify the identity of persons and entities, (3) third party determination requirements and (4) reporting terrorist property. FINTRAC has also published new guidance on prepaid payment products and accounts, the 24-hour rule and travel rule requirements. The updated and newly published guidance reflects the series of regulatory amendments made to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act [PCMLTFA] and regulations over the past few years, the majority of which will come into force on June 1, 2021.

Events:

Privacy Symposium 2021 Scheduled for June 1 to 3

IAPP is hosting Privacy Symposium 2021, a virtual conference connecting privacy leaders, experts and practitioners from around the world on key trends, challenges and best practices. The event will take place June 1 to 3, featuring discussions on privacy as a key agenda item in boardroom discussions, data subject rights, standards in privacy management and privacy during a pandemic.

13 May 2021

COVID-19

Digital vaccination ‘passports’ coming to Quebecers Thursday, but they have no purpose yet

Starting this week, Quebecers will start getting the province’s long-awaited official digital proof of vaccination. It will take the form of an individual QR code that can be scanned on a cellphone, similar to a boarding pass at the airport. However, it doesn’t have any uses yet — no one will be able to read it for now. Health Minister Christian Dubé said no one will have the corresponding system to read the codes, except for the government. “The first step is just a technology,” he explained.

CNIL issues opinion on health pass project

France’s data protection authority, the Commission nationale de l’informatique et des libertés, issued its opinion on the government’s plan to require proof of vaccination or a negative COVID-19 test to enter certain establishments. The CNIL supports the initiative on the basis the information is not used beyond the COVID-19 pandemic. The agency also asked for the system to be continuously studied to determine whether the plan is still necessary.

NHS app to add vaccine passport functionality 17 May

The U.K. government announced the National Health Service application will be able to function as a vaccine passport starting 17 May, BBC News reports. The feature will be available to fully vaccinated citizens. The app will not be able to show COVID-19 test results; however, NHS will add the capability in a future update.

Report Details Checkpoints for vaccine passports

The Ada Lovelace Institute has published a research report outlining the requirements for a socially beneficial vaccine passport system. Key requirements for governments and developers include:

  • Scientific confidence in the impact on public health
  • Clear, specific and delimited purpose
  • Ethical consideration and clear legal guidance about permitted and restricted uses, and mechanisms to support rights and redress, and to tackle illegal use
  • Sociotechnical system design, including operational infrastructure
  • Public legitimacy
  • Protection against future risks and mitigation strategies for global harms.

Americans Support Vaccine Passports But Not For Work

The polling firm Ipsos announced: “A new Ipsos survey for the World Economic Forum finds that, on average, about three in four adults across 28 countries agree that COVID-19 vaccine passports should be required of travelers to enter their country and that they would be effective in making travel and large events safe.” On May 7, Gallup announced that “U.S. adults favor mandated vaccination certification for travel by airplane (57%) and to attend events with large crowds, such as concerts or sporting events (55%)”. Nevertheless, majorities of Americans in Gallup’s survey oppose requiring proof of vaccination for people headed to the workplace, hotel stays or restaurants.

Surveillance / Online Privacy

250 iPhone Apps Analyzed for Tracking

In March 2021, Wirecutter examined the privacy labels and practices of 250 apps across several categories, including the top apps of 2020, as well as popular games, browsers, weather apps, streaming-video apps, photography apps, notes apps, dating apps, shopping apps, news apps, and health and fitness apps. Among those apps, they found:

  • 60% of the apps had a Data Used to Track You label.
  • Of these apps, 96% used identifiers, 70% measured advertising data, 38% of the apps used location, and 19% used contact info.
  • 57% explicitly mentioned advertising as their purpose for tracking you.
  • 17 apps shared data with third parties without disclosing that sharing on their privacy label.
  • Apps that cost money collect and share less data than their free counterparts do.
  • Weather, shopping, health and fitness, dating and news apps did the most tracking.

See also: Amazon and Apple Built Vast Wireless Networks Using Your Devices. Here’s How They Work

Report: Apple gets 4% US opt-in rate under ATT

Recent data collected by Flurry Analytics shows only 4% of U.S. mobile device users are opting in under Apple’s App Tracking Transparency framework. The average daily opt-in rate worldwide is 12%. Flurry tracked opt-in rates from 2.5 million devices since ATT took effect in April.

Google to shed light on apps’ data practices

Google has announced the Google Play store will launch a safety section aimed at creating transparency on how applications collect, use and store personal data. Frey said Google will devise a policy for the app store “that requires developers to provide accurate information” about their data practices. Noncompliance with the standard will result in an order to fix descriptions or to “be subject to policy enforcement.”

CMU researchers show potential of privacy-preserving activity tracking using radar

Carnegie Mellon University’s Future Interfaces Group has demonstrated a novel approach to activity tracking that does not rely on cameras as the sensing tool. CMU researchers are investigating the use of millimeter wave (mmWave) Doppler radar as a medium for detecting different types of human activity. In the accompanying video, the model is shown correctly identifying a number of different activities, including cycling, clapping, waving and squats, purely from its ability to interpret the mmWave signal the movements generate, and having been trained only on public video data.

Data mining questioned following remote cheating accusations

Accusations of cheating on remote exams at Dartmouth College’s Geisel School of Medicine are raising questions about data mining. The school used the Canvas system to track student activity during remote exams without their knowledge to try to identify cheating. Of 17 accused students, seven have had their cases dismissed. In one dismissed case, administrators said “automated Canvas processes are likely to have created the data that was seen rather than deliberate activity by the user.”

Attorneys general call on Facebook to cancel children’s version of Instagram

A coalition of 44 U.S. attorneys general called on Facebook to stop creating a version of Instagram for children. In a letter to Facebook CEO Mark Zuckerberg, the attorneys general wrote the application could affect the privacy and mental health of children who “are not equipped to navigate the challenges of having a social media account.” Meanwhile, Common Sense Media released a guide on how behavioral advertisements impact children.

Sens. propose bipartisan bill to update COPPA

U.S. Sens. Ed Markey, D-Mass., and Bill Cassidy, R-La., introduced the Children and Teens’ Online Privacy Protection Act, which aims to modernize provisions of the Children’s Online Privacy Protection Act. The bill prohibits collection of data from users ages 13 to 15 without consent, creates an “Eraser Button” on websites to delete children’s data and adds a children’s privacy unit to the U.S. Federal Trade Commission. Markey said Congress must “swiftly put in place strict safeguards that stop” companies from “tracking young people at every turn in the online ecosystem.”

Senators Reintroduce Bill to Amend COPPA

Senators introduced the “Clean Slate for Kids Online Act of 2021” last week. Bill S.1423 seeks to amend the Children’s Online Privacy Protection Act. The bill provides individuals with the right to delete personal information the operator collected from the individual as a child. The right to delete applies even in instances where parental consent was provided for the collection of the personal information. The bill provides limited exceptions to the deletion requirement. Senators previously introduced the “Clean Slate for Kids Online Act” in 2018 and 2019 without success.

NYC Passes Data Privacy Bill on Owners of “Smart Access” Buildings

New York City has passed the Tenant Data Privacy Act [TDPA], which would impose on owners of “smart access” buildings obligations related to their collection, use, safeguarding, and retention of tenant data. The TDPA would require building owners to develop and maintain policies and procedures to address the following requirements: 1) Express Consent; 2) Privacy Policy; 3) Stringent Security Safeguards; and 4) Data Destruction. The TDPA would impose strict limits on the categories of tenant data that building owners would be permitted to collect, generate, or utilize through their smart access systems. Building owners would also be prohibited, subject to certain exceptions, from selling, leasing, or otherwise disclosing tenant data to any third parties. Significantly, the TDPA would also create a private right of action for tenants whose data is unlawfully sold.

Law Enforcement

New B.C. traffic cameras will help investigate crashes, say RCMP

110 new traffic cameras are being installed on B.C. roads to aid in crash investigations. RCMP and Richmond city officials said the cameras won’t just be taking pictures, but will be constantly recording video to get a better idea of what happens in car crashes. This will help determine fault, as well as gather data about how to make intersections safer. The footage will only be accessed in the event of a collision or if a crime is committed, and the resolution of the cameras isn’t good enough to provide details such as licence plates or facial recognition. If an outside agency wishes to access the video footage, the fee is $375. In order to maintain privacy, B.C.’s Office of the Information and Privacy Commissioner issued a directive that the cameras must not be monitored by the police, or the decision would not be supported. Instead, the footage will be monitored by the city’s transportation department.

Ontario to introduce detectors for contraband cell phones in adult correctional facilities

Ontario has announced that it will deploy new specialized devices at 25 adult correctional facilities across the province to help detect, locate and prevent the use of prohibited cell phones and to enhance security, said a news release dated Apr. 27. These devices are expected to be fully operational by summer 2021.

The Feds Can Access the Private Data on Your Phone Through Your Car

According to a report from The Intercept, U.S. Customs and Border Protection has found a convenient back door to siphon much of the information from the fortress of your smartphone: your car. Even though your car tries to keep you physically safe with airbags, ABS and seatbelts, it’s shockingly inept when it comes to keeping your data safe from the prying eyes of police agencies. As if that weren’t bad enough, our dumb cars are letting the CBP into our smartphones while we constantly and unknowingly pass data along to them.

Biometrics / Identity

Biometrics commissioner: Police shouldn’t be banned from using facial recognition

U.K. Biometrics and Surveillance Camera Commissioner Fraser Sampson said police departments should not be barred from using facial recognition technology. Sampson said the use of facial recognition tech should be addressed by law enforcement rather than lawmakers. The commissioner added the use of artificial intelligence will be “inevitable” and an “increasingly necessary component of policing.”

Civil rights groups call on Amazon to ban police use of facial recognition

In a letter to Amazon leadership, 44 civil rights groups called on the company to permanently ban use of its facial recognition software and stop selling the technology to law enforcement. Following national racial protests, IBM and Microsoft indefinitely suspended sales of their software to law enforcement, while Amazon implemented a one-year moratorium that expires next month. Amazon has not said whether it will continue or lift the ban.

Other Biometric News

Anyone can use this powerful facial recognition tool — and that’s a problem

You probably haven’t seen PimEyes, a mysterious facial-recognition search engine, but it may have spotted you. If you upload a picture of your face to PimEyes’ website, it will immediately show you any pictures of yourself that the company has found around the internet. PimEyes is open to anyone with internet access. It’s a stark contrast from Clearview AI.

NYC Creates BIPA-Like Requirements for Retail, Hospitality Businesses Concerning Biometric Information Collected from Customers

Effective July 9, 2021, certain retail and hospitality businesses that collect and use “biometric identifier information” from customers will need to post conspicuous notices near all customer entrances to their facilities. These businesses will also be barred from selling, leasing, trading, sharing or otherwise profiting from the biometric identifier information they collect from customers. Customers will have a private right of action to remedy violations, subject to a 30-day notice and cure period, with damages ranging from $500 to $5,000 per violation, along with attorneys’ fees.

These new requirements are set forth in an amendment to Title 22 of the NYC Admin. Code (the “Amendment”), and apply to “commercial establishments.”

Clearview hires DC lobbyists to educate on face biometrics technology

A lobbying firm founded by former Senate aides has been hired by Clearview AI to carry out “education around facial recognition technology.” A bill introduced in April by Senators Ron Wyden (D-OR) and Rand Paul (R-KY) and titled ‘The Fourth Amendment is Not for Sale Act of 2021’ would bar Clearview and any company that obtains data from personal accounts or devices without the owner’s consent from selling the data to government agencies. Clearview is also fighting a consolidated biometric data privacy lawsuit, and critics are demanding the Department of Homeland Security (DHS) cease all use of the app.

Calgary retailers launch ID entry

Four Calgary liquor stores are installing entry systems that will require customers to scan identification cards to verify age and ability to enter. The systems have been found to mitigate rising cases of theft, but privacy advocates are wary of potential data breaches associated with the system and its data collection. Office of the Information and Privacy Commissioner of Alberta Spokesman Scott Sibbald said, “There has been no consultation with our office on this project.”

Pandemic gives boost as more states move to digital IDs

With the advent of digital wallets, people are relying more on their phones to prove their identity. Some industry experts estimate that the coronavirus pandemic has sped up the widespread adoption of contactless identification methods by at least a decade. At least five states have implemented a mobile driver’s license program. Three others intend to launch programs by next year, with more expected to follow suit. According to some state officials, mobile licenses will give people more privacy by allowing them to decide what personal information they share. However, most states with these programs recommend that users still carry their physical driver’s license as a backup. Industry leaders say safeguards will prevent anyone’s information from being stolen, but some critics argue that having so much personal data on a phone is too risky. The National Motorists Association doesn’t believe drivers should be handing their phones over to police, which could potentially violate people’s Fourth Amendment rights against unreasonable searches and seizures.

Security / Breaches

UK National Cyber Security Centre (NCSC) publishes guidance on securing smart cities

The UK NCSC has published a new set of security principles to help UK authorities secure smart cities and their underlying infrastructure and protect themselves from cyberattacks. Connected Places Cyber Security Principles advises local authorities on understanding their connected places by considering required cybersecurity governance and skills, the role of suppliers, risks and more. See also: White paper: Securing smart city systems against cyberattacks and Cybersecurity: a smart city imperative

NCSC says smart cities a ‘target’ for cyberattacks, urges cybersecurity measures

The U.K. National Cyber Security Centre warned authorities that internet-connected technology used to power smart cities is “an attractive target” for cyberattacks and encouraged them to think about cybersecurity. As these systems emerge, NCSC Technical Director Ian Levy said they should be designed and built properly because “as these ‘connected places’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors.” The NCSC also released its fourth annual report on its Active Cyber Defence programme.

Report: Remote work leads to increase in email data breaches

A report from Egress, based on a poll of 500 IT professionals and 3,000 remote workers in the U.K. and U.S., found Microsoft 365 users have seen an increase in email data breaches. 67% of IT professionals said the increase is due to remote working, while 26% attributed incidents to an employee mistakenly sharing data through email. Of the Microsoft 365 users, 15% experienced more than 500 data breaches in 2020, and 93% reported subsequent negative impacts.

A ransomware cyberattack knocks out crucial fuel pipeline to the East Coast

More than 1,000 gas stations in eastern US states ran out of gasoline after a cyberattack knocked out a crucial US pipeline that supplies much of the region’s gasoline. The crunch in fuel supply has been blamed on a ransomware attack that forced the closing of part of the 5,500-mile Colonial Pipeline that supplies about 45% of the East Coast’s fuel.

Hackers release personal info of 22 D.C. police officers

A ransomware gang that hacked Washington’s Metropolitan Police Department published extensive profiles of 22 officers Tuesday as part of an extortion attempt. The files on current and former police officers are detailed and include personal information such as Social Security numbers, dates of birth, results of psychological assessments, copies of driver’s licenses, fingerprints, polygraph test results, as well as residential, financial and marriage history. The hack is entirely distinct from the attack on the Colonial Pipeline and conducted by a different group, though both are Russian-speaking outfits.

Information on 73,000 Durham students breached in ‘cybersecurity incident’

The information of about 73,000 students may have been accessed during a “cybersecurity incident.” Names of students, dates of birth, addresses, school locations, grades and class information may have been accessed. The cybersecurity incident allegedly involved a third-party software provider used by Durham Region’s Health Department.

Security researchers find a severe vulnerability that may affect up to 30% of all Android phones

The Check Point security research group claims that 3G to 5G connectivity can be exploited in a way that might allow a hacker to read a user’s messages and even listen in on phone calls. This flaw involves an interface found on up to 30% of all phones worldwide.

Open source tool automates CCPA data deletion requests

Graduate students at the University of California, Berkeley’s School of Information are developing an open source tool to automate California Consumer Privacy Act data deletion requests. Through a Gmail account, PrivacyBot would enable individuals to send requests to delete data from a list of data brokers and search sites. Consumer Reports Digital Lab Product Consultant Ginny Fahs said “automating the sending of requests is a big win for consumers.”

Sarnia Police, school board investigating ‘inappropriate’ content tied to hacked online classes

Police and school board officials say they’re investigating complaints tied to offensive content after multiple online classes in Sarnia were hacked. An unknown person used language and displayed images to students and staff that were “inappropriate” after gaining access to Google online classroom meetings. Multiple allegations of inappropriate behaviour have surfaced amid students across Ontario spending the bulk of the last year-plus learning virtually due to the COVID-19 pandemic.

Malicious Office 365 Apps Are the Ultimate Insiders (item reposted in full)

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.
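The item above describes a consent link that ends in an app being granted standing access to a user’s mail and files. The following is an added triage helper, not code from the original item, from Microsoft or from any vendor: it parses a Microsoft identity platform authorize URL of the kind such a link resolves to and flags the combination that makes this attack durable, broad mailbox or file scopes together with offline_access (which yields a refresh token and so “password-free” persistence). The scope names are real Microsoft Graph delegated permission names; the risk grouping, the verdict labels and the sample URLs (with a zeroed client_id and an example.test redirect) are this example’s own constructions.

```python
from urllib.parse import urlparse, parse_qs

# Hosts on which the Microsoft identity platform serves the consent prompt.
IDENTITY_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
AUTHORIZE_PATHS = ("/oauth2/v2.0/authorize", "/oauth2/authorize")

# Delegated Graph scope families that expose mailbox and document content.
# The grouping as "sensitive" is this example's own assumption, not a Microsoft rating.
SENSITIVE_PREFIXES = ("Mail.", "MailboxSettings.", "Files.", "Sites.", "Contacts.")
# offline_access issues a refresh token: the app keeps working after the session ends.
PERSISTENCE_SCOPE = "offline_access"


def analyse_consent_link(url: str) -> dict:
    """Classify one URL. Returns the scopes found and a verdict string:
    'not-a-consent-request', 'low', 'medium' or 'high'."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)  # percent-decodes values for us
    is_consent = parsed.hostname in IDENTITY_HOSTS and any(
        parsed.path.endswith(p) for p in AUTHORIZE_PATHS
    )
    scopes = params.get("scope", [""])[0].split()
    sensitive = sorted(s for s in scopes if s.startswith(SENSITIVE_PREFIXES))
    persistent = PERSISTENCE_SCOPE in scopes
    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).hostname or ""

    if not is_consent:
        verdict = "not-a-consent-request"
    elif sensitive and persistent:
        verdict = "high"      # content access that survives the user's session
    elif sensitive or persistent:
        verdict = "medium"
    else:
        verdict = "low"       # e.g. openid/profile/User.Read sign-in only

    return {
        "is_consent_request": is_consent,
        "client_id": params.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "scopes": scopes,
        "sensitive_scopes": sensitive,
        "persistent": persistent,
        "verdict": verdict,
    }


def triage(urls: dict) -> dict:
    """Map each label to its verdict; handy when run over URLs pulled from mail logs."""
    return {label: analyse_consent_link(u)["verdict"] for label, u in urls.items()}


# Constructed sample links (not real campaigns): placeholder client_id, reserved .test domain.
SAMPLE_LINKS = {
    "phish_like": (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
        "&redirect_uri=https%3A%2F%2Fexample.test%2Fcallback"
        "&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite.All"
    ),
    "benign": (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
        "&redirect_uri=https%3A%2F%2Fexample.test%2Fcallback"
        "&scope=openid%20profile%20User.Read"
    ),
    "plain_link": "https://example.test/login",
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_LINKS).items():
        print(f"{label:>10}: {verdict}")
```

The verdict is a prompt for review, not a judgement on the app: a legitimate mail client asks for exactly the “high” combination. What the script surfaces is the pairing a reviewer should examine (which client_id, which redirect host, whether the tenant should allow users to grant these scopes themselves rather than routing such requests through admin consent).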

OPC reports privacy breaches double under new Privacy Act

New Zealand’s Office of the Privacy Commissioner reported a 97% increase in privacy breaches in the Privacy Act’s first four months. The OPC said approximately one-third of breaches caused identity theft risk or financial harm. Email errors caused the most breaches at 25%, followed by unauthorized sharing of personal information at 21% and unauthorized access to information at 17%. Privacy Commissioner John Edwards said breaches span industries, adding a summary will be published yearly to help organizations “know where the greatest privacy risks are.”

Biden issues EO to boost US cybersecurity

U.S. President Joe Biden signed an executive order aimed at enhancing U.S. cybersecurity practices and protecting federal government systems. The order “ensures that IT service providers are able to share information with the government and requires them to share certain breach information.” Any data sharing between private contractors and federal government agencies related to breaches will be done “consistent with applicable privacy laws, regulations, and policies.”

NSW Privacy commissioner releases guide for managing risks while transitioning to cloud

New South Wales Information and Privacy Commissioner Samantha Gavel released a guide to help government agencies implement privacy practices when implementing cloud-based technologies. The guide explains privacy risks and potential impacts, including harm to individuals, and provides a framework and checklist to manage risks, including data and training practices.