1-15 September 2015


US – Class Action Launched Against Facebook Over Biometric Use

Facebook has been hit with a class-action complaint over its collection of biometric data, with millions of possible plaintiffs who may claim damages if the advertising giant is found to have acted unlawfully. The complaint (PDF) states that “Facebook has created, collected and stored over a billion ‘face templates’ (or ‘face prints’)”, which, it argues, are as uniquely identifying as fingerprints. These have been gathered “from over a billion individuals, millions of whom reside in the State of Illinois”. It is alleged that in doing so Facebook is in violation of the Illinois Biometric Information Privacy Act (BIPA), passed by the state legislature in 2008. As noted in the complaint, BIPA prohibits a private entity such as Facebook from obtaining or possessing an individual’s biometrics unless it first satisfies the statute’s notice, consent and retention requirements, namely:

  • Informing that person in writing that biometric identifiers or information will be collected or stored
  • Informing that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used
  • Receiving a written release from the person for the collection of his or her biometric identifiers or information
  • Publishing publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information

The complaint alleges that: “In direct violation of… BIPA, Facebook is actively collecting, storing, and using – without providing notice, obtaining informed written consent or publishing data retention policies – the biometrics of its users and unwitting non-users.” The plaintiff asserts that he does not have, and has never had, a Facebook account, but notes that a Facebook user uploaded to Facebook at least one photograph depicting him, which resulted in the non-consensual creation of a biometric template of his face. The action is brought on behalf of a class of similarly situated individuals, as defined in the complaint. The class action complaint was filed in the United States District Court for the Northern District of Illinois and is case number 1:15-cv-07681. [The Register]

US – Shutterfly Suit Progresses with Defendant Response in Illinois

New papers were filed in the case of an Illinois resident suing Shutterfly after his “faceprint” was added to its database without his knowledge. Plaintiff Robert Norberg argues that the move was illegal under the Illinois Biometric Information Privacy Act. Shutterfly moved to dismiss earlier this summer, saying the 2008 statute doesn’t regulate faceprints derived from photographs. However, “(b)y Defendants’ logic, nothing would stop them from amassing a tremendous, Orwellian electronic database of face scans with no permission whatsoever so long as the database were derived from photographs,” Norberg’s team wrote in court filings. “And indeed, that appears to be exactly what they are doing.” [MediaPost]

AU – Facial Recognition: Privacy Advocates Raise Concern Over ‘Creepy’ System

The Australian government has announced it is spending $18.5 million on what has been hailed as Australia’s newest national security weapon: facial recognition technology. The Capability, short for the National Facial Biometric Matching Capability, will allow law enforcement and security agencies to quickly scan through up to 100 million facial images held in databases around Australia. The images can come from drivers’ licences, passport photos or security cameras in your local shopping centre. Justice Minister Michael Keenan said the Capability had been informed by independent privacy assessments and will help combat identity fraud and theft as well as terrorism and organised crime. But privacy advocates said people should always be asked, or at least notified, before their faces are scanned, which, under the law, can happen from a distance without a person’s knowledge. [Lateline News]

WW – Porsche to Feature Emotion-Gauging Camera

Porsche’s Mission E model will come with an eye-reading, emotion-gauging camera. The device, located in the rearview mirror, “recognizes the driver’s good mood and shows it as an emoticon,” the report states, noting the emoticon “can then be shared via social media, alongside the car’s route and speed.” Some analysts find the emoticon and camera strange, the report states. “We’re not just making cars anymore. We’re making personal expressions,” said Kelley Blue Book’s Karl Brauer, adding, “If you’re the kind of person to spend more than $100,000 on a sports car, you might just be the kind of person wanting to share pictures of yourself, too.” [The Washington Post] [Porsche’s Tesla killer: A superfast electric sports car that can read your emotions]

Big Data

US – Project Won’t Go Live Without Privacy Policy

A National Science Foundation grant has catapulted the University of Chicago-Argonne National Laboratory “Array of Things” data-collection project into the construction phase, but project leaders promise the security-minded that a privacy policy will be the final step before it’s all systems go. “We are trying to create something where the people are watching the city; it’s the polar opposite of the city watching the people,” said the project’s head scientist, Charlie Catlett. “This is fiercely protective of privacy.” While the privacy policy has been in the works for over a year, “city officials said it’s still in the draft stage, and Catlett said the sensors will not go up until the policy is finalized.” [Chicago Tribune]


CA – Body Cams Shouldn’t Capture ‘Informal’ Interactions, Police Chief Says

If Toronto police officers began switching on their body-worn cameras during informal interactions with the public, it would “completely disrupt” the force’s nearly year-long trial of the popular policing technology, turning it into “something very different and problematic,” according to Toronto police chief Mark Saunders. Currently, rather than running at all times, the cameras are activated by officers only under certain circumstances, including when making an arrest, answering calls for service, responding to a crime in progress and more. [Toronto Star]

CA – Feedback Sought On Proposed All-In-One ID Card for Manitobans

Manitobans are invited to share their views on a proposed all-in-one Personal Identification Card (PIC) that would combine a person’s driver’s licence, photo ID, health card and travel card. The PIC, a joint proposal by Manitoba Health, Healthy Living and Seniors, and Manitoba Public Insurance, could eventually eliminate the paper Manitoba Health card by placing an individual’s personal health ID number on the back of the security-enhanced, tamper-resistant PIC. While there are many potential benefits, “we also recognize that this proposal may affect different Manitobans in different ways,” said Health Minister Sharon Blady. “So we need to hear from those who access and provide health services in our province before we choose a path forward.” In addition to seeking input from individuals, consultation will take place with numerous groups, including First Nations and Metis organizations and communities, Manitobans with disabilities, health care providers and the Manitoba Ombudsman. “The ultimate goal of the PIC is to better protect Manitobans against identity theft, forgery and fraud while ensuring that private information stays confidential,” said Manitoba Public Insurance President and CEO Dan Guimond. [CBC News] [Copy of Discussion Paper]

CA – Census Debate Revived in Federal Election

Researchers, public policy advocates, statisticians, business groups, economists — and the Liberal and NDP parties — continue to call for the mandatory long-form questionnaire to be brought back, arguing that important statistical data is getting lost. In a package of recently proposed reforms on transparency, the Liberals are promising to immediately restore the mandatory long form if they form government in the Oct. 19 federal election. And Jean Ong, a spokesperson for the NDP, said in a statement that the party has long advocated for the restoration of the long-form census and continues to do so. The lost data has massive implications for public policy decisions, business planning and a host of other areas, proponents of the mandatory long survey say.  [Toronto Star] [CA – Why Internet privacy should be a key election issue: Geist] [Why privacy matters in this Canadian election] [Prank calls, #peegate — and a party’s weird approach to privacy]

CA – Ontario Court Opens Door to Adding Privacy Claims to Defamation Lawsuits

A recent Ontario Superior Court of Justice ruling appears to open the way to adding invasion of privacy claims to defamation lawsuits against journalists, says a defamation lawyer. On Aug. 31, Justice Graeme Mew released the reasons for his July 17 decision on a motion in Chandra v. CBC. The motion, brought by the CBC, sought to have the court decide that it shouldn’t put an invasion of privacy claim to the jury that the plaintiff had added to his original defamation case. “Can a plaintiff who has sued a broadcaster for defamation in connection with a television program also maintain a claim for general damages for invasion of privacy?” Mew asked at the beginning of his reasons for his decision. His answer: Yes, but in this case at least, with some limitations. [Law Times]

CA – $55K to Surveil Garbage-Dumpers in Winnipeg

A plan to film people illegally dumping garbage will be considered by the City of Winnipeg. Coun. Ross Eadie (Mynarski) and Coun. Devi Sharma (Old Kildonan) raised the issue in a June city council meeting, and now a report is recommending the city spend $55,000 on six surveillance cameras to catch people dumping garbage in private lots. It is a rampant problem that should be met with stiff fines, Eadie said, suggesting penalties up to $2,500 for an individual and $6,000 for a business. Eadie said the city’s innovation committee would have to approve a budget increase to purchase the cameras. “The money that comes in will more than likely offset the cost of the video camera,” he said. Eadie said he believes city council will vote on it some time in December. [The Winnipeg Sun]

CA – Planned Passport Renewal Change Opens Door to Fraud, Forgery

The federal government is bringing in major changes to the way Canadian passports are issued, changes that could speed up the renewal process but also invite forgery, fraud and identity theft at a time of heightened global security. An internal notice from Citizenship and Immigration Canada reveals the changes coming this fall would allow online applications and no longer require the return of the old passport — even if it remains valid for six more months. Instead, applicants will be told to “cut the corners” of the document through an honour system. The change is to take effect on Nov. 1, 2015, for online applications and Dec. 14, 2015, for paper-based applications that are mailed or handed in to a passport office, according to the document. [CBC News]

CA – IPC Simplifying PHIPA Processes

In order to simplify and clarify how we handle different types of complaints under the Personal Health Information Protection Act (PHIPA), we are updating our existing processes. In coming months, we will test the new procedures to ensure we continue to resolve PHIPA matters in a fair, just and timely way. Although we resolve many files at an early stage, we can also conduct a review under PHIPA, which gives us greater powers to investigate and issue orders. In our updated processes, we will:

  • provide similar processes for all types of complaints
  • distinguish between complainant-initiated files and breaches reported by custodians or files we initiated
  • clarify roles and responsibilities of Intake, Investigation/Mediation and Adjudication — the three stages of our tribunal processes

[Source]

CA – IPC: What Students Need to Know: High School Teachers’ Guides

Understanding why access to government-held information and the protection of privacy are important public values will prepare students to become active participants in our democratic society. To assist teachers in meeting the Ministry of Education’s curriculum expectations, the IPC created two resource guides tailored for grade 10 and grade 11/12 classes. The guides were developed in consultation with teachers and offer step-by-step activities, handouts, quizzes and evaluation criteria on subjects such as open government, online privacy and identity theft. For summaries of the guides, see the Grade 10 and Grade 11/12 fact sheets. [Source] [Access and Privacy in the Classroom: Resources for Parents, Teachers and School Administrators] See also: [Why social media can be a minefield for teachers: Tightening up privacy settings might not be enough to protect teachers’ reputations, experts say]

CA – New Lesson Plan Teaches Grade 7 And 8 Students About Online Privacy

Alberta’s privacy commissioner helped design a new course aimed at teaching Grade 7 and 8 students how to be safer online. The “Kids’ Privacy Sweep Lesson Plan” shows children how they can unknowingly share private details when they use websites and apps. The lesson defines what cookies, IP addresses and geo-locations are. It also shows students how companies collect and share data with third parties. Students are asked to look at popular apps and websites to see what personal information users are asked to provide. The lesson was developed after the Global Privacy Enforcement Network (GPEN) conducted a privacy sweep of 1,494 websites and smartphone and tablet apps targeted at children. The sweep found that 67% collected children’s personal information and 50% shared that information with other organizations. The lesson is now available for teachers to use in schools across Canada. [CBC News] [Data Privacy Is an Uphill Battle] [WW – Digital privacy concerns ‘the new normal’ as users pay with personal information] [WW – 7 worst apps that violate your privacy] [CSO Online: Attackers go on malware-free diet] [UK: Man who changed ex-girlfriend’s Facebook profile picture to sexually explicit image jailed for over four years] [‘Sexting panic’: Why the law struggles to keep up with reality]

CA – NB Info Commissioner Pushes Back on Proposed RTI Reforms

New Brunswick’s information commissioner is pushing back against two government proposals for overhauling the right-to-information system. A report recommends looking at reinstating fees for people who use the Right to Information and Protection of Privacy Act to request government documents and records. It also suggests giving bureaucrats the power to decide for themselves whether they can ignore a request they consider “frivolous or vexatious” under the act. That recommendation is now subject to review by Information Commissioner Anne Bertrand, who says she’s leery of the provincial government giving itself the power to make that determination. [CBC News]

CA – Chicken Farm Hired to Shred Confidential Records, Report Says

A chicken farm should not be used to dispose of sensitive health documents, Saskatchewan’s privacy and information commissioner says. The matter came up in a report recently issued by commissioner Ron Kruzeniski concerning the Spruce Manor Special Care Home in Dalmeny, about 23 kilometres north of Saskatoon. The privacy office had been investigating the home earlier in the year after some of the residents’ health cards ended up in a recycling bin. In the course of that investigation, it found that in May, the home had signed a deal with an undisclosed chicken farm to destroy its confidential records. In the agreement, the farm said it would “agree to accept full responsibility to maintain the security and confidentiality of all documents” received from Spruce Manor Special Care Home. That’s “unacceptable,” Kruzeniski said in his report, noting that the agreement does not specify how the chicken farm is to “maintain the security and confidentiality” of the personal health information it has received. “I recommend that Spruce Manor Special Care Home no longer use [a] chicken farm to destroy records in spite of the former administrator asserting he had no problems/concerns with the use of the chicken farm,” Kruzeniski said in the report. [CBC News]


WW – Smart-Car Drivers Not So Worried About Privacy: Report

While rhetoric has focused increasingly on drivers’ privacy concerns as connected cars become a reality, a recent survey indicates drivers may not be as worried as has been believed. The survey was conducted by McKinsey & Co. and found more than half of respondents said they had “no problem” allowing their car to collect data and “send it anonymously to the auto maker” in the name of improvements to the vehicle. “The number jumped to 76% if auto makers guaranteed the data will only be used to improve vehicles and not shared with anyone else,” the report states, noting 70% said they’re already sharing their data with smartphone apps. [The Wall Street Journal] [U.S. Automakers Take The Wheel On Cybersecurity – But Can Canadian Manufacturers Hitch A Ride?]


US – Tech Companies Push Back Against U.S. Gov’t Data Access

A host of tech companies—including Apple, Google and Microsoft—have been tangling with the U.S. government about law enforcement’s access to user data. Most notably, this week, the Second U.S. Circuit Court of Appeals in Manhattan is set to hear a long-standing case between the U.S. Department of Justice and Microsoft over emails the agency wants access to but that are stored in Ireland. Companies including Amazon, Verizon and Cisco have all submitted amicus briefs on behalf of Microsoft in the case. A ruling against Microsoft would likely garner more distrust of U.S. companies by foreign users, the report states. In a column for Fusion, Prof. Ryan Calo writes that tech companies may be the best defense and brightest hope against too much government surveillance. [The New York Times] [What does the Microsoft privacy battle mean for the future of internet security? ] [CNET: Apple, Microsoft Tussle With Feds Over Access to User Data] [If you care about privacy, you should be using and supporting Apple]

US – US Voting Machine Woes

The majority of US states use electronic voting systems that are at least 10 years old, according to a report from the Brennan Center for Justice at the New York University School of Law. Not only are the systems out of step with the latest technological advances, but there are also reports of equipment degradation and unreliability. Many of the machines are running versions of Windows XP, and some machine manufacturers are no longer in business. [Wired]


US – DoJ, Microsoft Present Arguments in eMail Warrant Case

Representatives from the Department of Justice (DoJ) and Microsoft each made their arguments before the Second Circuit Court of Appeals in a case that could determine what rights governments have in accessing information contained in the cloud. Microsoft’s counsel told the court that compelling it to hand over data stored on servers in Ireland “is an execution of law enforcement seizure on their land … We would go crazy if China did this to us.” The DoJ argues that the emails should be considered business records, meaning a search warrant would suffice. However, Microsoft argues they are customers’ personal documents. The three-judge panel could hand down a decision as early as October or as late as February, the report states. [The Guardian] [Silicon Republic] [Washington Post] [The Hill] [WW – Microsoft Slips User-Tracking Tools into Windows 7, 8 Amidst Windows 10 Privacy Storm]


US – Could Apple Face Fines for Lack of Backdoor Access?

A Department of Justice (DoJ) court order reportedly demanded that Apple provide authorities with real-time access to a suspect’s iMessages sent between iPhones. The company is said to have told the DoJ that the messages are encrypted end to end, so it has no way to give law enforcement access to them. Johns Hopkins Prof. Matthew Green asked, “Could a court force (Apple) to modify their technology in order to make eavesdropping possible?” One way the government could compel a company to produce court-ordered data is to levy fines, the report states, something Yahoo faced years ago. Sen. Chuck Grassley (R-IA) has asked the DoJ to brief him on the Apple iMessage case. [ZDNet]

US – White House Says Legislative Fix on Backdoors Not Needed

The White House has indicated it will not seek legislation to mandate backdoors to encrypted communication services. The Obama administration is also considering “whether to publicly reject a law requiring firms to be able to unlock their customers’ smartphones and apps under court order,” the report states. A White House official said, “The encryption issue … both in this country and abroad is going to have a major impact on how law enforcement and intelligence do their jobs.” Meanwhile, government officials—including from the FBI and Department of Justice—and cryptographers debated the role of encryption in electronic communications Tuesday. [The Washington Post]

US – New Hampshire Library Suspends Tor Relay

The Kilton Public Library in Lebanon, New Hampshire, was selected as the pilot location for a Tor relay program organized by the Library Freedom Project and The Tor Project. Shortly after the library announced its participation, the US Department of Homeland Security (DHS) contacted the town’s police department. After the police voiced concerns about Tor to the library board, the library suspended its participation in the program. The board will vote on September 15 on whether to restart it. [Ars Technica] [EFF]

US – Apple to DoJ: We Can’t Give You Real-time Access to iMessage

Over the summer, the US Justice Department served a court order on Apple demanding that the company provide real-time copies of text messages sent between suspects in a case involving guns and drugs. Apple replied that it was unable to comply: iMessage encrypts messages end to end on the users’ devices, and Apple does not hold the keys needed to decrypt them. Apple can produce message contents only where users have backed them up to iCloud. [Schneier] [The Guardian] [ZDNet] [NYTimes]
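The two Apple items above turn on one structural property: the provider relays messages it cannot read, and Prof. Green’s question is whether a court can make the provider change that. The following is an added example, not Apple’s code or protocol, showing the shape of such a system: phones hold their own X25519 key pairs, and the provider runs only a public-key directory and a store-and-forward relay. Everything here is constructed for the demo: the device names, the message text, the relay’s log format. Because the Python standard library has no Curve25519 or AES, X25519 is implemented from RFC 7748 and the symmetric layer is an HMAC-SHA256 keystream with an encrypt-then-MAC tag; none of it is constant-time. iMessage’s real design differs in its primitives and key management; only the division of roles is the same.

```python
# Added illustration, not Apple's code: end-to-end messaging where the provider is
# only a key directory plus store-and-forward relay. Stdlib only: X25519 per RFC 7748
# (the swap is NOT constant-time) and an HMAC-SHA256 keystream + encrypt-then-MAC.
import hashlib
import hmac
import secrets

P = 2 ** 255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication on Curve25519 (RFC 7748)."""
    k = bytearray(scalar)                       # clamp the private scalar
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC in counter mode as a keystream; the same call encrypts and decrypts."""
    blocks = (_prf(key, nonce + i.to_bytes(8, "big")) for i in range(len(data) // 32 + 1))
    return bytes(x ^ s for x, s in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with separate encryption and MAC subkeys."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def open_(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); a wrong key or a tampered blob fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class Relay:
    """The provider. `log` is all that a warrant on the operator could reach."""
    def __init__(self):
        self.directory, self.mailboxes, self.log = {}, {}, []
    def register(self, owner, public):
        self.directory[owner] = public
    def deliver(self, sender, recipient, blob):
        self.mailboxes.setdefault(recipient, []).append((sender, blob))
        self.log.append({"from": sender, "to": recipient, "size": len(blob), "blob": blob})
    def fetch(self, owner):
        return self.mailboxes.pop(owner, [])

class Device:
    """A phone: the only place the private key and the plaintext ever exist."""
    def __init__(self, owner, relay):
        self.owner, self.relay, self.private = owner, relay, secrets.token_bytes(32)
        relay.register(owner, x25519(self.private, BASEPOINT))
    def _key_for(self, peer):                   # X25519 agreement, hashed to a 256-bit key
        return hashlib.sha256(x25519(self.private, self.relay.directory[peer])).digest()
    def send(self, peer, text):
        self.relay.deliver(self.owner, peer, seal(self._key_for(peer), text.encode()))
    def receive(self):
        return [(s, open_(self._key_for(s), b).decode()) for s, b in self.relay.fetch(self.owner)]

def run_exchange(text="meet at the library at nine"):
    """Alice messages Bob; return what Bob got and what the relay could hand over."""
    relay = Relay()
    alice, bob = Device("alice", relay), Device("bob", relay)
    alice.send("bob", text)
    entry = relay.log[0]
    return {"delivered": bob.receive(),
            "metadata": {k: entry[k] for k in ("from", "to", "size")},
            "provider_sees_plaintext": text.encode() in entry["blob"]}

def compelled_key_substitution(text="meet at the library at nine"):
    """The pressure point behind Green's question: the provider runs the directory, so
    if made to answer 'bob' with a key it controls it reads Alice's message unnoticed."""
    relay = Relay()
    alice, provider_private = Device("alice", relay), secrets.token_bytes(32)
    Device("bob", relay)                        # Bob registers his real key...
    relay.register("bob", x25519(provider_private, BASEPOINT))  # ...which is silently replaced
    alice.send("bob", text)
    shared = x25519(provider_private, relay.directory["alice"])
    return open_(hashlib.sha256(shared).digest(), relay.log[0]["blob"]).decode()
```

run_exchange() gives both halves of Apple’s answer: Bob reads the message, while the relay’s log, the most a warrant on the operator could produce, holds who talked to whom, when and how many bytes, but not the text, and a guessed key is rejected by the tag check rather than yielding garbage. compelled_key_substitution() is the caveat a practitioner should keep in mind: because the provider owns the key directory, a provider compelled to return a key it controls can read new messages without touching the phones, and nothing on the phones detects the swap. That is the “modify their technology” scenario Green describes, and it is why verifiable device keys (out-of-band fingerprint comparison or a public key-transparency log) matter more than the choice of cipher.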

EU Developments

EU – “Umbrella Agreement” Finalized; AG to Issue PRISM Decision Soon

The EU and U.S. have reached agreement on a framework to protect personal data exchanged for law enforcement purposes. Although the text has been finalized, the European Commission has said it will not sign until the U.S. passes legislation giving EU citizens the right to judicial redress in U.S. courts. Meanwhile, the Advocate General of the Court of Justice of the EU is expected to issue a long-awaited opinion in the Schrems case, which challenges Facebook’s transfers of personal data to the U.S. on the ground that the data are accessible to the National Security Agency under its PRISM program. The opinion is non-binding but carries weight with the 15 judges of the Court’s Grand Chamber, and will likely affect the EU-U.S. Safe Harbor agreement. It is now expected on September 23. [Reuters]

EU – Drones: A Growing Danger to Data and Privacy Protection

The Article 29 Data Protection Working Party (WP29) has published its opinion on the data protection and privacy issues raised by the use of unmanned aircraft systems (UAS) in civil aviation, addressed to both national civil aviation authorities (CAAs) and European legislators. The WP29 gives indications and recommendations to policy makers and sector regulators, manufacturers and operators. In the WP29’s view, no-fly zones could be introduced, with printed maps informing users of the designated areas; this might be one way to protect private spaces (such as gardens, courtyards and terraces). Manufacturers could involve a Data Protection Officer in the design and make drones as visible as possible. The WP29 also recommends the adoption of codes of conduct, with sanctions for signatories that violate them, to help operators prevent infringements. The WP29 emphasises the principles of transparency and proportionality: data subjects must be aware of the collection and processing of their personal data (Article 6 of the Directive) and must also be informed (Article 11), including publicly by means of social media, leaflets, websites and so on. In conclusion, the Working Party calls on European and national policy makers, civil aviation authorities (CAAs) and data protection authorities (DPAs) to cooperate and adopt comprehensive legislation, the main aim being to ensure that the processing has a legitimate basis under Article 7 of the Data Protection Directive. [Mondaq News] [States are pushing to pass their own regulations on drones in the absence of federal laws] [Unwanted visitor: Peeping drone raises privacy concerns for Island family]

EU – EDPS Planning International Tech Board of Ethics

The European Data Protection Supervisor (EDPS) issued a surprise opinion last week on the tech industry and is planning an international board on tech ethics. EDPS Giovanni Buttarelli said the ethics board will advise on “the relationships between human rights, technology, markets and business models in the 21st century” and will not be strictly EU-based; U.S. advisors could also sit on the board. Buttarelli’s opinion looked at emerging tech trends that “raise the most important ethical and practical questions for the application of data protection principles.” He is expected to meet with officials from the U.S. FTC and the White House this week. [EurActiv]

UK – ICO Offers Opinion on GDPR Texts

In a whitepaper, the UK Information Commissioner’s Office (ICO) offers its thoughts on the current negotiations over competing texts for the General Data Protection Regulation (GDPR), currently in the trilogue process. “We thought it would be useful,” the paper reads, “to set out our observations on the parts of the Council text that we consider to be most in need of improvement.” The highlights include a warning against the proliferation of “different data protection regimes” stemming from a weakening of the one-stop shop mechanism; the need for a single definition of “personal data”; the “confusing” nature of the allowance for further data processing; the need for a definition of “child”; a preference for “right to erasure” over “right to be forgotten,” and a concern that data breach notifications will overwhelm the ICO unless notification is limited to “high-risk” breaches. [Source]

UK – GDS Creates Privacy Officer Role

In its efforts to ensure GOV.UK Verify meets privacy requirements and gives its users what they expect, Government Digital Service (GDS) has created a new privacy officer’s position. Toby Stevens, GOV.UK Verify’s independent privacy adviser, is “taking on the privacy officer duties on an interim basis” while GDS fills the role, the report states. “The privacy officer will provide a focal point for decisions that may affect the use of personal data, and manage the dialogue between developers at GDS, GOV.UK Verify users, certified companies and departments offering services through GOV.UK Verify,” Stevens said, noting the privacy officer will also work with organizations such as the Information Commissioner’s Office. [Computing]

UK – ICO Probes Charity Data Use; Says Strong Interest in Privacy Seals

The Information Commissioner’s Office (ICO) is investigating the data-sharing practices of the charity sector after reports that some organizations may be profiting from donor contact data. Information Commissioner Christopher Graham described the allegations as “clearly concerning” and said the ICO is currently trying to “work out exactly what has happened.” Some of the charities named in the investigation have defended their practices. Separately, the ICO has said there are “strong levels of interest” from businesses in its privacy seals project, which it expects to be “up and running” in advance of when the EU General Data Protection Regulation comes into force. [Full Story] See also: [UK: Information watchdog investigates ‘charity data sales’ ] and [UK Charities face scrutiny over trading of elderly man’s data]

NL – Intelligence-Gathering Bill Raises Concerns

A draft government bill aimed at reforming intelligence-gathering is prompting privacy concerns. The Netherlands Institute for Human Rights is concerned that the bill “will grant security agencies far-reaching surveillance powers with insufficient protection of privacy,” the report states. The government, however, believes the bill brings “badly needed modernization of intelligence-gathering methods and improve(s) internal security, without violating privacy,” the report states. Government spokesman Tijs Manten said, “We think that the balance between safety and privacy in the draft is just,” while the institute points to the draft legislation allowing the government “to authorize tapping of private Internet and telephone data” as reason for concern. [Reuters] [Dutch intelligence-gathering reform bill sparks privacy concerns]

UK – Cox Wins Privacy Case Against Newspaper

Radio 1 DJ Sara Cox has won a landmark privacy case against a national newspaper after it published naked photographs of her on honeymoon. The DJ sued the People newspaper after it published the pictures of her and her husband Jon Carter while holidaying in the Seychelles in 2001. The case, settled in the High Court, went ahead despite the People having provided an official apology at the time, following a complaint to the Press Complaints Commission. The newspaper was sued under Article 8 of the European Convention on Human Rights, given effect in UK law by the Human Rights Act, which protects an individual’s right to respect for private and family life. [Daily Mail]


Facts & Stats

WW – The Difference Between a Safe Internet and One That’s Not? $120 Trillion

The projected economic difference between a future “where cybersecurity is considered a human right” versus one where the online world is “plagued by cybercrime” with security as “a luxury good”—it’s about $120 trillion. That’s according to research from Atlantic Council and Zurich Insurance, which worked with the University of Denver’s Pardee Center for International Futures “to determine if the global benefits the Internet brings … would outpace—or be overshadowed by—digital threats.” Their report suggests, “Tens and even hundreds of trillions of dollars are at stake … not to mention the social and cultural impact … with perhaps a small window of a few years to pull back and reorient towards a more secure and more resilient Internet.” [CSM Passcode]

WW – 2015 Breach Index: 246 Million Individuals Affected So Far

Digital security firm Gemalto has released its Breach Level Index for the first half of 2015. It reports 888 breaches thus far, affecting the records of 246 million individuals around the world, a 10% increase in the number of breaches over the first half of 2014. Meanwhile, in the U.S., the personal information of nearly 80,000 students across eight Cal State campuses was breached. The students were all enrolled in an online sexual violence prevention course. Compromised data includes passwords, user names, email addresses, gender, race, relationship status and sexual identity. Cal State officials are currently investigating the incident. [Los Angeles Times]

WW – Study: Data-for-Goods Swap Not Beneficial

Aimia, a marketing and “loyalty analytics” firm, recently conducted its second annual survey to determine how consumers feel about how businesses use their data. The study found that “less than one in 10” of Canadians believed that the data they shared with organizations got them some sort of beneficial dividend. “I’m surprised marketers aren’t delivering on their part of the bargain,” said Aimia CMO John Boynton. “Why would people give you their data?” he asked. “There’s an expectation. If all you’re doing is collecting data, and your marketing programs are the same, you’re in trouble. And you may not get a second chance.” [The Globe and Mail]

US – Industry Group Trying To Solve the Ad Blocking Problem

A recent study estimated publishers will lose $21.8 billion in revenue this year due to the 198 million people around the world who use ad blockers. The Interactive Advertising Bureau (IAB) is looking for ways to get ahead of this issue, hosting a leadership summit this past July to “get the options on the table,” according to Scott Cunningham, a senior VP at the IAB and general manager of its Technology Lab. Options included getting the top 100 websites to stop showing content to users with ad blockers on the same day and suing the ad-blocking companies. IAB working groups continue to look into other options and CEOs from anti-ad blocking companies attended a meeting in August. [Advertising Age]

WW – Study: Finance, HR Pose Biggest Data-Loss Risks

A new study conducted by data-loss prevention vendor Clearswift finds surveyed data-security specialists are most concerned about threats stemming from the finance and HR departments. Further, nearly 90 percent of the 500 global professionals surveyed said they had experienced a “security incident” in the past year, and 73% of those came from “people they knew, such as employees, past employees or customers/suppliers.” Finally, 79% replied that men were more of a threat to cause a data-security incident than women. [SC Magazine]


US – Dodd-Frank Means Traders Are on Record

Phone conversations are no longer the “haven” they once were for traders looking to say whatever they pleased, as the U.S. government and even individual banks listen to and store audio files per 2010’s Dodd-Frank legislation. “We have seen a 100-percent increase in the volume of audio data recorded and analyzed by banks,” said Clutch Group President Brandon Daniels. Banks are employing sophisticated software for tracking purposes, and the move has brought casualties, with Deutsche Bank AG terminating two of its traders after communication reviews. While banks “make sure that their people are being policed the right way … a lot of the guys are probably thinking twice about whether they’re in the right profession,” said Options Group CEO Michael Karp. [The Wall Street Journal] [Bank privacy notices are a joke: Here’s why] [Carnegie Mellon University did a study that suggested some banks don’t even follow the very liberal regulations set out in their privacy notices]


EU – Journalists: Initiatives Weaken Press Freedom

The German Union of Journalists has criticized Parliament’s data retention initiatives, arguing they “impair the freedom of the press and broadcasting, as they weaken protection for those who provide information, as well as editorial confidentiality.” Media outlets like the German Press Council also “consider that the planned regulations are not compatible with the jurisprudence of the European Court of Justice,” the report continues. Parliament will discuss data retention later this month, but “the current planning does not envisage that representatives of the media will be heard,” the report states. [Telecompaper] See also: [Opinion: We should nurture the principle of open courts]

Health / Medical

US – Health Care App Uses Apple Watch to ID Doctors, Follow Privacy Law

Health care app maker AirStrip has found a clever way to comply with strict federal privacy laws: using Apple Watch’s abilities to confirm a doctor’s identity. AirStrip’s co-founder Cameron Powell demonstrated the app’s power at an Apple event in San Francisco. The app shows patients’ information, including their diagnoses and lab results, on the watch screen and allows doctors to send them secure messages. The app also lets doctors communicate with other health care providers about patients. The AirStrip app taps into the Apple Watch’s ability to sense who is wearing the device. That allows the AirStrip app to comply with HIPAA, a federal law that strictly protects a patient’s private health information. Any electronic health record system has to comply with this law, and the Apple Watch is no exception. [CNET]

US – Texas: Med Board Lets DEA Sneak Peeks at Patient Records

The Drug Enforcement Administration has been sifting through hundreds of supposedly private medical files, looking for Texas doctors and patients to prosecute without the use of warrants. Instead, the agents are tricking doctors and nurses into thinking they’re with the Texas Medical Board. When that doesn’t work, they’re sending doctors subpoenas demanding medical records without court approval. The DEA can’t even count how many times it has resorted to the practice nationwide. A spokesman estimated it was in the thousands. But, as a legal brief filed last week points out, lawyers for the federal government can’t find a single case in which a court has “authorized the use of such a broad array of patient information with such a sparse record as to why it needs such information.” Earlier this year, a federal judge in Texas did just that, setting up a showdown in the 5th Circuit Court of Appeals over whether the DEA needs a reason to go rummaging through private medical records in search of pill mills and prescription drug abusers. Without the legalese, the issue is simple: How good a reason does the DEA need to get access to medical records? The DEA doesn’t think it needs much of one. [Watchdog.org]

Horror Stories

US – Target-Affected Banks Granted Class-Action Status

A federal judge has granted class-action status to lawsuits by financial institutions that were victims of Target’s 2013 breach. “The decision may force Target to pay more than it previously estimated to banks that want the retailer to pay their costs for when consumers sought new credit cards after the breach,” the report states. Meanwhile, Charlotte-Mecklenburg Schools’ trouble has just begun, with the district having to notify 7,600 job applicants that their Social Security numbers were shared without authorization. And, Engadget reports that Vladimir Drinkman has pleaded guilty to the theft of more than 160 million credit card numbers since 2003, in what the Department of Justice called the “largest such scheme ever prosecuted in the United States.” [The Star Tribune]

US – Excellus Bluecross BlueShield Breach Affects 10.5 Million

New York state-based health insurer Excellus BlueCross BlueShield and its affiliate, Lifetime Healthcare, have experienced a data breach. Excellus learned last month that intruders had initially accessed its systems in December 2013. As many as 10.5 million people may be affected by the breach. [The Hill] [SCMagazine] [NBCNews]

WW – More Bad News for Ashley Madison Users

Programming errors and shortcuts have resulted in improper encryption of the passwords of at least 15 million hacked Ashley Madison (AM) accounts. A group of hobbyists claim to have cracked the passwords in a matter of 10 days. Gabor Szathmari, an information-security consultant, writes in a blog post that the “source code contains AWS tokens, database credentials, certificate private keys and other secret credentials,” resulting in “a much more vulnerable infrastructure.” Another security consultant notes that users who have used an AM password for another account “need to change it immediately.” [ComputerWeekly] [Big hacks, big data add up to blackmailer’s dream]
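The second finding in the item above, secrets committed to source code, is the one that turns a leaked repository into a compromised infrastructure. The scanner below is an added example written for this digest; it is not Ashley Madison’s code and not from Szathmari’s post. It runs a handful of well-known patterns (the documented AWS access-key-ID format, a PEM private-key header, and heuristics for an AWS secret assignment and a database URL carrying a password) over a constructed PHP-style snippet; the AWS values are Amazon’s own documentation placeholders, not live credentials.

```python
import re
from typing import List, Tuple

# Patterns for secrets that should never be committed to source control.
# The AWS key-ID format (AKIA + 16 uppercase alphanumerics) and the PEM header
# are documented formats; the other two are heuristics a real scanner refines.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "database_url_with_password": re.compile(
        r"\b(?:mysql|postgres(?:ql)?|mongodb|redis)://[^:/\s]+:[^@\s]+@"),
}


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding_kind) for every line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


# Constructed sample "source file" for the demonstration. The AWS values are
# Amazon's documentation placeholders (AKIAIOSFODNN7EXAMPLE / ...EXAMPLEKEY).
SAMPLE_SOURCE = """\
<?php
$aws_access_key_id = "AKIAIOSFODNN7EXAMPLE";
$aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
$db = "mysql://app:Sup3rS3cret@db.internal/members";
$safe = getenv("DB_URL");  // credentials come from the environment: no finding
$tls_key = "-----BEGIN RSA PRIVATE KEY-----";
"""

if __name__ == "__main__":
    for lineno, kind in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

Run against the sample it reports lines 2, 3, 4 and 6 and stays silent on line 5, where the credential is read from the environment at runtime. That is the practical fix the item implies: keep tokens, database passwords and private keys out of the repository entirely, and run a check like this in pre-commit and CI so a source leak does not also hand over the keys to the rest of the estate.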

WW – Following Ashley Madison, Gov’t Investigates Employees Implicated

Robin Levinson King questions whether things will ever be the same following the Ashley Madison breach. “Beyond the sex and the secrecy is a story about what privacy means in the digital age and what responsibility both companies and Internet users have towards protecting others’ privacy,” King writes. Meanwhile, the BC government is investigating the government emails uncovered in the breach. According to the Ministry of Technology, Innovation and Citizen Services, there were 14 email addresses implicated. Five of them are inactive accounts. “Our primary concern is security at this time,” the ministry said. [The Toronto Star]

WW – On Making Stolen Ashley Madison Data Legally Toxic

Several class-action lawsuits have arisen in the wake of the hack of Ashley Madison and efforts to make personal data stolen from the infidelity website legally toxic. Specifically, a new lawsuit aims to hold websites and hosting services liable for aiding and abetting the hackers by making the sensitive data searchable online. The complaint states that while these “entities may labor under the belief that their actions are entrepreneurial rather than criminal … the fact remains that they are in willful possession of stolen property.” Meanwhile, a U.S. pastor whose name was allegedly among those leaked has committed suicide; police in Canada have said at least two other individuals have killed themselves after the release of their information as well. [Fusion] [Ashley Madison Says It’s Still Gaining Users Amidst Privacy Woes] [We’re not talking about data security, and that’s a problem]

US – 10M-Plus Records Affected in Insurer, Bank Breaches

A breach of Excellus BlueCross BlueShield’s systems has affected more than 10 million records. The data loss was discovered when the organization conducted an external forensic assessment after other healthcare organizations, such as Anthem and Premera, reported breaches of their own. According to investigators, the breach started as early as 2013. “We are taking additional actions to strengthen and enhance the security of our IT systems moving forward,” Excellus said in a statement. Meanwhile, “thousands” of clients’ data was stolen from UK-based Lloyds Premier Banking. [ComputerWeekly]

WW – Leaked Data Fuels Bank Scams, Gov’t Data Mining

The leaked data stolen from infidelity site Ashley Madison continues to pose problems for individuals in new and malicious ways, according to two separate reports. Fraudsters are currently trying to take advantage of the leaked data, and data stolen from Carphone Warehouse, to trick people into disclosing their bank details. Meanwhile, according to The Telegraph, UK intelligence agencies are mining Ashley Madison data to see if their own staff could be targeted for blackmail while also using it to find potential intelligence targets. [The Independent] [US: Data Privacy: Wyndham Hotel’s Wake Up Call Should Be Your Own]

US – DHHS Settles with Cancer Care Group for $750,000

In a settlement with the Department of Health and Human Services (DHHS) over potential HIPAA violations, Cancer Care Group has agreed to pay $750,000 and adopt a “robust corrective action plan to correct deficiencies in its HIPAA compliance program,” according to a DHHS press release. The settlement follows a breach three years ago after an unencrypted server backup and laptop were stolen from the car of an employee of the oncology practice. Meanwhile, the Association of American Physicians and Surgeons has filed an amicus brief with the U.S. Supreme Court, urging the court to dismiss the state of Vermont’s appeal of the Second Circuit’s decision to block “enforcement of Vermont’s database requirement against Liberty Mutual Insurance Company” due to privacy concerns. [DHHS] See also: [CA – Rouge Valley Hospital Clerk Pleads Guilty to Stealing, Selling Patient Records] [CA – Ajax woman disturbed over alleged suggestive texts from Sleep Country staffer] [UK London HIV clinic accidentally reveals hundreds of patients’ identities]

Identity Issues

EU – DPA Issues Anonymisation Guide

Norway’s Data Protection Authority (DPA), Datatilsynet, has issued a guide on anonymising personal information. The DPA’s guide “provides practical guidance for data controllers on the considerations to be made prior to anonymising data and highlights Datatilsynet’s opinion on the effectiveness of different anonymisation methods,” the report states. DLA Piper’s Cecilie Ronnevik notes the guide is needed because “Datatilsynet has, over the years, found that there are severe misunderstandings regarding the definition of identifiable personal data.” Along with anonymisation, the guide also considers the topic of pseudonymisation, the report notes. [Privacy This Week]
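The “severe misunderstandings” the guide addresses usually come down to two things: treating an unkeyed hash of an identifier as anonymisation, and assuming that dropping the direct identifier is enough when the remaining columns still single people out. The script below is an added example for this digest, not material from Datatilsynet’s guide; the customer records and the “leaked mailing list” are constructed. It shows that a plain SHA-256 of an e-mail address is reversed by a dictionary of candidate addresses, that an HMAC with a secret key resists that attack but remains reversible for whoever holds the key (so it is pseudonymisation, and the data stays personal data), and that a k-anonymity check over quasi-identifiers exposes records that are unique even with the e-mail removed.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple


def naive_pseudonym(email: str) -> str:
    """Unkeyed hash: deterministic, so anyone with a candidate list can reverse it."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC with a secret key: reversible only by the key holder, hence still personal data."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonyms: Iterable[str], candidates: Iterable[str],
               key: Optional[bytes] = None) -> Dict[str, str]:
    """Dictionary attack: pseudonymise every candidate identity and look for collisions."""
    fn = (lambda e: keyed_pseudonym(e, key)) if key is not None else naive_pseudonym
    table = {fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def k_anonymity(records: List[dict], quasi_identifiers: Tuple[str, ...]) -> int:
    """Size of the smallest group sharing the same quasi-identifier values (k=1: someone is unique)."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


def generalise(record: dict) -> dict:
    """Coarsen quasi-identifiers: two-digit postcode area and birth decade instead of exact values."""
    out = dict(record)
    out["postcode"] = record["postcode"][:2]
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


# Constructed sample data (fictitious people, example.no addresses).
CUSTOMERS = [
    {"email": "ola.nordmann@example.no", "postcode": "0150", "birth_year": 1984, "diagnosis": "A"},
    {"email": "kari.nordmann@example.no", "postcode": "0150", "birth_year": 1984, "diagnosis": "B"},
    {"email": "per.hansen@example.no", "postcode": "5003", "birth_year": 1971, "diagnosis": "A"},
    {"email": "nils.berg@example.no", "postcode": "5007", "birth_year": 1975, "diagnosis": "B"},
]
# A list an attacker might plausibly hold (constructed): two of our customers are on it.
LEAKED_MAILING_LIST = ["kari.nordmann@example.no", "per.hansen@example.no", "someone.else@example.com"]
KEY = b"server-side-secret-kept-out-of-the-dataset"  # hypothetical controller-held key

if __name__ == "__main__":
    naive = [naive_pseudonym(c["email"]) for c in CUSTOMERS]
    print("unkeyed hash, re-identified:", reidentify(naive, LEAKED_MAILING_LIST))
    keyed = [keyed_pseudonym(c["email"], KEY) for c in CUSTOMERS]
    print("HMAC, attacker without key:", reidentify(keyed, LEAKED_MAILING_LIST, key=b"guess"))
    print("HMAC, controller with key:", reidentify(keyed, LEAKED_MAILING_LIST, key=KEY))
    qi = ("postcode", "birth_year")
    print("k before generalisation:", k_anonymity(CUSTOMERS, qi))
    print("k after generalisation:", k_anonymity([generalise(c) for c in CUSTOMERS], qi))
```

The takeaway matches the guide’s framing: pseudonymisation reduces risk but does not take data out of scope, and whether a release is anonymous is a property of the whole dataset (what else is in it, and what else an adversary can obtain), not of any single transformation applied to one column.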

US – Judge Upholds Arizona’s ‘Show Your Papers’ Immigration Law

A federal judge has upheld part of Arizona’s contentious immigration law, rejecting claims that the so-called “show your papers” section of the law discriminated against Hispanics. The ruling by U.S. District Judge Susan Bolton was on the last of seven challenges to the 2010 law. The section being upheld allows police in Arizona to check the immigration status of anyone they stop. Bolton ruled that immigration rights activists failed to show that police would enforce the law differently for Hispanics than for other people. The judge also upheld a section that lets police check whether a detainee is in the United States illegally, and voided provisions targeting day laborers. Bolton’s ruling came two days after a federal judge approved a deal between the U.S. Department of Justice and Arizona’s Maricopa County to resolve accusations of civil rights abuses and dismissed the department’s lawsuit against Sheriff Joe Arpaio and his deputies. [Reuters]

US – Gov’t Awards $133M Contract for OPM Hack Data Protection Services

The Department of Defense (DoD), Office of Personnel Management (OPM) and General Services Administration have awarded a $133.3-million contract to Identity Theft Guard Solutions to provide personal data protection services to the 21.5 million victims of the second OPM hack. The contract is part of a larger $500-million Blanket Purchase Agreement for responding to the devastating data breach and potential future breaches stemming from the hack. Unlike the response to the first hack, the DoD—and not the contractor—will notify victims, and the Pentagon will cover the contract cost. Acting OPM Director Beth Cobert said notifications would not go out until the “end of the month.” [GovExec]

Internet / WWW

RU – Data Localization Enforcement Postponed Until January

Russia has postponed the enforcement of a new national law requiring technology companies that handle the personal data of Russian citizens to install data centers within the country’s national borders. The law officially goes into effect today, but Russian regulators have told companies such as Facebook, Google and Twitter they will not check for compliance until January. A spokesman for Russian communications regulator Roskomnadzor said, “We understand that in transnational companies where offices are spread globally, it takes a while to make a decision.” The spokesman also pointed out that Roskomnadzor does not yet have the resources to check that every company is in compliance. [The Wall Street Journal]

Law Enforcement

CA – Ontario Says it Cannot Get Data on Effectiveness of Carding for Review

The provincial government cannot compel Ontario’s police forces to hand over their data on street checks — including information as to how many times the controversial practice has helped solve crimes, according to Minister of Community Safety and Correctional Services Yasir Naqvi. That means that as the province continues its review of street checks, commonly known as “carding,” it will do so without knowing how often the practice has actually proved useful to investigations, by leading to an arrest, to the discovery of a weapon or drugs, or more. Naqvi said his ministry has been consulting with Ontario’s Information and Privacy Commissioner about how to gain access to this policing data in aggregate form, stripped of any personal information. [Metro News]

US – Judge Lifts 11-Year-Old Gag Order

The Intercept reports U.S. District Court Judge Victor Marrero has “fully lifted an 11-year-old gag order that the FBI imposed on Nicholas Merrill … to prevent him from speaking about a National Security Letter served on him in 2004.” Merrill was the founder of a small Internet service provider and, upon being served the order, was told he couldn’t speak of it to anyone. The lifting of the order is the first time such an order has been fully lifted since the USA PATRIOT Act of 2001 permitted the FBI to issue letters demanding information for national security purposes. Merrill and the ACLU have been fighting to lift the order since 2004. [Full Story]

US – Undercover FBI Agents Spy On Burning Man Festival to Prevent ‘Terrorism’ and Test Out New ‘Intelligence Collection’ Technology

The FBI has admitted to gathering secret intelligence about the annual Burning Man festival since 2010. In response to a Freedom of Information Act request, the bureau said its Special Events Management unit has kept files on festival-goers, known as ‘burners’, to ‘aid in the prevention of terrorist activities and intelligence collection’. But the FBI’s 16-page response to the request by Inkoo Kang is heavily redacted, with information about the technology used to gather the intelligence blanked out. The revelation comes as the 29th Burning Man takes place in the Black Rock Desert in Nevada. [Mail Online]


JP – Amendments Call for Information Protection Commission

The Diet passed an amendment to the Act on the Protection of Personal Information that permits the creation of a Personal Information Protection Commission (PIPC), effective in January. The PIPC “will be established as an independent authority,” the report states, in an effort “to bolster Japan’s expected request for a determination of adequacy by the European Commission.” Updates to the law were also found in Article 24, which “imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries,” the report continues, adding that “draft rules for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules certification as satisfying this requirement.” [TRUSTe Blog]

AU – Australian Data Retention Laws End Online Privacy

The digital privacy of Australians ends on October 13. On that day this country’s entire communications industry will be turned into a surveillance and monitoring arm of at least 21 agencies of executive government. The electronically logged data of mobile, landline voice (including missed and failed) calls and text messages, all emails, download volumes and location information will be mandatorily retained by Australian telcos and ISPs. Intelligence and law enforcement agencies will have immediate, warrantless and accumulating access to all telephone and internet metadata required by law, with a $2 million penalty for telcos and ISPs that don’t comply. There is no sunset clause in the Abbott government’s legislation, which was waved through parliament by Bill Shorten’s Labor with only minor tweaks. The service providers are to keep a secret register of the agency seeking access to metadata and the identity of the persons being targeted. There is nothing in the Act to prevent investigative “fishing expeditions” or systemic abuse of power except for retrospective oversight by the Commonwealth Ombudsman. That’s if you somehow found out about an agency looking into your metadata – which is unlikely, as there’s a two-year jail sentence for anyone caught revealing information about instances of metadata access. [TNT Report]

Online Privacy

US – FTC, Nomi Deal: If You Say Consumers Can Opt Out, Don’t Track Them

A deal was finalized late last week between the FTC and Nomi Technologies, a retail tracking company. When companies advise consumers they can choose not to be tracked, they “must keep that promise,” the report states, suggesting that is the takeaway from the FTC’s decision regarding Nomi. The FTC said it “encourages companies to provide truthful privacy choices to consumers and believes such choices are consistent with growth and innovation. However, the Commission also must take action in appropriate cases to stop companies from providing false choices.” In its deal with Nomi, the FTC has required the company “promise that it won’t in the future misrepresent its privacy policy,” the report states. [MediaPost] See also: [Privacy Protectors: Crucial Contributions by Librarians] and [US – Clever Startup Now Protects Student Data in One-Third of Schools]

WW – Facebook to Introduce Ad-Tweaking Feature

Following discussions with Ireland’s Office of the Data Protection Commissioner, Facebook will now allow users across the globe to modify the way they see ads in the site’s own settings instead of utilizing a third party to get the same results. “We’re introducing an additional way for people to turn off this kind of advertising from the ad settings page right on Facebook,” said Facebook Global Deputy CPO Stephen Deadman. “If you choose to use this tool, it will become the master control for online interest-based advertising across all of your devices and browsers where you use Facebook.” Meanwhile, Facebook hopes that a U.S. appeals court will permit its $20 million settlement regarding the “challenge to its use of social media images in advertising features” to stand. [The Independent] [Facebook’s new digital assistant ‘M’ will need to earn your trust]

WW – GPEN Finds Apps Collecting Kids’ Info

After examining almost 1,500 apps and websites aimed at children, the Global Privacy Enforcement Network found 67% harvest personal information, with only 31% employing controls. Adam Scott of the UK Information Commissioner’s Office said, “The attitude shown by a number of these websites and apps suggested little regard for how anyone’s personal information should be handled, let alone that of children.” Canadian Privacy Commissioner Daniel Therrien noted, however, that a small number of websites and apps “did not collect any personal information at all, demonstrating it is possible to have a successful, appealing and dynamic product that is also child friendly and worry-free for parents.” Meanwhile, Microsoft is working to ensure children’s privacy regulations are observed in app advertising. [Source] [Kid-friendly websites, mobile apps often putting children’s privacy at risk, probe finds] [Canada’s privacy watchdog’s ‘bad blood’ with Taylor Swift]

WW – TRUSTe Introduces New Opt-Out Feature

TRUSTe has announced its TRUSTed Ads Compliance Manager has a new component: Dynamic Platform Detection. The program employs a “single smart tag” that companies can use to streamline opt-out functions on both desktop and mobile devices. “With the addition of Dynamic Platform Detection, TRUSTe is taking the industry one step closer to a universal opt-out which can be supported and guaranteed across a variety of connected advertising environments,” the announcement states. “Many consumers are embracing the convenience and benefits of connected devices,” said TRUSTe CEO Chris Babel. “However, the use of different tracking technologies to serve relevant ads across these platforms remains a privacy concern for consumers and a challenge to industry seeking to deliver and honor advertising preferences.” [TRUSTe Blog]

WW – Spotify Releases Another New Privacy Policy

Two weeks after negative media and public response led to Spotify CEO Daniel Ek clarifying the company’s privacy policy, the music-streaming service has released a new privacy policy designed to “more clearly state why and when the company will ask for access to information like users’ photos and GPS data—as well as how that information is used.” The new policy, which comes with an easy-to-use table of contents and is in “plain language,” makes it clear that Spotify divides data into two categories: data needed to use the Spotify service and data Spotify can use for extra benefits. This latter category can only be accessed by Spotify with explicit user consent, the policy states. [NBC] See also: [What could derail the wearables revolution? ]

WW – Can the One-Page Privacy Policy Become the Norm?

Online security company AVG Technologies has announced the release of the One-Page Privacy Policy. The policy will take effect October 15 and was first pledged by AVG CEO Gary Kovacs, who promised the Amsterdam-based company would develop a “simple privacy policy that can communicate on one page the basics of what data AVG collects and how AVG uses it,” according to a press release. Kovacs at the same time has challenged others in the industry to follow AVG’s lead and offer the same transparency to users. “Without privacy online, there can be no security; and without security, there can be no trust,” said AVG’s Harvey Anderson. [Source]

Other Jurisdictions

RU – Russian Data Law Fuels Web Surveillance Fears

A new law has been implemented in Russia that in theory demands companies store data about Russian citizens on Russian territory, throwing thousands of firms with online operations into a legal grey area. The law, which came into operation this week, is part of an attempt to wrest control of the internet, which president Vladimir Putin has called a “CIA project”. The Russian authorities are keen to ensure greater access for domestic security services to online data, and lessen the potential for foreign states, especially the US, to have the same access. The law has created disquiet among internet giants such as Facebook, Twitter and Google, which would have to move data on Russian users to servers inside Russia and notify the Russian internet watchdog, Roskomnadzor, about their location. As is often the case with Russian legislation, the exact scope of the law is unclear. It could be left largely unimplemented, but always available as a tool to use when required. [theguardian.com]

HK – HKBN Fined HK$30,000 in “Landmark” Case

Hong Kong Broadband Network (HKBN) has been “fined HK$30,000 in a landmark trial over using customer data for direct marketing despite receiving an opt-out request.” HKBN had pleaded not guilty, the report states, noting this is the first case “since an amendment to the Personal Data (Privacy) Ordinance took effect on April 1, 2013.” The Office of the Privacy Commissioner for Personal Data (PCPD) has received more than 500 complaints about direct marketing since the ordinance was amended, the report states, noting PCPD Stephen Wong has indicated organizations should regularly update their opt-out lists as those convicted “are liable to a maximum fine of HK$500,000 and imprisonment for three years.” HKBN has said it plans to appeal the fine. [The Standard]

HK – PCPD Finds Benchmark for Prosecution Is High

Privacy Commissioner for Personal Data (PCPD) Stephen Wong said of the 40 cases involving the misuse of data in marketing referred to police in the last two years, “only three have made it to court.” Wong said the “benchmark for prosecution of such cases is high,” the report states. According to a study by the PCPD’s office and the University of Hong Kong, only 30% of complaints can be investigated; while Hong Kong residents are keenly aware of privacy rights, they aren’t as aware of the limitations of privacy law, the report states. Wong said his office receives about 18,000 inquiries a year, and last year received 1,700 complaints. [The Standard]

IN – The Constitutionality of Privacy in India

The Constitution Bench of the Supreme Court of India will soon pronounce whether the right to privacy is fundamental, and while India’s constitution doesn’t explicitly guarantee its citizens a right to privacy, the court has noted that “many of the fundamental rights of citizens can be described as contributing to the right to privacy.” Sudhanshu Ranjan writes, “In many subsequent cases, the right to dignity was held as a non-negotiable right. It is evident that the right to dignity is hollow without the right to privacy.” Though the court is still in this process, the government intends to introduce the DNA Profiling Bill soon, which includes “no safeguard against the misuse of data proposed to be collected under the bill.” [The Asian Age]

Privacy (US)

US – Twitter Sued for Alleged Direct Message Interception

A class-action lawsuit has been filed against Twitter, claiming the social networking company “surreptitiously eavesdrops” on users in its direct messaging feature. The suit alleges Twitter intercepts messages without user consent and through its algorithms. When a user sends another user a direct message with a hyperlink included, the suit alleges, Twitter changes the original link to its own custom link without the user seeing the change. The company allegedly benefits from this because it can analyze traffic and offer more relevant advertising. Twitter’s privacy policy says it keeps track of how users send and receive hyperlinks. In addition to halting such a practice, the suit seeks redress and statutory damages under the Electronic Communications Privacy Act. [TechCrunch]

US – Proctortrack Data Deleted

After allegedly breaking its 90-day, post-test deletion promise with Rutgers University, online proctoring software company Verificient deleted the biometric and personal student data gleaned from its Proctortrack program. “The data has been deleted in compliance with the agreement; spring semester student data was purged on September 1,” said a Rutgers University spokesman, adding, “Any student data obtained during an online exam is used only by Proctortrack to ensure compliance with testing policies” and “notice of the deletion began going out to the more than 3,000 students who chose to use the Proctortrack software.” Rutgers has said the company used the academic calendar and holidays to calculate the 90 days, which added to the delay. [Ars Technica]

US – Court Urged to Vacate $8.5M Google Settlement

Activist Theodore Frank has filed papers asking the Ninth Circuit Court of Appeals to vacate an $8.5 million settlement with Google. Frank alleges the settlement, which “requires Google to pay around $6 million to six nonprofits … and more than $2 million to the attorneys who brought the lawsuit” amounts to a payment to attorneys “with a change in accounting entries for another $6 million of Google money from its every-day charitable donations to a … settlement fund.” Meanwhile, a California appeals court has found that the rights of defendants in criminal cases to access “information that will aid in their defense does not extend before trial to social networking posts that are protected under federal law.” [MediaPost]

US – Privacy Scholars Want Spokeo Ruling Upheld

A group of 15 privacy scholars have filed a brief with the Supreme Court regarding Spokeo, Inc. v. Robins. To disallow the class-action against Spokeo would present significant detriment to the Fair Credit Reporting Act (FCRA), they suggest. “The FCRA’s consumer transparency requirements and remedial provisions were designed to encourage steady improvement in consumer reporting practices and to relieve pressure on public enforcement authorities,” the document abstract states, noting, “The Petitioner’s claim that Respondents cannot pursue it for its violations of the FCRA would unravel that bargain, preserving consumer reporting agencies’ broad immunity from suit while diminishing incentives to handle data fairly.” [Paper]

US – White House Weighs in on Spokeo

The news surrounding the Spokeo case continues with the White House throwing its hat in the ring via a 49-page brief that exhorts a Supreme Court ruling in favor of consumers. “Congress could reasonably conclude that the inclusion of false information in a report … should be treated as a legally cognizable injury to the individual consumer involved, even though the precise nature and extent of any later consequential harms may be difficult to verify in individual cases,” the brief states. [MediaPost]

US – Sony, UCLA Health Win in Court

A federal appellate court ruled unanimously that a class action against Sony claiming the company violated the Video Privacy Protection Act (VPPA) cannot go forward. The court stated the law does not provide a private right of action for retaining records beyond the statutory time limit, only for divulging that information. Separately, a California court cleared the University of California Los Angeles Health System of responsibility for the unauthorized release of a woman’s medical records. The incident occurred when a temporary worker—a “romantic rival”—used a doctor’s username and password to access the woman’s medical records and then texted them to others. [MediaPost]

US – Privacy of Women Seeking Abortions Tested Repeatedly

Anti-abortion groups access information on women seeking abortions and then publish it on their websites. A few years back, Jonathan Bloedow filed a series of requests under Washington state’s Public Records Act asking for details on pregnancies terminated at abortion clinics around the state. For every abortion, he wanted information on the woman’s age and race, where she lived, how long she had been pregnant and how past pregnancies had ended. He also wanted to know about any complications, but he didn’t ask for names. This is all information that Washington’s health department, as do those in other states, collects to track vital statistics. Bloedow is an anti-abortion activist who had previously sued Planned Parenthood, accusing the group of overcharging the government for contraception. The health department had already given him data for one provider, he said, and was on the verge of turning over more information when Planned Parenthood and other clinics sued, arguing that releasing the records would violate health-department rules and privacy laws. The legal skirmish, and others like it nationwide, reveal a quiet evolution in the nation’s abortion battle. Increasingly, abortion opponents are pursuing personal and medical information on women undergoing abortions and the doctors who perform them. They often file complaints with authorities based on what they learn. [ProPublica, seattletimes.com]

US – Privacy Concerns Don’t Curb Use of Classroom Apps

Parents and lawmakers want more safeguards to prevent exposure of student data. Laptops, tablets and smartphones each year play a more prominent role in schools, despite lingering concerns that private companies and government agencies are using such devices to collect massive amounts of data that can be used to profile students. [US News]

Privacy Enhancing Technologies (PETs)

EU – EuroPriSe Awards First Website Certification Seal

A little more than 20 months after the EuroPriSe privacy certification seal changed hands on January 1, 2014, the new operation has awarded its first Website Certification Seal to the website of Versorgungsanstalt des Bundes und der Länder, Germany’s Pension Institution of the Federal Republic and the Länder. Previously, seals were only awarded to IT-based services, confirming that their data collection and processing met European data protection law. [Privacy Advisor]

WW – Apple iOS9 to Provide Content Blocking

More debates around online privacy are likely to emerge in the coming weeks with Apple’s expected release of its new operating system, iOS9, which will include a new content-blocking feature allowing developers to block cookies, images and other trackers. Apple is also expected to implement new security and encryption features called App Transport Security, essentially providing HTTPS for apps. The move could have profound effects on the ad ecosystem, the report states. [Ad Exchanger] [Apple Moving Forward In App Privacy; Google…Not So Much?]

US – DARPA’s Brandeis Project to Cultivate Privacy Tech

The Defense Advanced Research Projects Agency (DARPA) has launched a new privacy-focused project. In contrast to the post-9/11 Total Information Awareness program that was eventually shuttered, “Brandeis” aims to cultivate technology for protecting individual privacy. DARPA Program Director John Launchbury, a cryptographer and computer scientist, said, “Privacy is a key enabler to things we care desperately about, like democracy and innovation.” DARPA is looking to collaborate with leading researchers and entrepreneurs and expects the project to last approximately four-and-a-half years, with a budget in the “tens of millions of dollars.” The early-stage research efforts DARPA will support include advanced cryptography, multiparty differential privacy and artificial intelligence for predicting an individual’s privacy preferences. [The New York Times]

WW – Data Shows Tor Use Booming

According to Onionview, a new online program that lets users see where Tor nodes have been activated, there are now more than 6,000 such systems in use. “People think that Tor is 10 people running computers in their basements,” said Onionview creator Luke Millanta. “When people see the map,” he said, they can see “what 6,000 nodes around the world looks like.” The data also indicates a five-year peak in Tor nodes. In 2010, the count “consisted of less than 2,000 nodes, compared with 6,425 today,” the report states, adding that Germany and the U.S. lead the world in Tor use. [Wired] [This program lets you snap a photo of whoever’s trying to hack you]

WW – Report: Overheated Rhetoric Creates a ‘Privacy Panic Cycle’ for New Technologies, Warns Policymakers Not to Overreact

The Information Technology and Innovation Foundation (ITIF) today released a comprehensive analysis of how privacy advocates trigger waves of public fear about new technologies in a recurring “privacy panic cycle.” ITIF urged policymakers to recognize these panics and not allow hypothetical, speculative, or unverified claims to distort the policy process or inhibit new innovation. In a new report released today, “The Privacy Panic Cycle: A Guide to Public Fears About New Technologies,” ITIF outlines the stages of public panic and the factors and trends influencing these stages, along with examples of how the panic cycle has repeatedly played out throughout modern history—from the first portable camera to search engines to drones. [Infographic summary of the report] [Full Report] [WASHINGTON PRWEB]

WW – Is Obfuscation the Newest Tool for Privacy Protection?

In an interview with Slate, Finn Brunton, co-author of Obfuscation: A User’s Guide for Privacy and Protest, with fellow NYU Prof. Helen Nissenbaum, discusses the nature of online privacy and a new tactic—obfuscation—in the fight for relative Internet ambiguity. In their book, Brunton and Nissenbaum describe obfuscation as “the deliberate addition of ambiguous, confusing or misleading information to interfere with surveillance and data collection,” the report states. “Part of what we like about obfuscation is that it’s an approach that doesn’t rely on perfect technology perfectly implemented, or everyone getting onboard at the same time,” Brunton notes, adding it’s “not a replacement, but rather a supplement, a complement that we would see added to the existing toolkit of privacy protection practices.” [Full Story]


WW – Forum Stresses Importance of Industry, Gov’t Efforts

To date, the debate on Internet of Things (IoT) technologies has focused on companies’ ability to keep their Internet-connected devices secure and on government efforts to make sure proper privacy protections are in place. But at last week’s Security of Things Forum, both government and industry panelists said industry has to do more to protect consumers, because consumers don’t always fully understand the privacy implications of using IoT devices. Andrea Matwyshyn, a law professor at Northeastern University, also said regulators must take care, when making policy, to understand the technology as well, or risk overregulating. “In this case, we need a regulatory scalpel, not a regulatory axe,” she said. [The Christian Science Monitor] Republican commissioners from the FTC and the FCC warn that the FCC’s move into the FTC’s Internet privacy jurisdiction will lead to excessive enforcement and uncertainty.


US – NCSC Launches Spear-Phishing Awareness Campaign

During the Intelligence & National Security Summit, Bill Evanina, director of the National Counterintelligence and Security Center (NCSC), introduced the NCSC’s new Know the Risk, Raise Your Shield campaign to raise spear-phishing awareness. Evanina said “91 percent of the breaches we’ve seen in the last few years have emanated from spear phishing,” adding, “Our adversaries do not need to use sophisticated attacks—it all starts with e-mails.” Understanding the danger of clicking mysterious links is “something we all need to do,” he said, noting, “If just a few people don’t click the link, it could prevent another huge breach in the future.” [Ars Technica]

WW – Cloud Security Alliance Proposes Threat-Sharing Scheme

Aiming to help organizations report threats, the Cloud Security Alliance is proposing establishing a scheme that would allow for the anonymous sharing of information. The Cloud Cyber Incident Sharing Centre would take in threat information and then, using algorithms, would “provide near-real-time correlation with reports supplied by other vetted members. If similarities are discovered, members can be alerted and provided with the related reports that contain additional attack indicators, valuable context and mitigation advice,” reads a CSA white paper outlining the proposal. Threat-sharing is especially important for the cloud industry because of how harmful a widespread attack could be given the cloud’s central role in IT structures. [Full Story]

US – OMB Guidance on Federal Contractor Cybersecurity is Lenient and Vague

The US Office of Management and Budget’s draft guidance on cybersecurity for federal contractors is facing criticism for being too lenient and too vague. In a letter responding to the draft, the US Chamber of Commerce wrote, “The guidance needs to be dynamic and not become an ossified checklist of requirements that fails to respond to actual threats.” And the US Professional Services Council called the guidance “too little, too late, and too flexible.” [FederalTimes] [The Hill] [WeLiveSecurity] [FedScoop]

US – CA Welcomes New Cybersecurity Center

Governor Jerry Brown (CA-D) signed into existence the California Cybersecurity Integration Center, a new agency with a chief goal of protecting the data of state organizations from breaches. “The center will serve as a central hub for the state’s online security and coordinate with state departments, federal agencies and tribal governments, utilities and other service providers, academic institutions and non-governmental organizations,” the report continues, adding that the move follows instances of IT non-compliance found by state auditors. [CBS Sacramento]

WW – Baby Monitors Not Secure: Study

According to a study from Rapid7, several Internet-connected baby monitors lack basic security. Some of the monitors do not encrypt their data streams, and some use unchangeable administrator passwords that are easy to obtain. Because the monitors are Internet-connected, once compromised they could be used as a foothold to reach other devices on the same network. “Eight of the nine cameras got an F and one got a D-minus,” said researcher Mark Stanislav. [Fusion] [The Hill] [The Register] [ZDNet] [Rapid7 Paper]

WW – Microsoft Paper Says EHR Databases, Even Encrypted, Aren’t Safe

According to a new study by Microsoft, many types of electronic medical record databases are vulnerable to data leaks even when they are encrypted. In the paper, the researchers describe recovering information such as sex, race, age and admission details from actual patient records from 200 U.S. hospitals, the report states. Given that, the researchers recommend that such databases not be used. The risk, as the report describes it, is that encrypted data must frequently be decrypted to be useful, and the decrypted data is held in the computer’s memory, which is dangerous if cybercriminals gain access to it. The paper will be presented at a security conference next month. [IDG News Service] [Microsoft researchers warn that some encrypted databases used for medical records aren’t so secure]


WW – UN’s Cannataci on Lack of Surveillance Oversight

UN Special Rapporteur on Privacy Joseph Cannataci said the lack of oversight for UK surveillance activities is “worse than a bad joke” and possibly “downright dangerous.” Specifically, he said the three bodies with oversight powers, the Information Commissioner’s Office, the Intelligence and Security Committee and the Investigatory Powers Tribunal, are all under-resourced and incapable of undertaking the work necessary to keep in check “one of the largest intelligence set-ups in the Western world.” [Full Story] [UK: Man fined for flying drone at football matches and Buckingham Palace]

US – NSA Bulk Call Records Collection Extended for Last Time

The NSA’s controversial program for the bulk collection of domestic phone call records has been granted an extension for the last time, according to documents released. Under an order by the secret Foreign Intelligence Surveillance Court, the NSA is now allowed to continue collecting the data for a three-month period until Nov. 28. The permission had previously been extended in June to Aug. 28. U.S. President Barack Obama signed into law in June the USA Freedom Act, legislation that reins in the program by leaving the phone records database in the hands of the telecommunications operators, while allowing only targeted searches of the data by the NSA for investigations. While some provisions of the Act took effect immediately upon enactment, the ban on bulk collection of call records allowed for a 180-day transition of the program. After Nov. 28, the NSA’s access to phone data collected so far, for the purpose of analysis, will end, according to a joint statement by the Department of Justice and the Office of the Director of National Intelligence. The data will, however, not be immediately deleted. If the court approves, the agency aims to keep the data for another three months and give technical personnel access to it “solely for data integrity purposes to verify the records produced under the new targeted production mechanism” permitted by the USA Freedom Act. In a related development, the U.S. Court of Appeals for the District of Columbia Circuit reversed a preliminary injunction on the collection of phone records issued by Judge Richard Leon of the U.S. District Court for the District of Columbia. The judge had earlier ruled that the NSA’s bulk collection of domestic phone records likely violated the U.S. Constitution. [pcworld.com] [Judges seem hesitant to stop NSA bulk collection before ban takes effect] The U.S. Court of Appeals for the District of Columbia Circuit ruled that the National Security Agency’s collection of metadata under the USA Freedom Act could continue until the bill’s expiration in November.

US – Vodafone Accessed Australian Journalist’s Phone Records

Vodafone failed to inform a Fairfax journalist that her phone records had been accessed by the company in a bid to uncover the source of her stories, despite senior staff acknowledging that the conduct was potentially illegal. The telco giant admitted in a statement that one of its employees had accessed “some recent text messages and call records” of investigative journalist Natalie O’Brien in January 2011. But O’Brien said the telco giant never informed her of the breach, which occurred shortly after she exposed major security flaws with Vodafone’s Siebel data system in a page one story on January 9, 2011. [stuff.co.nz]

CO – Colombia’s Spy Agencies Collecting Bulk Data Without Warrants

Intelligence agencies in Colombia have been building robust tools to automatically collect vast amounts of data without judicial warrants and in defiance of a pledge to better protect privacy following a series of domestic spying scandals, according to a new report by Privacy International. The report published by the London-based advocacy group provides a comprehensive look at the reach and questionable oversight of surveillance technologies as used by police and state security agencies in Colombia. One tool developed is capable of monitoring 3G phone cell and trunk lines carrying voice and data communications for the whole country, according to the report. The system, called Integrated Record System, was built by police intelligence starting in 2005 and had the capacity to collect 100 million cell data records and 20 million text message records per day without service providers’ knowledge, according to the report’s authors. The report doesn’t say how the technology was used, but such mass, automated collection of data isn’t explicitly authorized under Colombian law, according to the group, which based its findings on purchase orders and documents, many never seen before, and confidential testimony by people working in Colombia’s vast surveillance industry. [usnews.com]

US – Twitter Hit With Class Action Lawsuit for Eavesdropping on Direct Messages

To most Twitter users, URL link shorteners are a convenient way to stuff more into a 140-character message. But a proposed class action lawsuit filed this week alleges that the social media service is using them in violation of the Electronic Communications Privacy Act and California’s privacy law. The complaint, brought in federal court in San Francisco by Wilford Raney and others similarly situated, claims that despite Twitter’s assurances that users are allowed to “talk privately” among one another, “Twitter surreptitiously eavesdrops on its users’ private Direct Message communications. As soon as a user sends a Direct Message, Twitter intercepts, reads, and, at times, even alters the message.” The lawsuit uses a link to The New York Times as an example. The new lawsuit aims to represent two classes — every American on Twitter who has ever received a direct message and every American on Twitter who has ever sent a direct message. The claimed damages are as high as $100 per day for each Twitter user whose privacy was violated. [Hollywood Reporter]

Telecom / TV

US – CBBB to Enforce Mobile Ad Space

September 1 marked the beginning of a new enforcement regime in the mobile ad space as the Council of Better Business Bureaus’ (CBBB) Online Interest-Based Advertising Accountability Program starts enforcing the Digital Advertising Alliance’s Self-Regulatory Principles in the mobile environment. With exclusive comments from the CBBB’s Accountability Program Vice President and Director Genie Barton, this report examines what the CBBB will focus on enforcing and what businesses and app developers need to know in order to avoid an unwanted self-regulatory knock at the door. [The Privacy Advisor]

US – Justice Department Tightens Stingray Rules

The US Justice Department (DOJ) has published a new policy regarding its use of cell-site simulator devices commonly known as Stingrays. Government agents will need to obtain a warrant before using the technology to locate mobile devices. They will be prohibited from gathering communication content, including pictures, and must regularly purge the data they do collect. [The Hill] [ComputerWorld] [Wired] [Ars Technica] [DOJ Policy Guidance]

US – New DoJ Stingray Policy Falls Short, Advocates Say

The Department of Justice (DoJ) has announced a new policy for its use of cell-site simulators—known as stingrays—according to a DoJ press release. The policy requires law enforcement to obtain a warrant before deploying the technology. “Cell-site simulator technology has been instrumental in aiding law enforcement in a broad array of investigations, including kidnappings, fugitive investigations and complicated narcotics cases,” said Deputy Attorney General Sally Quillian Yates. “This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals’ privacy and civil liberties.” The department-wide policy goes into effect immediately. Privacy advocates, however, say the new policy is flawed because of “substantial loopholes.” [Full Story]

US Government Programs

US – Congress Eyes Privacy Rights For Non-U.S. Citizens

Lawmakers and tech companies — including Google — are calling for the U.S. to extend certain Privacy Act rights to non-U.S. citizens. At issue is a data sharing “umbrella agreement” that U.S. and European Union negotiators agreed to earlier this week. The E.U. says that if Congress does not pass legislation extending the right to seek legal redress for privacy violations to non-U.S. citizens, the agreement is a no-go. The Judicial Redress Act, introduced by Sen. Chris Murphy (D-Conn.) and co-sponsored by Sen. Orrin Hatch (R-Utah), would allow the Attorney General to work with other agencies to designate certain countries whose citizens would have the right to enforce their data protection rights in U.S. courts. The lawmakers have cast the bill as urgent in light of its significance in the umbrella agreement negotiations. [The Hill]

US – IG: DHS Needs To Bolster Systems

The inspector general (IG) in charge of reviewing the Department of Homeland Security (DHS) issued a new report this week saying that the agency needs to improve the security of its information systems and establish a cyber-training program for analysts and investigators. “Without developing the department-wide training program, component personnel may not possess the skills necessary to perform their assigned incident response duties or investigative responsibilities in the event of a cyber attack,” the IG report states, adding, “We identified vulnerabilities on internal websites … that may allow unauthorized individuals to gain access to sensitive data.” The audit did say, however, that the DHS has improved coordination between agencies and set out nine recommendations for improvement. [Reuters]

IN – NATGRID Database Rings Alarm Bells

The government is developing the National Intelligence Grid (NATGRID), which will fuse 21 personal information databases of Indian citizens, as well as National Population Register (NPR) information and biometric data from the Unique Identification Authority of India (UIDAI), accounting for 1.2 billion people. “The government’s defense is that it can anyway get access to such information under the Code of Criminal Procedure and NATGRID will expedite the process,” the report states. With the privacy and data protection bill still not approved after four years, the report suggests “the government wants to buy more time till UIDAI and the NPR complete the process of capturing biometric data in the entire country.” [The Business Standard]

US Legislation

US – Senate Judiciary Set to Consider ECPA Reform

An upcoming Senate Judiciary hearing on reforming the Electronic Communications Privacy Act (ECPA) will see legislators looking back to the 1967 Supreme Court case Katz v. United States to “revisit the ECPA’s roots” instead of simply reforming the “flawed” 1986 statute. The full committee hearing is set for 10 a.m. EST and will feature two panels of witnesses, including representatives from the Department of Justice, SEC and FTC, as well as the Tennessee Bureau of Investigation, Google, the Center for Democracy & Technology and the Software Alliance. [Full Story]

US – Senators Consider Legislation to Fight Taxpayer ID Theft

The recent IRS breach affecting more than 300,000 individuals has inspired the Senate Finance Committee to develop bipartisan taxpayer identity-fraud legislation, which will be debated Wednesday. “We need to do a better job of protecting taxpayers,” said Sen. Ron Wyden (D-OR). The bill would aim to “enhance taxpayer notifications regarding identity theft, push employers to file tax forms earlier and improve the electronic tax-filing system to speed processing and uncover more fraud” while intensifying sanctions for criminals. Meanwhile, the IRS confirmed that, for tax purposes, breach victims do not need to report identity-theft protection they receive. [The Hill]

US – Other Legislative News

Workplace Privacy

WW – Survey: Employees Know Risks But Aren’t Protecting Data

A Wakefield Research survey on behalf of Citrix Systems finds that employees’ awareness of breach risks is growing much faster than their defensive behaviour. While “U.S. workers are aware of threats to security and data and are feeling vulnerable … many fail to take basic security steps to protect their data … and some are not confident their companies are focused enough on the issue,” the report states. The survey found that 92% of “American workers believe security and data protection are priorities for the companies they work for,” but “88% believe companies say their data is more secure than it actually is,” the report states. [eWeek]

US – NFL Players Get Bugged

Some National Football League (NFL) teams now employ technology company Zebra’s radio frequency identification device (RFID), a uniform-attached tracking mechanism that collects data that may impact NFL goings-on from practice schedules to betting. “Every movement of every player now could be monitored within an accuracy level of all but a few inches,” the report states, adding, “But its most unexpected impact will have nothing to do with sports at all … Fortune 500 companies are watching the NFL closely, examining how they might incorporate the RFID chip to monitor every move of their onsite employees from the construction site, the office and beyond.” [Ars Technica] [How the NFL—not the NSA—is impacting data gathering well beyond the gridiron] SEE ALSO: [CBC News: How games, social media are changing the hiring game] | [CBC News: How new data-collection technology might change office culture] |  [CBC News: WW – Companies Monitoring Personal Time, for ‘Self-Improvement’]

CA – OFL Employees Demand Their Office Be Checked for Concealed Cameras

The discovery of a camera hidden in an exit sign at the Ontario Federation of Labour has prompted shaken employees to demand a complete electronic sweep of their office. Meanwhile, concerns have also been raised about other cameras contained in what appear to just be smoke detectors in public areas of the building, partly owned by the OFL. The Star has learned the demand for an office sweep is included in a grievance filed by the Canadian Office and Professional Employees Union (COPE), the union representing the employees. The grievance is scheduled to go to arbitration on Oct. 8. An email statement said that “every security camera in the OFL building is located in a public area where no one would have the expectation of privacy, and each security camera is trained on an entrance, a stairwell or an elevator.” “They are not, and have never been, used to monitor or discipline staff of the OFL or the OntFed building. These security cameras were installed on the advice of police because of persistent situations involving intruders who were harassing staff of the building and because of break-ins and thefts in the building.” [The Star] [US man loses job offer after sending naked selfies to boss]


16-31 August 2015


AU – Australian Government to Debut Facial Recognition Database

By next year, the Australian government expects to have a plan in place for law-enforcement agencies to share facial-recognition data. As they try to battle organized crime, the report says, law-enforcement officials have been working on a national facial recognition database, which will initially be focused on matching faces to known criminals and then expand to match the faces of unknown criminals in footage or images to those in the general population via images collected for identity documents. The government currently holds some 100 million such images. At least six federal agencies will be able to access the database when it goes live. [IT News]

AU – Portable Fingerprint Devices on NSW’s Horizon

New South Wales (NSW) police are on the lookout for portable fingerprint scanners that are compatible with Samsung Note 4, a move that will cause minimal privacy waves. The search for the scanners was catalyzed by the police department’s desire to streamline the identity-check process, the report states, noting that while “there has also been strenuous ongoing debate in the country about associated privacy and civil rights issues … the NSW Police efforts in this case are fairly incremental … and are unlikely to spark a major controversy, at least until the police actually start using fingerprint sensors in the field.” [MobileIDWorld]

WW – Facebook Launches Facial Recognition Tool

Facebook has launched a facial recognition tool in India that it withheld in Europe due to privacy concerns. “Moments” groups photo albums together using face recognition algorithms and allows users to search for photos of themselves and friends. American users are already using the tool. In June, Facebook said EU laws prevented it from releasing the app in Europe; regulators told the company it must offer an opt-in choice before unveiling. [Planet Biometrics]

Big Data

WW – Protecting Privacy Shouldn’t Be an Afterthought

Privacy must be the foundation of the Internet of Things (IoT) as its technology develops, and in order to quell user trepidation, the matter of how to do that “deserves serious thought.” “Privacy, security and trust cannot be an IoT afterthought—after all, these devices are collecting our stories,” the report states, noting data should be thought of as stories that generate insights for those seeking to market products to individuals. “Security has to be baked into the core platform from the beginning in order to explicitly manage what is happening to the information collected, who controls it, who has access to it and what is done with it,” the report states. [Information Age]


CA – Canada Privacy Commissioner Issues BYOD Warning for Businesses

The Office of the Privacy Commissioner of Canada, alongside counterparts from British Columbia and Alberta, has issued a document offering guidance for companies looking to implement BYOD programs. Citing “an increased blurring of the lines between professional and personal lives” and “employee concerns that privacy is at risk”, the 16-page missive goes through the various stages of rollout, from getting senior management onside, to privacy impact and threat risk assessments, and testing and enforcing policy. [Appstech News] The Offices of the Privacy Commissioner and of the BC and Alberta Information and Privacy Commissioners have created new guidelines for BYOD programs.

CA – BC Commissioner Calls for Compulsory Reporting, Privacy Training

BC Information and Privacy Commissioner Elizabeth Denham believes the province should require mandatory privacy breach reporting. Because BC still has voluntary breach reporting, “Denham said she has no way of knowing whether she’s hearing about all serious cases or whether citizens and consumers are being properly notified,” the report states. Meanwhile, in St. John’s, an attorney has filed a class action against Kiewit Energy over a privacy breach, and The Canadian Press reports on the call for improved Internet privacy training for both government and private-sector employees to help prevent breaches. “Online privacy awareness training is crucial to protect not only the employees but the employers’ reputation,” said University of Ottawa’s Karen Eltis. [Times Colonist] [Watchdog urges compulsory reporting of B.C. privacy breaches]

CA – Senate Reports Point to Tory Privacy Priorities

Newly released Senate committee reports provide a glimpse into Conservatives’ privacy policy priorities, writes Michael Geist. Specifically, the Senate Committee on National Security and Defence released two reports recommending a “massive expansion in the collection and sharing of biometric information” at the borders and “examining training and certification of imams in Canada.” While the reports acknowledge potential privacy issues, they offer, Geist says, few protective measures other than “appropriate oversight.” [The Tyee]

CA – Toronto Police Curb Disclosure of Suicide Attempts to U.S. Border Police

Following a highly critical report and unprecedented legal action by Ontario’s privacy commissioner, Toronto police have taken steps to keep U.S. border police from automatically accessing records about a Canadian’s suicide attempts — sensitive personal information that could result in being denied entry. In a report to the Toronto police board released this week, Chief Mark Saunders outlined changes made in the wake of Cavoukian’s 2014 report, Crossing the Line, which chronicled the experiences of Ontarians refused entry into the U.S. based on a past suicide attempt. Cavoukian’s report and a Star investigation probed how U.S. border guards were being alerted to prior suicide attempts through the Canadian Police Information System (CPIC), a national police database operated by the RCMP. In his letter to the board, Saunders described a new protocol that “balances public safety with the need to protect Canadians’ privacy” by setting stricter limits on what information can be viewable by U.S. Customs and Border Protection through CPIC. It is a different solution from Cavoukian’s, which suggested Toronto police halt the practice of automatically uploading or disclosing personal information through CPIC related to suicide threats or attempts. Insistent that a record needs to be shared with other police forces — information about previous suicide attempts or threats “can be instrumental in managing potential risk to the public, the officer and, importantly, the person in crisis,” Saunders writes — Toronto police instead worked with the RCMP to develop a new CPIC function that blocks U.S. border officials from accessing certain information. [thestar.com]

CA – Expert: ‘Dangerous’ Alberta Court of Appeal Precedent Will Promote Government Secrecy

Alberta’s information commissioner is appealing to the Supreme Court of Canada a ruling which significantly limits her powers to hold the government accountable. It also sets a precedent which one expert says could lead to increased secrecy at government ministries across Canada. In April, the Alberta Court of Appeal ruled that information and privacy commissioner Jill Clayton does not have the legal authority to compel public organizations – such as government ministries – to hand over records which they claim are subject to solicitor-client privilege. Ottawa lawyer and freedom-of-information expert Michel Drapeau called the ruling a “very, very dangerous precedent” which he believes will be frequently abused by governments seeking to evade transparency and accountability. “We will only receive information which a government institution decides we are entitled to,” Drapeau said. “(Ministries) will block the rest of it by using this very convenient tool: solicitor-client privilege.” [CBC News] Alberta Information and Privacy Commissioner Jill Clayton is appealing a ruling that “significantly limits her powers to hold the government accountable” to Canada’s Supreme Court.

CA – Nova Scotia Judge Reserves Decision on Law Inspired by Rehtaeh Parsons

Arguments have now concluded about the constitutionality of Nova Scotia’s ground-breaking legislation designed to combat cyberbullying. After a day and a half of arguments from lawyers, Justice Glen MacDougall reserved his decision to a later date. Privacy lawyer David Fraser brought the Charter challenge to the Nova Scotia Supreme Court, saying the 2013 provincial statute violates Sections 2(b) and 7 of the Canadian Charter of Rights and Freedoms. Those sections pertain to the freedom of expression and the right to life, liberty and the security of the person. “The definition of cyberbullying is too broad and is defective,” said Fraser. He argued in court that any comment made online that could hurt a person’s feelings may constitute cyberbullying. That could result in sweeping communication restrictions on the person who made the comments, Fraser argued. The current legislation, he said, captures everything from political advertising to benign online commentary. In defence of the Cyber-Safety Act, passed in 2013, on behalf of the Attorney General, lawyer Debbie Brown argued the legislation does not infringe on any rights, and that any infringement that does exist is reasonable. Brown told the court that freedom of expression protects three categories of speech:

  1. Pursuit of truth
  2. Participation in social or political decision making
  3. Self-fulfillment

She argued that cyberbullying — in this specific case and in general — rarely falls into any of these three categories. If the speech is not protected by the Charter, the Act should be allowed to stand, Brown said. Lawyers also tackled a procedural issue. Court orders issued under the current Act can be enforced “ex parte”, meaning without comments from both parties involved. Victims can request a court order under the Act without the accused being notified. That means the first notice an accused cyber-bully may receive is a document served by police immediately restricting their online communication. Justice Glen MacDougall did not give a precise date when he may return with a decision. [Source]

CA – Privacy Commissioner Investigates Ashley Madison Data Breach

The Office of the Privacy Commissioner “has commenced an investigation into the matter concerning (Ashley Madison owner) Avid Life Media.” Last week, hackers leaked the personal information of 39 million Ashley Madison users, including emails, credit card information and sexual preferences. “Given that the company is based in Canada, and considering the global scope of the incident, our office will be investigating jointly with the Office of the Australian Information Commissioner, and in cooperation with other international counterparts,” Lawton said. [Source]

CA – Feds Consider Scheme to Circumvent Effect of Ruling That Curbs Police Access to Internet Subscriber Data

A new administrative scheme that would allow police to obtain basic information about Internet subscribers without a warrant is one option being considered by federal officials following a landmark Supreme Court ruling that curbed access to such data, Canadian police chiefs say. The glimpse into federal deliberations about how to address the highly influential court decision comes in a newly published background document from the Canadian Association of Chiefs of Police, which is urging the government to fill the legislative gap. [The Star]

SK – A Look at the Latest PIPA Amendment

The Personal Information Protection Act (PIPA) has been amended. “As a result of the amendment, organisations that experience a data breach could find themselves faced with court-awarded damages of up to three times the actual damage caused” by the breach, the report states. Once the amendment goes into effect, it is expected it “will lead to a sharp increase in liability lawsuits following personal data breaches. With some organisations holding millions of customers’ data, the enormous potential fine should in turn encourage organisations and others who hold personal data to take greater care to protect personal information,” the report states. [ReedSmith’s Technology Law Dispatch]

CA – Roundup: Courts, Commissioners Take Action

Alberta Information and Privacy Commissioner Jill Clayton is appealing a ruling that “significantly limits her powers to hold the government accountable” to Canada’s Supreme Court. University of King’s College’s Dean Jobb writes on an “about face” on police disclosures of those who have died as a result of violent crimes. The Ontario Office of the Information and Privacy Commissioner has found “no evidence of tampering or interference with documents requested” by the newspaper. And in Saskatchewan, the Office of the Information and Privacy Commissioner found a healthcare employee’s privacy was breached “when his personal information was shared by his employer, the health region and the health ministry.” Meanwhile, in Toronto, “police have taken steps to keep U.S. border police from automatically accessing records about a Canadian’s suicide attempts.” [CBC News]

CA – IPC: Letter to Minister Proposes MFIPPA Amendment

In a letter to the Honourable Ted McMeekin, Minister of Municipal Affairs and Housing, the Ontario Commissioner applauds the ministry for engaging the public and other stakeholders in its review of Ontario’s municipal legislation. Recognizing this process as an opportunity to improve accountability and transparency, he recommends amendments to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) relating to municipal councillors’ records. The proposed amendment would broaden the scope of information accessible under MFIPPA. The Commissioner has offered his continued assistance to the minister and his staff. He also asks that our office be consulted on any reforms that involve new collection, use or disclosure of personal information or personal health information. [Source] SEE ALSO: When the Ontario Legislature resumes its sitting in September, it will be looking at the Police Record Checks Reform Act 2015.

CA – Other Privacy News


US – Millennials, Others Concerned About Privacy

According to a study by security corporation Intercede, less than five percent of 16- to 35-year-olds in the U.S. and UK trust that their digital identities are adequately protected, with 70 percent believing that these online risks aren’t going anywhere soon. Lubna Dajani, a digital technologist, noted, “Businesses and governments should urgently review current security protocols or else risk the potential to drive innovation and growth.” And The Telegraph reports Google search data indicates concern among UK residents in the wake of recent breaches. Meanwhile, InfoWorld provides tips on how to protect anonymity online. [ComputerWeekly]


AU – NSW Data Collection Plan Involves Privacy Input

New South Wales (NSW) has a “plan for a whole-of-government data analytics centre,” suggesting that while it highlights “the potential of big data to influence and inform government policy decisions … it’s good to see that a steering committee, composed of NSW’s privacy commissioner, chief scientist, customer service commissioner and information commissioner, has been established to oversee the centre’s establishment.” The report calls the involvement of privacy experts “absolutely crucial because harnessing big data does have its complications”—specifically addressing consumers’ rights and interests, noting that even with anonymous data, “data analytics increasingly gives organisations the ability to drill down to monitor and understand individual behaviour, often without the awareness of those being observed.” [Technology Spectator]

AU – Research: Government Failing on PIAs

The government “has failed to conduct proper privacy impact assessments (PIAs) on almost 90% of the national security measures it has passed in the last 14 years.” That’s according to independent research by privacy advocate Roger Clarke, the report states, noting that since the Sept. 11, 2001, terrorist attacks, “Australia has passed about 72 security-related measures—from increasing electronic spying, to metadata and biometrics,” but “only 20 of those laws had any kind of PIA, and of those, half were done in secret without any public consultation,” Clarke said, “The track record of government agencies is appalling on this matter.” [ABC News] [AU – Government failed to conduct privacy impact assessments on 90pc of security measures]

EU – Should Government Publish New Citizen Data?

Activists are expressing concern about an Irish government policy of publishing the names and addresses of new citizens in Iris Oifigiúil, the official government register. Digital Rights Ireland believes the practice, which has been in place since at least 2005, is in breach of EU law. However, the practice was reviewed in 2011 by the Minister for Justice and it was decided the practice is mandated by a 1956 Act. The Data Protection Commissioner found, too, that the processing of personal information in this way is exempt from the Data Protection Act. In response, the Migrant Rights Centre Ireland has said they are “astounded” that the government has made this information so easily accessible. [Irish Times] See Also: [Government surveillance of citizens a troubling trend in Canada] and [Micro-targeting is a political tool that can help parties win]

US – Audit Finds Dozens of CA Agencies Noncompliant

Dozens of California state agencies have not fully complied with cybersecurity standards designed to protect Social Security numbers, health records, income tax information and other sensitive data from hackers. That’s according to a report released by auditor Elaine Howle. The audit found 37 executive branch agencies that told the Department of Technology they met security requirements hadn’t done so, and eight won’t finish the necessary tasks until 2020, the report states. Howle’s “high-risk update,” which doesn’t name the agencies, “raised questions about the technology department’s oversight in light of high-profile breaches elsewhere that have exposed confidential records maintained by public agencies,” the report states. [The Recorder]

WW – Other Privacy News


WW – Study: Millennials Dubious About Their Privacy

According to a study by security corporation Intercede, less than 5% of 16- to 35-year-olds in the U.S. and UK trust that their digital identities are adequately protected, with 70% believing that these online risks aren’t going anywhere soon. “Millennials have been digitally spoon-fed since birth, yet a general malaise is brewing among this demographic in terms of how safe their online data really is,” said Lubna Dajani, a digital technologist, adding, “Businesses and governments should urgently review current security protocols or else risk the potential to drive innovation and growth.” [ComputerWeekly]

[US: Why Don’t Huge Privacy Flaws Result In Recalled Smartphones?] [Privacy focused Blackphone 2 Is Now Available For Pre-Booking] [‘Butt-dial’ saves teen’s life in Tennessee]

Electronic Records

WW – EHRs Pose Challenges for Privacy, Accuracy of Records

As healthcare providers switch to electronic health records (EHRs), methods for controlling access and accuracy are needed. The Intercept highlights stories of patients’ mental health records being accessed by individuals the patients did not expect to have access—for example, through an open EHR system in an effort toward increased efficiency or through a company’s health-incentive program. Data-matching is also a challenge: with the growth of EHRs and the push for a secure national health data exchange, there is a need for new methods, “such as new algorithms,” to improve the process. Meanwhile, Intel and the Knight Cancer Institute recently announced the Collaborative Cancer Cloud, which uses data analysis to advance cancer care. [The Intercept]

EU Developments

EU – Coalition Calls on EU to Strike Part of GDPR

A broad industry coalition is lobbying the European Union to strike out part of the General Data Protection Regulation that could force companies to deny requests for personal data from non-member countries. Article 43a of the regulation says companies should not always comply with requests from courts, tribunals and administrative authorities in non-EU countries for the personal data of Europeans—except under law enforcement treaties or relevant agreements between those countries and the EU. The clause could create a quagmire for global companies, according to the Industry Coalition for Data Protection, whose members include Apple, Google and AT&T. It asks that the issues be dealt with in the data protection directive rather than the regulation. [Politico]

UK – Preparing for the GDPR and the Value of Privacy

UK Information Commissioner Christopher Graham discusses the EU General Data Protection Regulation (GDPR). Graham contrasts his office’s enforcement capabilities with those of the U.S. FTC, which he says can impose “eye-watering fines, which has a major effect in protecting privacy,” while “the most I can fine anyone … is half a million pounds. The FTC wouldn’t cross the road for half a million pounds or dollars.” Meanwhile, Krux’s Joe Reid writes for Fourth Source about provisions expected in the forthcoming GDPR and the value of privacy for businesses, noting, “The ability of a business to keep its customer data safe is increasingly becoming a differentiator.” And Computer Weekly reports that “prudent businesses” in the UK “are considering and planning for the new regulation right now.” [Computing]

UK – ICO Wants Links to Stories about RTBF Requests Removed

Since the EU’s embrace of the right to be forgotten, reports citing specific examples of story-removal requests have begun spurring interest in the stories set to be removed. As such, the UK Information Commissioner’s Office has requested Google take down links to those article-removal-request stories as well. The move “could provide an example for other countries, potentially provoking a new wave of takedown requests of stories about takedown requests and a subsequent wave of stories about those new requests,” the report states, adding, “That will also give ammunition to both free speech advocates and privacy activists in their tussle over where to draw the line between privacy and the public’s right to know.” [The Wall Street Journal]

UK – Councils Respond to Breach Report

Local councils are responding to the recent Big Brother Watch report on more than 4,000 data protection breaches by councils in the past three years, with one spokesman stating, “We have a legal, moral and ethical duty to properly take care of personal information. As an organisation which processes hundreds of pieces of data every day, we take that responsibility very seriously.” [Burton Mail] Meanwhile, the Information Commissioner’s Office (ICO) has given Central Bedfordshire Council a “limited assurance” rating following a data protection audit. “The ICO advised that the council take action to better its data sharing practises, records management and training and awareness,” the report states. [Digital by Default News]

EU – DPC: Current Laws Keep Cab CCTV Footage Out of Court

Although the National Transport Authority has put forward proposals for public input to make CCTV mandatory in taxis, in-cab surveillance footage is inadmissible in Irish courts under current law. “Technically,” an Office of the Data Protection Commissioner (ODPC) spokeswoman said, “it’s just another individual. They would be inadmissible in a court, because they had no consent from the other person to record it, so they wouldn’t be able to use it.” The ODPC spokeswoman added, “It wouldn’t be of use unless the regulation changes and they are allowed to have CCTV footage and they become the data controller of the CCTV footage.” [Herald.ie]

EU – DPA Fines Data Seller, Purchaser

The Bavarian Data Protection Authority (DPA) recently fined both a seller and purchaser “for unlawfully transferring customer data as part of an asset deal.” Citing the economic value of customer data, the report notes, “It frequently happens that a company tries to sell these high-value assets to another company as part of an asset deal.” In the Bavarian DPA case, the report states, “transferring customer email addresses requires prior customer consent or, alternatively, customers must be informed of the intent to carry out such a transaction beforehand to give them the opportunity to object.” While exact penalties were not released, the DPA “confirmed they were both five-figure sums and emphasised that the penalties were significant and incontestable.” [JD Supra] The National Law Review reports that the German Chamber of Commerce and Industry has “expressed doubts over the appropriateness” of a governmental draft data retention bill.

UK – Elton John Pursues Privacy Law Case Against French Media

Elton John is taking legal action in France over “unfounded reports” about his and husband David Furnish’s private life. Lawyers for the singer have pledged to take action against three French media outlets after they published rumours about John’s health. A legal rep for John and Furnish said that his clients “have instructed my office to pursue through the justice system the violation of the right to respect for their private life due to the publishing by Closermag.fr, TeleStar.fr and VSD of unfounded rumours about their health”. He added that the two men “will no longer tolerate the violation of their privacy and the exploitation of their renown and their image for commercial ends in France”. [Source]


CN – 15,000 Suspected Cybercriminals Arrested

In an attempt at “cleaning up the Internet,” the Chinese government arrested 15,000 alleged cybercriminals. “The Chinese have gotten increasingly worried that they do not have the right kind of regulations, protections and responses in place,” said the Council on Foreign Relations’ Adam Segal. “There is a real sense that there needed to be some type of regulatory response to potential attacks.” The move is among other recent Chinese gestures in an attempt to drum up a greater privacy presence, including the announcement of “cyberpolice units” installed at major corporations and a data protection draft law. [PYMNTS]

WW – Twitter Implements “Right To Be Forgotten” for Politicians’ Tweets

Twitter blocks accounts that keep tweets deleted by politicians, saying their rights are more important than society’s right to know. One of the most fascinating things about watching the evolution of Twitter as a platform is the tension between its desire to be a tool for free speech around social issues — a kind of engine that empowers citizen journalists — and the pressure to be a business. Is the service really the “free-speech wing of the free-speech party,” as its executives are fond of saying, or is it just another advertising platform whose primary motivation is boosting its share price? The latest incident to highlight this tension is Twitter’s blocking of a number of accounts that preserve the tweets of politicians, as a way of tracking their public statements about social issues. Twitter first blocked the U.S.-based account @Politwoops in June, and now it has blocked a number of other similar accounts in different countries that were run by the Open State Foundation, a non-profit group that promotes transparency through open data. “Twitter’s decision to pull the plug on Politwoops is a reminder of how the Internet isn’t truly a public square. Our shared conversations are increasingly taking place in privately owned and managed walled gardens, which means that the politics that occur in such conversations are subject to private rules.” [fortune.com] See also: [Download a free messaging app that protects your privacy] [Global think tank calls for global digital privacy] [People are freaking out over a feature in Windows 10’s family accounts] [What’s up with ‘dox’? The troubling history of an online scare tactic] [Lessons From a Tragic Kidnapping in Germany]


US – SEC Won’t Penalize Target for Breach

The Securities and Exchange Commission (SEC) has decided not to penalize Target for its 2013 cyber-attack, which resulted in the exposure of millions of customers’ data. The SEC was one of several government entities investigating the company following the breach, the report states. In Target’s quarterly results document, which was filed with the SEC and published online for Target’s investors, the company said the SEC’s investigation had ended and that it “does not intend to recommend an enforcement action against us.” State attorneys general and private litigators continue to investigate, which may result in penalties or settlements, the report states. [StarTribune]

US – Bank Lawyers Displeased With Visa-Target Deal

While Visa and Target announced a deal last week to compensate card issuers with up to $67 million, lawyers for a slew of banks and credit unions seeking class-action status say it’s not enough “for costs incurred in reissuing cards and reimbursing customers for fraudulent charges.” With a deadline to participate in the Visa-Target deal set for September 4, banks and credit unions must decide whether to take that money or to forgo it in favor of the potential class-action, a certification hearing for which is scheduled for just six days later. Plaintiffs’ lawyers “strongly recommend that financial institutions not accept the optional alternative recovery offers.” [National Law Journal]

US – Visa, Target Reach $67M Agreement

Visa says it has reached an agreement with Target to reimburse card issuers up to as much as $67 million for costs related to the retailer’s 2013 data breach. The agreement is more than three times the amount of a prior settlement proposed with MasterCard that did not gain enough support from the financial institutions involved, the report states. In April, the financial institutions challenged the proposed $19 million data breach settlement with MasterCard, filing a motion to void it. Settlement negotiations with Visa were ongoing at that time. “Visa has worked to help Target reach a resolution for the expenses incurred by financial institutions as a result of the 2013 compromise,” a Visa spokesperson said, adding, “This agreement attempts to put this event behind us.” [Reuters]

WW – AM Hackers Speak Out; Class-Action Seeks $578M

The latest Ashley Madison news includes more class-action developments and an interview with the hackers behind the breach. “Will The Impact Team be hacking any other sites in the future? If so, what targets or sort of targets do you have in mind?” “Not just sites. Any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total,” The Impact Team responds in an email. Meanwhile, a class-action suit filed “on behalf of Canadians who subscribed” to the site seeks $578 million, StarTribune reports, and Ars Technica reports a New York-based firm is seeking Ashley Madison users in the U.S. to join a prospective privacy and consumer fraud suit. Meanwhile, a CSO op-ed highlights different strategies for companies to stay safe from “cyber extortion.” [Motherboard]


WW – Sunshine Laws and Privacy vs. Transparency

Legislation requiring businesses “to record their beneficial owners in a public central registry maintained by the government” is a step toward healthy transparency, Alexandra Wrage writes. “Elsewhere in the world, owners of private companies can continue to keep that information hidden from public view,” Wrage notes, adding, “While many argue that this is a fundamental principle of financial privacy, it has also permitted extreme abuses by criminals and kleptocrats.” Wrage adds that “in spite of privacy concerns, many in the business world support the new requirements” and that “sunshine laws make it easier for companies to conduct due diligence on their partners.” [Forbes]


IN – DNA Bill Questioned; Litigation Filed

The Indian Ministry of Science & Technology’s Department of Biotechnology posted its Human DNA Profiling Bill for public feedback through August 20. The report cautions that, among the omissions in the current draft, “the Group of Experts’ privacy recommendations are also still missing.” According to the report, the bill does not include such privacy safeguards as distinguishing when DNA can be collected without consent and providing an explicit guarantee that DNA will not be used for purposes other than those for which it was collected. Meanwhile, The Times of India reports an individual has filed a public interest litigation with the Bombay High Court over Mumbai police’s hotel raids, alleging a right-to-privacy violation. [Wire]

Health / Medical

EU – Dutch Patient Privacy Concerns Persist

A bill being prepared by Dutch Health Minister Edith Schippers is raising concerns. “The government plans to loosen rules on patient privacy by requiring doctors in some cases to work with official agencies probing disability fraud,” the report states, noting the legislation “could clash with the EU’s schedule for implementing regulation to boost patient data protection, which starts to get under way in September.” Meanwhile, IT Pro Portal sums up six tips for moving healthcare services to the cloud in the UK, and the NHS England and the UK government need “to face privacy and security risks head-on” as patients’ privacy concerns “stand in the way of great health research and public service efficiencies.” [Politico]

US – Study: Health Industry Biggest User of Shadow Data

A study from cloud provider Elastica has found the healthcare industry is the biggest culprit for shadow data use. Elastica defines shadow data as “all potentially risky data exposures lurking in sanctioned cloud apps, due to lack of knowledge of the type of data being uploaded and how it is being shared,” the report states. Healthcare companies have many violations “because of the complexity of relationships in the industry, which include physicians, hospitals, clinics, patients, employees, contractors and insurers, among others. Consequently, there are more potential areas of data leakage than in other industries,” the report states, noting Elastica “found millions of files at risk for direct compliance violations, possible intellectual property leaks or generally risky exposures.” [HealthData Management] [Why cloud security is your next big, expensive, headache]

UK – CHIME Contest to Award $1M for NPI Solution

In an effort to move forward with plans for a national patient identifier (NPI), the College of Health Information Management Executives (CHIME) is launching a contest—and offering $1 million for the best NPI proposal. Historically, the idea of an NPI has been controversial, but supporters “say it is crucial to ensuring patient safety and to enabling healthcare organizations to exchange electronic patient data,” the report states. CHIME’s Keith Fraidenburg has emphasized the winning NPI “must protect privacy and security,” the report states, noting, “Whatever CHIME comes up with, privacy defenders are sure to fight back” due to concerns an NPI will make “records more vulnerable to theft and misappropriation.” The contest kicks off this fall, with a winner announced in 2016. [CIO] [US: National patient identifier struggles for life]

Horror Stories

US – Breach Worse Than First Believed

The Internal Revenue Service (IRS) has announced hackers “potentially accessed tax information for a total of 338,000 taxpayers—triple the amount feared when the breach was first disclosed in May.” Originally, the IRS believed the hack had exposed information on 114,000 taxpayers, the report states. “As part of the IRS’s continued efforts to protect taxpayer data, the IRS conducted a deeper analysis over a wider time period covering the 2015 filing season, analyzing more than 23 million uses of the Get Transcript system,” the IRS said in a statement, noting it is “moving aggressively to protect taxpayers whose account information may have been accessed.” [NBC News]

US – Breach of IRS Site Indicates Troubling Lack of Security

The IRS 2015 breach, in which hackers utilized weak elements of the agency’s website to steal nearly 334,000 personal records, was easy to carry out given previous breaches and sub-par IRS cybersecurity measures. “Just knowing a person’s address, which you can get from one of these more traditional breaches, you can discover a lot about a person,” said the University of Michigan’s Kevin Fu. This easy access to information, coupled with weak internal programs, some of which “have been running for 50 years,” according to IRS commissioner John Koskinen, makes it a “difficult challenge competing with organized criminals who have resources.” [Quartz]

WW – Hackers Finally Post Stolen Ashley Madison Data

Hackers who stole sensitive customer information from the cheating site AshleyMadison.com appear to have made good on their threat to post the data online. A data dump, 9.7 gigabytes in size, was posted to the dark web using an Onion address accessible only through the Tor browser. The files appear to include account details and log-ins for some 32 million users of the social networking site, touted as the premier site for married individuals seeking partners for affairs. Seven years’ worth of credit card and other payment transaction details, going back to 2007, are also part of the dump. The data, which amounts to millions of payment transactions, includes names, street addresses, email addresses and amounts paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a transaction ID unique to each charge. AshleyMadison.com claimed to have nearly 40 million users at the time of the breach about a month ago, all apparently in the market for clandestine hookups. [Wired Magazine] [The AshleyMadison Leak and Why We Shouldn’t Buy Into It] [Ashley Madison hack includes hundreds of gov’t email addresses] [Ottawa man files lawsuit against Ashley Madison citing privacy breach] [Cyber-Posse Aims to Round Up Ashley Madison Hackers] [How one woman discovered she had an Ashley Madison account]

JP – JPS Needs Cybersecurity Updates Post-Hack

The Japan Pension Service’s (JPS) handling of a May targeted attack that affected 1.25 million records illustrates a “sloppy information management (that) must be corrected urgently.” “A sweeping organizational reform is called for, in addition to the bolstering of information management systems,” the report continues, noting a similar attack occurred in April. The report calls for efforts “to ensure that a recurrence of similar incidents is robustly prevented” and to restore confidence in the JPS. Cybersecurity reform is especially important, the report states, as cyber-attacks “are becoming more ingenious and shrewd.” [The Japan Times]

WW – Ashley Madison Leak Fallout Continues

Reaction to the massive leak of personal information from Ashley Madison continues, Kashmir Hill writes. Several websites have emerged that allow users to sift through the data, including a site in which a user can plug in an email address to see if it is affiliated with Ashley Madison. In the first 24 hours, https://ashley.cynic.al/ received more than 300,000 visits with more than one million searches. Hill writes, “The ease of checking the Ashley Madison database for a match raises a much tougher ethical question: Even if you can check to see who was using Ashley Madison, should you?” Business Insider shares an interview it conducted with the CEO of Avid Life Media, the parent company of Ashley Madison, before the hack. Meanwhile, New Zealand Privacy Commissioner John Edwards has said that “not a lot” can be done to remove the information that was stolen from AM, Stuff.co.nz reports. [Fusion]

WW – Ashley Madison Suit Filed

Amidst hackers’ exposure of more information from infidelity site Ashley Madison, Toronto lawyers have filed a class-action notice in Superior Court. The “Impact Team, the ‘hacktivist’ group who released 10 gigabytes of customer data earlier this week, dropped another 20 gigabytes of data, including emails from the inbox of the company’s CEO,” the report states. “It seems massive in some respects, but for us, it’s a classic privacy breach case,” said Ted Charney, one of the attorneys working on the suit. The corporations that run Ashley Madison are listed in the suit, but the hackers are not, the report states. [Toronto Sun]

WW – The Ashley Madison Class-Actions Begin

Amidst the exposure of more information from infidelity site Ashley Madison, class-action suits now follow in the U.S. and Canada. The Canadian suit names the corporations that run Ashley Madison but not the hackers, while an Oklahoma firm “appears to be seeking out plaintiffs.” Lawsuits filed over the hack will be challenging, the report notes: “Those who take legal action will likely out themselves as one of the notorious website’s purported 39 million members. And just like with any ordinary data breach, they would have to prove they were harmed in some way in order to collect damages.” Meanwhile, Glenn Greenwald likens reactions to the Ashley Madison hack to Hawthorne’s The Scarlet Letter. [NBC News]

WW – Avid Life Media Offering $500K for Ashley Madison Hackers

Information regarding the specific identities behind the Ashley Madison hack is worth $500,000, Toronto police said on behalf of Avid Life Media, the organization that runs the hacked site. The announcement comes on the heels of two alleged suicides of Ashley Madison leak victims. “This hack is one of the largest data breaches in the world,” said the Toronto police’s Bryce Evans. “The social impact behind this leak, we’re talking about families; we’re talking about children … It’s going to have impacts on their lives.” He said he hopes those “who no doubt have information that could assist this investigation … do the right thing.” Meanwhile, the Office of the Australian Information Commissioner has opened an investigation into the breach. [TechCrunch]

WW – Breach Affects 93,000 Web.com Users

93,000 Web.com users’ credit card information was compromised in a breach discovered on August 13. The company discovered the breach during routine security checks. Web.com has set up an FAQ page for its customers addressing issues including why it took the company five days to notify users of the breach and what its users should do now. “You should keep a close eye for any suspicious or unusual activity on any credit/debit cards that you may have used with Web.com,” the FAQ states, adding customers should also monitor their credit reports. The company is also offering a year of free credit monitoring, the report states. [Naked Security] [UK: Data breach by holiday firm Thomson exposes hundreds of passengers]

US – DoE Publishes Draft Medical Records Guide

The Department of Education (DoE) has published draft guidance for colleges to best navigate the use of student medical records while respecting privacy. The guidance was catalyzed by the recent University of Oregon suit in which the plaintiff argued the school violated her privacy by accessing her mental health records for use in a rape case. “We want to set the expectation that, with respect to litigation between institutions of higher education and students, institutions generally should not share student medical records with school attorneys or courts, without a court order or written consent,” said DoE CPO Kathleen Styles. The guidance is open for comments until October 2. [Inside Higher Ed]

Identity Issues

IN – UID Concerns Persist

“If I had a rupee for every time someone tried the ‘If you have nothing to hide, you have nothing to fear’ argument on me, I could have funded a privacy think tank devoted to debunking it,” Malavika Jayaram writes. Jayaram discusses the plan for a universal identifier, or Aadhaar cards, contending that with Aadhaar, “Privacy is breached at several levels,” including when data is collected, when it is stored and when it is used. “All of this is compounded by the lack of a statutory frame for the Unique Identification Authority of India and/or a dedicated privacy law,” Jayaram writes, noting that while the attorney general has stated “there is no privacy violation if the data is not shared, this fails to acknowledge the very complex network of transactions and uses that the scheme is predicated on.” [Scroll]

US – Cross: Real-Name Policy Doesn’t Curb Harassment

Sociologist Katherine Cross argues that real-name policies implemented by several social networks and online communities will not stop cyber harassment. “The anti-anonymity lobby is being led by very large companies that have built both a business model and an ideology around forcing us to have a specific set of identities we bring to the Internet,” Cross said. “It’s being dressed up as a solution to abuse, but it is not … anonymity does not cause harassment—it does play a role, but it is much more complicated than most people make it out to be.” Cross added, “If we continue down this path of blaming anonymity, we will never tackle the causes of online harassment.” [Wired]

US – Woman Pleads Guilty to $7.5 Million Identity-Theft Scheme

A Phenix City woman pleaded guilty in Montgomery to conspiracy and aggravated identity theft involving a $7.5 million identity-theft refund fraud. Talashia Hinton pleaded guilty in U.S. District Court to using information stolen from databases maintained by the state of Alabama to file false tax returns and steal millions from the government. The indictment contends that Hinton worked with co-conspirators to file more than 3,000 false tax returns for 2012 and 2013, claiming more than $7.5 million in federal income tax refunds from the Internal Revenue Service. [The Montgomery Advertiser] [Internet company Web.com hit by credit card breach]

Internet / WWW

UN – Privacy Chief Calls for Internet Geneva Convention

Joseph Cannataci, the UN’s first special rapporteur on the right to privacy, believes “the world needs a Geneva convention style law for the Internet to safeguard data and combat the threat of massive clandestine digital surveillance,” The Guardian reports. Describing the current state of the world as worse than George Orwell’s 1984, he notes, “Orwell foresaw a technology that was controlling. In our case we are looking at a technology that is ever-developing, and ever-developing possibly more sinister capabilities.” Meanwhile, InfoSecurity reports the UN Diplomatic Council (DC) is criticizing Internet providers’ failure to protect customers’ digital information. “There is an urgent need to bring about a harmonization via the UN, which guarantees the people all over the world a digital privacy,” said the DC’s Dorian Hartmuth. [The Guardian]

Law Enforcement

US – License Plate Reader Controversy at Forefront After Wednesday’s Killings

After Virginia State Police used an automatic license-plate reader (ALPR) to spot Vester Lee Flanagan fleeing the scene after shooting to death two journalists, the debate over ALPRs has come to the forefront. While organizations like the Electronic Frontier Foundation (EFF) and the ACLU have spoken out against the devices for the privacy implications for ordinary citizens, police departments say they’re a critical tool in controlling crime. Jennifer Lynch, senior staff attorney at the EFF said while ALPRs may be useful “in an extreme scenario like this one, that shouldn’t mean the police can indiscriminately keep data for an extended period of time on all other cars in the area.” [SC Magazine]

US – San Jose Looks at Using Garbage Haulers to Catch Car Thieves

San Jose Mayor Sam Liccardo and Councilmen Johnny Khamis and Raul Peralez have proposed that the city consider strapping license plate readers to the front of garbage trucks, allowing them to record the plates of every car along their routes. The data would be fed directly to the Police Department from the privately operated trash trucks, prompting an officer to respond to stolen vehicles or cars involved with serious crime. “We can cover every street at least once a week and possibly deter thieves from coming into our city,” Khamis said. A committee chaired by Liccardo that sets the council’s agenda voted to continue exploring the idea. Khamis said the action is only the first step in a long process. The proposal calls for city officials to explore the “feasibility, legality and civil liberties implications” of garbage-truck mounted license plate readers. Questions the council members asked the city to consider include the process of transferring license data from the private garbage trucks to the police, whether they would be subjected to the same or different policies governing police car license readers, and whether other cities have taken similar measures and how they worked. “We’ll look at privacy concerns and talk to ACLU before we do anything,” Khamis said. [San Jose Mercury News] [Beaconsfield garbage truck cameras an invasion of privacy, residents say] [US: Privacy Questioned as Firefighters Embrace Helmet Cameras]

CA – Ontario Police Records Check Changes on the Docket

When the Ontario Legislature resumes its sitting in September, it will be looking at the Police Record Checks Reform Act 2015, which would limit the types of information disclosed in response to records check requests and bring greater uniformity to records checks. Timothy Banks examines “what a police records check will include and what it won’t when you request a police records check on a current or prospective employee or volunteer.” The bill has broad support and “is a direct response to concerns about the practice of releasing non-conviction information and mental health information as part of criminal record checks,” reports Banks. [Privacy Tracker]

US – Police Data Now Has Six-Month Shelf Life

In California, the Oakland Police Department has announced that it will now store license-plate reader data for six months, a new policy catalyzed by its server system consistently crashing due to the large amounts of information it was required to retain. “Looking back at a year doesn’t help you solve a case,” said Oakland Sgt. Dave Burke. “There is no plan to store the data beyond six months. The investigators are not looking for data beyond six months. It does us no good to have these datasets if we do not mine them for intelligence.” [Ars Technica]

US – City Attorney: MeetMe Creators Going Beyond Settlement

MeetMe, Inc., has agreed to a $200,000 settlement with the City of San Francisco following a lawsuit regarding its privacy policy and how its popular MeetMe mobile app potentially endangers minors who utilize the program. “Company officials thoughtfully and responsibly considered the violations we alleged under California law, and ultimately aspired to remedies even beyond those we sought,” said San Francisco City Attorney Dennis Herrera. The company pledged to “simplify its privacy terms by drafting a new policy written at a ninth-grade reading level, displaying all privacy settings on one screen and providing regular ‘privacy check-ups’ to apprise users of their settings and explain how to modify their choices,” the report states. [The Recorder]

US – First State Legalizes Taser Drones for Cops

It is now legal for law enforcement in North Dakota to fly drones armed with everything from Tasers to tear gas thanks to a last-minute push by a pro-police lobbyist. With all the concern over the militarization of police in the past year, no one noticed that the state became the first in the union to allow police to equip drones with “less than lethal” weapons. House Bill 1328 wasn’t drafted that way. The bill’s stated intent was to require police to obtain a search warrant from a judge in order to use a drone to search for criminal evidence. In fact, the original draft of Rep. Rick Becker’s bill would have banned all weapons on police drones. Then Bruce Burkett of North Dakota Peace Officer’s Association was allowed by the state house committee to amend HB 1328 and limit the prohibition only to lethal weapons. “Less than lethal” weapons like rubber bullets, pepper spray, tear gas, sound cannons, and Tasers are therefore permitted on police drones. Becker, the bill’s Republican sponsor, said he had to live with it. [The Daily Beast] [Will we pick privacy over drone-drops from Amazon? ]


NZ – Immigration NZ in Breach of Privacy Act

Immigration New Zealand has been found to have breached an immigrant’s privacy by refusing to correct his date of birth. The man from Ethiopia had no record of his birth, and arrived in New Zealand with incorrect information on his travel documents. Two years later he underwent a bone density scan and dental examination to clarify his age, which indicated he was possibly as old as 18 at the time. The man asked Immigration New Zealand to change his year of birth to 1996, but it refused and added a note to his file instead. Privacy Commissioner John Edwards has referred the case to the Director of Human Rights Proceedings. He said the incorrect date restricted the man from accessing a number of entitlements, including a driver’s licence and the adult minimum wage. But a spokesperson from Immigration said if the man’s passport showed his birth year as early 2000, the document itself needed to be altered or replaced, and there were important identity issues at stake. [radionz.co.nz]

Online Privacy

RU – Complaints Filed Over Windows 10

The Prosecutor General’s Office received another round of complaints regarding Windows 10, this time from Moscow law firm Bubnov and Partners, alleging the system reaps user data without consent, a potential breach of Russian privacy statutes. “The new operating system offers users the choice of how they want it to handle their data, and users can change the settings at any point,” Microsoft said in response. The Russian Association for Electronic Communications corroborated the company’s claim in a statement, including information for concerned customers on how to change their settings. [The Moscow Times] See also [NZ Privacy Commissioner watching Microsoft on Windows 10]

WW – Study Finds Zombie Cookie Use to Be an Undead Practice

In a recent study, consumer advocacy organization Access discovered via its site AmiBeingTracked.com that, after the practice was thought to have died down, 15% of wireless users are still falling prey to “zombie cookies”: tracking headers injected into web requests that permit carriers like Verizon and AT&T “to ignore a user’s privacy preferences on the browser level and track all online behavior,” Wireless reports. “Using tracking headers also raises concerns related to data retention,” the study states. “When ‘honey pots’ of sensitive information, such as data on browsing, location and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike.” [Full Story]
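The tracking-header mechanism the study describes can be checked from the server side: a carrier proxy appends an identifier header to every plaintext HTTP request leaving the phone, so a test page that reflects the headers it actually received will show a header the browser never sent, and the same value keeps showing up after cookies are cleared or the browser is changed. The following is an added example of that check, not code from Access, AmIBeingTracked.com or any carrier. The header names are assumptions for illustration (X-UIDH is the name Verizon used; X-Acme-Sub-Id is hypothetical), the baseline set of “normal” browser headers is an assumption, and every request shown is constructed.

```python
"""Detect carrier-injected HTTP tracking headers ("zombie cookies").

Added example; not code from the Access study or AmIBeingTracked.com.
Header names are assumptions for illustration (X-UIDH is the Verizon
header name; X-Acme-Sub-Id is hypothetical), and all requests below are
constructed.
"""

# Headers a browser normally originates itself (assumed baseline).
BROWSER_STANDARD = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "referer", "cookie", "dnt", "origin", "cache-control",
    "pragma", "upgrade-insecure-requests", "x-requested-with",
    "content-type", "content-length",
}

# Identifier headers known or suspected to be injected by carrier proxies
# (assumption; only X-UIDH is a name documented in the wild).
KNOWN_TRACKING = {"x-uidh", "x-acr", "x-up-subno", "x-msisdn"}


def _normalize(headers):
    """Lower-case header names so comparisons are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def looks_like_token(value):
    """Heuristic: an opaque identifier is long, has no spaces and is
    made only of base64/hex-style characters."""
    v = value.strip()
    return len(v) >= 16 and " " not in v and all(
        c.isalnum() or c in "-_=+/" for c in v)


def find_tracking_headers(headers):
    """Classify one request's headers.

    Returns (known, suspicious): names in KNOWN_TRACKING, and names the
    browser would not normally send whose values look like opaque tokens.
    """
    known, suspicious = [], []
    for name, value in _normalize(headers).items():
        if name in KNOWN_TRACKING:
            known.append(name)
        elif name not in BROWSER_STANDARD and looks_like_token(value):
            suspicious.append(name)
    return sorted(known), sorted(suspicious)


def persistent_across_requests(requests):
    """The 'zombie' property: a header whose value is identical across
    requests made after the user cleared cookies or switched browsers.

    Returns the non-standard header names whose value never changed.
    """
    if not requests:
        return []
    normalized = [_normalize(r) for r in requests]
    common = set.intersection(*(set(r) for r in normalized))
    persistent = [
        name for name in common
        if name not in BROWSER_STANDARD
        and len({r[name] for r in normalized}) == 1
    ]
    return sorted(persistent)


# Constructed sample: three requests from one phone, different browsers
# and cookie state, all carrying the same injected identifier.
SAMPLE_REQUESTS = [
    {"Host": "example.test", "User-Agent": "Mozilla/5.0 (Android) Chrome/44",
     "Accept": "text/html", "Cookie": "session=first",
     "X-UIDH": "CONSTRUCTED-OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp"},
    {"Host": "example.test", "User-Agent": "Mozilla/5.0 (Android) Firefox/40",
     "Accept": "text/html", "Cookie": "session=second",
     "X-UIDH": "CONSTRUCTED-OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp"},
    {"Host": "example.test", "User-Agent": "curl/7.43.0", "Accept": "*/*",
     "X-UIDH": "CONSTRUCTED-OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp"},
]

# Constructed sample: a hypothetical carrier using an undocumented name.
HYPOTHETICAL_CARRIER_REQUEST = {
    "Host": "example.test", "User-Agent": "Mozilla/5.0 (Android) Chrome/44",
    "Accept": "text/html", "X-Acme-Sub-Id": "a1b2c3d4e5f60718",
}


if __name__ == "__main__":
    print(find_tracking_headers(SAMPLE_REQUESTS[0]))
    print(find_tracking_headers(HYPOTHETICAL_CARRIER_REQUEST))
    print(persistent_across_requests(SAMPLE_REQUESTS))
```

Two caveats for anyone running such a check on a real site. The carrier can only add headers to requests it can read, so the test endpoint has to be served over plain http://; a page fetched over HTTPS will never show the header, which is also why HTTPS is the user-side defence against this kind of tracking. And the single-request heuristic will flag any opaque non-standard header, including ones added by a CDN or reverse proxy in front of the server, so the persistence check across cleared-cookie requests is the stronger signal.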

US – WPF Launches Campaign to Opt Kids Out of Data-Sharing

The World Privacy Forum (WPF) has launched an #OptOutKids campaign that encourages parents and students to opt out of allowing schools to share their data. “Most parents are unaware that schools can compromise their children’s privacy and possibly their safety by sharing private information like their child’s phone number, home address, date of birth, GPA, email and photos with anyone without consent,” WPF states in its announcement. Most schools, however, have a brief window for opt outs, according to WPF Executive Director Pam Dixon, and the beginning of the school year is the time. Parents should opt their children out, Dixon said, because schools sending detailed data on children to unknown third parties can be “a risk for identity theft and worse.” [Full Story]

WW – Twitter Decides Politicians’ Tweets Need Forgetting

Mathew Ingram writes about Twitter’s decision to block users like @Politwoops, which used Twitter’s API to document and track Twitter statements of politicians, archiving them even after they’d been deleted. Twitter’s position is that politicians are just like any other users, and it would be chilling for users to think they could never erase a statement made on Twitter. However, argues Ingram, “there’s a clear social value in having tweets about important political topics preserved, in the same way that there’s a social value in recording off-the-cuff remarks made by politicians at meet-and-greet events.” Does this decision, along with the UK Information Commissioner’s Office position that links to stories about RTBF removals must themselves be removed, indicate a chilling of free speech? [FORTUNE]

UK – ICO Wants Links to Stories About RTBF Requests Removed

Since the EU’s embrace of the right to be forgotten, reports citing specific examples of story-removal requests have begun spurring interest in the stories set to be removed. As such, the UK Information Commissioner’s Office has requested Google take down links to those article-removal-request stories as well. The move “could provide an example for other countries, potentially provoking a new wave of takedown requests of stories about takedown requests and a subsequent wave of stories about those new requests,” the report states, adding, “That will also give ammunition to both free speech advocates and privacy activists in their tussle over where to draw the line between privacy and the public’s right to know.” [The Wall Street Journal]

WW – Torrent Sites Block Windows 10; Apple Criticized

Since Windows 10 launched, there’s been no shortage of privacy concerns voiced. Now, torrent sites are beginning to put measures in place to block Windows 10 users from accessing them. “The concern is spreading like a virus,” the report states, noting the concerns are largely the result of paranoia. The Australian tested Windows 10’s new facial recognition feature and found the software “able to maintain privacy even when dealing with identical twins.” Meanwhile, Theo Priestley criticizes Apple’s use of data, saying the company is “still very much self-serving for the sake of looking consumer friendly.” [BetaNews] [TORRENT TRACKERS BAN WINDOWS 10 OVER PRIVACY CONCERNS] [Apple Privacy May Not Be As Private As You Think]

WW – Spotify Clarifies Privacy Policy

Spotify unveiled a new privacy policy that proved to be controversial. The new policy explained how Spotify plans to use personal information to enhance its features and would do so by collecting information about users’ location, contacts and photos, among other data. The changes prompted Norway’s data protection authority to criticize the company, and Minecraft creator Markus Persson to say he’d cancel his subscription. But the day after unveiling the new policy, Spotify CEO Daniel Ek clarified that Spotify would seek express permission from users before accessing any of the data and would only use it for the specific purposes for which it was collected, Wired reports. Some say the incident illustrates the dangers of poor messaging, not poor policies. [Full Story] [Location, Sensors, Voice, Photos?! Spotify Just Got Real Creepy With The Data It Collects On You] [Spotify’s chief executive apologises after user backlash over new privacy policy]

WW – Is the Media Overreacting to Spotify’s New Privacy Policy?

Media reports emerged calling Spotify’s new privacy policy creepy and an “eerie“ agreement “you can’t do squat about,” but Tom Warren points out such analysis is an overreaction and spreads “FUD”—fear, uncertainty and doubt. Critics have pointed out that Spotify wants to collect photos, contacts or media files from mobile devices, but Warren notes that those critics are failing to point out that the privacy policy states, “[w]ith your permission” first. “Instead of spreading FUD … a reasonable debate around smarter and more transparent terms of use or even why all these apps constantly need this data would be a way to hold Spotify and many other companies to account.” [The Verge]

WW – Facebook Privacy Policies Progressively Problematic?

A study by two Harvard students indicates Facebook’s privacy policies have shown a “stark” and steady decline since a major 2009 privacy overhaul. Jennifer Shore’s and Jill Steinman’s research indicates that Facebook “doesn’t seem especially responsive to pressure either from advocacy groups or regulators,” the column continues, noting their findings indicate the company’s “standards for privacy drop in 22 of the 33 areas that they study.” Meanwhile, the Harvard student who lost his Facebook internship after developing a “Marauder’s Map” function using site data tells GeekWire he’s “happy with the way things turned out.” [Washington Post] [Facebook’s Threat Intelligence Sharing Potential: Data management, scale, and algorithmic strengths may give Facebook an advantage in threat intelligence sharing]

Other Jurisdictions

AU – Pilgrim Reappointed as Privacy Commissioner

Privacy Commissioner Timothy Pilgrim has been reappointed for another year, with his next term to begin in October. Australian Attorney-General George Brandis, who reappointed Pilgrim, praised his “good working relationship” with businesses as well as government agencies and consumer groups and his work “building awareness of privacy rights and obligations.” Pilgrim has served as privacy commissioner for five years, working in that capacity from July 2010 until July of this year, and then adding “the three-month role of acting information commissioner to his portfolio last month,” the report states, noting Pilgrim also served previously as deputy privacy commissioner from 1998 until 2010. [ZDNet]

IN – Prime Minister to Promote Digital India Campaign This Week

Prime Minister Narendra Modi will this week visit Silicon Valley to promote his “Digital India” campaign. But privacy advocates are speaking up ahead of Modi’s arrival. Approximately 137 academics, the majority being of Indian-origin, signed a statement saying Digital India seems to ignore how data is treated and how it might fuel repressive surveillance programs. “We are concerned that the project’s potential for increased transparency in bureaucratic dealings with people is threatened by its lack of safeguards about privacy information, and thus its potential for abuse,” the statement reads. [The Economic Times]

WW – Other Privacy News

Privacy (US)

US – FTC Settles With 13 Companies for False Safe Harbor Claims

The U.S. FTC announced it has settled with 13 companies on charges “they misled consumers by claiming they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor frameworks when their certifications lapsed or the companies had never applied for membership in the program at all.” The companies include a data broker, IT forensics firm, medical waste solution provider—even Dale Jarrett Racing Adventure. Under the settlement, the companies are “prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or other self-regulatory or standard-setting organization.” Meanwhile, the FTC awarded a $25,000 cash prize to the makers of RoboKiller, a mobile app that “blocks and forwards robocalls to a crowd-sourced honeypot.” Other prizes were awarded as well as part of the National Day of Civic Hacking in June. [Full Story]

US – FTC Announces “Start with Security” Agenda

The FTC has unveiled the agenda for its “Start with Security” conference on September 9 in San Francisco, CA. “Aimed at start-ups and developers,” the FTC press release explains, “this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development and vulnerability response.” Cosponsored by the University of California Hastings College of the Law, conference panelists include a wide array of chief information security officers, engineers, chief technology officers and product managers from several organizations, including Google, Yahoo, Mozilla, Pinterest, Twitter, SANS Institute, OWASP Mobile Top Ten, Fastly, Dropbox, Duo Security, HackerOne, Contrast Security and Signal Sciences. [Full Story]

US – FTC Announces New Event, PrivacyCon

In order to best ensure solid consumer privacy policy while concurrently encouraging technological innovation, the FTC needs greater input from technologists, FTC Chairwoman Edith Ramirez said in announcing a new event for this January. “We hear frequently from industry groups, consumer advocates and government colleagues about policy issues,” Ramirez says. “We also hear from technologists, but not as much as we’d like; we need more of them to weigh in on these important issues.” An easy way to do that, she explains, is contributing technological and privacy-related research to the FTC’s first-ever PrivacyCon, “which aims to bring together leading privacy and security researchers with policymakers to present and discuss their latest findings” in Washington, D.C. [Ars Technica]

US – Suits Filed Against IRS, MIE

Two Texas women filed lawsuits last week in Washington, DC, complaining the “U.S. government cannot be relied upon to keep the personal data of its citizens safe.” The suits follow the Internal Revenue Service’s (IRS) data breach in which hackers gained access to PII belonging to at least 330,000 people. California firm McCuneWright also filed a class-action complaint Thursday against the IRS. Meanwhile, Medical Informatics Engineering faces an additional three federal lawsuits over its recent breach, bringing the grand total to six, The Journal Gazette reports. [Bloomberg]

US – Delaware Reader Privacy Law Takes Effect January 1

On January 1, 2016, a new law will go into effect in Delaware that requires all book service providers with online sales exceeding two percent of their gross sales to protect the privacy of customer information. The Delaware Online Privacy and Protection Act will not affect most independent booksellers because it applies only to companies that sell a lot of books online, the report states. And unlike reader privacy laws in California and New Jersey, it does not affect brick-and-mortar stores. The Delaware law does not impose penalties but does allow that a company could be the target of a civil suit for breach of privacy. [American Booksellers Association]

US – Corporation Commission to Investigate Data-Sharing Complaint

The Kansas Corporation Commission (KCC) plans to investigate a complaint alleging Westar Energy violated customers’ privacy. Westar partnered with Home Serve USA in October to give customers the option to buy coverage for electric infrastructure around their homes not covered by the utility. But one Emporia resident filed a complaint with the KCC alleging Westar violated its privacy policy by giving her information to Home Serve, claiming she’s received junk mail from Home Serve. Gina Penzig, spokeswoman for Westar, said the utility’s privacy policy allows it to share customers’ contact information with “well-vetted partners” like Home Serve. [The Hutchinson News]

US – Ex-Prez Bush, Cheney Sued for Email, Phone Spying During Olympics

Ex-US president George W Bush, former Vice President Dick Cheney, and senior law enforcement officials have been named in a class-action lawsuit for authorizing blanket phone, email, and text message surveillance of Utah citizens during the 2002 Winter Olympics. In 2013 the Wall Street Journal reported that the FBI and NSA had done a deal with telco Qwest Communications for blanket surveillance coverage for Salt Lake City during the Winter Olympics. Then-mayor Ross “Rocky” Anderson has now taken up the case and has filed the class action suit. “This is the first time anyone knows of that a surveillance cone has been placed over a specific geographical area in the United States,” he said. “What was so alarming was that they were reading the contents of the text messages and emails.” Anderson served two consecutive terms as mayor between 2000 and 2008. There are currently six plaintiffs, including Utah State Senator Howard Stephenson (R-Draper), former Salt Lake City Council member Deeda Seed, and local historian Will Bagley. In addition to the presidential duo, the suit names former NSA Director Michael Hayden and Cheney’s attorney David Addington, who authorized the surveillance. [The Register]

US – Comcast Names Web Subscriber Whose Account Was Used to Insinuate a Politician Molested Children

Comcast Cable Communications has given a northern Illinois politician the identity of an Internet service subscriber whose account was used to post an anonymous comment online suggesting the politician molests children. That customer is being named as defendant in a lawsuit in the case, which arises from comments made online anonymously. Illinois courts have ruled an account holder’s privacy isn’t protected in such matters. Comcast turned over the name of the subscriber on Aug. 14, attorney Andrew Smith said, almost two months after the Illinois Supreme Court upheld lower court rulings that Internet service providers have no obligation to withhold the identity of a commenter if their comments could be considered defamatory. The U.S. Supreme Court declined to take up the case, which has played out in an environment of increasing concern about potentially damaging online comments made by anonymous Internet users. Experts generally agree that Internet commenters should know their identity won’t be protected if their comments cross the line into defamation. [Associated Press]

US – OPM Sued Again … This Time by a Judge

The U. S. Office of Personnel Management has been hit with yet another lawsuit related to its alleged cybersecurity and privacy failings, and the role they played in the massive breach that exposed background-check information that the agency was storing for 21.5 million people. But unlike the three other lawsuits already filed against OPM, this one differs in part because the plaintiff is a judge. Teresa J. McGarry, who works as an administrative law judge for the Social Security Administration, filed her lawsuit earlier this month against OPM, the U.S. Department of Homeland Security, as well as KeyPoint Government Solutions, which is the largest provider of background-check services for the U.S. government. McGarry’s lawsuit, which seeks class-action status, alleges that OPM failed in its duty to maintain and safeguard the data that was in its care – including background-check forms containing extensive personal information from applicants, as well as copies of applicants’ fingerprints – thus violating U.S. privacy laws, as well as government cybersecurity regulations. The suit seeks in part to make both OPM and KeyPoint take “reasonable steps” to implement and maintain a program to protect people’s personally identifiable information. It also seeks unspecified damages.

Einstein Called Out: The lawsuit also takes aim at DHS and, in particular, its administration of the so-called Einstein intrusion detection system (see Senate Committee Passes Bill Requiring Einstein Use). “The system was created to detect and prevent intruders from compromising the cybersecurity of federal governmental databases, including those housed at OPM and other governmental agencies,” the lawsuit says. “DHS failed as Einstein did not prevent intruders from breaching the OPM network and extracting sensitive files pertaining to millions of current, former and prospective federal employees and contractors.”

Four Lawsuits – And Counting: So far, the OPM breach has resulted in lawsuits being filed against the agency by two unions – the American Federation of Government Employees and the National Treasury Employees Union – on behalf of their members, as well as a $5 million lawsuit filed by breach victim Marcy C. Woo. She worked for the federal government for 28 years, and her suit alleges that top officials at the OPM knew about cybersecurity deficiencies, but failed to fix them. Woo’s lawsuit names OPM, as well as former director Archuleta, CIO Donna Seymour and KeyPoint. [Government Information Security]

US – FERPA Updates: It’s a No From the Internet Association

The Internet Association takes umbrage with proposed revisions to the Family Education Rights and Privacy Act (FERPA) via the Student Privacy Protections Act, arguing that the requirements are “too broad.” “As currently drafted, the data security and privacy provisions of the bill impose vague security requirements, including notice requirements triggered by a ‘breach of the security practices,’ which theoretically could include common employee errors such as failing to properly sign in a visitor or failing to log out of a computer when going to get coffee for five minutes,” the organization said in a letter to the House Education and Workforce Committee. [The Hill]

US – Jeb Bush: Revisit USA PATRIOT Act Changes

Republican presidential candidate Jeb Bush said he found “no evidence” that USA PATRIOT Act surveillance measures were detrimental to American civil liberties, arguing that revisions to the act need to be reconsidered. “There’s a place to find common ground between personal civil liberties and NSA doing its job,” Bush said. “I think the balance has actually gone the wrong way.” He also called for greater corporate/government cooperation while taking aim at encryption efforts. “It makes it harder for the American government to do its job while protecting civil liberties to make sure evildoers aren’t in our midst,” he said. “Market share … should not be the be-all-end-all,” he added, advocating for “a new arrangement with Silicon Valley in this regard.” [Associated Press]

US – Court: MSU Required to Share Info

A Michigan Court of Appeals has ruled that Michigan State University (MSU) is legally obligated to disclose all personal details in public incident reports about its student athletes. After filing a September 2014 document request for an investigative piece, ESPN found that MSU “removed the names and identifying information about suspects, victims and witnesses,” the report states. ESPN successfully sued the school in February for the release of pertinent information, but MSU brought the matter back to court in an attempt to change the ruling. “The disclosure of the names of the student-athletes who were identified as suspects in the reports serves the public understanding of the operation of the university’s police department,” the Court of Appeals said. “The disclosure of the names is necessary to this purpose.” [ESPN]

US – Privacy News Roundup

US – Court Rules in Favor of NSA

Much to the chagrin of privacy advocates, the U.S. Court of Appeals for the District of Columbia Circuit ruled that the National Security Agency’s (NSA) collection of metadata under the USA Freedom Act could continue until the bill’s expiration in November, due to a “lack of sufficient grounds for the preliminary injunction.” Meanwhile, Andy Greenberg argues that suing the NSA is tricky because “someone has to prove that their privacy rights were infringed. And that proof is almost always a secret.” Regardless, plaintiff Larry Klayman plans on taking an appeal to the Supreme Court. “We are confident of prevailing,” he said. [Reuters] [Privacy Is a Human Right: Data Retention Violates That Right]

US – NSF, Intel Partnership Extends $6 Million in Research Grants

The National Science Foundation (NSF) and Intel have partnered to offer two new grants totaling $6 million for researchers aiming to find privacy and security solutions in the cyber-physical systems (CPS) underlying the Internet of Things. An NSF press release notes that a “key emphasis of these grants is to refine an understanding of the broader socioeconomic factors that influence CPS security and privacy.” Jim Kurose, who heads up the NSF’s Computer and Information Science and Engineering, said, “Rigorous interdisciplinary research, such as the projects announced today … can help to better understand and mitigate threats to our critical cyber-physical systems and secure the nation’s economy, public safety and overall well-being.” Intel’s Christopher Ramming said the company is “enthusiastic about this new model of partnership.” [Full Story]

Privacy Enhancing Technologies (PETs)

WW – Blackphone 2 Coming in September

Silent Circle’s privacy-focused Blackphone has a new iteration: Blackphone 2. “Thanks to the encryption and special software, all calls and texts made with the phone are secure from all the inquisitive eyes,” the report states. The phone employs Silent OS and Spaces, a program that permits “users and companies to create isolated operating system accounts that don’t interact with each other and therefore, remain more secure,” the report continues. Currently available for preorder, the device will be widely released in September. [TechWorm]

WW – Has the Time Come for Personal APIs?

Chris Middleton writes about a future where “a search company has used all of the personal data that’s spread across the Internet about me to patent the concept ‘Chris Middleton,’ and, as a result, I am now a person of no fixed identity languishing in prison for breach of copyright.” Consumers, he suggests, should protect themselves by creating personal application program interface (API) platforms. Personal APIs “could be a fascinating route ahead for consumers in the digital world,” he writes. Placing data behind personal APIs might give consumers the ability to force organizations and individuals “to engage with you on your terms,” he writes, giving consumers the power to withdraw their support from those that do not “match your own belief systems.” [diginomica]


WW – Companies to Collaborate for IoT Privacy

Microchip Technology has announced a collaboration with Intel to implement Intel Enhanced Privacy ID (EPID) technology. “Intel EPID is a sophisticated, proven approach to device authentication that provides both security and privacy for the on-ramp to the Internet of Things (IoT),” the report states. “Microchip has long recognized the importance of security in IoT applications,” said Microchip’s Ian Harris. “Collaborating with Intel to integrate its proven Intel EPID technology demonstrates Microchip’s steadfast commitment to providing the very best IoT solutions, by working to enable designers with the safe and secure interoperation of their ‘things’ with Intel’s devices, gateways and servers.” [StreetInsider.com]

JP – Police, Satellite Tracking Planned

By 2018, the Road Transport Department plans to apply a Radio Frequency Identification (RFID) device to vehicles across Malaysia. The aim of the RFID is to “allow real-time monitoring of traffic conditions and help police track down criminals,” the report states. “While this may raise privacy concerns … the use of RFID tech will herald a new era for vehicle security … and could be the answer to combat vehicle theft and cloned vehicle syndicates,” said Deputy Transport Minister Datuk Aziz Kaprawi. A “smart code” feature permits vehicle tracking by the authorities and satellites. [Paultan.org] [Somebody’s watching: Telematics for cars pits insurers against privacy advocates]

US – California Bill Seeks to Regulate Smart TVs

After discovering that “smart” TVs could record their owners’ conversations without consent, California Assemblyman Mike Gatto (D-Glendale) is championing AB116, which aims to mandate that smart TV users be “explicitly informed” their devices might record their conversations. The bill also “forbids TV manufacturers and related third parties from using or selling stored conversations for advertising purposes and would allow manufacturers to reject law enforcement efforts to use the feature to monitor conversations,” the report continues. While privacy advocates applaud the move, the Electronic Frontier Foundation’s Lee Tien points to room for improvement. “Notice is not consent,” Tien said. Smart TV-maker Samsung has indicated it supports the bill, the report states. [Associated Press]


US – Pentagon Releases Cybersecurity Incident Reporting Rules

The Pentagon is rolling out long-awaited rules governing how the defense industry should report cybersecurity incidents. The regulations were published in the Federal Register on Wednesday. They require contractors and subcontractors to report “cyber incidents that result in an actual or potentially adverse effect” on either the contractor’s information system and data or its ability to provide “operationally critical support,” the report states. The rules aim to provide a single pathway for Defense Department contractors to report cyber incidents. [The Hill]

WW – Study: The Access of the Few Creates Risk for the Many

According to a new study by CloudLock, system administrators and those with heightened privileges at an organization that employs a cloud service are responsible for 75 percent of the risk, with hackers focusing on those particular users for easy data access. “Cyber attacks today target your users—not your infrastructure,” said CloudLock CEO Gil Zimmermann. “As technology leaders wake up to this new reality, security programs are being reengineered to focus where true risk lies: with the user,” adding that “the best defense is to know what typical user behavior looks like—and, more importantly, what it doesn’t.” [The Washington Post] [Cars can be hacked by their tiny, plug-in insurance discount trackers]

US – Uber to Beef Up Security Team in Push to Strengthen Data Safety

Uber is to significantly expand its security team as it seeks to soothe worries about data privacy, defend against hackers and even protect its offices and employees from physical attack. The group, most recently valued at about $50bn, plans to end the year with more than 100 staff in its security team, an increase from about 25. [Financial Times]


WW – UK Surveillance ‘Worse Than Orwell’, Says UN Privacy Chief

Joseph Cannataci, the newly appointed UN special rapporteur on privacy, has called the UK’s oversight of surveillance “a rather bad joke at its citizens’ expense,” describing the situation regarding privacy as “worse” than anything George Orwell imagined in his dystopian novel ‘1984’. Appointed after concern about surveillance and privacy following the Edward Snowden revelations, Cannataci agreed that his notion of a new universal law on surveillance could embarrass those who may not sign up to it, but for Cannataci – well-known for having a mind of his own – it is not America but Britain that he singles out as having the weakest oversight in the western world. Although Cannataci admits his job is a complex one that is not going to be solved with a magic bullet, he says he is far from starting from scratch and believes there are at least four main areas to work on: a universal law on surveillance, tackling the business models of the big tech corporations, defining privacy and raising awareness among the public. [Before Its News]

US – NSA and BfV Surveillance Exchange Revealed

The National Security Agency (NSA) and its German equivalent, the Office for the Protection of the Constitution (BfV), traded access to the U.S. Internet surveillance program XKeyscore for targeted surveillance information on German citizens. While former German Data Protection Commissioner Peter Schaar claimed that he “knew nothing about such an exchange deal,” an official memo obtained by Die Zeit – the outlet that broke the story – indicates that Germany pledged to “(u)tilize XKeyscore in a manner consistent with German law and in a manner reasonably likely not to result in the targeting of U.S. persons,” the report continues. [National Journal]

WW – Global Think Tank Calls for Global Digital Privacy

After an open hearing earlier this month aimed at formulating a group stance, the Diplomatic Council, a UN-registered global think tank, called for more transparency when it comes to government surveillance across the world. Attorney Thomas Lapp, chairman of the Global Information Security Forum of the Diplomatic Council, proposed worldwide stipulations on any judge who approves interception measures. He called for judges to be required to document each interception approved and to provide annual reports detailing the outcomes of surveillance, including whether the activities led to convictions. Lapp feels the stipulations would push authorities to examine eavesdropping requests more carefully while making the process more transparent to the public. In addition, the Diplomatic Council is mulling global legislation to curb data collection by large internet corporations. Lapp contended that big companies circumvent the strict data protection laws of several countries. [SC Magazine]

WW – Companies Fight Back with “Warrant Canaries”

There are challenges of running privacy services—specifically the legal challenge of keeping promises to customers despite government pressure for access to data. To cope, companies have created “warrant canaries.” Companies publish transparency reports listing the number of “secret, gag-ordered surveillance warrants,” where they would list that number as zero. In the next report, if there’s been a secret warrant, the listing would be omitted. Users would notice this and stop using the service, the message to the government being: Serve us with a secret warrant, and everyone you want to spy on will stop using this service. “The idea of warrant canaries is not to voluntarily go out of business, it’s to make business-destroying secret warrants useless,” the report states. [The Guardian]
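The canary mechanism described above only works if someone is actually watching for the line to vanish. The following is an added example, not code from the article or from any provider it mentions: a small checker that walks a series of transparency reports in date order and raises an alert the first time a canary line that was previously present reads as missing. The report texts and the canary wording are constructed for the example; a real checker would fetch reports over an authenticated channel and would also verify any signature the provider publishes with them.

```python
import re

# Constructed sample transparency reports for three quarters (not real provider data).
# The first two carry the canary line with a count of zero; the third silently omits it.
REPORTS = {
    "2015-Q1": """Transparency Report Q1 2015
Subpoenas received: 12
Court orders received: 4
Secret, gag-ordered surveillance warrants received: 0
""",
    "2015-Q2": """Transparency Report Q2 2015
Subpoenas received: 15
Court orders received: 3
Secret, gag-ordered surveillance warrants received: 0
""",
    "2015-Q3": """Transparency Report Q3 2015
Subpoenas received: 9
Court orders received: 5
""",
}

# Exact wording of the canary line is an assumption for this example; a real checker
# would pin whatever wording the provider committed to publishing.
CANARY_RE = re.compile(
    r"^Secret, gag-ordered surveillance warrants received:\s*(\d+)\s*$",
    re.MULTILINE,
)


def canary_status(report_text):
    """Classify one report: 'alive' (line present, count zero), 'nonzero' (line present
    but the provider is openly reporting a count), or 'absent' (line missing entirely)."""
    match = CANARY_RE.search(report_text)
    if match is None:
        return "absent"
    return "alive" if int(match.group(1)) == 0 else "nonzero"


def check_sequence(reports):
    """Walk reports in chronological order (keys sort as ISO-style period labels).

    Returns a list of (period, status, alert). An alert fires only when a canary that
    was 'alive' in the previous report is 'absent' in the current one; a canary missing
    from the very first report is not an alert, because there was never a promise to watch.
    """
    results = []
    prev = None
    for period in sorted(reports):
        status = canary_status(reports[period])
        alert = prev == "alive" and status == "absent"
        results.append((period, status, alert))
        prev = status
    return results


if __name__ == "__main__":
    for period, status, alert in check_sequence(REPORTS):
        flag = "  <-- CANARY DIED, assume a gag-ordered warrant" if alert else ""
        print(f"{period}: canary {status}{flag}")
```

The distinction between `absent` and `nonzero` matters: a provider that prints a real, non-zero count is reporting openly, which is the opposite of the canary being triggered, so the two cases should never be collapsed into one "bad" state.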

US – City Considers License-Plate Readers on Garbage Trucks

In San Jose, CA, the city’s mayor and one city councilman have put forward a new proposal that would allow sanitation vehicles—garbage trucks—to use license-plate readers to feed data automatically to city police. “We can cover every street at least once a week and possibly deter thieves from coming into our city,” said Councilman Johnny Khamis. If the proposal were to pass, the city would likely be the first in the country to expand license-plate readers beyond law enforcement to another public entity, the report states. Khamis said the city would consult with the ACLU over privacy concerns before moving forward. [Ars Technica]

US – Firefighters’ Helmet-Mounted Video Cameras Controversial

One rescue squad in Maryland believes the use of helmet-mounted cameras is invaluable, as such video allowed firefighters to later determine what they could have done better to stay safe. But in a California case, helmet-camera video of a plane crash showed a survivor being accidentally run over, and San Francisco’s “fire chief later reminded staff that all cameras are banned without prior approval,” the report states. The International Association of Fire Fighters (IAFF) does not support helmet cameras. The IAFF’s Jim Brinkley explained national standards for the cameras’ use are in development but said “that’s a long process.” [CBS News]

WW – Study: Mobile Companies Using Supercookies Outside U.S.

A study by Access Now finds that while mobile wireless companies no longer employ “supercookies” in the U.S., some do so in other parts of the world. Supercookies, or “unique identifier headers,” are codes that permit surreptitious tracking of mobile web use. Access Now’s Deji Olukotun suggested the “use of supercookies outside the U.S. is potentially more invasive because many people use smartphones as their primary way to access the Internet,” the report states. Verizon said it offers an opt-out service to users. “Most users don’t even know what to opt out of,” said Jacob Hoffman-Andrews of the Electronic Frontier Foundation, adding, “This technology is so intrusive that opt-outs are not appropriate.” [The Wall Street Journal] [Anti-privacy unkillable super-cookies spreading around the world | Study]

Telecom / TV

US – New FCC Rules Could Change Telecom Business Models

The FCC is planning to develop new privacy rules for Internet providers this fall following its net neutrality decision earlier this year, and those rules “could have big implications for companies like AT&T, Verizon and Comcast.” “FCC Chairman Tom Wheeler has declined to say when the agency might formally launch a rule-making process,” the report states, noting that if the FCC approves its new privacy policies for Internet providers, it could “powerfully affect the industry’s business model.” For example, the FCC’s new rule could limit such practices as AT&T’s recently launched package allowing customers a discount if the company can track their web history. [The Washington Post]

WW – UN Contacting AT&T About Alleged U.S. Wiretapping

The United Nations (UN) has said it plans to contact AT&T following a report “it allowed the U.S. National Security Agency (NSA) to wiretap all Internet communications at UN headquarters.” A UN spokeswoman said U.S. officials had assured the UN “they are not … monitoring our communications” when past allegations were made. A piece in The New York Times indicated “AT&T provided technical assistance in carrying out a secret U.S. court order permitting the wiretapping of all Internet communications” at the UN’s New York headquarters, the report states. Meanwhile, AT&T’s and other telecoms’ ability to monitor consumers and making it “deliberately tough” for them to opt out of marketing “and having their personal data shared.” [Associated Press]

AU – 60 Minutes Uncovers Huge Mobile Phone Security Vulnerabilities

It’s the dirty little secret that’s facilitating what’s being called the biggest breach of privacy ever. Government, security agencies and the telecommunications industry will be forced to explain a security hole that allows hackers to listen in to conversations and hijack Australians’ mobile phones after it’s exposed by a 60 Minutes investigation, the program claims. By tapping into SS7, a signalling system in use by more than 800 telecommunication companies across the world including major Australian providers, hackers are able to listen in to conversations, steal information stored on mobile phones, and track the location of the phone’s user. The system has long been in use by spies and has been a secret of perpetrators of international espionage. It’s believed to be the very tactic used by Australian spies in tracking the phone calls of the wife of the Indonesian president. But recently, organised crime, commercial spies and potential terrorists have been exploiting this security loophole for their gain, 60 Minutes claims to have uncovered. [Source]

WW – Google Unveils Onhub, A Wi-Fi Router for The Smart-Home Era

The search giant’s newest device is a router Google hopes you’ll display proudly, and gives the company a beachhead for tech in your home too. The search giant unveiled the OnHub, a sleek new router that Google developed with the networking hardware company TP-Link. The $200 device is also meant to eventually help control all the other disparate Internet-connected devices in your home. The idea is this: Most Wi-Fi routers are ugly, with unruly cords, so people put them on the floor or out of the way where they can’t be seen. But that also causes the device to emit a weaker Wi-Fi signal, Google said. The company hopes the answer is making a better-looking device that people don’t mind displaying out in the open. It has subtle blinking lights and all its antennas are packed inside its black, cylindrical shell. The device also displays the Wi-Fi password if someone taps on it. [CNET]

WW – IAPP Launches First Privacy eBook

The IAPP has launched its first eBook, Introduction to IT Privacy: A Handbook for Technologists, which is now available from the Kindle bookstore on Amazon. “In an effort to provide our members access to privacy training content in the ways they find most useful, we decided to pursue offering our first eBook title for those privacy professionals who prefer to access this material digitally,” said IAPP Training Director Marla Berry. “We look forward to the response to this initial offering and anticipate we may be providing future texts to our members in this format as well.” The Privacy Advisor has all the details in this “Live from the IAPP” feature. [Full Story]

US Government Programs

EU – Sites Have Until September 30 To Meet Google’s User-Consent Requirements

It’s likely EU users have noticed an increase in the number of cookie notices they’re presented with while surfing the web—the result of a change in Google’s user-consent policy. The policy “requires website publishers who use Google cookies to obtain their European site visitors’ consent before dropping and reading cookies,” the report states. The change reflects EU regulators’ increasing focus on U.S. companies that serve EU customers. Sites, including ad publishers using Google services as a platform, have until September 30 to comply. Google has released a website to help companies implement the changes. [Silicon Republic]

US Legislation

US – Gov. Vetoes Notification Bill Expansion

A recent attempt by the Illinois legislature to significantly expand the scope of the Illinois data breach notification legislation was vetoed by Gov. Bruce Rauner. Rauner said Illinois Senate Bill 1833 “goes too far,” and the proposed legislation includes “duplicative and burdensome requirements” that other states don’t have. He added such requirements will hurt the state economy. Specifically, he said, including geolocation information and consumer marketing data under the types of protected information is unnecessary because it “does not pose the same risk of identity theft that justifies the extraordinary and costly security and notice requirements imposed by the Personal Information Protection Act.” [HealthITSecurity]

US – State Assembly Approves Drone-Trespassing Bill

The California State Assembly has approved a measure that would restrict the use of drones over private property without owners’ permission. The bill, proposed by Sen. Hannah-Beth Jackson (D-Santa Barbara), would make flying a drone less than 350 feet above private property without consent a trespassing violation. While some voiced concerns about harming industry, Assemblyman Mike Gatto (D-Los Angeles) said drone operators, not manufacturers, would be held liable. Meanwhile, a bill that would require local law enforcement agencies to set up policies governing their use of body cameras “fell flat after facing criticism from some Democrats that it did not go far enough,” the report states. [Los Angeles Times]

US – New Drone Bill Draws Industry’s Ire

Proposed legislation is inspiring ire from drone developers who argue it could smother the fledgling trade, citing as an example SB 142, which Sen. Hannah-Beth Jackson (D-CA) proposed in an effort at safeguarding privacy by keeping drones at least 350 feet above private property. “The industry argues—and the legislative committees acknowledge—myriad efforts are going on between state and federal authorities to hammer out a regulatory regimen,” the report states. Bruce Parks of the Association for Unmanned Vehicle Systems International argued “the threats are coming from hobbyists, not potential commercial users.” [The San Diego Union-Tribune]

US – Other Legislative News

Workplace Privacy

CA – Privacy Commissioners Urge Caution on BYOD

The Offices of the Privacy Commissioner and of the BC and Alberta Information and Privacy Commissioners have created new guidelines for BYOD programs. “Allowing employees to use their mobile phones, tablets and laptop computers for both personal and professional use carries significant privacy risk—particularly when one world collides with the other,” said Privacy Commissioner Daniel Therrien, adding, “Companies need to consider the risks in advance and prepare to manage them effectively. Only then could they conclude whether a BYOD program is right for them.” A Privacy This Week report suggests the commissioners may use the guidance as a benchmark. [Vancouver Sun]

HK – PDPC Offers Workplace Tips

The Personal Data Protection Commission (PDPC) has published its “Workplace Tips on Personal Data Protection” in DPO Connect. “Controls also have to be put in place to make sure that only authorised personnel have access to personal data,” the PDPC’s report states, noting organizations should also protect users’ passwords by requiring they be changed, limiting the number of failed login attempts that are allowed before the account is locked and hiding password characters. The PDPC also “advocates for weaving the awareness of personal data protection into the fabric of organisational culture,” the report states. [Full Story]

WW – EFF Announces 2015 Pioneer Award Winners

The Electronic Frontier Foundation has announced its 2015 Pioneer Award recipients. The award recognizes “leaders who are extending freedom and innovation on the electronic frontier.” This year’s recipients, to be recognized at an event on September 24 in San Francisco, include the late Caspar Bowden, a privacy advocate; the human rights and global security researchers at The Citizen Lab, whose work has “put a spotlight” on companies selling state-sponsored surveillance malware and the governments that use them; international Internet access champions Anriette Esterhuysen and the Association for Progressive Communications, and digital community advocate Kathy Sierra. [Full Story]

US – Survey: Federal Employees Using Personal Phones for Work

Half of federal employees access government email and documents from their personal smartphones and mobile devices. A survey commissioned by cybersecurity company Lookout found that out of 1,000 workers from 20 civilian, intelligence and military agencies, 60% said they are aware of the risks, and 85% of those individuals said they use their smartphones anyway. Approximately 40% of employees who work at agencies that prohibit the use of smartphones for work said the rules have little to no impact on their behavior, the report states. Cybersecurity expert Roger Cressey said the challenge for security professionals is “to accept that reality, and come up with proactive solution.” [USA Today]


01-15 August 2015


AU – Agencies to Take Fingerprints from Kids

Children who fight with extremist groups could be prevented from returning to Australia under plans to expand powers to gather biometric data. The Senate has passed legislation to beef up the country’s biometrics system, permitting the collection of data from children as young as 10 without parental consent. Fingerprints, and potentially iris scans and facial images, will be used to match people entering and leaving Australia to a database of known criminals and suspected terrorists. [SBS News]

WW – Facial-Recognition Tech Getting Attention from Apple, Police

A patent filed by Apple in 2014 and published this week “describes various methods for streamlining the sharing of photos by linking faces to contact data, also utilizing facial recognition tech,” the report states. Apple’s patent, entitled “Systems and methods for sending digital images,” is similar to Facebook’s Moments app, which “uses facial-recognition tech to help distribute photos to the people in them.” Meanwhile, The New York Times reports on facial-recognition software used by the U.S. military that “is being eagerly adopted by dozens of police departments around the country to pursue drug dealers, prostitutes and other conventional criminal suspects.” [TechCrunch]

WW – HTC Caught Storing Fingerprints as World Readable Cleartext

Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max. The team found a forehead-slapping flaw in the HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open “world readable” folder. “Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” the team says, adding that the images can be made into clear prints by adding some padding. It is one of four vulnerability scenarios in which biometric data normally secure in an Android phone’s TrustZone can be pilfered. [The Register]
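The flaw above is a permission problem rather than a cryptographic one: a file holding sensor data was left with the “other read” bit set, so every process on the device could open it. As an added example, not code from FireEye, HTC or the article, the script below is the kind of check a platform or device-security team can run over a directory that is supposed to hold biometric material: it lists regular files whose mode grants read access to everyone, highlights those with names known to hold sensitive data, and offers a remediation that strips the bits down to owner-only. The sample tree it builds is constructed for the example; only the file name dbgraw.bmp comes from the report above, and the script assumes a POSIX filesystem where mode bits are honoured.

```python
import os
import stat
import tempfile

# File names known from the report to hold raw biometric data. Constructed set for this
# example; an audit in practice would be fed the platform's own list of sensitive paths.
SENSITIVE_NAMES = {"dbgraw.bmp"}


def is_world_readable(path):
    """True if the 'other' read bit (S_IROTH) is set on the file's mode."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_tree(root):
    """Walk root and return sorted (relative_path, octal_mode, is_sensitive) tuples
    for every regular file that any user on the system could read."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or not is_world_readable(full):
                continue
            mode = stat.S_IMODE(os.stat(full).st_mode)
            rel = os.path.relpath(full, root)
            findings.append((rel, oct(mode), name in SENSITIVE_NAMES))
    return sorted(findings)


def remediate(root):
    """Restrict every world-readable file under root to owner read/write (0600).
    Returns the number of files changed."""
    changed = 0
    for rel, _mode, _sensitive in audit_tree(root):
        os.chmod(os.path.join(root, rel), stat.S_IRUSR | stat.S_IWUSR)
        changed += 1
    return changed


def make_sample_tree():
    """Constructed fixture: a temp directory with one world-readable dbgraw.bmp (the
    defect pattern from the report) and one correctly private template file."""
    root = tempfile.mkdtemp(prefix="biometric_audit_")
    exposed = os.path.join(root, "dbgraw.bmp")
    private = os.path.join(root, "template.bin")
    with open(exposed, "wb") as fh:
        fh.write(b"BM" + b"\x00" * 14)  # placeholder bytes, not a real bitmap
    with open(private, "wb") as fh:
        fh.write(b"\x00" * 16)
    os.chmod(exposed, 0o644)  # the mistake: readable by every uid on the device
    os.chmod(private, 0o600)  # the intended state: owner only
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for rel, mode, sensitive in audit_tree(root):
        tag = "  [SENSITIVE DATA EXPOSED]" if sensitive else ""
        print(f"{rel}: mode {mode}{tag}")
    print(f"remediated {remediate(root)} file(s); remaining: {audit_tree(root)}")
```

On Android the effective check is the same idea applied to the app-private data directories and the filesystem paths a trusted-execution driver writes to; the point of the example is that a directory listing with mode bits, run as part of a build or device test, would have caught this class of defect before shipping.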

CA – Biometrically-Authenticated Wearable Payments With Mastercard, TD

The wearables market is beginning to pick up steam, and Toronto’s Nymi is already working on the next generation of wearables technology with a pilot project to complete credit card payments using a wearable with the credentials biometrically authenticated by a heartbeat. Nymi has been developing its biometric authentication wearable technology, which uses a heartbeat as a unique biometric identifier and maintains the authentication as long as the wearable is being worn. As soon as it’s taken off – or the user’s heart stops beating – the authentication ends, making it a unique approach to security. This summer, Nymi has been working with TD Bank Group and MasterCard to pilot using the Nymi Band to make contactless payments using a TD Bank Mastercard with the credentials stored on the wearable. Using Nymi’s proprietary HeartID technology as well as a Nymi Band prototype enabled with near field communications, 100 TD employees in Toronto, Ottawa and Regina are testing making payments using the contactless Tap & Go payment terminals already at many Canadian retailers. [Source]

Big Data

US – Draft Report Outlines Big Data Challenges

The Office of the National Coordinator’s Health IT Policy Committee Privacy and Security Workgroup (PSWG) completed a draft report outlining the healthcare privacy and security challenges of using big data and recommending steps to address them. “The complex legal landscape around health privacy creates obstacles for individuals trying to access their personal information and hurdles for researchers,” the study states. In addition to governmental transparency regarding its handling of big data, the group also suggests “that current laws around the use of such information should be evaluated and modified to ‘incentivize’ privacy, but that voluntary codes of conduct also could improve security efforts,” the report states. [FierceHealthIT] [The Sound Of Silence: New Video Tech Looks Beyond The Internet Of Things] [Connected medical devices: The Internet of things-that-could-kill-you]


CA – Sask. Privacy Commissioner, SHRA At Odds Over Privacy Breach

Saskatchewan’s privacy commissioner and the Saskatoon Health Region Authority (SHRA) are at odds over whether disciplinary action taken against a snooping employee should be disclosed. The employee in question had viewed her own along with other individuals’ health records without a need-to-know. According to Ronald Kruzeniski, Saskatchewan’s information and privacy commissioner (IPC), the health records clerk viewed the personal health information to satisfy curiosity and alleviate boredom. The privacy breach came to light in early 2015 through a regular audit. The employee was found to have viewed the personal health information of six people, including her own. [Global News]

CA – BC: Sex-Abuse Case Review a Breach of Privacy: Mom

B.C.’s privacy commissioner has been asked to investigate concerns about an external review of the Ministry of Children and Family Development by retired deputy minister Bob Plecas. Elizabeth Denham’s office confirmed that it has received a complaint about the review, but offered no further comment. Plecas was hired last month to review the ministry’s handling of a high-profile sex-abuse case. In that case, B.C. Supreme Court Justice Paul Walker found that social workers ignored or misled the courts and allowed a sexually abusive father unsupervised access to his four children. The government has appealed Walker’s decision. [The Times Colonist]

CA – Federal Govt’s New Healthy Living App Rewards Canadians With Points

The federal government is unveiling a new app in the fall that will reward Canadians for making healthier lifestyle decisions. The “Carrot Rewards” app aims to push Canadians to eat better, exercise more and live healthier lives, by rewarding them with various types of points. “Canada is the first country in the world to create a national app, a national mobile platform for rewarding its citizens for healthier lives,” said Andreas Souvaliotis, Founder and CEO of Social Change Rewards, which is marketing the app for the government. [Global News] [Canadians are victims of China-based VPN network and new malware kit, say vendors]

WW – IPC: Balancing Transparency, Privacy and the Internet

While providing services to the public, municipalities are often required to collect, use and disclose personal information from and about their community members. Some information received and processed by municipalities is legally required to be made publicly available, both to allow public participation in decision-making and to maintain transparency and accountability with respect to the activities of these institutions. Municipalities must balance the need to protect the privacy of their community members, in compliance with provincial privacy legislation, against the need to meet their other legislated obligations. The new guide Transparency, Privacy and the Internet: Municipal Balancing Acts describes a number of policy, procedural and technical options available to municipalities to mitigate the privacy risks associated with publishing personal information on the Internet. [Office of the Information and Privacy Commissioner, Ontario]


WW – Google, Facebook Privacy Policies Rank Highest

Time and the Center for Plain Language reviewed the privacy policies of seven of the most ubiquitous tech companies and ranked them based on the clarity of their language, finding Google’s and Facebook’s to be the most straightforward. “A privacy policy that consumers are unlikely to read or understand provides no protection whatsoever,” the report states. “The results of our study are quite consistent, especially at the top and bottom of the rankings: Google and Facebook do a good job of communicating their privacy policies in a way that allows consumers to understand and make decisions—at least motivated consumers. According to the analysis, Lyft and Twitter do a poor job of communicating those policies. The remaining companies—LinkedIn, Uber and Apple—do better in some areas than others.” [Full Story]

US – Consumers Want to Sell Their Own Data, But What’s It Worth?

Digital Catapult, a working group bringing together academics and industry, recently commissioned a study showing that consumers want ways to collect and manage their personal data and want to make money from sharing that data. However, The Conversation reports that determining a value for a person’s data is no easy task. The Digital Catapult study showed 62% of respondents would be willing to receive 30 GBP per month for sharing their data; however, that was the maximum amount allowed in the study. “No doubt they’d not turn down 100 GBP or 1,000 GBP either.” Compounding that is the question of “who holds the reins: government, business or the third sector?” [Full Story] see also: [How to protect your wireless network from Wi-Fi Sense] [Cellphone Projects in Developing World Need Better Privacy, Security Measures] [How your phone’s battery life can be used to invade your privacy] [New Windows 10 scam will encrypt your files for ransom] [Windows 10 sends identifiable data to Microsoft despite privacy settings] [Microsoft on Windows 10 and Privacy] [Microsoft responds to Windows 10 privacy policy concerns]


UK – Fears Over “Lax” Council Data Security

Sensitive personal information has been lost or misused by councils on thousands of occasions, according to a study by privacy campaign group Big Brother Watch. The study found that local authorities recorded 4,236 data breaches over a three-year period from April 2011. Emma Carr, Big Brother Watch director, said: “Despite local councils being trusted with increasing amounts of our personal data, this report highlights that they are simply not able to say it is safe with them.” The report, based on responses to Freedom of Information requests sent to local authorities throughout the UK, shows that, amongst other things, “some 197 mobile phones, computers, tablets and USBs were lost or stolen” and “data was lost or stolen on 401 occasions, with 628 instances of incorrect or inappropriate information being shared on emails, letters and faxes”. [Digital By Default News]

US – Data in Clinton’s ‘Secret’ Emails Came from Five Intelligence Agencies

The classified emails stored on former Secretary of State Hillary Clinton’s private server contained information from five U.S. intelligence agencies and included material related to the 2012 fatal attacks in Benghazi, Libya, the McClatchy news service has learned. Of the five classified emails, the one known to be connected to Benghazi was among 296 emails made public in May by the State Department. Intelligence community officials have determined it was improperly released. Revelations about the emails have put Clinton in the crosshairs of a broadening inquiry into whether she or her aides mishandled classified information when she used a private server set up at her New York home to conduct official State Department business. While campaigning for the 2016 Democratic presidential nomination, Clinton has repeatedly denied she ever sent or received classified information. [thestar.com]

US – Study: Gov’t Weaknesses “Deep, Pervasive”

A George Mason University Mercatus Center study of the government’s 30-day “cybersecurity sprint” indicates that while improvements were made, major weaknesses in cybersecurity persist, with 10 agencies declaring noncompliance. “Federal agencies lag far behind the cybersecurity goals that policy-makers have crafted and amended over the past decade. In only one category, security training, do a majority of agencies report full compliance,” the study states, noting the “government’s cybersecurity weaknesses are not merely superficial issues that can be quickly resolved in a few short weeks; they are deep, pervasive and systemic problems resulting from decades of poor information security practices.” [InsiderOnline]

NZ – Justice Minister Tackles ‘Privacy Paralysis’

Justice Minister Amy Adams says privacy laws significantly hamper the ability to detect and deal with domestic violence because government officials and those working with children and families are often over-cautious when it comes to sharing information. Ms Adams will today release a discussion document with proposals to tackle domestic violence which is understood to contain more provisions for sharing information between the courts, police and the agencies and community organisations which deal with families. [The New Zealand Herald]

US – Government’s Privacy Push Garners Results

After the conclusion of the White House Office of Management and Budget-initiated 30-day “cybersecurity sprint” across federal government agencies, use of stronger authentication rose by 30 percentage points, from 42% to 72%. While the jump was positive, White House Chief Information Officer Tony Scott said he believes “we still have more work to do,” adding that a team of experts would review the government’s “policies, procedures and practices” relating to cybersecurity. Scott said an assessment will be issued in the months ahead, the report states. [Reuters]


US – Yahoo Class-Action Appeal Denied

U.S. District Court Judge Lucy Koh’s ruling to elevate an email privacy suit against Yahoo to a class-action still stands, according to the Ninth Circuit Court of Appeals, which rejected Yahoo’s request to overturn Koh’s decision. Plaintiffs said, “Yahoo violated the federal wiretap law and a California privacy law by allegedly intercepting messages without the consent of both the sender and recipient,” but Yahoo argued “consumers aren’t entitled to class-action treatment because the key issue in the privacy dispute—whether people consented to Yahoo’s email scans—will require individualized assessments,” the report states. Koh had determined “that the consumers raised the kinds of ‘common’ questions that don’t require separate determinations for every affected web user,” the report continues. [Media Post]

WW – Email Marketing Laws and the Results of Compliance

Kissmetrics looks at anti-spam laws, highlighting certain laws, outlining what marketers need to know and explaining what complying with them can mean for their businesses. “Email marketing is one of the most effective marketing tactics online,” the report states, noting, “however, there are a number of best practice techniques that you need to comply with to ensure that you don’t irritate your customers or run afoul of regulators.” The report offers the major points of laws in Europe, specifically the UK, and the U.S., stating that “if you protect customer privacy and allow customers to opt out of marketing emails, you will build goodwill … ensure that your marketing will go to customers who are receptive and open to your messages” and “protect you financially.” [Full Story] [Want to be totally secure on the Internet? Good luck]

Electronic Records

CA – Lifelabs to Make Patients’ Test Results Available Online

Ontario’s biggest medical lab company says early access will help patients be better informed when talking with their doctors. For the first time, some patients using Ontario laboratory testing centres will be able to access their results online. Canadian laboratory testing company LifeLabs has announced the launch of an online portal, called My Results, which will allow patients to access their medical test results 24 to 48 hours after testing. The new portal will only offer results from LifeLabs centres. The Ontario Association of Medical Laboratories estimates there are 325 licensed laboratories and specimen collection centres across the province, 240 of which are owned by LifeLabs. Despite the privacy concerns that come with a move online, LifeLabs believes its system is secure. [The Star]


WW – Full-Disk Encryption Debate Continues

Manhattan District Attorney Cyrus Vance Jr., Paris Chief Prosecutor François Molins, City of London Police Commissioner Adrian Leppard and High Court of Spain Chief Prosecutor Javier Zaragoza wrote an op-ed making the argument that the full-disk encryption offered in Apple and Google operating systems blocks justice. “Now, on behalf of crime victims the world over,” they write, “we are asking whether this encryption is truly worth the cost.” Later that day, Jenna McLaughlin wrote a counterpoint in The Intercept, stating they posed a “flawed argument” that “misstated the extent of the obstacles to law enforcement” while failing “to acknowledge the value to normal people of protecting their private data from thieves, hackers and government dragnets.” [The New York Times] SEE ALSO: [Post-Snowden, Cryptography Companies Find Success]

WW – ICANN User Information Accessed

The Internet Corporation for Assigned Names and Numbers (ICANN) reported a breach of “user names, email addresses, encrypted passwords and other data, such as bios, interests and newsletter subscriptions.” “Encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider,” ICANN said, but it has not named the provider. The investigation is ongoing, the report states, noting ICANN site users are being required to update their passwords. This is the third data compromise incident for the organization within the past year. [IT World]

US – Tokenization in the Cloud; Ex-DHS Official: Encryption Is Key

A recent report from CipherCloud reveals that 68% of the 50 banks it surveyed use tokenization, most notably to protect personally identifiable information, IBM’s Security Intelligence reports. The use of tokenization is also spreading into the retail industry, the report states. In a CSO Q&A, Dropbox’s Patrick Heim discusses the privacy and security concerns for businesses moving to the cloud. Meanwhile, Richard Marshall, former director of global cybersecurity management for the U.S. Department of Homeland Security, has said businesses need to do a better job of encrypting their data. “There was no thought (at the Office of Personnel Management) to encrypt that data because it was deemed too difficult and too complex to do. Well that’s not accurate,” he said. [CipherCloud]

EU Developments

UK – High Court Strikes Down Data Retention Law

Not long after privacy advocacy groups found six EU member states have data retention laws that “appear to be in contravention to the Charter of Fundamental Rights,” the UK High Court this week declared the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA) “incompatible with human rights” and “unlawful.” The section of the law requiring retention of data should be “disapplied,” the court ruled, but it suspended that ruling until March 31 to give the government time to rewrite the law. Further, the secretary of state has permission to appeal the ruling to the Court of Appeal. [Lexology]

EU – Safe Harbor Agreement Could Be Reached “After Summer”

The Safe Harbor talks between the EU and U.S. are in their final stages, and an agreement could be finalized “after the summer.” The negotiations, which began in January 2014, aim to ensure U.S. Safe Harbor companies will not be able to “circumvent the EU’s tough data protection regime by passing data on to another company not certified under the data-sharing deal and therefore not adhering to the same privacy standards,” the report states. Under the new Safe Harbor plan, “U.S. registered companies will face stricter rules when transferring data to third parties,” the report continues, noting the negotiations took time “because the EU has wanted to ensure the U.S. guarantees are watertight.” [Reuters]

EU – Potential Last-Minute Resistance to Safe Harbor

Safe Harbor negotiations may face opposition from the Europe of Nations and Freedom (ENF) group of EU Parliamentarians, Sputnik reports. “I do not think that the U.S. will only collect basic data,” said Austrian parliamentarian and ENF member Georg Mayer. “We know from the past how hungry the American services are for every data. So no trust in that, also under the experience we made in the negotiations for TTIP. I think—I have to talk to the rest of the ENF group—we will not vote in favor for that agreement.” The EU and the U.S. are reportedly working out the “final details” of the agreement. [Full Story]

EU – Europe News Briefs

The General Data Protection Regulation may not only mandate breach notification but also increase fines “from tens of thousands to a one-million-euro punishment or 5% of global annual turnover, whichever is greater.”

Lokke Moerel analyzes the three iterations of the General Data Protection Regulation to assess whether the Binding Corporate Rules for Processors function remains in the legislation.

Facts & Stats

WW – Estimated Privacy Advisory Market Worth $3 Billion and Counting

The privacy advisory market is worth over $3 billion and is poised to continue its “meteoric rise,” according to estimates by PwC’s Jay Cline, who attributes the uptick to a mixture of the growth of global government privacy regulation, the greater use of big data for corporate competitive edge, technological advances and criminal data breaches. “Today’s privacy advisory market looks like the information-security market did 10 years ago … And where is that market heading today? Last month, Gartner projected that spending on information-security vendors will hit $101 billion by 2018,” Cline said. “If the $3 billion estimate is in the ballpark, and it’s true there’s no one dominant market leader, an upcoming wave of corporate spending is totally up for grabs.” [ComputerWorld]

US – 2015 Health Data Hacks: Stunning Stats

The health data breach statistics for 2015 are stunning. So far this year, just the top five breaches have impacted a total of 99.3 million individuals. And all five involved hacker attacks, which were relatively rare until this year. As of Aug. 4, the official federal tally of major health data breaches since September 2009 listed 1,282 breaches affecting a total of 143.3 million individuals. That means the five recent hacker attacks represent almost 70% of all victims on the six-year tally. And just one of those attacks, the hacking of health insurer Anthem that affected nearly 79 million, accounts for 55% of the total impacted. Top 5 Health Data Breaches in 2015, So Far: Anthem, Premera, UCLA Health, MIE, CareFirst. In addition to the five biggest hacker breaches, the “wall of shame” breach tally from the Department of Health and Human Services’ Office for Civil Rights, which tracks breaches affecting 500 or more individuals, lists another 33 hacking incidents this year, affecting nearly 2.4 million individuals combined. So the grand total of victims affected by hacking breaches reported this year is 101.7 million. And it’s only August. [Health Information Security]

WW – Report: Companies Face Consequences for Lack of Privacy

A new Forrester report shows there are consequences for companies that don’t meet their customers’ privacy expectations. Forrester’s research shows that one in three adult Americans has cancelled a transaction due to privacy concerns. “In most cases,” the report states, “a person’s willingness to buy from, work for and invest in a company is driven by their perceptions of the company.” With increasing cyberattacks aimed at acquiring consumer data, “The problem is that the internal security many organisations have in place isn’t enough to secure customers … Understanding where all those assets are and managing them holistically is critical.” [Information Age]

WW – Breach Victims Paying Less and Less

The financial impact of breaches on individual victims is shrinking, thanks to strides in data protection and a change in what thieves are looking for. “Only a tiny number of people exposed by leaks end up paying any costs, and for the rare victims who do, the average cost has actually been falling steadily,” the report states. “For the bad guys, your five-year growth plan is not data breaches and stealing credit cards,” said The Nilson Report’s David Robertson. “It involves stealing all the info you can and opening legitimate accounts in people’s names.” And while “the bad guys are getting good … the good guys are getting even better,” he added. [The New York Times]


US – Appeals Court: Netflix Didn’t Violate VPPA

The Ninth Circuit Court of Appeals has upheld an earlier decision by U.S. District Court Judge Edward Davila to dismiss a potential class-action lawsuit that alleged Netflix violated the Video Privacy Protection Act (VPPA). The appeals court decided Netflix did not violate the VPPA “by displaying information about subscribers’ movie-watching history to their friends, families and guests,” the report states. Meanwhile, ZDNet reports on the Seventh Circuit Court of Appeals’ recent decision overturning “a district court that had tossed a class-action lawsuit against Neiman Marcus over a 2014 data breach.” [US Appeals Court Sides With Netflix In Privacy Battle Over Home Page] [MediaPost] [Toronto woman’s webcam hacked while watching Netflix]


US – New Payment Cards Coming this Fall

This fall marks the official switch from swiping cards at the register to using chip cards for greater security (the EMV liability shift takes effect October 1). Small businesses that either don’t know about the change or are overwhelmed at the prospect of getting new readers for the chips are nervous, the report states. Square is offering 250,000 card readers for free, a move that matters because retailers “could be on the hook for damages from a breach if they don’t upgrade their equipment.” [The Washington Post]

US – CFOs Increasingly Investing in Security

For the first time, Bank of America Merrill Lynch’s 2015 CFO Outlook Pulse Survey asked chief financial officers (CFOs) about data security and fraud issues. The survey found that 82% of U.S. companies have a formal data security plan, and 69% reported an increase in investment in data security, the report states. In addition, 10% of the companies said they’ve had a data breach, and 48% said the impact of the breach was minimal. Companies are increasingly investing in anti-virus and spyware-detection programs and installing actively managed firewalls, and 83% are using anti-malware software, the report states. [SC Magazine]

WW – Is Yodlee Selling Data the Right Way?

For Yodlee, which provides personal financial tools, roughly 10% of the company’s 2014 revenue came from selling anonymized data to investment firms. Yodlee says it “adheres to strict privacy standards to ensure that the transaction data in our data products is anonymized and does not contain personally identifiable or attributable information,” adding the data is used “to develop more sophisticated analytic solutions.” Peter Swire, whom Yodlee hired to review its privacy practices, said it is “doing the technical and administrative things that regulators have recommended” to protect the anonymity of the data, and is “not in the business of playing spy” to figure out the transaction histories of individuals or their names. [The Wall Street Journal]

Health / Medical

WW – Need to Brush Up on Your BA Agreements?

A report discusses third-party partnerships between healthcare organizations (covered entities) and business associates (BAs) and the importance of ensuring HIPAA compliance. “All parties should have a thorough understanding of their relationship and how they are expected to maintain patient data security,” the report states. Under HIPAA rules, BAs are directly responsible for keeping protected health information (PHI) secure; it is not just the covered entity that bears the burden. This should be ensured through the covered entity’s agreement with the BA. “Not only does the business associate agreement dictate how and when PHI could be disclosed, it also outlines the potential consequences should sensitive information be exposed,” the report states. [HealthITSecurity]

US – Judge Orders NHL to Turn Over Injury and Concussion Data

The National Hockey League has been ordered by a judge to turn over reams of data about player injuries and concussions to lawyers representing former NHL players who are suing the league. The roughly 80 former players who are suing the NHL, including Bernie Nicholls, Gary Leeman and Butch Goring, allege NHL and team executives knew or ought to have known about the links between head trauma and long-term cognitive problems but failed to do enough to protect players, all the while profiting from the violence of hockey. The NHL has argued interested players could have read medical research and news reports on their own and put “two and two together” about the dangers of repeated head hits and concussions. In an order released late last week, U.S. District Court Judge Susan Nelson agreed to some but not all of the requests for discovery filed by the former players’ lawyers. “The Court finds that the (NHL’s) blanket application of the physician-patient privilege – protecting all medical data from disclosure – is inapplicable here,” the judge wrote in her ruling. “The clubs are ordered to produce any internal reports, studies, analyses and databases in their possession (whether initiated by the U.S. clubs, NHL, or retained researchers) for the purpose of studying concussions in de-identified form. The U.S. clubs shall produce any responsive correspondence and/or emails between themselves, themselves and the NHL, or with any research or other professional about the study of concussions.” [tsn.ca]

WW – WADA Urges Athletes to Report Privacy Breaches From Leaked IAAF Doping Inquiry

The World Anti-Doping Agency invited athletes to come forward if they feel their privacy was breached by leaked results of suspicious blood tests. WADA said its independent commission will “urgently” investigate the allegations of widespread doping in athletics aired by German broadcaster ARD. The inquiry, led by IOC member and former WADA head Dick Pound, began after ARD alleged systematic doping in Russian athletics last December. A follow-up program broadcast last Sunday alleged that IAAF files showed 800 suspicious results in blood samples from 5,000 athletes in the years from 2001-12. ARD and British newspaper The Sunday Times suggested the IAAF did not act on the evidence. [The Associated Press]

UK – Boots, Tesco and Superdrug to Get Access to NHS Medical Records

High street pharmacies such as Boots, Tesco and Superdrug will be given access to NHS medical records, under a national scheme which privacy campaigners fear could expose patients to “hard sell” tactics. Health officials have drawn up plans to send sensitive data from GP surgeries to pharmacies across the country, starting this autumn, without considering the views of patients. NHS England says the scheme will ease pressures on family doctors, and improve the care given to patients in the High Street. But campaigners fear major commercial chains will be able to exploit the valuable data, and use it to push the sales of their products. Officials have now ordered the national rollout of the scheme, on the basis of an evaluation of pilots in 140 pharmacies which they say showed “significant benefits”. But the official report shows that the research garnered responses from just 15 patients – a sample so small that their views were discarded from the research. [The Daily Telegraph]

Horror Stories

US – Hackers Breach Sabre, American Airlines; More OPM Fallout

A group of China-backed hackers believed to have accessed the databases of the Office of Personnel Management (OPM) and Anthem is allegedly behind similar breaches at American Airlines and Sabre, which processes reservations for airlines and hotels. Meanwhile, in a memo to OPM Director Beth Cobert, Inspector General (IG) Patrick McFarland said the OPM’s Office of the Chief Information Officer (CIO) has “hindered and interfered with” IG oversight and “has created an environment of mistrust by providing my office with incorrect and/or misleading information.” Additionally, in a letter to Cobert, Rep. Jason Chaffetz (R-UT), who repeatedly called for the resignation of the previous OPM Director Katherine Archuleta, is calling for current OPM CIO Donna Seymour—appointed by Archuleta—to resign. [Bloomberg Business] [Stolen Consumer Data Is a Smaller Problem Than It Seems]

US – Fitness Firm Says Ex-Employee Stole Data

Exercise chain Planet Fitness has been granted a restraining order against a former payroll manager after successfully arguing the ex-employee is in possession of sensitive data that he threatened to release publicly. The ex-employee was mistakenly emailed the data because he shared the name of one of the company’s lawyers. After being asked to delete the email and its contents, and saying he had done so, the ex-employee later revealed he had downloaded the attachment along with other data, such as the PII of 900 Planet Fitness employees, including the executive team. The restraining order says the ex-employee cannot “use, copy, destroy, disseminate, transmit, secret, print, publish, tamper with or alter Planet Fitness’ confidential information.” However, the judge did not grant a request to seize all of the ex-employee’s electronic media. Meanwhile, an unnamed man employed by an unnamed federal agency is highlighted in an SFGate feature after complaining that he can’t turn off the GPS function on his employer-issued smartphone. [Seacoastonline.com] [Privacy breach no more: Eastern Health finds missing USB in file folder] [Michaels Breach: What We’ve Learned]

US – Faulty Record Disposal by Business Associate Exposes Physician Practice

FileFax Inc., a Chicago-area record storage and disposal company, is being sued by the Illinois attorney general’s office for improper disposal and exposure of thousands of patient medical records, which belonged to Suburban Lung Associates, a pulmonology group. Suburban Lung Associates had hired FileFax to dispose of the medical documents. Instead of properly disposing of the medical documents, FileFax dumped the records into an unlocked, public garbage dumpster. The documents that were placed in the dumpster contained records for about 1,500 patients and included information such as Social Security numbers, names and phone numbers, among other information. According to Elizabeth G. Litten, an attorney at Fox Rothschild LLP, many companies outsource the storage as well as disposal of records to a third party. [Mondaq News] [Breached Retailer: ‘I Wish I Had Known How Sophisticated …‘]

US – AG Investigating MIE Breach

The Indiana Office of the Attorney General (AG) is investigating the recent data breach at Medical Informatics Engineering (MIE), which exposed the Social Security numbers and medical information of 3.9 million people and could spell big trouble for the organization. “MIE is going to be in the limelight throughout the process,” the report states, noting AGs have the power to broaden the scope of investigations beyond HIPAA violations to include state laws. Meanwhile, James Young, one of the victims in the breach, is suing MIE, claiming it didn’t “take adequate and reasonable measures to ensure its data systems were protected” and did not “take available steps to prevent and stop the breach from ever happening.” [FierceEMR]

US – White House Details Contractor Data Breach Guidelines

The Office of Management and Budget (OMB) has released detailed guidance for data breach contract clauses for federal agencies. The newly proposed “Improving Cybersecurity Protections in Federal Acquisition” aims to make sure federal data is protected, whether inside a federally owned system or in a corporate vendor’s system. The guidance is open to comment until September 10. Once finalized, agencies’ senior privacy officers along with their chief information officers, chief acquisition officers, chief information security officers and other officials “shall immediately begin working together to apply the guidance,” the proposal states. [Next Gov] See also: [Is the FTC Guide a Sure-Fire Way To Stay Out of Trouble?] [Careers can end with the click of a mouse]

WW – ICANN Resets Passwords After Website Breach

The overseer of the Internet’s addressing system said that someone obtained information related to user accounts for its public website, although no financial information was divulged. ICANN, short for the Internet Corporation for Assigned Names and Numbers, said user names, email addresses, encrypted passwords and other data, such as bios, interests and newsletter subscriptions, were contained in the accounts. Despite the breach, the accounts as well as internal ICANN systems do not appear to have been accessed, the organization said in a post on its website. Although an investigation continues, ICANN said the “encrypted passwords appear to have been obtained as a result of unauthorized access to an external service provider.” It did not name that provider. [ComputerWorld]

US – Investigation Reveals HHS Incidents; IRS Breach Announced

A review of the Department of Health & Human Services (HHS) by the House Energy & Commerce Committee has revealed evidence of five breaches within three years. “What we found is alarming and unacceptable,” said Reps. Fred Upton (R-MI) and Tim Murphy (R-PA). “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack,” they continued. This announcement follows the IRS’s disclosure that a flash drive containing the personal information of some 12,000 Texas school district employees was “misplaced” by an IRS worker completing an audit of the district. [The Hill]

US – Shutterfly Wants Suit Dismissed

Shutterfly is asking a federal judge to dismiss a lawsuit accusing the company of “violating a state privacy law by compiling a database of ‘faceprints’.” The request responds to a lawsuit filed in June by Brian Norberg, who claims Shutterfly and its subsidiary ThisLife violated an Illinois biometrics privacy law by including his faceprint even though his photo was uploaded by someone else. But Shutterfly wrote in its dismissal motion, filed Friday with U.S. District Court Judge Charles Norgle in Illinois, “Helping a user re-identify his own friends within his own digital photo album does not violate any law.” [MediaPost]

US – Florida: DCF Employee, Husband Stole Identities to Get Public Assistance

As an employee of Florida’s Department of Children & Families, Clara Builes was in charge of approving applications for public-assistance benefits for the poor. But Miami-Dade prosecutors say that for nearly four years, she used her position to help steal the identities of several unsuspecting people, getting fraudulent benefit cards used to buy nearly $20,000 in food and groceries. Builes and her husband, Gonzalez Builes, 53, surrendered Wednesday to face an array of white-collar charges, including official misconduct, grand theft and public assistance fraud. [The Miami Herald]

Identity Issues

US – OCR Reaches First-Ever Transgender Privacy Settlement

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a voluntary settlement with a New York City medical center establishing a new standard of care for transgender patient privacy. The OCR reached the agreement with The Brooklyn Hospital Center (TBHC) after a patient alleged the Affordable Care Act was violated when TBHC assigned “a transgender female who presented as a female at the hospital … to a double-occupancy patient room with a male occupant,” the report states. Under the new agreement, TBHC will adopt and train employees on new transgender policies. Apgar & Associates Attorney Chris Apgar said, “The next settlement may not be a voluntary settlement and may include the levying of civil penalties.” [AIS Health]

WW – Hacker Demonstrates Ease of “Killing” Virtually Anyone

At the DEF CON event in Las Vegas, Chris Rock, CEO of Kustodian, demonstrated the ease with which he was able to have living people legally declared dead. Using online databases to pose as a doctor or funeral director, Rock was able to “game the system,” reports CSM’s Passcode, and have death certificates issued for living people. Similarly, Rock showed how he could create a “totally new virtual baby,” exploiting similar vulnerabilities in the birth registration process for many countries. Rock initially focused on the Australian system and “was shocked to find (death registration) was an online system without any protection at all.” With no verification process for doctors or funeral directors, “you can kill someone in about 10 minutes,” Rock said. [Full Story] [Just how easy is it to digitally fake a death?]

Internet / WWW

WW – Interpol is Training Police to Fight Crime on the Darknet

Interpol has just completed its first training course designed to help police officers use and understand the Darknet. The five-day course was held in Singapore and attended by officers from around the world. According to Interpol, the next course will be held in Brussels. The students did not, it seems, explore the Darknet itself. Interpol said in a statement that its Cyber Research Lab “created its own private Darknet network, private cryptocurrency and simulated marketplace, recreating the virtual ‘underground’ environment used by criminals to avoid detection.” Police forces have had some successes in the past two years, taking down the Silk Road drug-dealing site in 2013 and more than 400 services in Operation Onymous in November 2014. However, new services soon emerge to replace them. [ZDNet]

WW – Beacon Project: Privacy-Conscious Data Sharing?

The Global Alliance for Genomics and Health’s (GA4GH) Beacon Project utilizes beacons to allow organizations to share genomic data with greater ease. “A beacon is a web server that answers the question, ‘Have you observed this allele or mutation?’” explains GA4GH’s Marc Fiume, and it does not ask for the specifics of how or where. “Within this climate of data protectionism, the Beacon Project is a clever way to ask organizations to share even a little bit of information,” the report states, noting institutions can create “online search functions that let anyone in the world take a peek at their databases—but only to find a particular kind of information that was carefully chosen not to overly expose privacy or security risks.” [Bio-IT World]

WW – Coalition Issues Stronger DNT Standard

Digital rights group Electronic Frontier Foundation and a coalition of privacy-enhancing companies that includes Disconnect, Adblock, Mixpanel, Medium and DuckDuckGo, have issued a stronger Do-Not-Track (DNT) standard. EFF Chief Computer Scientist Peter Eckersley said, “We are greatly pleased that so many important web services are committed to this powerful new implementation of Do Not Track, giving their users a clear opt-out from stealthy online tracking and the exploitation of their reading history.” Disconnect Chief Executive Casey Oppenheim said, “The failure of the ad industry and privacy groups to reach a compromise on DNT has led to a viral surge in ad blocking, massive losses for Internet companies dependent on ad revenue and increasingly malicious methods of tracking users and surfacing advertisements online.” [The Guardian] [Privacy pressure group EFF announces stronger Do Not Track standard]

WW – Ad-Blocking Technology Expected to Cost Industry Billions

“If I don’t know what data is being collected on me, I’d rather block it.” That’s Guillermo Beltrà’s policy on pop-up advertisements. Beltrà is one of an increasing number of Internet users who are taking sophisticated measures to sidestep online revenue-generating efforts by using ad-blocking software. That’s according to a new report by Adobe and PageFair, which said such ad-blocking will lead to almost $22 billion of lost advertising revenue this year, up 41% compared to the last 12 months. That kind of trend is causing grave concerns for firms relying on online advertising for revenue, the report states. [New York Times] [Online ad-blocking is on the rise. That’s bad news for everyone.]

Law Enforcement

UK – Breach May Have Affected 2.4 Million

The UK Information Commissioner’s Office is “making inquiries” after retailer Carphone Warehouse said the personal details of up to 2.4 million customers may have been accessed in a cyber-attack discovered last week. The encrypted credit card details of up to 90,000 individuals may have been accessed, the company said. The other data accessed could include names, addresses, dates of birth and bank details. Those affected are being contacted. Dixons Carphone, which owns Carphone Warehouse, said additional security measures have been brought in and the affected websites have been taken down. [BBC News]

WW – Google to Restructure Into Alphabet Conglomerate

Google Cofounders Larry Page and Sergey Brin announced a massive restructuring of Google under the umbrella holding company now called Alphabet. Page writes, “Alphabet is mostly a collection of companies,” adding, “The largest of which, of course, is Google.” Under the new structure, Page will assume the role of CEO and Brin will be president of Alphabet, while Sundar Pichai—known for his work on Chrome and Android—will become the new CEO of Google. Each business under Alphabet will have a CEO “with Sergey and me in service to them as needed,” Page writes. X labs as well as Capital and Ventures, for example, will be broken out from Google under Alphabet. [Full Story]

US – Appeals Court Says Warrant Required for Cell Location Data

The Fourth US Circuit Court of Appeals has ruled that law enforcement must obtain a warrant prior to requesting cell phone location data from service providers. According to the decision, that information is protected under the Fourth Amendment. [SC Magazine] [The Register]

WW – “Marauder’s Map” App Revealed Facebook Users’ Locations

Harvard student Aran Khanna built a Chrome extension called “Marauder’s Map” that uses location data contained in interactions through Facebook’s Messenger app to determine users’ whereabouts within a meter. Khanna explained how he found an acquaintance’s dorm room by “looking at the cluster of messages sent late at night.” He then realized he could also locate users he was not friends with but were part of a certain group chat. Facebook asked Khanna to take down the app, which he did, though he uploaded the code to Github—while also directing readers to a page on protecting their privacy. Facebook promptly launched an update to Messenger and has revoked Khanna’s internship at the company. [Wired] [How Facebook could affect your chances of getting a loan]

WW – Software Engineer Obtains Thousands of Facebook Users’ Data

After a software engineer was able to access data on thousands of users by simply guessing their mobile telephone numbers, Facebook has been urged to tighten its privacy settings. Reza Moaiandin, the software engineer who alerted Facebook of the flaw through its “bug bounty” program, obtained the names, profile pictures and locations of users who had linked their mobile numbers to their Facebook accounts but hadn’t made it public, the report states. Moaiandin said the vulnerability leaves the system open to abuse and urged the site to add a second layer of encryption, which he says would have prevented him from finding the users’ information. [The Guardian] [Facebook urged to tighten privacy settings after harvest of user data]

Online Privacy

WW – EFF Launches Ad-Block Extension

After a period of beta testing, the Electronic Frontier Foundation (EFF), just days after announcing an alternative do-not-track (DNT) coalition and standard, has officially launched a Privacy Badger 1.0 browser extension that aims to stop advertisers and other third parties from secretly tracking users. “If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser,” the EFF states. Alan Chapell said, “There’s no mechanism for anyone in the digital media ecosystem to trust any DNT signal they receive. As a result, the entire framework is open to question.” [Consumer Affairs]
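The heuristic described above, a third party that appears with an identifier across multiple unrelated sites gets blocked, is modelled below as an added example; this is not EFF’s Privacy Badger code. The threshold of three first-party sites, the two-label approximation of a registrable domain, and the sample request records are all assumptions made for the illustration.

```python
"""Simplified model of a cross-site tracker heuristic (added example, not Privacy Badger's code).

Assumptions, not taken from the article:
- a third-party origin counts as "tracking" once it has been seen carrying a
  cookie or similar identifier on requests from N distinct first-party sites
  (N = 3 here);
- sites are grouped by registrable domain, approximated as the last two DNS
  labels (real tools consult the Public Suffix List instead).
"""
from collections import defaultdict
from dataclasses import dataclass

TRACKING_THRESHOLD = 3  # assumed: distinct first-party sites seen before blocking


@dataclass(frozen=True)
class Request:
    """One request the browser observed while rendering a page (constructed sample)."""
    first_party: str       # hostname of the page the user is visiting
    third_party: str       # hostname the page caused a request to
    has_identifier: bool   # request carried a cookie or other identifier


def base_domain(host: str) -> str:
    """Approximate registrable domain as the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class TrackerHeuristic:
    """Tracks which third parties have been seen linking visits across sites."""

    def __init__(self, threshold: int = TRACKING_THRESHOLD) -> None:
        self.threshold = threshold
        # third-party base domain -> set of first-party base domains it was seen on
        self._seen = defaultdict(set)
        self.blocked = set()

    def observe(self, req: Request) -> bool:
        """Record one request; return True if it should be blocked."""
        fp = base_domain(req.first_party)
        tp = base_domain(req.third_party)
        if fp == tp:
            return False  # same-site request, not a third party at all
        if not req.has_identifier:
            # Without an identifier this request cannot link visits, but a
            # domain already classified as a tracker stays blocked.
            return tp in self.blocked
        self._seen[tp].add(fp)
        if len(self._seen[tp]) >= self.threshold:
            self.blocked.add(tp)
        return tp in self.blocked

    def should_block(self, third_party: str) -> bool:
        return base_domain(third_party) in self.blocked


# Constructed browsing session: one tracker that follows the user across sites,
# one CDN that never sends an identifier.
SAMPLE_REQUESTS = [
    Request("www.news-site.example", "ads.tracker-example.net", True),
    Request("www.news-site.example", "cdn.news-site.example", True),   # same site
    Request("shop-site.example", "ads.tracker-example.net", True),
    Request("shop-site.example", "static.cdn-example.com", False),
    Request("blog-site.example", "pixel.tracker-example.net", True),   # third site
    Request("blog-site.example", "static.cdn-example.com", False),
    Request("forum-site.example", "ads.tracker-example.net", False),   # already blocked
]


def run_sample():
    """Replay the constructed session; returns the heuristic and per-request decisions."""
    heuristic = TrackerHeuristic()
    decisions = [heuristic.observe(r) for r in SAMPLE_REQUESTS]
    return heuristic, decisions


if __name__ == "__main__":
    h, decisions = run_sample()
    for req, blocked in zip(SAMPLE_REQUESTS, decisions):
        print(f"{req.first_party:>22} -> {req.third_party:<26} blocked={blocked}")
    print("blocked domains:", sorted(h.blocked))
```

The CDN is never blocked because it sends no identifier, while the tracker is blocked from its third distinct site onward, including on later requests that carry no identifier.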

WW – Google, Facebook Privacy Policies Rank Highest

Time and the Center for Plain Language reviewed the privacy policies of seven of the most ubiquitous tech companies and ranked them based on the clarity of language, finding Google and Facebook’s to be the most straightforward. “A privacy policy that consumers are unlikely to read or understand provides no protection whatsoever,” the report states. “The results of our study are quite consistent, especially at the top and bottom of the rankings: Google and Facebook do a good job of communicating their privacy policies in a way that allows consumers to understand and make decisions—at least motivated consumers. According to the analysis, Lyft and Twitter do a poor job of communicating those policies. The remaining companies—LinkedIn, Uber and Apple—do better in some areas than others.” [Full Story]

WW – Twitter Makes All Public Tweets Available to Advertisers

Twitter has announced that every public tweet posted since the beginning of the social network, more than nine years ago, will now be available to brands and advertisers. The more than 500 billion tweets will be searchable through a new API. “The dream of mining this data for real-time, in-depth, unbiased insights on a global scale is getting ever closer,” said Brandwatch’s Giles Palmer. Additionally, Twitter released its new Transparency Report, announcing it will expand its scope to include two new sections on trademark notices and email privacy practices. Message Systems also announced a new reporting tool developed with Twitter called the Email Privacy Report, which “details email encryption as it is transferred between domains and ISPs,” a report states. [Wired]

WW – Device Battery Life May Allow For Online Tracking

A new report from four French and Belgian security researchers reveals that a device’s battery status could allow websites to track users across the Internet without the users’ knowledge. A feature in the HTML5 specification allows websites to see users’ battery life in order to provide them with a lower-energy mode when their battery is getting low. The specification, introduced by the World Wide Web Consortium (W3C), allows sites to collect the data without consent because “the information disclosed has minimal impact on privacy or fingerprinting and therefore is exposed without permission grants,” W3C stated. The researchers disagree, however, pointing out that websites receive specific data on battery life, rendering such data as a sort of unique ID for a device. [The Guardian]

WW – Twitter’s Tweet-Sharing Is Troubling

Twitter’s declaration that companies will now have the ability to access over 500 billion public tweets is a problematic one, Rochester Institute of Technology’s Evan Selinger and Samford University’s Woodrow Hartzog write in an op-ed for CSM’s Passcode. “If you care about privacy, you’ll be troubled by the deepening commodification of our online conversations,” they write. Selinger and Hartzog point out that when we’re communicating with friends via social networks it is “easy to forget we’re really speaking directly to companies that need to monetize our data to grow. If these companies don’t give us good options for responding to diminished obscurity, they aren’t taking our privacy seriously.” [Full Story]

WW – The Shaky State of the Cookie Opt-Out

A new report examines the state of opt-outs on mobile devices and the challenges the industry faces. With a growing debate around consumer choice and ad blocking, “it’s clear that existing opt-out mechanisms aren’t exactly cutting it,” particularly with regard to cross-device tracking, the report states. Stanford University’s Jonathan Mayer wrote earlier this summer in a blog post that if the industry offers “an opt-out, they can only do so with a likelihood, but no guarantee, that the opt-out will transfer to other devices.” Experian Marketing Services’ Brienna Pinnow said, “How can the consumer understand this ecosystem if we ourselves are struggling with the best way to do it?” [Full Story]

Other Jurisdictions

WW – New Accountability Paper to Be Released at Nymity Workshops

Nymity heralds the publication of “Getting to Accountability: Maximizing Your Privacy Management Program,” a paper that works in conjunction with the corporation’s “Getting to Accountability” global workshop series, Nymity said in a statement. “The Nymity accountability paper is unique as it takes a resource-based approach to building a privacy management program,” said the company’s President, Terry McQuay. “It helps privacy offices overcome the challenges of communicating and evaluating a definitive privacy management program, leveraging and motivating individuals throughout the organization, and justifying the business case to obtain the necessary resources.” The paper will be released at the workshops. [Full Story]

WW – Other Jurisdiction News

China has issued a draft Network Security Law.

India’s Department of Biotechnology has released a modified draft of the Human DNA Profiling Bill, but according to one legal researcher privacy concerns remain unaddressed.

At a consultation meeting in Islamabad, a Pakistani cyber-crime bill received criticism over concerns that it is overly broad and could criminalize dissent.

India’s constitutional bench of the Supreme Court will decide if privacy is a fundamental human right, a move catalyzed by pushback on the government-mandated Aadhaar system, which utilizes biometric information for its citizen ID cards.

The Australian Labor Party is urging a rethink on the proposed Telecommunications Act.

23 individuals and 10 companies are being indicted by a Korean Supreme Prosecutors’ Office task force for violating the Personal Information Protection Act.

Chinese search engine Baidu has won its appeal in the Intermediate People’s Court of Nanjing City, which said its “use of cookies to personalize advertisements directed at consumers on partner third-party websites does not infringe consumer rights of privacy.”

Colombia’s Supreme Court has ruled that parents who monitor their under-18-year-old children’s online activity do not violate the minors’ privacy.

Russia’s data protection authority has been holding meetings with business associations to clarify the country’s localization law that goes into effect September 1.

Privacy (US)

US – Neiman Marcus Continues Battle against Class-Action

A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, if the decision is allowed to stand, it “will impose wasteful litigation burdens on retailers and the federal courts.” That’s the argument Neiman Marcus made in a petition asking the full Seventh Circuit to rehear the case. Last month, the panel ruled Neiman Marcus customers whose credit card information was potentially exposed in a 2013 breach could proceed with their proposed class-action, finding the customers alleged sufficient injuries associated with subsequent identity-theft protection and fraudulent charges. Editor’s Note: A recent post for Privacy Tracker analyzed the Neiman Marcus case. [Full Story] [US – Donald Trump offered access to the Republican National Committee’s voter file]

US – Protester Arrests Draw Attention to SCOTUS Decisions

After Black Lives Matter protesters Johnetta Elzie and DeRay Mckesson were arrested on Monday along with 57 other protesters in St. Louis, MO, their social media posts pronounced disquiet about procedural cheek-swabbing. This draws attention to a 2012 Supreme Court decision that protects the move’s legality. Alonzo King first challenged the idea of DNA swabbing upon arrest after his genetic information was matched to an unsolved rape, which he was later convicted of, a move that he argued infringed his Fourth-Amendment rights. In the resulting case, Maryland v. King, the Supreme Court narrowly disagreed. Similarly, the protestors’ reliance on cell-phone video and social media posts draws attention to 2014’s Riley v. California, which found that police cannot search cell phones during arrest without a warrant. Without that decision, the report argues, “you don’t have to be Fox Mulder to see the potential for government abuse.” [Full Story]

US – NTIA Drone Talks Begin

The National Telecommunications and Information Administration (NTIA) held its first meeting with stakeholders to discuss best practices for drone usage. The NTIA’s John Verdi explained the goal is to “inform” the technology’s development, the report states. “We are not regulators,” said the NTIA’s Angela Simpson. “We are not developing rules or bringing enforcement actions,” noting that unifying stakeholder perceptions of “common-sense best practices” would permit a “major boon” for drones. While groups like the Motion Picture Association of America expressed support for the NTIA gathering, they argued that “existing laws and regulations and the good conduct of their members will do most of the heavy lifting on privacy protections for the new technology.” Further meetings are scheduled for the fall. Editor’s Note: Joseph Jerome recently wrote a piece for Privacy Perspectives on why privacy pros should be involved with drone discussions. [Full Story] [NZ: First TV drone complaint: No breach] [Vancouver woman says drone appeared to be trying to get images of her suntanning topless on balcony]

US – Jeep Owners File Complaint

A potentially massive lawsuit may follow Jeep’s hacking scandal, Wired reports. Three Jeep Cherokee owners have filed a complaint against Fiat Chrysler Automobiles and Harman International—the maker of the Connect dashboard computer in millions of Chrysler vehicles, the report states. A security flaw in the Connect dashboard was the entry point for the security researchers who last month demonstrated they could wirelessly hack into a 2014 Jeep over the Internet, interfering with its steering, brakes and transmission. The plaintiffs are inviting anyone with a Connect system to join the complaint, which accuses the companies of fraud, negligence, unjust enrichment and breach of warranty. [Full Story] [Chrysler Knew of Vulnerability for More than a Year | Bloomberg | Wired] SEE ALSO: [VW Hid Security Flaw For Two Years] [Tesla Patches Model S Software Vulnerabilities | Wired | CNET | BBC]

US – NHTSA Investigating Car Cybersecurity

The National Highway Traffic Safety Administration (NHTSA) is expanding its investigation into automobile cyber security concerns. Initially the agency was focusing on Chrysler, which last week issued a recall to fix a software issue in 1.4 million cars. Now NHTSA wants to find out what other car manufacturers may have used similar parts. [The Hill] [slate.com: The Fourth Amendment and Driverless Cars – Should cops need a warrant to access data from your self-driving vehicle?]

IN – Supreme Court to Rule on Right to Privacy

India’s constitutional bench of the Supreme Court will decide if privacy is a fundamental human right, a move catalyzed by pushback on the government-mandated Aadhaar system, which utilizes biometric information for its citizen ID cards. “The government had told the court last month that privacy was not a fundamental right and there were several restrictions related to the subject,” the report states. “Some rights activists however have argued that the collection of biometric data (for the Aadhaar system) including iris scans and finger printing is a violation of privacy. They added that as private agencies were contracted to collect the personal data, there are serious concerns about the safety of the sensitive personal data in private hands.” [Full Story] [India: Supreme Court slams Govt: No right to liberty if no privacy]

US – FTC Closes Morgan Stanley Investigation

The FTC will not pursue disciplinary action against Morgan Stanley after concluding an investigation of the corporation’s 2015 breach. In a letter to Morgan Stanley’s legal team, FTC Associate Director of the Division of Privacy and Identity Protection Maneesha Mithal explained the move, which the report argues “suggests that if an entity has appropriate policies in place, but there’s a failure due to ‘human error,’ then the FTC will not necessarily pursue a case,” adding that “in this case, the access controls for one narrow set of reports was configured improperly, and Morgan Stanley corrected the problem as soon as they become aware of it.” [Full Story]

US – FTC Seeks Public Comment on New Potential Consent Method

The FTC has issued a request for public comment on a proposed verifiable parental consent method under the Children’s Online Privacy Protection Act (COPPA) Rule. Riyo submitted a proposal for a consent method that involves “validating a parent’s face against an online presentation of verified photo identification.” The method is based on a fraud-prevention tool currently in use, Riyo said, adding the method differs from those in the COPPA Rule because it uses computer vision technology, algorithms, image forensics and multi-factor authentication. The FTC is seeking public comment through September 3 on whether the method is covered under COPPA already and whether the benefits of the program outweigh risks to consumer data. [Full Story]

US – Judge Won’t Dismiss Sony Suit

A California court has upheld a class-action suit against Sony in which nine of the corporation’s 15,000 victims of the 2014 breach claim Sony showed “negligence, breach of implied contract … and violation of the California Confidentiality of Medical Information Act.” While “Sony argued that the plaintiffs endured no current or threatened injury that is impending,” U.S. District Court Judge R. Gary Klausner disagreed. “The information included financial, medical and other personally identifiable information, was used to threaten the individual victims and their families and was posted on the Internet,” Klausner stated, adding, these “alone are sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.” [Full Story]

US – FTC Charges Data Brokers in $7 Million Financial Scam

The FTC has charged data brokers with illegally selling the sensitive financial information of payday loan applicants “to a scam operation” that effectively bilked more than $7 million from approximately 500,000 applicants. According to the FTC press release, scammers debited individuals’ bank accounts and charged their credit cards without consent. “Scammers used consumer information they bought from this operation to make millions in unauthorized charges,” said FTC Bureau of Consumer Protection Director Jessica Rich. “Companies that collect people’s sensitive information and give it to scammers can expect to hear from the FTC.” The defendants are Sequoia One, Gen X Marketing Group, Jason A. Kotzker, Theresa D. Bartholomew, John E. Bartholomew and Paul T. McDonnell. [Full Story]

US – NYC Hospitals Ban Filming of ER Reality TV Without Prior Written Consent

New York City hospitals will no longer allow the filming of reality TV in their wards without prior written consent. According to the New York Post, the Greater New York Hospital Association said in a statement that the ban “effectively puts an end to ‘reality TV’ in New York’s emergency rooms.” The ban was sparked by an April 2011 accident that claimed the life of an 83-year-old man struck by a garbage truck in Manhattan. ABC “NY Med” filmed the efforts to save the victim and the exchanges between the doctors and his relatives. Although the family’s faces were obscured, the family said they recognized themselves when the show aired in August 2012. Manhattan City Councilman Dan Garodnick says “reality TV has no place in our emergency rooms.” [680 News]

US – Target Joins the Beacon Bandwagon with Trial in 50 Stores

Target, the nation’s second-largest discount chain, is testing beacon technology in 50 of its stores. The retailer joins a growing number of retailers that hope to attract customers with timely deals sent to their smartphones and smartwatches on products based on their location. At the same time, use of beacons worries privacy experts, who say that too much personal data is being collected and stored by retailers or third parties. That data, they said, could become vulnerable to hackers. The use of beacons will only add to the growing pool of personal data available to hackers, analysts said. The primary focus of Target’s announcement Wednesday was on ways that customers can improve their in-store experience by connecting to the egg-sized beacons that are spread around the store. The beacons use Bluetooth technology to connect to the customer’s device via an updated Target app. The app is available now for iPhones and is coming soon to Android devices. [Computerworld]

US – Commissioners: Simmer Down, FCC

The FCC’s Michael O’Rielly and the FTC’s Maureen Ohlhausen take umbrage with the FCC’s Open Internet Rules initiatives, which they argue will create onerous privacy restrictions for Internet providers. “The FCC should refrain from imposing its Byzantine privacy regime on broadband and Internet providers,” they write in an op-ed for The Wall Street Journal. “If it doesn’t, Congress may need to reemphasize the roles it has set for agencies regarding privacy and data security issues.” They also discuss the change in FTC and FCC jurisdiction. “Privacy enforcement over Internet service providers … previously resided with the FTC,” The Hill reports. “But when the FCC took the controversial step of reclassifying Internet access, it also snatched up that role.” [Full Story] [US — Rand Paul and Chris Christie tangle over surveillance during Republican debate]

US – Commissioner Wright to Leave FTC

The FTC announced that Commissioner Joshua Wright will resign his post, serving his last day on August 24. He has served since his appointment by President Barack Obama in January 2013. “The agency has benefited greatly from his perspective as a lawyer and economist,” said FTC Chairwoman Edith Ramirez. “We are going to miss him.” Wright writes in his resignation statement that he will return to George Mason University School of Law as a professor of law. Notably a dissenter on recent FTC reports and settlements, including the IoT report in January and Nomi Technologies settlement in April, Wright said of his colleagues, “While we agreed upon the right course of action for the Commission more often than not, when we did disagree, our discussions were always productive and respectful of the diverse perspectives within the agency.” [Full Story]

US – Court Upholds FCRA Dismissal

The Seventh Circuit has upheld the dismissal of a suit alleging Advocate Health and Hospitals violated the Fair Credit Reporting Act (FCRA). The proposed class-action alleged Advocate Health and Hospitals failed to protect health data that was stolen from its offices, the report states, noting the Seventh Circuit indicated the hospital is not a “consumer reporting agency.” The Seventh Circuit said Advocate Health and Hospitals does not “get paid for assembling information on patients; instead, it sends information to insurers and government agencies in order to get paid. This excludes Advocate from being considered a consumer reporting agency under the FCRA,” the report states. [Full Story]

US – Strippers’ Info Kept Away from Praying Man

A group of Washington strippers and club managers do not have to disclose their personal information requested by a man who wants to pray for them, a federal judge ruled. Tacoma resident David Van Vleet filed a Public Records Act request with the Pierce County auditor as a private citizen, seeking the personal information of dancers at DreamGirls at Fox’s, a strip club in Parkland, Washington. Van Vleet told local reporters that he requested the information because he wanted to pray for them. “I’m a Christian,” Van Vleet said. “We have a right to pray for people.” [Courthouse News Service]

US – Other Privacy News

The FCC’s Michael O’Rielly and the FTC’s Maureen Ohlhausen take umbrage with the FCC’s Open Internet Rules initiatives, which they argue will create onerous privacy restrictions for Internet providers.

U.S. District Court Judge Lucy Koh’s ruling to elevate an email privacy suit against Yahoo to a class-action still stands, according to the Ninth Circuit Court of Appeals, which rejected Yahoo’s request to overturn Koh’s decision.

The Seventh Circuit has upheld the dismissal of a suit alleging Advocate Health and Hospitals violated the Fair Credit Reporting Act.

The Ninth Circuit Court of Appeals upheld the dismissal of a class-action suit alleging Netflix violated the Video Privacy Protection Act.

The Seventh Circuit Court of Appeals overturned a district court ruling that had tossed a class-action lawsuit against Neiman Marcus over its 2014 data breach.

Privacy-minded members of Congress aim to curb federal use of Stingrays, which function similarly to cell-phone towers, allowing phones within a certain space to connect and unknowingly share information with agencies like the FBI.

In two separate cases, judges have ruled that owning a cell phone does not equate to an agreement allowing law enforcement to access and use location data.

The Shutterfly biometric case is challenging the Illinois Biometric Information Privacy Act.

Court cases involving the collection of biometric information may mean Illinois’ biometric privacy law will serve as a guide for other states looking to implement similar legislation.

Privacy Enhancing Technologies (PETs)

WW – Mozilla to Offer Anti-Tracking Tool; Privacy-Based Browsers Grow

Mozilla is testing enhancements to private browsing in Firefox that would prevent third parties from tracking users across sites. While many browsers have a do-not-track option, many companies don’t honor them, the report states. Mozilla’s experimental tool would block outside parties from tracking users via cookies and browser fingerprinting. Search engines aimed at protecting user privacy are seeing a surge in business. DuckDuckGo reports its daily search query numbers have grown 600 percent since the Snowden revelations. Meanwhile, Microsoft is refuting allegations that it’s collecting specific consumer data through its Windows 10 operating system. [Full Story] [WW – As browser wars get personal, Firefox gives privacy a try]

WW – NII Releases Privacy Visor

The National Institute of Informatics has released the newest iteration of its privacy visor, and it’s set to go on sale next year. The device aims to conceal the privacy-conscious from photo-recognition technology by employing “light-reflective material and a mask, which uses angles and patterns to disrupt facial-recognition technology through both absorbing and bouncing back light sources,” the report states. “Photos taken without people’s knowledge can violate privacy,” the team of researchers behind the product said. “For example, photos may be posted online together with metadata including the time and location. But by wearing this device, you can stop your privacy being infringed in these ways.” [Full Story] [‘Privacy Visor’: Japan designs eyewear to prevent facial recognition]

Winning Study Has Lessons for Product Design

It’s relatively intuitive that the more tech knowledge individuals have, the more likely they are to identify privacy risk as they use tech products. The award-winning paper, “My Data Just Goes Everywhere,” confirms this. However, that ability to identify privacy risk helps very little, researchers found, in spurring people to actively avoid that risk. Jedidiah Bracy looks into why this is, what does trigger risk-avoidance and what that suggests for product design and privacy policy, in this post for Privacy Tech. Meanwhile, ITBusiness Edge encourages technologists to ask “are we abetting the data collectors in something that might be bad for society’s—and our own—best interest?” [Full Story]

Apps for Keeping Conversations Private

Companies are addressing consumer concerns with “dark social” apps that allow users to send messages without the “traceable footprint,” CNBC reports. Privacy is “getting more and more to the forefront of people’s consciousness,” said Open Garden Chief Marketing Officer Christophe Daligault. “There’s chatter about the snoopers. Geotargeting and governments are trying to provide a number of ways for people to not be able to communicate privately, and there’s a growing concern of a cat-and-mouse game.” Enter apps like OM, Open Garden’s messenger that allows “completely off-the-grid conversations.” These apps have proven successful, with 93% of respondents to a 2014 RadiumOne poll indicating they had used a “dark social” tool “more than three times the rate they used Facebook for the same purposes,” the report states. Editor’s Note: Privacy communications start-ups Confide, Personal, and Disconnect.Me will discuss their technology at the Privacy.Security.Risk. conference’s “New Innovations in Privacy and Security” panel in Las Vegas Sept. 30-Oct. 1. [Full Story]


US – New IoT Guidelines Open for Comments

The Online Trust Alliance (OTA) has published a series of guidelines for corporations like Microsoft and Target involved in the production and sale of Internet-of-Things devices, calling for tighter privacy policies, greater use of encryption and an attitude of long-term privacy sustainability. Without a framework of best practices, it “could lead to hackers remotely opening garage doors and turning on baby monitors that are no longer patched, to infiltrating fitness wearables to spy on health vitals, or creating mayhem by sabotaging connected appliances,” said the OTA in a statement. The group is accepting comments on its guidelines until September 14. [Full Story] See also: [Wearable tech will transform sport – but will it also ruin athletes’ personal lives?], [A DEFCON-Black Hat Roundup for the Privacy Pro] and [Brookings: Building Economies with Privacy in Mind]

US – Online Trust Alliance Develops IoT Security Guidelines

The Online Trust Alliance (OTA), whose members include Microsoft, Symantec, and Verisign, says that the manufacturers of smart home devices and other Internet-connected products that make up the Internet of Things (IoT) are not paying attention to the need to build in security. It has issued suggested guidelines for manufacturers, developers, and retailers, and is inviting public comment. [The Register] [ZDNet] [CNET] [NYT: Why ‘Smart’ Objects May Be a Dumb Idea]

UK – Apple’s Airdrop Abused By ‘Cyber-Flashing’ London Train Perv

Perverts have latched onto Apple’s AirDrop as a means of pushing unsavoury content at unsuspecting commuters. Lorraine Crighton-Smith, 34, received two unsolicited pictures of an unknown man’s penis on her iPhone via AirDrop as she was travelling to work on a train in south London. Officers are investigating the case, which they reckon is the first of its type they have come across. AirDrop is Apple’s peer-to-peer file-transfer feature for supported Macs and iDevices; it uses Bluetooth to discover nearby devices and a direct Wi-Fi link to carry the file, so reaching a stranger in the same carriage needs no network account, phone number or contact details. Apple introduced it on iOS with the release of iOS 7 back in 2013, and it is supported by devices from the iPhone 5 onwards. AirDrop’s receiving setting defaults to “Contacts Only”; many users switch it to “Everyone” to accept a file from someone not in their address book and never switch it back. From that point on any nearby stranger can push content at them, and because iOS shows a preview of an incoming image in the accept/decline prompt, the picture is displayed before the recipient has a chance to refuse it. Setting AirDrop back to “Contacts Only” or “Receiving Off” when it is not in use closes the door. [The Register]


US – White House Calls for Increased Cybersecurity Budgets

The Obama administration has proposed a $14 billion budget increase for the IRS, Department of Health and Human Services and other agencies’ 2016 cybersecurity allotments, a figure that represents a 72-percent increase in security funding, National Journal reports. Budget documents indicated that with the greater resources, “the IRS would take especially aggressive steps to fight identity theft and stolen identity refund fraud,” including “systems improvements and new information-sharing with states and industry to help detect and prevent identity theft before tax refunds are paid.” [Full Story]

US – Hackers Compromised Emails from “All” Top Security, Trade Officials

According to a secret document, Chinese hackers have compromised “the private emails of ‘all top national security and trade officials’” since 2010. The unnamed source indicated the attacks were ongoing. The revelation has opened the door to criticism of the U.S. government’s attitudes regarding cybersecurity. “The U.S. government has proven itself incompetent” in protecting its data, said Fight for the Future’s Evan Greer, adding, “Information-sharing bills like CISA would make us even more vulnerable by dramatically expanding the amount of private data the U.S. government keeps in its databases and the number of government and law enforcement agencies who would house that data.” [NBC News]

US – FTC Recommends 10 Steps to Help Ensure Data Security

While there is no generally applicable federal law in the U.S. requiring all businesses to take particular steps to secure their sensitive data, the FTC has investigated and penalized numerous companies for failing to implement “reasonable” data security standards. In an effort to help guide U.S. businesses on the question of what constitutes “reasonable” security measures, the FTC launched a “Start with Security” initiative on June 30th to provide information to businesses about data security and the protection of consumer information. The initiative comprises three elements: a publication containing lessons from more than 50 data security cases brought by the FTC; a series of educational conferences across the country aimed at small- and medium-sized businesses in various industries; and a website that consolidates the Commission’s data security information for businesses. The publication’s ten lessons are: [fkks.com]
1) Start with Security.

2) Control Access to Data Sensibly.

3) Require Secure Passwords and Authentication.

4) Store Sensitive Personal Information Securely and Protect It During Transmission.

5) Segment Your Network and Monitor Network Activity.

6) Secure Remote Access to Your Network.

7) Don’t Forget About Security for New Products.

8) Make Sure Your Service Providers Implement Reasonable Security Measures.

9) Update Security Practices.

10) Secure Paper, Physical Media, and Devices. [Source]

WW – Lenovo Installs Unremovable Unwanted Software

Lenovo has been using code in the firmware of some devices to make unwanted software persist even after users reinstall the operating system. The component, which Lenovo calls Lenovo Service Engine, rides on Microsoft’s Windows Platform Binary Table (WPBT): an ACPI table through which the firmware hands Windows a native executable that the Session Manager copies to disk and runs during boot, regardless of what is on the hard drive. Because the payload lives in firmware rather than on disk, wiping and reinstalling Windows does not remove it; only a firmware update does, and Lenovo has since released BIOS updates that drop the component. [v3.co.uk] [ZDNet] and see also: [Intel Architecture Flaw Lets Attackers Install Rootkits]
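To see what a firmware is handing to Windows through this channel, the table itself can be read and decoded. The Python below is an added example, not code from Lenovo, Microsoft or the articles cited above: it parses a WPBT table (field layout per Microsoft’s WPBT specification, a 36-byte ACPI header followed by handoff size, handoff physical address, content layout, content type and, for layout 1, a length-prefixed UTF-16 command line), verifies the ACPI checksum so a corrupted or spoofed table is not reported as benign, and returns the OEM identity, the memory region holding the planted binary and its command line. The sysfs path is the standard Linux location for ACPI tables; the sample blob is constructed here for demonstration and the OEM id, address and command line in it are invented.

```python
import struct
from typing import Optional

# Field layout follows Microsoft's "Windows Platform Binary Table (WPBT)" spec:
# a standard 36-byte ACPI table header, then the WPBT body, then (for content
# layout 1) an optional UTF-16 command line prefixed by its byte length.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # sig, length, revision, checksum, OEM id, OEM table id, OEM rev, creator id, creator rev
WPBT_BODY = struct.Struct("<IQBB")              # handoff size, handoff physical address, content layout, content type
CONTENT_LAYOUT_SINGLE_PE = 1                    # one PE image resident in the handoff region
CONTENT_TYPE_NATIVE_APP = 1                     # a native (NT API) user-mode application


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to zero modulo 256 over its declared length."""
    return sum(table) % 256 == 0


def parse_wpbt(blob: bytes) -> dict:
    """Decode a WPBT table and report what the firmware is asking Windows to run.

    Raises ValueError on a wrong signature, an inconsistent length or a bad checksum,
    so a corrupted or spoofed table is never silently reported as benign.
    """
    min_len = ACPI_HEADER.size + WPBT_BODY.size
    if len(blob) < min_len:
        raise ValueError("blob too short for a WPBT table")
    sig, length, rev, _chk, oem_id, oem_tid, _oem_rev, _cid, _crev = ACPI_HEADER.unpack_from(blob, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length < min_len or length > len(blob):
        raise ValueError("declared length inconsistent with blob")
    table = blob[:length]
    if not acpi_checksum_ok(table):
        raise ValueError("bad ACPI checksum")
    handoff_size, handoff_addr, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    cmdline = ""
    if layout == CONTENT_LAYOUT_SINGLE_PE and length >= min_len + 2:
        off = min_len
        (cmdlen,) = struct.unpack_from("<H", table, off)  # byte length of the UTF-16 command line
        raw = table[off + 2 : off + 2 + cmdlen]
        cmdline = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", errors="replace"),
        "oem_table_id": oem_tid.rstrip(b"\x00 ").decode("ascii", errors="replace"),
        "revision": rev,
        "handoff_size": handoff_size,
        "handoff_addr": handoff_addr,
        "content_layout": layout,
        "content_type": ctype,
        "command_line": cmdline,
    }


def load_wpbt(path: str = "/sys/firmware/acpi/tables/WPBT") -> Optional[dict]:
    """Read the live table from Linux sysfs (needs root); None means no WPBT is exposed."""
    try:
        with open(path, "rb") as f:
            return parse_wpbt(f.read())
    except FileNotFoundError:
        return None


def build_wpbt(oem_id: bytes, handoff_addr: int, handoff_size: int, cmdline: str) -> bytes:
    """Assemble a syntactically valid WPBT blob. Test fixture only, not real firmware."""
    cmd = cmdline.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(handoff_size, handoff_addr, CONTENT_LAYOUT_SINGLE_PE, CONTENT_TYPE_NATIVE_APP)
    body += struct.pack("<H", len(cmd)) + cmd
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id.ljust(6, b" "), b"WPBTTBL ", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) % 256  # checksum byte sits at offset 9 of the ACPI header
    return bytes(table)


# Constructed sample (invented values): a vendor-planted native app, handed off at
# physical address 0x7F000000, that Windows is told to run with one argument.
SAMPLE_WPBT = build_wpbt(b"EXMPLE", 0x7F00_0000, 0x2_0000, "-silent")

if __name__ == "__main__":
    live = load_wpbt()
    print("live WPBT:", live if live else "none exposed by this firmware")
    print("sample WPBT:", parse_wpbt(SAMPLE_WPBT))
```

Running it from a Linux live USB is a quick way to audit a machine before (and after) a firmware update, since the table is present whether or not Windows is installed. On Windows the same table is exposed in the registry under HKLM\HARDWARE\ACPI\WPBT, and Microsoft’s WPBT specification documents a kill switch, the DWORD value DisableWpbtExecution set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which stops the Session Manager from running the planted binary without touching the firmware.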

WW – Security Flaws in ZigBee Wireless Standard

Researchers have found weaknesses in how ZigBee, the low-power wireless standard used in many IoT devices and smart home networks, secures a network; they could be exploited to compromise vulnerable devices and take control of other devices on the same network. The research, presented at Black Hat, centres on device joining: the Home Automation profile requires support for a publicly known default link key, so an attacker sniffing at the moment a device joins can recover the network key and then read, replay or inject traffic for every device on that network. [ZDNet] [The Register]

WW – (Some) Android (Users) to Get Monthly Updates

Google and companies that manufacture Android devices are distributing a fix for the critical Stagefright vulnerability. Android users have usually not received security updates in a timely manner; Google, Samsung, and LG now say they will issue monthly security updates for Android devices. [ComputerWorld] [The Register] [Ars Technica] [WW – Where did the principle of secrecy in correspondence go? ]

WW – Hacking Printers to Send Data as Radio Waves

A team of security researchers has demonstrated the ability to hijack standard components inside computers, printers and millions of other devices in order to send information out of an office over the air. The attack program takes control of the physical pins on general-purpose input/output (GPIO) circuits and toggles them at a frequency of the researchers’ choosing, turning the pins and their traces into a crude transmitter whose emissions can be picked up with an AM radio antenna a short distance away. Because the data never crosses the network, firewalls and network monitoring see nothing to block. [The Whig]

Smart Cards

US – Stingrays in Congressional Crosshairs

Privacy-minded members of Congress aim to curb federal use of Stingrays, which function similarly to cell-phone towers, allowing phones within a certain space to connect and unknowingly share information with agencies like the FBI, USA Today reports. “I don’t see how you can use a Stingray without it raising very substantial privacy issues,” said Sen. Ron Wyden (D-OR). “I want police to be able to track dangerous individuals and their locations, but it ought to be done with court oversight under the Fourth Amendment.” This summer, the House passed an amendment to the Justice Department’s funding bill to “bar funding for the use of Stingrays without a warrant,” the report states, noting the Justice Department has said it is “reviewing its policies” regarding the use of Stingrays. [Full Story]

US – App Will Help RNC Manage Updated Voter Database

A new app to be unveiled by the Republican National Committee’s (RNC) chief technology officer includes a toolkit for helping campaigns manage their field operations, Bloomberg reports. The product is called Republic VX and allows campaigns to look at the efficacy of specific volunteers, for example, or even detect when volunteers are lying by claiming they’d knocked on more doors than they had, the report states. It will use the RNC’s voter file, automating updates to it by the end of each election season to keep the database fresh. It’s an indication of the RNC’s new seriousness about using and improving data systems for campaigning, the report states. [Full Story]


CN – China to Establish Police Presence at Major Internet Companies

The Chinese government plans to put “network security offices” staffed by police at large Internet companies in that country. The goal is to “catch criminal behavior online at the earliest possible point.” There is some suspicion that the plan is also part of the country’s efforts to censor what people in that country can view on the Internet. [CNET] [ComputerWorld] [Wired] [What does the panopticon mean in the age of digital surveillance?] [It’s incredibly difficult to stop the Internet from knowing you’re pregnant]

US – EINSTEIN’s Effectiveness Called Into Question

As the Department of Homeland Security (DHS) pushes the Carper-Johnson Federal Cybersecurity Enhancement Act of 2015, a bill that would hasten the adoption of network-monitoring program EINSTEIN, critics question EINSTEIN’s effectiveness in light of the Office of Personnel Management breaches, Federal Times reports. “It’s not necessarily the best out there, but if that’s the fastest way to get government agencies to catch up to the rest of the world on protecting themselves, the bill could be a good thing,” said the SANS Institute’s John Pescatore. “But if that happens at the expense of the deployment of best-in-breed detection and prevention systems, then that’s a bad thing.” He added that deploying EINSTEIN would “at least get each agency to square one … but unfortunately, the attacks have moved on to square three and four.” [Full Story]

WW – ECHELON: The Surveillance Program that Predated Snowden

There is a long history of government data collection—even before digital surveillance was possible. Over the last 50 years, Project ECHELON enabled the U.S. and UK to track enemies and allies within and outside national borders. It’s a program that’s evolved from keywords intercepted in faxes to today’s “all-encompassing data harvesting,” the report states. Privacy advocate Duncan Campbell first made reference to ECHELON in 1988, and in 2000, 60 Minutes published a report on the scope of the program. In 2005, some speculatively pointed to ECHELON as a potential tool the Bush Administration was using, but it wasn’t until the Snowden revelations that it became clear the program exists. [TechCrunch]

CA – Hidden Camera Discovered at Ontario Federation of Labour Headquarters

The discovery of a hidden video camera at the Ontario Federation of Labour headquarters has shaken employees and triggered bitter finger pointing and strong denials among current and former top union brass. In early July, a staff member discovered a concealed working camera in an exit sign near the reception area of the building at 15 Gervais Dr. in Toronto. Ontario Federation of Labour president Sid Ryan confirmed a grievance has been filed by a staff member with respect to the camera. He says he was told cameras were installed in the building “for security reasons” but says he had no idea there was a hidden camera in the reception area until it was discovered by a staff member this summer. [Waterloo Region Record]

WW – Airline Begins Weighing Passengers for ‘Safety’

In a recent statement, Uzbekistan Airways, the country’s flag carrier announced it will weigh passengers and their carry-on luggage prior to flights to determine how much weight they’ll be adding to the plane. “According to the rules of International Air Transport Association, airlines are obliged to carry out the regular procedures of preflight control passengers weighing with hand baggage to observe requirements for ensuring flight safety,” says the airline’s statement. An IATA spokesperson, however, tells CNN the organization isn’t aware of any such regulation. “We are not aware of an IATA rule concerning the weighing of passengers and their hand luggage prior to flight,” says Chris Goater, manager of IATA corporate communications, via email. [CNN]

Telecom / TV

US – AT&T Helped U.S. Spy on Internet on a Vast Scale

The National Security Agency’s ability to spy on vast quantities of Internet traffic passing through the United States has relied on its extraordinary, decades-long partnership with a single company: the telecom giant AT&T. While it has been long known that American telecommunications companies worked closely with the spy agency, newly disclosed N.S.A. documents show that the relationship with AT&T has been considered unique and especially productive. One document described it as “highly collaborative,” while another lauded the company’s “extreme willingness to help.” AT&T’s cooperation has involved a broad range of classified activities, according to the documents, which date from 2003 to 2013. AT&T has given the N.S.A. access, through several methods covered under different legal rules, to billions of emails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T. The N.S.A.’s top-secret budget in 2013 for the AT&T partnership was more than twice that of the next-largest such program, according to the documents. The company installed surveillance equipment in at least 17 of its Internet hubs on American soil, far more than its similarly sized competitor, Verizon. And its engineers were the first to try out new surveillance technologies invented by the eavesdropping agency. One document reminds N.S.A. officials to be polite when visiting AT&T facilities, noting, “This is a partnership, not a contractual relationship.” The documents, provided by the former agency contractor Edward J. Snowden, were jointly reviewed by The New York Times and ProPublica. The N.S.A., AT&T and Verizon declined to discuss the findings from the files. “We don’t comment on matters of national security,” an AT&T spokesman said. [New York Times]

AU – Pilgrim Prods Telcos on Data Retention Privacy

Acting information commissioner Timothy Pilgrim has reminded telcos of their privacy obligations when it comes to retaining customer information in order to comply with the government’s data retention regime. Under the data retention scheme, telcos will need to retain for at least 24 months a range of customer information, ranging from billing information to call and email records. [computerworld.com.au]

US – Cybersecurity Bill Could ‘Sweep Away’ Internet Users’ Privacy, Agency Warns

The Department of Homeland Security (DHS) said a controversial new surveillance bill could sweep away “important privacy protections”, a move that bodes ill for the measure’s return to the floor of the Senate this week. The latest in a series of failed attempts to reform cybersecurity, the Cybersecurity Information Sharing Act (CISA) grants broad latitude to tech companies, data brokers and anyone with a web-based data collection to mine user information and then share it with “appropriate Federal entities”, which themselves then have permission to share it throughout the government. [The Guardian]

US – Judges: Users Shouldn’t Be Forced to Give Up Phones for Privacy

Two judges in two separate cases that dealt with the use of smartphones have ruled that owning a cell phone does not equate with a wholesale agreement for law enforcement access and use of location data. “We cannot accept the proposition that cell-phone users volunteer to convey their location information simply by choosing to activate and use their cell phones and to carry the devices on their person,” said Fourth Circuit Judge Andre Davis. And in a California case, U.S. District Court Judge Lucy Koh said “making it this easy to track Americans is a violation of the constitutional right to be protected against unreasonable searches,” adding that “it is untenable to force individuals to disconnect from society just so they can avoid having their movements subsequently tracked by the government.” [Fusion]

WW – BYOD’s Potential Headaches

Forbes and IT News Africa report on the challenge organizations face in protecting bring-your-own-device (BYOD) tools from attack while not impairing user privacy. “Simply locking down mobile devices, however, is not a realistic response. Instead, organizations should give users freedom to use devices as they like, while assuming that they may in fact become compromised,” said Lookout CTO Kevin Mahaffey. “This requires appropriate security controls that can detect compromise and react in real-time to isolate the device from sensitive data until it recovers.” Meanwhile, Canada’s Office of the Privacy Commissioner, as well as the Offices of the Information and Privacy Commissioner in Alberta and BC, are cautioning businesses regarding potential BYOD security risks and have issued a joint publication for organizations.

US – Groups Want FCC to Stop Requiring Telecoms to Store Data

A coalition of tech and privacy groups is asking the FCC not to make telecommunications companies store customer data. Current policy requires companies to keep caller names, addresses and telephone numbers as well as “telephone number called, date, time and length of the call” for 18 months for billing purposes. Privacy groups say that opens Americans up to inappropriate surveillance and data breaches. In a letter to the FCC, the 26 groups—led by the Electronic Privacy Information Center—called the policy “outdated and ineffective,” adding, “It is not necessary or proportionate for a democratic society.” [The Hill]

US Government Programs

US – FTC to Consumers: Give Us Your Complaints

In a FTC post, FTC Division of Consumer and Business Education’s Lisa Weintraub Schifferle writes about a new easier way for consumers to report their privacy complaints to the agency. “Did a company share your personal information without your knowledge or consent? The FTC wants to know,” she writes, adding, “Just go to the FTC’s Complaint Assistant and click the banner that says: ‘Concerned about how a company is handling your personal information? Click here to report privacy concerns.’” Schifferle’s post includes a list of what types of consumer privacy complaints the FTC might address—such as companies knowing more about consumers than they expect. [Full Story] [US: Conservative video-maker James O’Keefe: Homeland Security targeted me, asked intrusive questions]

US – Proposed Cyber Security Requirements for US Government Contractors

The US Office of Management and Budget (OMB) has issued proposed cyber security rules for federal government contractors. The new rules would establish baseline security requirements and oblige contractors to disclose breaches to authorities. The draft rules would also allow the Department of Homeland Security (DHS) to establish monitoring programs on contractors’ systems if they are not abiding by the rules. OMB is accepting public comment on the draft document through September 10, 2015. [NextGov] [The Hill] [CIO]

US – Poll: Voters Support Gov’t Monitoring of Social Media

A recent poll indicates a majority of voters support the government monitoring social media to assist in the fight against terrorists. The report notes that many tech companies are opposing Bill S 1705, which would require them to “report potential terrorist activity on their sites to law enforcement,” but states that 61% of voters responding to the poll “said they were in favor of the government monitoring social media sites to defend against potential terrorist attacks, while 27% opposed it.” The poll which was conducted from July 31 through August 3, focused on “a national sample of 2,069 registered voters,” the report states. [Morning Consult]

US Legislation

US – Mental Health Bills Continue to Raise Privacy Questions

Proposed legislation including the Senate’s Mental Health Reform Act and the House’s Helping Families in Mental Health Crisis Act that aim to “improve federal oversight and give patients more access to services” have incited debate over mental health treatment and patient privacy, according to U.S. News and World Report. “The bills will be a tremendous violation of freedom that we wouldn’t be okay with if it were any other group of people,” said the Western Mass Recovery Learning Community’s Sera Davidow. Meanwhile, a judge ruled against therapists who argued it was a violation of patient privacy to disclose that their clients were viewing child porn. [Full Story]

US – Congresswoman Details Forthcoming Revenge Porn Bill

Upcoming federal “revenge porn” legislation will be proposed by Rep. Jackie Speier (D-CA) in September. Speier co-authored the bill with a yet unnamed Republican, while a mirror bill is expected in the Senate. “This is not just about jilted lovers trying to get revenge,” Speier said. “This is about protecting an individual’s right to privacy … It is something that we value in the First Amendment, and it’s something that I think cries out for a federal solution.” The bill is expected to meet resistance from free-speech advocates concerned that it will stifle online expression. Meanwhile, convicted revenge porn website operator Kevin Bollaert—who is serving an 18-year sentence—claims he ran his site in defense of free speech. [National Journal ]

US – CISA Stalls for Now

A Senate effort to pass the controversial Cybersecurity Information Sharing Act (CISA) stalled this week, potentially leaving the fate of the bill uncertain. There is a chance the Senate could revisit the legislation when it comes back from summer recess in September, but the upper chamber will have a slew of other big issues, including a nuclear deal with Iran and a measure to fund the federal government, the report states. Senate Majority Leader Mitch McConnell (R-KY) was going to allow debate on the 21 amendments placed on CISA, but time ran short on such an effort. Sens. Ron Wyden (D-OR), Al Franken (D-MN) and Patrick Leahy (D-VT) have all called for more privacy protections within the bill. [The Wall Street Journal]

US – Governor Signs Four Privacy Laws

Delaware Gov. Jack Markell has signed four new privacy laws aimed to “protect the personal information of school-aged children, prevent the distribution of victim’s personal information and stop the practice of employers demanding access to their employees’ personal social media accounts,” Government Technology reports. “While the Internet has revolutionized the way we live and work, and made possible countless advances in our society, we must also recognize that it has made our citizens’ personal information more vulnerable than ever,” Markell said. “Some restrictions on how personal information is shared are reasonable, and I commend the legislators, Attorney General Denn and everyone involved in working on these bills for finding a balance between online commerce and personal privacy.” [Full Story] [US: Delaware Governor Signs Internet Privacy, Safety Package into Law]

US – Other Privacy Legislation

California and Nevada are expanding the definition of personal information and requiring stronger security for companies that share personal information.

North Carolina’s Senate passed SB 446, which aims to develop guidelines for operating drones.

Wisconsin Rep. Amy Loudenbeck (R-Clinton) has introduced AB 303 to prohibit the Department of Workforce Development from requiring job seekers to provide a Social Security number to search for jobs on the Job Center of Wisconsin’s website.

Maine has a new drone privacy law, one of several bills that took effect despite the governor’s unwillingness to sign them.

Wyoming lawmakers are moving to change the state’s constitution to add privacy and open-government protections.

Sens. Orrin Hatch (R-UT) and Tom Carper (D-DE) have introduced the Federal Computer Security Act of 2015, which would require inspectors general and the Government Accountability Office to report on security practices and software.

Delaware has passed a suite of four laws aimed at protecting citizens’ and children’s privacy, including legislation to prevent ed-tech providers from selling students’ personal information and limitations on advertising on sites and apps targeted at children, reports Delaware 105.9.

A Senate effort to pass the controversial Cybersecurity Information Sharing Act stalled last week, leaving the fate of the bill uncertain.

The Department of Homeland Security has warned that the proposed Cybersecurity Information Sharing Act will “sweep away important privacy protections.”

Rep. Jackie Speier (D-CA) will introduce a bill to battle so-called revenge porn on September 9.

A mental health reform bill introduced by Sens. Chris Murphy (D-CT) and Bill Cassidy (R-LA) could mean updates for HIPAA.

Upcoming federal “revenge porn” legislation will be proposed by Rep. Jackie Speier (D-CA) in September.

Proposed legislation including the Senate’s Mental Health Reform Act and the House’s Helping Families in Mental Health Crisis Act have incited debate over mental health treatment and patient privacy.

A District Court judge has ruled unconstitutional a Burlington North Carolina ordinance requiring hotels to furnish police with names on their guest registries.

Workplace Privacy

WW – Anti-Doping Agency Asking Athletes for Info on Breach

The World Anti-Doping Agency (WADA) has invited athletes to come forward if they feel their privacy was breached by leaked results of suspicious blood tests. WADA said its independent commission will “urgently” investigate allegations of widespread doping in athletics aired by German broadcaster ARD, The Associated Press reports. ARD alleged files indicated 800 suspicious results in blood samples from 5,000 athletes from 2001 to 2012. “WADA is committed to protecting the confidentiality of athletes,” said WADA President Craig Reedie in a statement, adding WADA “deplores” the way the data was obtained and leaked to the media. He urged any athlete concerned that their rights “are being eroded” to come to the commission. [Full Story]

US – Appeals Court to Hear Employee Data-Theft Case

A Massachusetts Appeals Court will hear a case that illustrates the question of employer liability when an employee takes company data for personal reasons, Privacy and Security Matters reports. In Adams v. Congress Auto Insurance Agency, Inc., a customer argued the insurance company did not adequately protect his data after one of its employees passed his phone number to her boyfriend to dissuade the customer from pursuing police action against him. Superior Court found the employee’s “alleged theft of personal information from a secure database” and her boyfriend’s “subsequent misuse of that data were both criminal acts that severed the chain of causation between Congress’ alleged negligence and the harm” to the customer. [Full Story]


16-31 July 2015


IN – In Effort to Expand Biometric ID Scheme, India Says Privacy Not Fundamental Right

During the course of defending the legality of the Aadhaar biometric scheme before India’s Supreme Court this week, the chief lawyer for India’s central government argued that privacy is not a fundamental right bestowed by the country’s constitution. India’s government also asked the court to reconsider all Supreme Court judgments over the past two decades that defined privacy as a constitutional right. India’s central government made the argument in order to defend extending the use of the Aadhaar biometric system for security and crime-related surveillance. The government is currently piloting the use of the biometric scheme for airport security. Ironically, the Modi government, which came to power last year, was highly critical of the previous government’s administration of the biometric ID system during a contentious election campaign, when it characterized Aadhaar as a “failure” and a “waste of money” that needed to be eliminated. However, after the new government came to power, it decided not only to maintain, but expand the system, with a view to expanding social services, along with enhancing attendance monitoring over government employees. [Biometric Update]

US – GAO Tells Congress to Revisit Facial-Recognition Tech

The Government Accountability Office (GAO) has released a new report on facial-recognition technology, specifically on its commercial uses, privacy issues and the applicable federal law. Although the report does not put forth any recommendations, it proposes that Congress look into “strengthening the consumer privacy framework” to keep up with emerging technology such as facial recognition. Sen. Al Franken (D-MN) announced the new report and issued a press release on it, writing that “what we really need are federal standards that address facial-recognition privacy by enhancing our consumer privacy framework.” [TechCrunch] [All forms of biometric authentication are not created equal]

WW – Facebook’s Facial-Recognition Tool Draws Privacy Ire

When you are identified in a picture on Facebook, biometric software remembers your face so it can be “tagged” in other photographs. Facebook Inc. says this enhances the user experience. But privacy advocates say the company’s technology — which was shut off in Europe and Canada after concerns were raised — should only be used with explicit permission. The U.S. government is participating in a working group to develop rules for companies using facial recognition — even if those are voluntary. “Face recognition data can be collected without a person’s knowledge,” said Jennifer Lynch, an attorney for the Electronic Frontier Foundation, a San Francisco-based privacy rights group. “It’s very rare for a fingerprint to be collected without your knowledge.” Privacy groups such as Lynch’s last month cited the business community’s opposition to requiring prior consent as the reason they walked out on the government meetings. The Department of Commerce’s National Telecommunications and Information Administration, which sponsored the talks, plans to continue the process without most of the privacy advocates. [Bloomberg News]

WW – Researchers’ Breakthrough Means Faces on CCTV, Infrared-Footage Identifiable

The problem with infrared surveillance videos or CCTV videos thus far has been it can be difficult to recognize the people in them. That’s because “the link between the way people look in infrared and visible light is highly nonlinear,” so matching images of people in such surveillance footage to how they look in real life has been an unresolved challenge, the report states. But Saquib Sarfraz and Rainer Stiefelhagen at the Karlsruhe Institute of Technology in Germany may have solved the problem by teaching a neural network to do the work. One way this has become possible is because of an increase in vast databases of facial images, the report states. [MIT Technology Review] [Deep Neural Nets Can Now Recognize Your Face in Thermal Images]

US – NetChoice Praises NTIA Facial-Recognition Talks

NetChoice, which represents online commerce companies and advocates, has announced it is pleased with the results of the latest National Telecommunications and Information Administration (NTIA) facial-recognition discussion. The NTIA discussion aimed to “vet two proposed privacy best practices for facial recognition,” the report states. “Today was extremely productive as a diverse group of stakeholders made clear steps toward establishing facial-recognition technology policies and regulations that foster transparency, control and closure,” said NetChoice’s Carl Szabo. “I think we all agree that companies using facial-recognition technologies should provide people with meaningful control when their facial image data is shared with others,” he added. [Multichannel News]

WW – Keystroke-Monitoring Identified as Anonymity Threat

Monitoring the timing of a user’s keystrokes, “a sort of digital fingerprint that can betray its owner’s identity,” has been identified by security researchers as a threat for Tor users: the rhythm with which someone types is habitual enough to be profiled on one site and recognised on another, regardless of the network path between them. “The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page,” said security researcher Runa Sandvik. “Suddenly, the IP address I am using to connect to these two sites matters much less.” Researchers Per Thorsheim and Paul Moore developed a Chrome plugin to ward off these attacks by altering the timing the page observes. “For oppressive regimes, this is most certainly of high interest,” Thorsheim said. [Ars Technica]
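The profiling threat above, worked through in code. This is an added example, not code from the article, from the researchers named, or from their Chrome plugin: the per-digraph typing habits for the two hypothetical users are constructed for the illustration, and the mitigation shown (re-timing the keystroke stream before a page sees it) is one plausible mechanism, an assumption about how such a plugin could work rather than a description of the actual extension.

```javascript
// Keystroke-dynamics profiling and one mitigation, as a worked illustration.
// The delay between successive keystrokes (the "flight time" of each digraph)
// is habitual, so a page that records keydown timestamps can build a profile
// and later match an unknown session against it even if the IP differs.

// Generate keydown events (time in ms) for a phrase from a per-digraph latency
// function. The data is constructed for this example, not recorded.
function typePhrase(text, latencyFor) {
  const events = [];
  let t = 0;
  for (let i = 0; i < text.length; i++) {
    if (i > 0) t += latencyFor(text[i - 1] + text[i]);
    events.push({ key: text[i], t });
  }
  return events;
}

// Hypothetical habits for two users: fast on some digraphs, slow on others,
// and 150 ms for everything else. (Assumed values, not measured.)
const habitsA = { th: 60, he: 70, in: 260 };
const habitsB = { th: 240, he: 230, in: 80 };
const latency = habits => digraph => habits[digraph] ?? 150;

// Profile: mean flight time per digraph observed in an event stream.
function profileFromEvents(events) {
  const sums = new Map();
  for (let i = 1; i < events.length; i++) {
    const dg = events[i - 1].key + events[i].key;
    const s = sums.get(dg) ?? { total: 0, n: 0 };
    s.total += events[i].t - events[i - 1].t;
    s.n += 1;
    sums.set(dg, s);
  }
  return new Map([...sums].map(([dg, s]) => [dg, s.total / s.n]));
}

// Mean absolute difference over the digraphs both profiles contain.
function distance(p, q) {
  let total = 0, n = 0;
  for (const [dg, v] of p) {
    if (q.has(dg)) { total += Math.abs(v - q.get(dg)); n += 1; }
  }
  return n ? total / n : Infinity;
}

// Nearest stored profile to an unknown session.
function identify(session, profiles) {
  const sp = profileFromEvents(session);
  let best = { name: null, distance: Infinity };
  for (const [name, prof] of Object.entries(profiles)) {
    const d = distance(sp, prof);
    if (d < best.distance) best = { name, distance: d };
  }
  return best;
}

// Mitigation: rebuild the stream so the delay between keystrokes comes from
// delayFor(i), not from the typist. An extension could do the equivalent by
// buffering keystrokes and releasing them on its own schedule (assumption
// about the mechanism; not the plugin mentioned in the article).
function retime(events, delayFor) {
  let t = 0;
  return events.map((e, i) => {
    if (i > 0) t += delayFor(i);
    return { key: e.key, t };
  });
}

// Seeded LCG so the jittered run is reproducible; delays in [20, 20 + range).
function jitter(seed, range) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(1664525, state) + 1013904223) >>> 0;
    return 20 + Math.floor((state / 2 ** 32) * range);
  };
}

// Enrolment: each user typed a training phrase on a page the profiler controls.
const training = "the thin hen in the inn";
const profiles = {
  A: profileFromEvents(typePhrase(training, latency(habitsA))),
  B: profileFromEvents(typePhrase(training, latency(habitsB))),
};

// Later, on an unrelated site, user A types something else.
function demo() {
  const session = typePhrase("then he is in", latency(habitsA));
  return {
    raw: identify(session, profiles),                          // A, distance 0
    constant: identify(retime(session, () => 150), profiles),  // A no longer fits
    jittered: identify(retime(session, jitter(42, 400)), profiles),
  };
}

console.log(demo());
```

The raw session matches profile A with distance 0 because the same habits produced both; after re-timing, the digraphs that carried the signal (th, he, in) no longer stand out and the nearest profile is decided by noise. A real profiler would also use key hold times and a proper classifier, which is why the plugin approach of disturbing the timing at the source is the right layer for a defence.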

WW – Phones Help Detect Depression Symptoms

A Northwestern University Feinberg School of Medicine study has found that tracking consumers’ smartphone usage could indicate with 86% accuracy whether or not they were depressed. Northwestern Center for Behavioral Intervention Technologies Director David C. Mohr, dubbing phones part of the “fabric of people’s lives,” found the study important as it indicated that critical mental health information may be gleaned “without asking (patients) any questions.” He continued, “We now have an objective measure of behavior related to depression. And we’re detecting it passively. Phones can provide data unobtrusively and with no effort on the part of the user.” [Full Story]


CA – Foreign Visitors to Canada to Face Electronic Screening

Millions of travellers will soon face another layer of red tape when they try to visit Canada. Starting Saturday, Ottawa will start accepting applications for electronic travel authorization (eTA) from people who wish to travel to Canada by air. Prospective travellers have until March 15 to submit their biographic, passport and other personal information through Citizenship and Immigration Canada’s website for pre-screening or face being denied entry when the border enforcement kicks in. The new measure — part of the harmonization with the United States’ travel security system — will apply to most air passengers, including all applicants for study and work permits, as well as those who come from countries that currently do not require a visa to come to Canada. Critics view the initiative as another attempt to block refugees from arriving on Canadian soil and raise concerns over the use of the data in storage. [Source] See also: [Mondaq News: Canada: Data Protection Agreements]

CA – Ottawa Says Little About CSIS Document Breach Claimed by Anonymous

The federal government is saying little about an apparent breach involving classified information. Digital hacking collective Anonymous made good late Monday on a threat to release what it says is the first of many secret documents. An apparent Treasury Board memo about funding of the Canadian Security Intelligence Service’s overseas communications capabilities was posted online. The Canadian Press could not confirm the document’s authenticity and Jeremy Laurin, a spokesman for Public Safety Minister Steven Blaney, had no immediate comment. In an accompanying video statement, Anonymous denounced the recent shooting of an Anonymous supporter in British Columbia during a confrontation with the RCMP. [The Star] [RCMP national website goes offline, Anonymous claims responsibility]

CA – Manitoba WRHA Putting Personal Health Info at Risk

The Winnipeg Regional Health Authority’s cybersecurity “weaknesses” threaten to allow personal health information to fall into the wrong hands, according to Manitoba’s auditor general. Auditor General Norm Ricard’s report found sensitive patient information can be accessed by personal flash drives, laptops, smartphones and tablets, so-called “end-user devices” that aren’t properly protected.  Ricard noted that more than 3,900 personal devices are now connected to WRHA emails, which could potentially include personal health information. Flash drives are also a concern. Manitoba’s auditor general made the following 12 recommendations to the Winnipeg Regional Health Authority to enhance cybersecurity:

  1. Identify and assess all risks associated with end-user devices in the WRHA environment
  2. Share assessment results with WRHA CEO and document residual risks
  3. Implement controls to reduce risks associated with end-user devices
  4. Develop a strategic plan for information and communication technology services to the WRHA, including plans for remote access through personal devices
  5. Create an information classification scheme based on the sensitivity of information
  6. Develop guidance for Personal Health Information Act (PHIA) trustees on how to audit their security safeguards
  7. Monitor trustees’ compliance with PHIA’s audit of security safeguards requirements
  8. Develop a risk-based audit program
  9. Update information security training to target higher risk positions and outline incident procedures
  10. Require associated physicians, medical staff, contractors, students, researchers and employees periodically attend PHIA awareness training
  11. Require same individuals to attend security awareness training upon hiring
  12. Implement additional information security awareness techniques to reinforce training

The WRHA said it is committed to making all of the changes and some are already underway. [The Winnipeg Sun]

CA – Medical Marijuana Class Action Certified by Federal Court

The Federal Court of Canada has certified a class-action lawsuit involving 40,000 people in the medical marijuana access program. The case was launched in 2013 after Health Canada sent letters to people with the program’s name on the envelope. Before that, mail sent to individuals in the program didn’t mention marijuana. Recipients were upset, saying their privacy had been violated. Some said they worried they’d lose their jobs or become victims of a home invasion. In March this year, the Office of the Privacy Commissioner of Canada ruled that Health Canada had violated federal privacy laws. That ruling didn’t allow for any compensation. In a press release, the Halifax law firm that launched the case says the certification shows the Federal Court has decided the class-action lawsuit is necessary to allow people access to justice. The plaintiffs are seeking damages for breach of contract, breach of confidence, invasion of privacy and charter violations.  The federal government now has 30 days to appeal the Federal Court’s certification. [Source] See also: [Canadian Appeals Monitor: Overview of Ontario Court of Appeal ‘s Decision in Hopkins v. Kay] SEE ALSO: [RCMP overrides rights of bereaved families: Editorial]

CA – TPP Likely to Force Canada to Repeal Local Data Protection Laws

U.S. negotiators are pushing hard to eliminate national laws in TPP countries that require sensitive personal data to be stored on secure local servers, or within national borders. This goal collides with the B.C. Freedom of Information and Protection of Privacy Act and similar regulations in Nova Scotia, which are listed as “foreign trade barriers” in a 2015 United States Trade Representative (USTR) report. According to that report, the B.C. privacy laws “prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States.” Irrespective of your views on whether such local storage requirements are reasonable or not, what’s significant here is that TPP, ostensibly a trade agreement, may force Canada to repeal local privacy laws. That fact underlines why the secret nature of the negotiations is profoundly anti-democratic: matters are being decided behind closed doors that should rightly be debated openly. [Techdirt] [Pacific trade deal could raise health costs, lower privacy protection: Geist]

CA – File Breach at Electronic Spy Agency Prompts Mandatory Privacy Training

Canada’s electronic spy agency introduced mandatory privacy awareness training for all employees in March following an internal breach involving personal information. When Greta Bossenmaier became chief of the Communications Security Establishment in February, the ultra-secret eavesdropping outfit was under intense public scrutiny over alleged spying on citizens. But less than two months into the job, Bossenmaier was informing the spy agency’s staff of a privacy violation inside its own walls. [The Canadian Press ]

CA – Ontario Hit With Hundreds of Privacy-Breach Complaints

Ontario has been hit with more than 200 privacy complaints about the mishandling of personal information by the provincial government or its agencies over the past 18 months, according to the information and privacy commissioner. Most of them can be chalked up to human error or computer glitches, but the common thread in the complaints is that detailed personal information ended up in the wrong hands. As recently as last week, a misdialed fax machine was blamed for a privacy breach affecting hundreds of Ontario Disability Support Program recipients in Hamilton. In 2014 the Information and Privacy Commissioner’s office received 61 reports of breaches from provincial ministries and government agencies, and 73 from individuals, plus nine others that the office initiated on its own, Commissioner Brian Beamish said. This year so far there have been 29 from ministries and agencies, 35 from individuals and four self-initiated. [The Toronto Star]

CA – Complaint filed with Ontario Press Council

The Ontario Press Council has received a complaint against Bullet News Niagara. The complaint is for a story the online media outlet published last week about an anonymous poster, whose identity became known to his employer and ultimately led to the employee losing his job. [Source]

CA – Other Canadian Privacy News Roundup


US – Study: Consumers Want To Know If Companies Are Collecting Data

An Annenberg School for Communication study indicates consumer support for the trade of their data for discounts is largely “overstated.” The survey found 91% disagree and 77% strongly disagree that “If companies give me a discount, it is a fair exchange for them to collect information about me without my knowing,” the report continues. “By misrepresenting the American people and championing the trade-off argument, marketers give policy-makers false justifications for allowing the collection and use of all kinds of consumer data often in ways that the public find objectionable,” the report stated. “Data collection in itself isn’t inherently evil, but companies have to be more forthright about what they are doing because customers are watching,” Digital Clarity Group’s Tim Walters said. [TechCrunch] See also: [Big Data Knows You Like Losers] and [Men who harass women online are quite literally losers, new study finds]

US – Tool Diagnoses Severity of Leaked PI

The New York Times published an online tool to gauge not only which elements of your personal information have been leaked but also how many times it was accessed by hackers depending on your online registrations, purchases or enrollments with companies such as Target, Anthem or Neiman Marcus. “How can you protect yourself in the future? It’s pretty simple: You can’t,” the report states. “But you can take a few steps to make things harder for criminals,” like two-factor authentication, frequent password updates and encryption. The report also includes links to each breached corporation’s public statement regarding the hacks. [Full Story]

US – Sparapani Outlines “Consumer Data Compact”

ACLU and Facebook veteran Tim Sparapani outlines a “Consumer Data Compact” for the Digital Age. The “fundamental question” of the time, he writes, could be, “Are businesses returning at least as much, if not more, value to their customers from using their data than the businesses obtain from that data? Answering this question can allow both businesses and regulators to evaluate the privacy impact of products and services.” He continues, “When businesses are able to answer this question in the affirmative, they have aligned their interests with those of consumers. The FTC and state regulators should work to align its policy and enforcement work to incentivize companies to make just such an analysis.” [Forbes] See also: [Slate: Turning the Tables: A Privacy Policy from the Users] See also: [Why Netflix and HBO don’t care if they lose $500M a year to password sharing]

US – Digital Trust Foundation Grants $1.6M to Address Cyber Abuse

The Digital Trust Foundation (DTF) announced that it will award $1.6 million in grants for research, education and support for “understanding, preventing and responding to digital abuse.” DTF Board Member Larry Magid said, “Cyberbullying, cyberstalking, and other forms of digital abuse are far too common.” Three of the grants will go toward research on digital abuse related to cyberstalking and digital domestic violence; two will go toward abuse in schools; one will go toward creating an online platform for victims, while three more will focus on the legal system. [Full Story]


HK – Personal Data Checks Fail to Register in Public Lists

Just one in 10 commonly used government public registers have safeguards against the misuse of private data, the Office of the Privacy Commissioner for Personal Data has found.  The 10 registers that it examined covered bankruptcies, births, business, companies, land, marriages, notice of intended marriages, licensed persons, vehicles and voters. Personal data available include identity card numbers, residential addresses and signatures on the companies and land and vehicles’ registration information.  Privacy Commissioner Allan Chiang Yam-wang said cyber bullying, financial loss and personal safety risks may ensue from people with malicious intent getting access to the information. “The ideal scenario would be that the legislation responsible for setting up the public registers is clearly defined,” Chiang said. The register of electors is the only public list in the survey that has legislative safeguards written in to guard against data misuse. Of 82 public register-related laws, only 32 state the purposes of the publication of the data. Just five of these 32 contain explicit measures against misuse of the data. Chiang said the Personal Data (Privacy) Ordinance cannot be fully applied to public registers as those are bound by corresponding legislations. [Pogo Was Right]

US – Clearer, More Stringent Cybersecurity Rules for Government Contractors

The White House wants government contractors to have strong, clear, and consistent rules for protecting sensitive data. Recent breaches underscore problems in the current contractor arrangements, including inconsistent data security standards in federal contracts as well as in various guidelines established by different agencies. A proposal for new rules will soon be available for public comment. [The Hill] [Amazon] See also [The blue pages conspiracy blues: Why Ottawa doesn’t want you to call]

US – White House to Release Vendor Data Policy

The White House will release a new policy that aims to create consistency amongst vendors and their storage of government data. “The increase in threats facing federal information systems demand that certain issues regarding security of information on these systems is clearly, effectively and consistently addressed in federal contracts,” an Office of Management and Budget notice states. Meanwhile, the Pentagon has chosen Leidos to handle the modernization of its electronic healthcare records. “We wanted to make sure we took adequate steps to protect the information that will be on this system, as well as the privacy of health care information,” said Undersecretary of Defense for Acquisition, Technology and Logistics Frank Kendall. [Nextgov]


US – Email Privacy Act Could Bypass Debate

With 291 cosponsors, the Email Privacy Act, which would modernize the 1986 Electronic Communications Privacy Act (ECPA), is in a position to bypass debate and move straight to approval. “When ECPA was written, the Internet as we understand it did not exist,” said Rep. Kevin Yoder (R-KS), author of the Email Privacy Act. “Only 340,000 Americans even subscribed to cell-phone service. Mark Zuckerberg was only two years old. But as our society and technology has evolved, our digital privacy laws remain stuck in 1986. With our bill now receiving the support of a veto-proof majority of the House of Representatives, the time has arrived to fix that.” [Multichannel]


US – Dept. of Commerce to Revisit Wassenaar Export Rules

A US Department of Commerce spokesperson said that the government plans to revise export controls on hacking tools after members of the information security community spoke out against the government’s first iteration of the rules, required by the Wassenaar Arrangement. The rules are aimed at restricting the export of cyber tools that could be used for malicious purposes. Security experts have said that the rules would have a chilling effect on research. [The Register]

PL – Pakistan Bans Blackberry Enterprise Server

Pakistan’s Ministry of the Interior has issued a notice to the Pakistan Telecommunication Authority (PTA) to order telecommunications companies that serve that country to stop access to BlackBerry Enterprise Services as of December 1, 2015. The directive was issued “for security reasons,” according to a PTA spokesperson. [The Register] [v3.co.uk] [ArsTechnica]

EU Developments

EU – EDPS Provides Detailed Recommendations for Final GDPR Text

As the trilogue process continues toward a final draft of the EU’s proposed General Data Protection Regulation, the European Data Protection Supervisor has not stood idly by. Today, the EDPS released a detailed draft of its own, creating a new “fourth text” for the trilogue process to consider. Further, it has released its own mobile app that allows one and all to both read its recommendations and compare all of the texts against one another. [Privacy Tracker]

EU – Data Privacy Chief Criticizes Air Passenger Bill

EU data privacy chief Giovanni Buttarelli has said a forthcoming law gathering detailed information on air passengers is too invasive and is unlikely to stop terrorism. Buttarelli said it makes more sense to target specific categories of flights, passengers, and countries. “I’m still waiting for the relevant evidence to demonstrate, even in terms on the amount of money, and years to implement this system, how much it is essential,” he said. His comments come after MEPs in the civil liberties committee on 15 July agreed a legislative proposal that will allow the collection of detailed information – such as credit card details and addresses – of all people flying in and out of the EU. Buttarelli is due to give a formal opinion on it in September. [euobserver.com]

UK – High Court: Parts of Data Retention Law Illegal

The UK High Court has struck down a key provision in the nation’s surveillance legislation. The Data Retention and Investigatory Powers Act (DRIPA) was considered “emergency” legislation after the EU’s highest court struck down the EU data retention directive. DRIPA required communications providers to retain customer data in case intelligence services needed to investigate crimes. The UK High Court agreed with MPs David Davis and Tom Watson that the law did not include enough privacy or data-protection safeguards. Sections 1 and 2 of DRIPA were found unlawful on the basis that:

  • they fail to provide clear and precise rules to ensure data is only accessed for the purpose of preventing and detecting serious offences, or for conducting criminal prosecutions relating to such offences.
  • access to data is not authorised by a court or independent body, whose decision could limit access to and use of the data to what is strictly necessary. The ruling observes that: “The need for that approval to be by a judge or official wholly independent of the force or body making the application should not, provided the person responsible is properly trained or experienced, be particularly cumbersome.”

The government has nine months to rewrite the law, and the Home Office said it will appeal the ruling. [Politico EU] [UK High Court smacks down ’emergency’ UK spy bill as UNLAWFUL]: Government has until March 2016 to write new legislation]

EU – Google Changes User Consent Policy to Comply With Cookie Reg

Google has announced a change to its user consent policy, which will affect website publishers using Google products and services including Google AdSense, DoubleClick for Publishers and DoubleClick Ad Exchange. Google says that under the new policy, publishers will have to obtain EU end-users’ consent before storing or accessing their data. The change is in direct response to the EU’s cookie compliance regulation, the report states, and follows Google’s CookieChoices website, launched earlier this month. The site was launched to help digital publishers obtain tools and access other resources in their endeavor to gain user consent. [TechCrunch]

EU – Google Appeals CNIL’s RTBF Order

Google is appealing the CNIL’s formal notice that the company honor right-to-be-forgotten requests globally. In a blog post, Google Global Privacy Counsel Peter Fleischer writes, “We’ve worked hard to implement the right-to-be-forgotten ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so … But as a matter of principle, we respectfully disagree with the idea that a national data protection authority can assert global authority to control the content that people can access around the world.” Fleischer also suggests a global implementation would have a “chilling effect” on the Internet. Meanwhile, in the U.S., the Association of National Advertisers is urging the FTC to dismiss a Consumer Watchdog complaint that claims not honoring takedown requests is an unfair and deceptive trade practice. [Full Story]

EU – AEPD Names New Director

The Council of Ministers on Friday announced that Mar España Martí has been named the new director of the Spanish Data Protection Agency (the AEPD). She replaces José Luis Rodríguez Álvarez, who served in the role for four years. The new director, according to a press release in Spanish, is a lawyer and civil servant with extensive experience working on the protection of human rights. Her work with the presidency has included a focus on electronic administration and information security, promoting quality of data and transparency efforts in the Spanish government. She will serve a term of four years as the head of the AEPD. Rodríguez reports that he will return to his work at Universidad Complutense de Madrid and will remain active with data protection issues. [Full Story]

EU – Nymity Announces New EU Headquarters, New Roles

Nymity has announced it will open a new European headquarters in London, UK, and Lauren Reid will assume the role of director of EU privacy solutions. Reid has worked for two years at Nymity’s corporate headquarters in Toronto, Canada. “I am excited for the opportunity to be on the ground in Europe during what promises to be an eventful fall, with the EU regulation just around the corner and evolving expectations for the privacy office,” Reid said. Nymity President Terry McQuay said the London expansion gives the company an opportunity “to further our commitment to EU data protection and accountability.” Nymity has also announced it is welcoming Jorge Molet in the newly created post of Privacy Research Lawyer, Latin America. [Full Story]

EU – Ireland: Right to Access Birth Cert For Up to 50,000 Adopted

As many as 50,000 adopted people will have the right to their birth certificate for the first time under new legislation being drawn up by the Government. The Adoption (Information and Tracing) Bill, due to be discussed at this week’s Cabinet meeting, is expected to operate retrospectively and will apply to all future adoptions.  At present many adoptees are unable to access birth certs listing their original parents’ names due to legal obstacles, including a constitutional right to privacy on the part of birth parents. To help resolve this, adopted people would be required to sign a statutory declaration obliging them to respect the wishes of birth parents in cases where they do not wish to be contacted. This mechanism is regarded by those involved in drafting the legislation as a way of striking a balance between the right to privacy of birth parents and the identity rights of adopted people. [Irish Times]

EU – European News Roundup

Facts & Stats

WW – Average Black Market Identity Cost? Twenty Bucks

The going rate for a stolen identity is about $20. That’s according to Quartz, which analyzed listings for a full set of someone’s personal information—known as “fullz”—on the black market, using data collected by dark web search engine Grams. More than 600 listings came up, some identities including credit card information, some not. The listings ranged in price from less than $1 to about $450, the report states—the median price being $21.35. The most expensive identity, from a vendor called “OsamaBinFraudin,” came for $454.05, because, the vendor said, the identity came with a high credit score. Another identity, selling for $248.22, came with an American Express card with a $10,000 limit. [Full Story] See also: [Why Russian Cybercrime Markets Are Thriving]


WW – Apple Proposes Ads Based On Your Credit Balance

Apple has once again aimed squarely at the FinTech market and followed up its recent patent application for P2P banking with another: e-commerce advertising based on your available bank balance. In its latest filing with the USPTO, Apple describes a “Method and system for targeted advertising of goods and services to users of mobile terminals, based for example on the users’ profile. Goods and services are marketed to particular target groups of users sharing a common profile which may be selected to increase the likelihood of the users responding to the advertisements and purchasing the advertised goods and services. The common profile of users may be based on the amount of pre-paid credit available to each user. An advantage of such targeted advertising is that only advertisements for goods and services which particular users can afford, are delivered to these users.” [Forbes]


EU – Privacy Trumps Journalistic Freedom, European Court Rules

The European Court of Human Rights (ECHR) has ruled that journalists can be prevented from publishing publicly available information in cases where a person’s right to privacy is violated. In the case of Satakunnan Markkinapörssi and Satamedia v. the Republic of Finland, the ECHR decided that the Finnish magazine could be prevented from publishing publicly available tax data in order to protect the privacy rights of individuals. Finland’s data protection ombudsman advised the companies to stop publishing such data, but the companies felt it violated their freedom of expression. Pinsent Masons’ Ian Birdsey said, “The case highlights the difficulties that the courts often face when seeking to balance competing rights,” adding, “It will be interesting to see how the courts will assess the ‘public interest value’ on a case-by-case basis.” [Out-Law.com]

US – US Census Bureau Data Dump

Cyber activists have taken information from servers used by the US Census Bureau and made the data available online. The compromised data do not include citizens’ census records, but instead they include information about Census Bureau employees, including email addresses, password hashes, and the IP addresses from which they last logged in. Much of the information was already accessible online. [The Register] [NextGov]


WW – Genetics Company, Pharma-Research Looking to Extend Lifespan

Personal genetics company AncestryDNA has announced a partnership with Google-owned biotech firm Calico. AncestryDNA, the genetic branch of Ancestry.com, has a “massive database of genetic information on its paying customers” to help Calico search for genes that affect lifespan and potentially develop drugs to lengthen it. The partnership is just the latest in a growing trend. For example, genetics company 23andMe recently partnered with Pfizer. “The logic behind these partnerships is clear,” the report states, as the genetics companies collect and store DNA swabs participants have consented to, which is valuable for research, while “typically, it takes a lot of cajoling to get people … to part ways with their biological bits.” [Wired] See also: [Kuwait DNA tests violate right to privacy: HRW] and [indiatimes.com: Is the Upcoming DNA Profiling Bill The End of Physical Privacy?]

Health / Medical

US – Healthcare Org Calls for Improved Privacy Laws

It’s time for Congress to sophisticate both “our antiquated medical privacy laws and … our technological capabilities,” Health IT Now Coalition Executive Director Joel White writes, citing a whitepaper from the organization. “We call on Congress to systematically review the costs and benefits of privacy laws in light of recent scientific and technical advances,” White writes. “There are less burdensome models for protecting privacy—we use them every day.” He also considers HIPAA, arguing, “Enforced by a punitive regime of fines and jail terms, HIPAA elevates even the most mundane health records to the level of national security secrets.” [The Hill] See also: [Software turns smartphones into tools for medical research]

US – Halamka and McGraw: HIPAA Helps Patients

Beth Israel Deaconess CIO John Halamka and Office for Civil Rights Deputy Director for Health Information Privacy Deven McGraw write that HIPAA is neither as antique nor as cumbersome a regulation as recent critiques make it out to be. “Although intersecting federal and state laws on this topic can often be confusing and are a significant source of frustration, providers should still seek to avoid over-interpreting,” Halamka and McGraw write. “Low tolerance for risk with respect to compliance with privacy laws can … actually impose significant risks on patients … there no longer needs to be a tradeoff between privacy and safety.” [FierceHealthIT]

US – Advocates Say Legislation is Problematic

Patient Privacy Rights’ Deborah Peel believes recent legislative moves such as the 21st Century Cures bill lack innovation and put the patient second. “The problems of interoperability of data, the 21st Century Cures bill and the calls to create a national patient identifier are all proposals to solve today’s problems with yesterday’s technology—pressure to open up commercial use of health information. This doesn’t have anything to do with research and cures,” Peel said. “The promise of electronic health information was supposed to be to help with treatment, not to create massive, hidden business models where people are using your data for purposes we don’t even know about,” she added. [FierceHealthIT]

US – The Many Misinterpretations of HIPAA

There are many ways that “people use, misuse or abuse HIPAA.” For example, in 2012, a woman called a Pennsylvania hospital to alert staff of her mother’s medical history, only to have the staff refuse to take the information, citing HIPAA. As a result, her mother was nearly given a medication to which she was allergic. In such scenarios, said Carol Levine of the United Hospital Fund’s Families and Health Care Project, HIPAA has become “an all-purpose excuse for things people don’t want to talk about.” Rep. Doris Matsui (D-CA) has introduced legislation that would clarify the law, noting “it’s just misunderstanding what is and isn’t allowed under HIPAA.” [The New York Times]

US – Court Upholds Waiver of Privacy Rights in Malpractice Suits

A Florida appeals court upheld the constitutionality of a controversial change in Florida’s medical-malpractice law, “ruling in part that some privacy rights are waived when people pursue malpractice lawsuits.” The decision stems from a 2013 law that requires patients to sign forms authorizing “ex-parte communications” before filing malpractice claims. Emma Gayle Weaver filed a challenge to the law, arguing it violates the right to privacy in medical-malpractice cases. But the three-judge panel wrote in its decision that any privacy rights pertaining to medical information “are waived once that information is placed at issue by filing a medical malpractice claim.” [Orlando Sentinel]

US – Court Examining Pocket-Dial Privacy Implications

The U.S. Court of Appeals for the Sixth Circuit has found no expectation of privacy for Cincinnati/Northern Kentucky International Airport Board Chairman James Huff, who inadvertently dialed a coworker, Carol Spaw, who recorded Huff’s conversation with his wife and another board member about personnel matters, noting he “failed to take ‘simple and well-known measures’” to protect against pocket-dials. However, the court “revived Bertha Huff’s claims, finding she had a privacy expectation even if she was aware that her husband’s phone could accidentally make phone calls,” the report states, sending the case back to district court to determine if Spaw’s actions “met the standard for an ‘intentional use of a device’ to intercept Bertha Huff’s statements.” [The National Law Journal] See also: [US – Privacy and the Data Toothpaste Problem]

US – Uncertainty Surrounds 21st Century Cures Bill

Wiley Rein’s Kirk Nahra discusses the 21st Century Cures Bill, recently passed by the House of Representatives. Two of the bill’s provisions, Nahra says, raise a lot of questions about whether they’re good ideas and address problems that need to be dealt with on HIPAA’s privacy rule. One provision, for example, allows for disclosures of health information for research purposes to pharmaceutical companies and medical device manufacturers and “seems to allow these companies to pay an unlimited amount of money to obtain that data,” Nahra notes, adding, “Usually you can’t pay for protected health information, so that’s … creating some significant potential privacy concerns.” [Healthcare Info Security]

US – Appeals Court: Neiman Marcus Suit Can Proceed

In a reversal of a previous ruling, the U.S. Court of Appeals in Chicago found that victims of the 2013 Neiman Marcus LLC data breach will be able to sue the corporation. Unlike U.S. District Judge James B. Zagel’s initial ruling, the court found victims could indeed measure “concrete injuries” and therefore had grounds for a suit, believing that “unreimbursed payments weren’t the only possible harm” and “citing the cost of credit monitoring and the hackers’ ability to use the fraudulent data for years,” the report states. “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities,” the court said. [Bloomberg Business]

UK – NHS Official Demands Details of Millions of Confidential Appointments

A top health official has demanded confidential details of millions of GP appointments. Sparking yet another NHS privacy row, she has ordered the firm in charge of bookings at most English surgeries to hand over the sensitive data urgently. The information includes the date, time and duration of appointments as well as the reason for the consultation. Most of the postcode of the patient is also asked for, as well as their date of birth. The information is intended to gauge demand for the Government’s planned seven-day NHS. But privacy campaigners say it is incredible that neither patients nor their GPs have been consulted about the move. They warned there was enough information within the files for patients to be identified. [The Daily Mail]

Horror Stories

US – OPM, Anthem Hackers May Have Breached United Airlines

The same hacking group that stole sensitive records from the Office of Personnel Management (OPM) and Anthem also breached United Airlines. Manifests were compromised, which include passenger names, travel times, arrivals and departures. Security professionals believe such data can be cross-referenced with other data stolen from Anthem and the OPM to create detailed maps of U.S. citizens and increase the possibility of advanced and precise targets for blackmail and espionage. United Airlines is also one of the biggest airline contractors with the U.S. government, “making it a rich depository of data on the travel of American officials,” the report states. [Bloomberg Business]

US – Planned Parenthood Says Hackers Trying to Steal PI

Planned Parenthood announced Monday that anti-abortion hackers are attempting to breach the organization to access and potentially expose sensitive data on its employees. Planned Parenthood Executive Vice President Dawn Laguens said the attempts are a “gross invasion of privacy” that could put its staffers at risk. “Planned Parenthood has notified the Department of Justice and separately the FBI that extremists who oppose Planned Parenthood’s mission and services have launched an attack on our information systems,” she said. An adversary called “E” has taken some credit for the attack. Hackers have also threatened to release more information, including internal emails, though it hasn’t been confirmed if such data has been accessed. [The Hill] [Planned Parenthood confirms attack from anti-abortion hackers]

US – Class-Action Filed Over Data Theft

Experian is the target of a class-action lawsuit alleging it “failed to detect for nearly 10 months that a customer of its data broker subsidiary was a scammer who ran a criminal service that resold consumer data to identity thieves.” Hieu Minh Ngo, who used the guise of a private investigator to gain access to Experian-owned Court Venture’s 200 million profiles, was recently sentenced to 13 years in prison. Ngo scammed victims out of “$65 million in fraudulent individual income tax returns,” the report continues, noting plaintiffs are suing for complimentary credit monitoring as well as a fund “for reimbursement of the time and out-of-pocket expenses they incurred to remediate the identity theft and fraud caused by customers of Ngo’s ID theft service.” [KrebsOnSecurity]

US – Health System Faces Potential Class-Action

Children’s National Health System is facing a potential class-action lawsuit following the hack of up to 18,000 patients’ personal data last year. Patient Fardoes Khan filed the suit after being informed her data was compromised. [Washington Business Journal]

US – Insurer and State Program Announce Breaches

In New York, insurance payer Healthfirst is notifying members of a data breach affecting approximately 5,300 individuals, and, in Georgia, approximately 3,000 clients of Community Care Services Program are being notified that the state’s Division of Aging Services program inadvertently emailed their personal data to a contracted provider not authorized to view the information.

US – More Stores Shut Down Photo Centers

CVS recently disabled its online photo center following news of a potential breach through PNI Digital Media, following a similar action by Walmart in Canada, and now other stores in the U.S. and UK—including Rite Aid, Sam’s Club and Tesco’s—have moved to do the same after PNI, which either manages or hosts the sites, examined the possible extent of the breach. “We take the protection of information very seriously,” said Kirk Saville of Staples, which purchased PNI last year. “PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation,” he continued. “The retailers’ main websites and other services were not affected by the potential breach,” the report states. [Reuters] [Hacking fears close photo websites]

WW – Anonymous Behind Census Bureau Hack

“Online activist collective” Anonymous took credit for the United States Census Bureau’s hack and subsequent data leak, citing displeasure with the “secretive” drafting of the Trans-Pacific Partnership (TPP) and Transatlantic Trade and Investment Partnership (TTIP) agreements as its impetus. The Census Bureau deemed the information released by Anonymous as “non-confidential,” the report continues. “Security and data stewardship are integral to the Census Bureau mission,” the organization said in a statement. “We will remain vigilant in continuing to take every necessary precaution to protect all information.” [The International Business Times] [CA – Public service labour board taken offline after breach discovered last week]

US – Class-Action Filed Following UCLA Breach Admission

Following UCLA Health’s admission last week that it had been hit by a massive data breach in May, a former patient has filed a class-action lawsuit in U.S. District Court claiming the health system broke its contractual obligations to protect patients’ data. Allen filed the suit on behalf of “several millions of individuals,” the report states, claiming personal data entrusted to the hospital was “left in an unencrypted state and stolen by cyber thieves.” Meanwhile, in an op-ed on The Hill’s Congress Blog, attorney Karla Grossenbacher makes the case for a single, federal standard on data breach notification. [ConsumerAffairs]

US – Senate Votes to Fund OPM Victims, Not OPM

The Senate Appropriations Committee voted to provide the 22 million-plus victims of the OPM hack with 10 years of credit monitoring and a $5 million fund for damage reparation, but did not vote in favor of providing the organization itself with additional funds. The affected’s “vulnerability will go on for a number of years,” said Sen. Barbara A. Mikulski (D-MD), who introduced the amendments based on the proposed RECOVER Act. “They deserve our protection.” But some feel more work needs to be done. Sen. John Boozman (R-AR), himself a victim of the hack, has called for additional hearings, adding, “this is something that our country has to get straight.” [Roll Call]

US – OIG Finds Lack of Cybersecurity Tech and Training Among Reasons for Breach

In a newly released study, the Office of the Inspector General (OIG) identifies the U.S. Postal Service’s “undertrained employees, lack of accountability for risk acceptance decisions, ineffective collaboration among cybersecurity teams and continued operation of unsupported systems” as contributing factors to its data breach in 2014, which affected 2.9 million people. “Although USPS was in compliance with fundamental legal and industry requirements, it did not have a security operations center providing round-the-clock incident analysis and response,” the report continues, adding that the agency is moving to update its cybersecurity technology. Meanwhile, a new ruling mandates that the Inspector General must gain permission to obtain sensitive information from the organization it audits, a move that “significantly impaired” the role, said Inspector General Michael E. Horowitz. [FierceGovernmentIT]

US – Ashley Madison Site Followed Standard Practice. That’s Bad

In the hack of the controversial Ashley Madison website, known for promoting extramarital affairs, the site had followed standard web security practices but failed to implement simple privacy and security design features, making such a breach “inevitable.” The site’s password-reset feature allowed other users to see who used the site, for one, and the site kept real names and addresses on file. Johns Hopkins cryptographer Matthew Green makes the point that customer data is often a liability and not an asset. Ashley Madison’s site also charged users $19 to delete their data, “a practice that now looks like extortion in the service of privacy.” A column in The Washington Post states that the breach should be a “warning to all of us—cheaters or not.” [The Verge] [Online Cheating Site AshleyMadison Hacked] [Privacy sacred, even for the unscrupulous]
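The password-reset leak described above, as an added example that is not code from Ashley Madison or from the article: a reset handler whose response reveals whether an e-mail address is registered, beside one that answers identically either way (the user store, addresses and function names are constructed for illustration).

```python
"""Account enumeration through a password-reset form, and the uniform-response fix.

Added example; not Ashley Madison's or any vendor's code. The user store,
e-mail addresses and handler names below are constructed for illustration.
"""
import hmac
import secrets

# Constructed sample user store: e-mail address -> user id.
USERS = {
    "alice@example.com": 1001,
    "bob@example.com": 1002,
}

# Reset tokens that would be delivered out of band (by e-mail), keyed by user id.
RESET_TOKENS = {}


def reset_vulnerable(email: str) -> dict:
    """Leaks membership: a different status and message for unknown addresses,
    so anyone can confirm whether an address belongs to a registered user."""
    user_id = USERS.get(email)
    if user_id is None:
        return {"status": 404, "message": "No account with that e-mail address."}
    RESET_TOKENS[user_id] = secrets.token_urlsafe(32)
    return {"status": 200, "message": "Password reset e-mail sent."}


def reset_hardened(email: str) -> dict:
    """Uniform response: identical status and body whether or not the address
    is registered. A token is generated (and mail would be sent) only for a
    real account, but the caller learns nothing either way."""
    user_id = USERS.get(email)
    if user_id is not None:
        RESET_TOKENS[user_id] = secrets.token_urlsafe(32)
        # send_reset_mail(email, RESET_TOKENS[user_id]) would go here, out of band
    return {
        "status": 200,
        "message": "If an account exists for that address, a reset link has been sent.",
    }


def verify_token(user_id: int, presented: str) -> bool:
    """Single-use token check with a constant-time comparison, so the reset
    endpoint does not leak token bytes through timing differences either."""
    expected = RESET_TOKENS.get(user_id)
    if expected is None:
        return False
    ok = hmac.compare_digest(expected.encode(), presented.encode())
    if ok:
        del RESET_TOKENS[user_id]  # a token may be redeemed only once
    return ok


def is_enumerable(handler, known: str, unknown: str) -> bool:
    """Review check: does the visible response differ between a registered and
    an unregistered address? True means the handler enables account enumeration."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("vulnerable handler enumerable:",
          is_enumerable(reset_vulnerable, "alice@example.com", "nobody@example.com"))
    print("hardened handler enumerable:",
          is_enumerable(reset_hardened, "alice@example.com", "nobody@example.com"))
```

The same review check applies to login, registration and "forgot username" forms: any difference in status code, body, or redirect between known and unknown identifiers is a membership oracle.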

WW – Health System, Adultery Site, Photo Center Breached

UCLA Health System’s computer network sustained a data breach in which as many as 4.5 million unencrypted personal health records were accessed. Patient Privacy Rights’ Deborah Peel said, “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links.” In a separate breach, hackers claim to have in their possession the personal information of 37 million users of AshleyMadison—a website that connects people who want to have extramarital affairs. The hackers, reports journalist Brian Krebs, have said they will release personal data until the site, along with other Avid Life Media sites, are taken down. In yet another data breach, CVS shut down its online photo center after an intrusion may have accessed customer credit card information. [Los Angeles Times] [Sask. Cancer Agency employees snooped on 48 patients] [SK: Snooping cases worry privacy commissioner] See also: [CA – NB Horizon notifying patients after laptop stolen in Fredericton: Stolen laptop contained Medicare information and was not password protected] See also: [Misdialed fax number led to privacy breach, Liberals say: A wrong fax number resulted in privacy breach in Hamilton affecting some 500 recipients of disability payments]

US – BCBS Post-Breach Response May Set New Precedent

Blue Cross Blue Shield’s move to provide complimentary identity monitoring to the 106 million victims of its recent breach “for as long as they’re enrolled in the plans’ insurance coverage” may set a new breach-response precedent. As corporations usually extend monitoring for one or two years post-breach, the decision is seen as landmark. “Something like this may eventually become standard business operations,” said Medical Identity Fraud Alliance Senior VP Ann Patterson. However, it’s problematic as “it requires the data breach victim to affirmatively ‘opt in’—they aren’t automatically included, and it only lasts as long as you are insured by Blue Cross,” said Cohen & Malad’s Lynn Toops. [BankInfoSecurity] [UK – Morrisons data leak ‘a warning to companies’ about importance of fraud prevention policies says expert]

Identity Issues

EU – DPA: Facebook Can’t Change Pseudonyms to Real Names

In Germany, Facebook has been prevented from barring users from creating accounts under false names. The Hamburg data protection authority has said the social network cannot change individuals’ chosen usernames or ask them to provide official identification, the report states. The ruling follows a woman’s use of a pseudonym for her Facebook account “to avoid unsolicited contact in relation to her business” that the social networking site changed to her actual name. Facebook has expressed disappointment with the ruling. “The use of authentic names on Facebook protects people’s privacy and safety by ensuring people know who they’re sharing and connecting with,” the company said. [BBC News]

US – De-Identify Data for Research’s Sake

The de-identification of healthcare data permits research innovation without sacrificing patient privacy, the report states, noting, “both the healthcare and pharmaceutical industries are beginning to adopt this approach.” Eli Lilly Office of Medical Transparency Director Ben Rotz notes, “As we have a set of rules that are followed, as we start to see standards in place for how the data are collected, then we’re going to start to see more and more technologies emerge that allow for a standard way to anonymize the data,” adding, “As more and more of that tends to happen, people can concentrate on the why and the what of what they’re doing instead of the how do they make it happen from a technology perspective.” [HealthITSecurity]

CA – Transgender Activist Wins Court Battle Over IDs

The Newfoundland and Labrador government will change the Vital Statistics Act to allow transgender people to change their birth certificate and government identification to match their gender identity. The change comes after transgender activist Kyra Rees in St. John’s took the provincial government to court in a battle to get her birth certificate to reflect the gender she identifies with. With legislative changes, Rees and other transgender people can go out in public without fear of ‘outing’ themselves because of the gender marker on their identification cards. Similar changes have been made in Ontario, Alberta, British Columbia and Manitoba. Changes will be made to the act during the next session of the House of Assembly. Rees is urging the province to convene a fall sitting in the House of Assembly so that there is no delay in passing the legislation. [CBC News]

US – Use Synthetic Data to Protect Census Data

Since the first U.S. Census was carried out in 1790, the Census Bureau has expanded its mission and now collects information about occupation, education, income and other personal data. The datasets are useful, but confidentiality becomes harder to preserve. A research team led by Duke University Prof. Jerry Reiter and Cornell University Prof. John Abowd has developed an approach to solving this problem by using synthetic data, or “simulated data generated from statistical models,” the report states. “A query that can be asked of the confidential data can also be asked of the synthetic data,” Abowd said. [Nextgov]

WW – Finding the De-Identification Middle Ground

De-identification plays a major role in protecting privacy while allowing for data to flow and constitutes a big part of a privacy pro’s toolbox. There have been robust debates about its feasibility and whether it’s even possible to truly de-identify data, but, earlier this month, the Future of Privacy Forum (FPF) and Ernst & Young held a workshop to work through these issues in an attempt “to drill down into some challenges that privacy pros face in (their) day-to-day practice.” FPF Policy Counsel Joseph Jerome recaps the event and includes insight from industry, practitioners, academics and regulators about striving toward a workable and practical de-identification solution. [Privacy Tech]

Internet / WWW

WW – UN Gives U.S. Failing Grade on Privacy

The U.S. scores very low on protecting its citizens’ privacy, according to a new United Nations Human Rights Committee Review. The committee’s midterm report cards for several countries, including Bolivia, Hong Kong, Norway, Portugal and the U.S., look at how well the countries have adhered to and implemented UN recommendations on the International Covenant of Civil and Political Rights. In several aspects of protecting privacy, the U.S. was graded “not satisfactory.” Specifically, the U.S. government has not established an adequate oversight system to ensure privacy rights are being upheld, the report states. [The Intercept]

Law Enforcement

CA – RCMP Tracked Toronto Activists With Fake Facebook Profile

Officers with the national police force used a Facebook profile to pose as a broke student so as to communicate with protest groups in Toronto, according to documents obtained under the Access to Information Act. The social media account, which went by the name of Bebop Arooney and had a profile picture of three penguins frolicking on a beach, tracked the Facebook pages of more than two dozen organizations in Toronto, ranging from Black Lives Matter Toronto and Idle No More to the Ukrainian Canadian Congress. Six Jewish and Palestinian groups were also monitored. WWF wrestler Mick Foley also attracted the Mounties’ attention. A second RCMP social media account — @angrycitizen123 — followed Foley on Twitter. The RCMP confirmed it created both profiles but said they were not used for surveillance purposes. “The (Facebook) account mentioned was opened in 2005 for operational reasons, and since that time, the RCMP’s social media practices have changed and evolved and now we use an official media account for such purposes,” a spokesperson said. “The Facebook account is historical and no longer relevant.” The Facebook profile was deleted Thursday. The Twitter account is still online. “If there is no criminal investigation ongoing, then monitoring these groups is potentially problematic,” said Cara Zwibel, director of the Canadian Liberties Association’s Fundamental Freedoms Program. “Even though we think of social media as stuff that is out there in the public, the privacy commissioner’s office made it clear that it doesn’t cease to be personal information just because it is in that kind of forum.” The Facebook profile also appears to have contravened Facebook’s own terms of use. A spokesperson for the social media giant said bogus accounts, even those created by law enforcement agencies, are subject to removal. [Toronto Star]


US – MAPPS Publishes Best Practices

Following the FTC request that companies “protect the privacy of individual citizens’ ‘sensitive’ data as outlined in its Protecting Consumer Privacy in an Era of Rapid Change report,” national private-sector geospatial firms association MAPPS has published its “Best Practices Guideline” for handling users’ geospatial data, Directions Magazine reports. Announced during MAPPS’ yearly conference, the guidance provides assistance to companies when determining whether they “should obtain individual consent for collection of geospatial data and when it is not needed to protect privacy,” the report states. “This document helps engage in lawful, ethical and professional practice that is respectful of individual citizens,” said MAPPS Executive Director John Palatiello. [Full Story]

WW – Google Rolls Out User-Friendly Location History Tool

Google is rolling out a new “your timeline” feature for Google Maps in coming weeks “that is certain to thrill some folks—and horrify others.” The feature allows users to view their entire location history on Google Maps based on data pulled from devices upon sign-in to Gmail. Google says it’s a useful way to remember where you’ve been on any given point in time and that it’s only viewable to the user. [PCWorld]

Online Privacy

WW – New Operating System Brings Cheers and Privacy Concerns

With the rollout Wednesday of Microsoft’s new operating system, Windows 10, many praised its new features while others expressed concerns about user privacy. For those using Windows 7 or 8, the upgrade is free, but some are pointing out that comes with a privacy trade-off, as has been demonstrated in Microsoft’s new privacy policy and services agreement, the report states. Microsoft Deputy General Counsel Horacio Gutiérrez said the company’s new dashboard creates a “straightforward resource for understanding Microsoft’s commitments to protecting individual privacy with these services.” [Information Age] [Windows 10 may be free, but it comes at a huge price to your privacy] [Microsoft’s Windows 10: Some issues to consider before you upgrade]

WW – Microsoft to Honor Revenge Porn Takedown Requests

Calling it a “first step,” Microsoft announced it will honor takedown requests for so-called “revenge porn” in its Bing search engine and content access removal from Xbox Live and OneDrive upon a victim’s requests. “Much needs to be done to address the problem,” Jacqueline Beauchere wrote in a Microsoft blog post. “As a first step, we want to help put victims back in control of their images and their privacy.” The company has also set up a new reporting site for victims to inform Microsoft of particular photos or videos in question. Beauchere added, “It’s important to remember … that removing links in search results … doesn’t actually remove the content from the Internet—victims still need stronger protection across the web and around the world.” [Full Story]

WW – W3C: Fingerprinting, Supercookies Undermine Trust in the Web

In a new post, the World Wide Web Consortium (W3C) Technical Architecture Group (TAG) says digital fingerprinting, supercookies and other forms of pervasive tracking of users’ web behavior undermine trust in the Internet. “Tracking users’ activity without their consent or knowledge is … a blatant violation of the human right to privacy,” the post states. One of the group’s major concerns is that users have no means by which to prevent these “unsanctioned tracking” tools. Ad-tech companies have argued such tools are not privacy-invasive because they anonymize user data, but the TAG writes, “Unsanctioned tracking can be harmful even if non-identifying data is shared.” In a separate post in The Guardian, Felix Salmon opines that advertising technology is “killing the online experience” through privacy invasions and the excessive use of bandwidth. [MediaPost] See also: [US: The myth of online privacy]

WW – Most Android Phones at Risk From Simple Text Hack, Researcher Says

A security research company claims to have found a vulnerability baked into Android that could endanger nearly all devices running the popular mobile software. The flaw, says researcher Zimperium, exists in the media playback tool built into Android, called Stagefright. Malicious hackers could take advantage of it by sending to an Android device a simple text message that, once received by the smartphone, would give them complete control over the handset and allow them to steal anything on it, such as credit card numbers or personal information. So far, Zimperium told National Public Radio, the flaw has not been exploited, but in a blog post on its own website, it said that 95 percent of Android devices worldwide are vulnerable. [CNET] See also: [Thousands of Apps Secretly Run Ads That Users Can’t See]

WW – Adobe Aiming to Compete on Cross-Device ID Data

Adobe is working on its own cross-device ID that would aim to rival such platforms as Facebook and Google. The company has begun “actively recruiting co-op members” and has slated a beta release for November. Adobe’s privacy product manager told a group of consumers and partners on a recent conference call, “We are asking permission to use some of your anonymous data to build both a declared graph as well as a stitched graph to help fill in for situations where a consumer might not have signed in on a particular device.” But potential participants have cited concerns with how the co-op could conflict with current opt-out systems. [Ad Exchanger]

US – Senators Want FCC to Limit Info-Sharing

A group of senators wants the FCC to ensure that broadband providers do not share data about users’ web behavior without the users’ consent. “ISPs should gain affirmative express consent from consumers before using or sharing information beyond what a consumer would reasonably expect an ISP to use and share in order to deliver service and manage its networks,” wrote the group, which includes Sens. Ed Markey (D-MA), Richard Blumenthal (D-CT), Al Franken (D-MN), Patrick Leahy (D-VT), Ron Wyden (D-OR), Bernie Sanders (I-VT), Jeff Merkley (D-OR), Cory Booker (D-NJ) and Elizabeth Warren (D-MA). “This includes sharing information with affiliates, as well as for advertising or marketing purposes,” the senators added. [MediaPost]

US – White House Responds to Snowden, ECPA Petitions

The White House responded in separate statements to two petitions—the first calling for the pardon of Edward Snowden and the second calling for Electronic Communications Privacy Act (ECPA) reform. Regarding Snowden, the White House responded that his “dangerous decision to steal and disclose classified information had severe consequences for the security of our country,” adding, “He should come home to the United States and be judged by a jury of his peers.” However, the White House agreed with petitioners that “ECPA is outdated, and it should be reformed,” adding that while it won’t “endorse a single ECPA-reform bill at this time,” it is “encouraged by the strong bipartisan support for updating this legislation.” [Full Story] [After two years, White House says ‘no’ to petition asking for pardon of Edward Snowden]

US – The EFF Turns 25

The Electronic Frontier Foundation (EFF) celebrated its 25th birthday last week and the privacy community reflected on its colorful and impactful history. The report highlights some of the EFF’s landmark legal victories, such as the 1999 case in which the court agreed with the EFF that computer code was protected under free speech. Those within the industry expressed support and gratitude for the organization. “When the EFF is behind you, businesses have a fighting chance to protect their assets,” said Blancco Technology Group’s Paul Henry. “Many of the things that they have suggested are now considered best practices globally,” added Nok Nok CEO Phillip Dunkelberger. [CSO Online]

Other Jurisdictions

IN – Government: Citizens Have No Right to Privacy

The Modi government told India’s Supreme Court that citizens cannot invoke the concept of the fundamental right to privacy in attempts to scrap the Aadhaar national identity card program. Attorney General Mukul Rohatgi told Justice J. Chelameswar that the “constitution does not confer (the) right to privacy of citizens,” referring to a 1950s Supreme Court judgment in which eight justices ruled that citizens do not have such a right. Rohatgi added, “The law on right to privacy is vague in the country, and a larger bench should be constituted to pass an authoritative verdict on the issue. To be frank, question of violation of right to privacy does not arise when it does not exist.” [India Today]

AU – Immigration Department Sought Private Medical Records ‘for Political Reasons’

The personal medical records of asylum seekers have been handed over by International Health and Medical Services (IHMS) to Australia’s immigration department for “political purposes” and potentially in breach of privacy laws, according to leaked internal briefing notes from within IHMS. The revelations are contained in the meeting notes of a clinical directors’ meeting at IHMS on confidentiality in September 2013, obtained by Guardian Australia. In response IHMS and the immigration department strongly denied they had inappropriately provided or sought access to asylum seekers’ medical records. [The Guardian]

CN – Aliyun Publishes Data Protection Pact

At the first-annual Data Technology Day in Beijing, Aliyun, e-commerce company Alibaba’s cloud computing company, released its Data Protection Pact. “We aim to make cloud computing the engine of the data technology economy, and big data a driving force of economic development,” said Aliyun President Simon Hu. “Aliyun will continuously be committed to building a cloud-computing ecosystem to efficiently and securely serve global clients.” The document details Aliyun user rights, including the ability to “freely and safely access, share, exchange, transfer or delete their data at any time,” as well as the opportunity “to select whatever services they choose to securely process their data.” [MarketWatch]

WW – Asia-Pacific News Roundup

Privacy (US)

US – Appeals Court Overturns Neiman Marcus Dismissal

On Monday, July 20, the US Court of Appeals reinstated a liability case against Neiman Marcus for potential damage to consumers from the data breach that exposed data for 350,000 Neiman Marcus customers. The company acknowledged that at least 9,200 of those accounts were later used for fraud. This appears to be the first time an appeals court has recognized the actual damage associated with consumers having to research and repair credit card accounts after data breaches. [WSJ]

US – FTC Announces New Workshop on Lead Generation

The FTC announced it will host a new workshop on the increased use of lead generation across industries, including those in consumer lending and education. The FTC explained that lead generators “identify or cultivate consumer interest in a product or service, and sell the consumer ‘lead’ information to third parties.” In so doing, consumer leads often “contain sensitive personal and financial information” that travels through several businesses before reaching its final destination. The October 30 workshop will bring together representatives from industry, consumer advocacy and government to explore how lead generation works, what types may be unlawful, best practices and how consumers can avoid bad actors. [Full Story]

US – LifeLock Violated 2010 Settlement: FTC

The FTC has filed documents in U.S. District Court alleging identity-theft protection service LifeLock violated its 2010 settlement with the agency. The FTC alleges LifeLock made deceptive claims about its services, failed to implement a comprehensive information-security program to protect sensitive consumer data, falsely advertised that it protected customer data at a high level and did not meet the 2010 order’s bookkeeping requirements, an FTC press release states. “It is essential that companies live up to their obligations under orders obtained by the FTC,” said Consumer Protection Bureau Director Jessica Rich. “If a company continues with practices that violate orders and harm consumers, we will act.” The FTC voted 4-1 on the order, with Commissioner Maureen Ohlhausen in opposition. [Full Story] [FTC Charges LifeLock with Deception]

US – Senators Receive Millions of Faxes Protesting CISA

Opponents of legislation in the US Senate may have stalled a vote on the bill that aims to improve cyber threat information sharing between private companies and the government. Legislators were hoping to vote on The Cybersecurity Information Sharing Act (CISA) prior to the summer recess, which begins on August 10. A privacy advocacy group, Fight for the Future, sent more than six million faxes to Senate members protesting the proposed legislation. [ComputerWorld] [SCMagazine]

US – Trade Group, Privacy Advocates Launch Public-Facing Campaigns

Beginning next week and until August 28, trade group ACT-IAC is collecting recommendations from academia and the public and private sectors on ways to strengthen federal security. In September, the group will submit the recommendations to the Office of Management and Budget and will release a public report outlining its findings. Meanwhile, Fight for the Future, which operates the viral campaign “Operation: #FaxBigBrother,” announced that concerned Internet users have generated more than 6.1 million faxes in opposition to the Cybersecurity Information Sharing Act. The faxes were sent as part of a week of action organized by privacy advocacy and civil liberties groups. [NextGov]

US – Privacy Groups Turn to Fax Machines in Cyber Bill Fight

A broad coalition of civil liberties advocates and digital privacy groups have teamed up to create a one-week website — stopcyberspying.com — which lets anyone write up and send a fax to senators. Photos are optional. The move is part of the ongoing battle over a stalled cybersecurity bill that may hit the floor sometime later this week. The bill, known as the Cybersecurity Information Sharing Act (CISA), would boost the public-private exchange of data on hackers. Industry groups and many in Congress believe the enhanced sharing of this type of information is necessary to help the country better understand and counter the growing cyber threat. But privacy advocates believe the measure would simply create another outlet for the government to collect sensitive data on Americans. The website calls CISA “a surveillance bill in disguise” and “the Darth Vader bill.” [Source]

US – RNC Offers Voter File to Presidential Candidates

The Republican National Committee (RNC) has offered to share its voter file with Donald Trump’s presidential campaign. The RNC has the names, voting history and consumer data of roughly 250 million Americans, the report states. The Trump campaign’s attorneys are reviewing the data-sharing agreement, which has been offered to all 17 of the Republican presidential candidates, 11 of whom signed off on it. The RNC said every indication points to Trump entering into the agreement. The RNC offer runs in contrast to the decision by political operation Freedom Partners, which denied Trump access to its voter data. [Yahoo Politics]

US – Trump Shares Graham’s Cell Number

At a Tuesday speaking engagement, Republican presidential hopeful Donald Trump took aim at political rival Sen. Lindsey Graham (R-SC) by releasing Graham’s personal cell-phone number, which led to an “influx of calls.” With Trump, Graham said, “nothing surprises me anymore. It’s just too bad, really,” adding, “I think the beginning of the end has come. The beginning of the end has arrived because he’s crossed a line with the American people that will not be tolerated.” When asked if he would confront Trump on his actions, Graham added, “What good would that do, calling (him)? I’m more worried about the Iran nuclear deal than I am Donald Trump.” [Politico]

US – Lawsuit Filed Over City’s Garbage-Snooping Law

Seattle’s recent law requiring garbage collectors to look through trash to check that no more than 10 percent of it is recyclables or food has sparked a privacy lawsuit. “In short, this program calls for massive and persistent snooping on the people of Seattle,” said the Pacific Legal Foundation’s Brian Hodges. “This is not just objectionable as a matter of policy; it is a flagrant assault on people’s constitutional rights.” Currently, violators of the law can expect to be fined anywhere from $1 to $50. “The law makes garbage collectors the judges and the juries,” Hodges told The Seattle Times. [KiroTV] [Does Seattle’s Trash Monitoring Violate Privacy Rights?]

UK – Supreme Court to Hear Google Appeal of Vidal-Hall

The England and Wales Court of Appeal delivered a decision in April that IAPP VP of Research and Education Omer Tene called “the European Judicial Privacy Decision of a Decade,” invalidating a section of the UK Data Protection Act and establishing affirmatively that “moral damage” is recoverable under privacy law. On Tuesday, however, the UK Supreme Court agreed to hear Google’s appeal of Google v. Vidal-Hall, and the impact of the decision will be wide-ranging. [The Privacy Advisor]

US – CISA Critics Speak Out

Sen. Ron Wyden (D-OR) argues that a classified 2003 National Justice Department memo has grave relevance to the ongoing debate on the Cybersecurity Information Sharing Act (CISA), which could potentially be voted on before the August recess. “I remain very concerned that a secret Justice Department opinion that is of clear relevance to this debate continues to be withheld from the public,” Wyden wrote. The senator isn’t the only one concerned about CISA, with groups like the ACLU and the EFF joining together to create stopcyberspying.com, a one-week only site that allows critics to send faxes to senators. “Congress is stuck in 1984,” the site states. “We’re going to communicate with it in a way it’ll understand: With faxes.” Meanwhile, the Senate Homeland Security and Governmental Affairs Committee is moving to enact additional anti-hacking legislation. [National Journal]

US – Gerstell Appointed as NSA’s General Counsel

Glenn Gerstell, a Washington, DC, attorney and “significant Obama fundraiser,” has been appointed as the NSA’s general counsel. While the move hasn’t yet been officially heralded, it’s already sparked debate. “His résumé shows no deep experience working with intelligence and national security issues that the NSA’s counsel contends with on a regular basis,” the report states. “That said, sources familiar with his appointment … noted that his experience running a large law firm would prepare him for overseeing the team of more than 100 lawyers in NSA’s general counsel’s office, who provide advice and guidance on everything from surveillance operations to contracts and procurement.” [The Daily Beast]

US – Appeals Court Rules Facebook Can’t Refuse Warrants

A New York state appeals court has ruled Facebook does not have the right to refuse search warrants for its users. “We continue to believe that overly broad search warrants—granting the government the ability to keep hundreds of people’s account information indefinitely—are unconstitutional and raise important concerns about the privacy of people’s online information,” said Facebook’s Jay Nancarrow. The court, however, “disagreed with Facebook’s claim that the federal Stored Communications Act gave it the standing to contest the warrants, saying the company had misinterpreted the law,” the report continued. [The New York Times]

US – Gunshot Detection System Prompts Privacy Concerns

While many believe ShotSpotter, SST’s new gunshot-detection program, is a breakthrough security offering, some are concerned with the privacy implications. Within 30 seconds of a gunshot, the program’s microphones are able to distinguish the shot, analyze it and report it to law enforcement. Cities and college campuses are installing it in droves. However, “many have questioned whether ShotSpotter could constitute a Fourth Amendment violation: warrantless search and seizure of public sounds,” the report states. “How can we be sure that the technology is in fact confined to listening for gunshots?” the ACLU’s Jay Stanley asked, adding, “How can we ensure that it won’t expand over time to more and more uses?” [The Guardian] [ShotSpotter: gunshot detection system raises privacy concerns on campuses]

US – Master’s in Cybersecurity Can Be Conduit to Lucrative Career

For students interested in pursuing a Master’s degree in cybersecurity, not only are more and more universities offering courses to that end, but the career path post-graduation is also proving to be increasingly lucrative and expansive. Schools like Carnegie Mellon University, Fordham University and the University of Southern California are among 10 schools profiled in the report, which notes that cybersecurity professionals had the eighth highest entry on the “100 best jobs for 2015” list. Additionally, “the profession is growing at a rate of 36.5% through 2022,” the report states. [CSO]

US – School District Discusses Body-Camera Policy

Iowa’s Burlington Community School District is considering student and teacher privacy implications as its school board works to define its new body-camera policy. “We hope to have a tool in place that will allow us to accurately address any issues or concerns that arise in our district,” said Director of Human Resources Jeremy Tabor. The board’s privacy considerations have run from “limiting the use of the cameras to student disciplinary situations” to “giving people the option to say ‘no’ to being recorded,” the report states. “We don’t want to rush this,” said Tabor. “We want to make sure we’re taking the proper amount of time to vet this and make sure we have a good, effective policy in place.” [Government Technology]

US – Legislators Want to Increase DHS’s Cyber Authority

US legislators have introduced a bill that would give the Department of Homeland Security (DHS) a greater role in overseeing the cyber security of federal agencies. The FISMA Reform Act would give DHS the authority to conduct risk assessments on federal networks and use defensive measures without the permission of an agency. [SCMagazine] [NextGov] [SCMagazine]

US – Legislation Aims to Establish Automobile Cyber Security Standards

US Senators plan to introduce legislation that would require cars sold in the country to meet certain cyber security standards. It calls for the National Highway Traffic Safety Administration and the Federal Trade Commission to establish those standards, which will include isolating critical systems from other parts of the vehicle’s network. The bill also includes provisions for customer data protection and privacy. [Wired] Earlier this year, members of the US House Energy and Commerce Committee wrote to 17 car manufacturers and the National Highway Traffic Safety Administration to ask for information about how they plan to address cyber security concerns. [EnergyCommerce]

Privacy Enhancing Technologies (PETs)

WW – Google, Silent Circle Pair Up on Next Version of Blackphone

Google and Silent Circle, the maker of the privacy-centric Blackphone, have formed a partnership. Through this partnership, the next version of the Blackphone will come equipped with Google’s Android for Work software, which allows users to compartmentalize personal and professional use and also “collects huge amounts of user data to sell advertising,” the report states, asking, “So why would Silent Circle, which is intensely concerned with privacy, team up with the largest data collection company in the world?” The answer, according to Silent Circle, “comes down to marketing … Most users of Blackphone and Silent Circle’s other encrypted-communication products are in Europe. The Google deal will raise the company’s profile in the U.S.,” the report states. [The Wall Street Journal]

WW – Researchers Say They’ve Created Faster Onion Router

A group of researchers claim they have created a better, faster alternative to the Tor network. In a newly published paper, researchers from the Swiss Federal Institute of Technology and the University College of London describe an anonymizing network called HORNET (High-speed Onion Routing at the NETwork layer), saying it could be part of the next generation of Tor. The researchers state HORNET moves anonymized data at 93 gigabits per second and can be scaled to handle large quantities of users. Though the researchers said the system couldn’t fully protect against targeted attacks, widespread use could stymie mass surveillance, they claim. [Ars Technica]

WW – Snowden Describes Privacy-Focused Internet, Calls for SPUD Protocol

Former U.S. National Security Agency contractor Edward Snowden remotely spoke at an Internet Engineering Task Force (IETF) meeting, urging attendees to design an Internet for users, not spies. “Who is the Internet for?” he asked. “Who does it serve; who is the IETF’s ultimate customer?” He said the growing use of credit cards on the web is pinpointing users’ identities. “We need to divorce identity from persona in a lasting way,” he said. “If it’s creating more metadata, this is in general a bad thing.” Snowden urged the engineers to implement the SPUD protocol, reducing the number of intermediaries through which data passes by a combination of transport protocols. [Snowden Describes How to Build an Internet Focused on Privacy]

US – Start-Up Aims to Put Users in Control

Given what they called a lack of regulations to protect consumers against potential harms as a result of increasingly pervasive and surreptitious online tracking, college buddies Chandler Givens and Ryan Flach decided to do something about it themselves. Seeing the kinds of concerns consumers have around companies doing things that, if not unlawful, felt wrong to them, Givens saw an opportunity in their combined skillset; Givens is a privacy lawyer and Flach a software engineer. Now they’ve launched TrackOFF, software designed to put power back in consumers’ hands by letting them combat digital tracking from their own computers. [The Privacy Advisor]

WW – Baidu Launches Privacy Protection App ‘DU Privacy Vault’

New Android Security Solution Protects Apps, Photos, Videos and More… Baidu, a large Chinese language Internet search provider and developer of PC, Web and mobile products, has launched DU Privacy Vault, Baidu’s first mobile app focused exclusively on protecting people’s privacy. Free to download, DU Privacy Vault enables users to easily and safely secure all the apps, photos and videos on their phone. In the name of preserving privacy, DU Privacy Vault showcases the following features:

  • App Lock: Lock all of your apps with a single gesture-based password. Secure your smartphone and completely protect your privacy.
  • Lock Cover: Disguise your lock screen as something else. A fake ‘App Crash’ screen cover and a ‘Fingerprint Scan’ screen cover are now included. More screen covers will be available for download soon.
  • Photo/Video Safe Vault: Hide and encrypt your photos and videos with DU Privacy Vault. Never again worry about other people peeking in on your gallery.
  • Prevent Uninstall: After you turn on the Prevent Uninstall feature, other people won’t be able to delete DU Privacy Vault from your phone without your authorization.
  • Lock Delay: Within the time limit you set, you won’t need to unlock your apps again when you reopen them.

DU Privacy Vault runs on Android 5.0 and up, and is available as a free download on Google Play. [Source]

EU – CyberGhost Talks Privacy

As CyberGhost, a Romania-based VPN start-up, invests in a EU pro-privacy boot camp for interested start-ups, it also has lots to say about privacy and data collection. “What we are doing here (with the boot camp) is to prove you can grow a company, sustainable, on the long term, with success and profitability, without using all this data. It’s just not necessary. It’s just a myth that you need data to run all businesses,” said CyberGhost Cofounder and CEO Rob Knapp. “We have a security industry that protects data because we store data. So why do we start storing data? The best data security is not to store it. It’s very simple.” [TechCrunch] [VPN Maker CyberGhost Aims To Grow A Privacy Hub In Eastern Europe]

EU – Hornet Gives Wings to Onion Privacy Technology

European researchers may have stumbled upon a new anonymised internet browser that is like Tor on rocket fuel. Hornet, or high-speed onion routing at the network layer to give it its full name, can move internet traffic at some 93Gbps and still offer the same level of protection as the sluggish Tor network, according to Ars Technica. The new method appears in a paper penned by a group of researchers from the Swiss Institute of Technology in Zurich and the University College London. [Source]

WW – Power of IOT Means Great Responsibility

Experts say that while incredibly promising, the Internet of Things brings with its advent much to consider. “Just imagine smart meters, which are great for reducing energy use and shrinking bills,” said KPMG’s Mark Thompson. “You could have the energy regulator, Ofgem, involved as well as Ofcom, because the data’s going over a broadband connection. Then, because there’s data involved, the Information Commissioner’s Office is bound to have an interest.” When data crosses borders, “you could have a perfect storm of countries not always having the same security and privacy standards,” he adds. To address the privacy issues, Privitar’s John Taysom recommends “disassociation”—through which “companies and governments get the data without a risk to privacy,” the report states. [The Guardian]

US – Connected Car Remotely Hacked; Legislation Introduced

Two years ago, Wired reported how security experts hacked a Ford Escape and a Toyota Prius by directly connecting computers into the cars’ online diagnostics port. Now, those same hackers have successfully demonstrated they can remotely hack a Jeep Cherokee miles away from the vehicle. Charlie Miller and Chris Valasek plan to discuss their findings at next month’s Black Hat conference in Las Vegas, NV. Remotely, Miller and Valasek were able to stop the vehicle, turn the ignition on and off and control the radio as well as all of the vehicle’s dashboard features. [Hackers hijack Jeep, taking control of speed, brakes: Two hackers remotely took control of a Jeep Cherokee and changed its speed and other features] Meanwhile, Sens. Ed Markey (D-MA) and Richard Blumenthal (D-CT) introduced legislation today aimed at setting new security standards for connected vehicles. [Full Story] See also: [Yahoo Finance: Ford CEO on Balancing Consumer Privacy Expectation]

US – Lawmakers Look Into Data Security

A House Judiciary Committee hearing examined the deluge of new Internet-of-Things devices that are proliferating in the marketplace and whether government needs to step in with new legislation. “The time of the ‘Dick Tracy’ watch is here,” said Rep. Ted Poe (R-TX). As automobiles, transportation systems and other devices increase the amount of data they collect, Rep. Jerrold Nadler (D-NY) cautioned that “unless cities integrate strong security … (they are) vulnerable to attack.” Poe also added that it’s Congress that “needs to set the expectation of privacy” for users. Consumer Electronics Association President Gary Shapiro cautioned against stifling data collection, noting, “There’s so much happening from an innovation point of view.” [Nextgov]

US – NHTSA Head Says Driverless Cars Must Have Privacy Protections

National Highway Traffic Safety Administration Administrator Mark Rosekind said this week that the agency encourages development and deployment of connected and driverless cars, but the industry must work to build in privacy and cybersecurity protections for widespread adoption. Rosekind said the industry must not only focus on traffic safety but information security as well. “We will have to help people who can’t tell LIDAR from a coffee maker,” Rosekind said. “Whether for profit or for malicious intent we know these systems will become targets for bad actors,” adding, “We must reassure vehicle owners that their data is secure, the vehicles are secure.” On Tuesday, a new privacy bill for connected cars was introduced. [USA Today]

US – Survey: Execs Consider Cyber-Threats a Top Concern

A new survey reveals that three-quarters of executives from U.S. businesses, law enforcement and other organizations, as well as security practitioners, have said they are more concerned about cyber threats this year than they were last year. Conducted by PwC, the survey questioned more than 500 individuals. “Heightened awareness and concern are well-warranted,” the report states, noting, “A record 70% of survey respondents said they detected a security incident in the past 12 months. Many incidents go undetected, however, so the real tally is probably much higher.” PwC’s David Burg said 2015 is a “watershed year for cybercrime.” [Fierce Government IT]

WW – How Security Experts and Non-Experts View Online Safety

Researchers from Google have posted results that surveyed security experts and non-experts to determine how each group prioritizes online safety measures and explore why any differences between the two exist. Password management was a key priority for both groups, but their approach differed. Security experts said they rely on password managers, while non-experts relied on strong passwords and frequent password changes. “Our findings suggested this was due to lack of education about the benefits of password managers and/or a perceived lack of trust in these programs,” the researchers wrote in a Google blog post. Another key difference involved non-experts’ reliance on antivirus software. Security experts rely instead on software updates and noted that antivirus software “might give users a false sense of security since it’s not a bulletproof solution.” [Full Story] [37 million Americans don’t use the Web. Here’s why you should care]

US – New OPM Report: Hack Not Sophisticated; CSID Responds to Criticism

A new report on the Office of Personnel Management (OPM) hacks from the Institute for Critical Infrastructure Technology points to poor governance and old technology and not sophisticated cyber-intrusions as the reason for the breaches. “The failure of (the Department of Homeland Security) or OPM systems to detect the breach does not indicate a level of sophistication on behalf of the adversary,” the report states. Meanwhile, CSID President and Cofounder Joe Ross defended the company’s work in helping the OPM notify and respond to the initial hack of 4.2 million individuals. “We took a beating early on for doing what in our mind (was) the right thing to do,” he said. A column for The Washington Post states that there are currently not enough cybersecurity experts in government agencies. [Fierce Government IT]

US – Government Asks Bidders on Hack Contract

The government plans to award a sweeping five-year contract in August to a private company to monitor the hacked security clearance data of 21.5 million people for identity theft — and ensure that the records are protected from further intrusions. The winning bidder will be asked to monitor financial and health information of the breach victims — contractors and federal employees and their families — for fraudulent activity; set up call centers to answer questions; train government employees how to prevent other hacks and restore stolen identities. And the contractor must be on constant alert for further risks to the hacked background investigation files, among the most sensitive data in the government, according to a 55-page solicitation the General Services Administration issued last week. GSA has asked potential bidders if they have the capacity to host such a large trove of data: “In light of these requirements, does your company have the ability to host and protect in excess of 21.5 million records?” [The Washington Post]

WW – Windows 10 Wi-Fi Sense Feature Shares Wi-Fi Passwords With Contacts

One of the new features of Microsoft’s newest operating system is that Windows 10 will automatically share an encrypted version of your Wi-Fi network password with contacts in Outlook and Skype unless users specifically opt out. The password will not be disclosed, but the sharing mechanism will allow those contacts to use your Wi-Fi network if they are in the area. The Express settings for installation enable this feature by default. Some say that the feature is not as scary as people would like to think it is. [Krebs] [v3.co.uk] [ZDNet]

WW – Hackers Could Use Cell Phones as Spycams

Stagefright, a “multimedia playback engine” unique to Google Android phones, has a vulnerability so profound “that attackers could send a text message with a malicious video file and infect the mobile device without a recipient actually clicking to open the file,” effectively rendering it a “spycam,” the report states. Google has released a patch for the flaw, but “the fix won’t help millions of users with older versions of the system that Google no longer supports,” the report continues. Meanwhile, Israeli researchers discovered how to hack into an air-gapped computer “using the GSM network, electromagnetic waves and a basic low-end mobile phone,” Wired reports. [The Christian Science Monitor]

US – CDOs a Growing Necessity

The need for a chief data officer (CDO) is growing as more organizations express concern about the increasing amount of data they must manage, according to TM Forum Transformation Research Center Managing Director Rob Rich. While “many service providers have successfully consolidated and modernized systems and simplified programs … there is lots more work to do to tap big data’s potential and to protect the organization’s (not to mention customer’s) data,” Rich writes. “Clearly, the more fragmented a company’s data, the more difficult it is to manage and protect, and the more likely it is that sensitive data could be compromised.” A CDO’s role may include data strategy, education and data governance, the report states. [FierceCIO]

US – OPM Changes Privacy Policy; Hunt for New Contractor Underway

The Office of Personnel Management (OPM) announced it has changed its privacy regulations in order to allow investigators to probe its databases for security vulnerabilities. The OPM is also in the middle of finding a contractor for notifying and providing identity-theft protection services for the 21.5 million victims of the second hack of the agency. Jedidiah Bracy reports on the latest efforts by the OPM and the White House to shore up information security and appropriately respond to the second hack, as well as the latest moves by lawmakers to assess the relevance of providing such credit-monitoring services. [Privacy Tech]

WW – Stagefright Vulnerabilities Affect Nearly All Android Devices

Nearly all Android smartphones contain remote code execution vulnerabilities that could be exploited simply by sending the device a maliciously crafted text message. The vulnerabilities lie in Stagefright, an Android component that is used in playing, recording, and processing multimedia files. Google has developed a fix for the issue, but because the wireless carriers and device manufacturers must also take action, it is unknown if and when the devices will be patched. [SANS.edu] [ArsTechnica] [DarkReading] [Forbes] [ComputerWorld] [CNET]

Smart Cards

WW – Sony Moves into the Drone Camera Business

Sony is partnering with autonomous driving start-up ZMP for the creation of a new camera drone company called Aerosense. The new company will use Sony’s imaging, sensing and networking technology for aerial surveillance capabilities for businesses, while ZMP will implement its robotics know-how to help them fly. According to the report, Sony will not sell the drones, but will lease them for “measuring, surveying, observing and inspecting.” Meanwhile, Google is joining forces with Amazon, Verizon and the Harris Corp to help create an air-traffic control system for drones in order to prevent mid-air accidents. David Vos, who is in charge of Google’s Project Wing, said, “We think the airspace side of this picture is really not a place where any one entity or any one organization can think of taking charge … The idea really is anyone should be free to build a solution.” [The Guardian]

WW – Automakers Consortium to Buy Nokia’s HERE Mapping Software

Several car makers, including Audi, BMW, Daimler, and Volkswagen, have made a successful bid to purchase Nokia’s HERE mapping software, which will become an open platform. Daimler CEO Dieter Zetsche said his company is interested in building security into the system. [BetaNews] [Forbes] [The Hill] [CNET] Earlier this week, hackers proved they could remotely hack into and turn a connected car off while it drove. [Full Story]


US – NSA to Lose Access to Section 215 Data

According to an announcement from the Office of the Director of National Intelligence, the NSA will start to purge data collected under its Section 215 surveillance program that expires later this year. NSA analysts will no longer be permitted to search the database after November 29, 2015. Technicians will be able to access the database for three additional months for the purpose of comparing what they had collected before to what is permitted under the new system. [NextGov] [NYTimes]

EU – Governments Step Up Domestic Surveillance

There has been a rise in domestic government surveillance in EU member states. Last month, in response to the Charlie Hebdo terrorist attacks, France passed what many are calling an intrusive surveillance law, and just this week, the European Parliament stepped down in a fight against new passenger name record regulations. Plus, the EU is spending hundreds of millions to develop security technology that is raising concerns among privacy advocates and civil liberties organizations, the report states. “Funding these programs is not per se problematic,” said the Council of Europe’s Nils Muiznieks. “It is how the new technologies will be used that poses a series of human rights concerns.” The European Commission’s Natasha Bertaud said the EU has the highest privacy standards in the world, but added, “There can be no security without freedom and no freedom without security.” [Reuters]

WW – White-Hat Hacker Discovers OnStar Vulnerability

A white-hat hacker has discovered a vulnerability in the mobile app for GM’s OnStar vehicle communications system that can permit hackers to “locate, unlock and remote-start” participating cars. In response, General Motors is developing a patch for the bug that is “days away” from release and working to quell fears. “We believe the chances of replicating this demonstration in the real world are unlikely,” said GM’s Terrence Rhadigan. “In addition, the action involves one user at a time, and would impact only that specific user’s account.” This comes on the heels of Fiat Chrysler’s recent voluntary recall of 1.4 million vehicles after the Jeep Cherokee was found susceptible to hacking. [Reuters] [Ars Technica]

US – Fiat Chrysler Recall

Chrysler has issued a safety recall for 1.4 million vehicles following the publication of a story in which hackers were able to take control of a Jeep. Users have several choices for fixing the vulnerabilities. They can go to a Chrysler dealer and have the software updated; they can download the patch onto a USB drive and plug it into their vehicle; or they can choose to receive a USB drive in the mail from Chrysler that already has the fix on it. Some have criticized the USB from Chrysler option because it asks users to trust a USB drive they receive in the mail. [v3.co.uk] [Wired] [ZDNet] [ArsTechnica]

US – Report Studies Impact of Drones on Data Security

A study by Tractica indicates that as widespread interest in drone use grows, so will the need for more sophisticated data analysis and protection. “There are many other IT considerations,” Tractica’s Bob Lockhart said in the report. “Just like other mobile devices, drones are targets for theft of data and intellectual property, and drone inputs could affect certifications such as ISO9001 or ISO27001 for information security.” Data storage policies should also be in place. “Drones could produce huge amounts of data for organizations that are not used to large data volumes, so organizations should have a data science program ready in advance, he said, and know where the data will be stored and processed,” the report states. [IT Canada] [IT departments must prepare for the impact of commercial drone deployment]

US – Drone Shooter Cites Privacy Concerns

A Kentucky man’s shooting of an $1,800 drone that was hovering over his house, and his subsequent arrest for “first degree criminal mischief and wanton endangerment,” have sparked a privacy law debate. “You know, when you’re in your own property … you have the expectation of privacy,” said William Meredith. “We don’t know if he was looking at the girls. We don’t know if he was looking for something to steal. To me, it was the same as trespassing.” While critics of the shooting contend “the law frowns on self-help when a person can just call the police instead,” Prof. Michael Froomkin argues “it’s reasonable to assume robotic intrusions are not harmless and that people may have a right to ‘employ violent self-help.’” [Fortune]

US – Constitutional Court Upholds Law

France’s Constitutional Council upheld a controversial surveillance law that permits intelligence agencies to gather metadata with the only necessary approval from “an independent body created to oversee surveillance activities.” Dissenters argue the legislation “undermines privacy and civil liberties because it allows a wide range of surveillance activities without prior approval by a judge” and that its “terminology … is so vague as to permit any kind of surveillance,” the report continues. However, the court did move to “strike down a provision … that would allow emergency surveillance without the approval of the prime minister or another minister in the government.” [The Wall Street Journal]

WW – Surveillance News Roundup: [Nursery camera hacked at southwestern Ontario home: Internet cameras, cars and computer files becoming easier for hackers to break into] and [UK: George Clooney’s home security plans rile Oxfordshire neighbours: Installation of 18-camera CCTV system at the actor’s £10m property would violate privacy and be a visual intrusion, says parish council] [Baby monitors, cars and your sex life: Nothing is safe from hackers] [Will the internet listen to your private conversations?] [US – New MileHi app: Tinder of the skies?]

US – Pittsburgh Seeking to Implement Surveillance Camera Privacy Policy

A long-shelved City of Pittsburgh privacy ordinance is finally seeing daylight this summer, with the launch of police training in video surveillance rules and an effort to identify security cameras held by neighborhood groups. The big caveat: The U.S. Coast Guard has warned the city not to reveal camera locations, effectively barring civilian involvement in surveillance decisions. It’s unclear, though, whether the restrictions placed on the city really come from Washington, or rather from a local interpretation of a federal directive. Privacy advocates, meanwhile, argue that excluding civilians from surveillance decisions makes it impossible to ensure that civil liberties are respected. [Source]

Telecom / TV

US – NIST Draft Guidance on Mobile Devices for Healthcare Organizations

The US National Institute of Standards and Technology (NIST) has released draft guidance for health care providers regarding the use of mobile devices to access and transfer sensitive data. NIST is accepting public comments on the document through September 25, 2015. [ComputerWorld] The guide covers topics ranging from how to best administer privacy throughout an organization to which risks are the most significant. It also stresses how “implementing security must be balanced with making sure healthcare workers can easily use the technology to perform their duties,” the report states. [CSO Online]

US – Brady’s Smartphone Privacy “On Solid Ground” for Now

Tom Brady’s reported destruction of his personal smartphone before meeting with the NFL’s “Deflategate investigator” Ted Wells was “on solid ground legally.” “The NFL has no power to issue their own subpoena,” said defense lawyer Peter Elikann. “They’re not a court. They’re not law enforcement.” He added: “Smartphones are something that we’ve never had in history before. Your entire life is on a smartphone: your financial records, your personal photographs, your private romantic communications.” The report suggests that if the NFL can get a judge to require texts to be produced by Brady’s smartphone provider, “Brady will find he enjoys significantly lower privacy protections than if the government had accused him of a crime and Fourth Amendment search-and-seizure protections applied.” [NECN] See also: [Pakistan to shut down BlackBerry services by December over ‘security’]

US Government Programs

US – ODNI: NSA’s Technical Personnel to Have Metadata Access for Additional Three Months

On June 29, the Foreign Intelligence Surveillance Court approved the government’s application to resume the Section 215 bulk telephony metadata program pursuant to the USA FREEDOM Act’s 180-day transition provision. The Office of the Director of National Intelligence says that while the NSA has decided that analytic access to historical metadata collected under Section 215 will cease on November 29, the NSA will allow technical personnel to maintain access to the data for an additional three months in order to “verify the records produced under the new targeted production authorized by the USA FREEDOM Act,” the report states. [IC on the Record]

US Legislation

US – Sens. Introduce Second EdTech Bill

Sens. Steve Daines (R-MT) and Richard Blumenthal (D-CT) have introduced the Safe Kids Act, aimed at restricting the sale and use of student data by education-technology companies. The second student privacy bill to be introduced in the Senate this year, the Safe Kids Act would require companies to meet set data security standards and would empower federal regulators to punish those who violate the bill’s provisions. “The perils of privacy invasion and data abuse must be stopped at the classroom door with laws that match advancing technology,” Blumenthal said. The House currently has a similar, White House-backed bill, and Sens. Orrin Hatch (R-UT) and Ed Markey (D-MA) introduced a similar student privacy bill in May. [The Hill]

US – Blumenthal Hopes Lawmakers Will Join Forces on Student Privacy

Sen. Richard Blumenthal (D-CT), who introduced the Safe Kids Act with Sen. Steve Daines (R-MT), hopes to work with other legislators to work out the differences between their bill and one proposed by Sens. Orrin Hatch (R-UT) and Ed Markey (D-MA). The Safe Kids Act would prohibit “education companies … from selling or using student data for targeted ads and require them to meet certain data security standards when handling student information,” the report states, while the Hatch-Markey bill aims to update FERPA. “I think we’ll probably work out the differences,” Blumenthal said. If senators can agree on one bill, the report states, it has “chances of moving sometime after the August recess.” [The Hill]

US – CISA Unlikely to Have its Day Before Congressional Recess

A Congressional vote on the Cybersecurity Information Sharing Act (CISA) before its August recess is “unlikely.” “I’m sad to say I don’t think that’s going to happen,” said Senate Majority Whip John Cornyn (R-TX), adding, “I think we’re just running out of time.” NationalJournal reports that “extra time could help” as CISA “has numerous political hurdles to clear that may not be easily negotiated during the first week of August.” Critics have picked apart CISA’s issues, even going so far as to say that passing it into law would be a mistake. Meanwhile, a Vormetric poll has found that 92 percent of Americans are in favor of “retaliation in the wake of cyberattacks that compromise sensitive government data.” [The Hill]

US – Another Student Privacy Act Introduced

Yet another student data protection bill was introduced Wednesday, this one dubbed the Student Privacy Protection Act and championed by Reps. Todd Rokita (R-IN) and Marcia Fudge (D-OH). “The measure would update the Family Educational Rights and Privacy Act (FERPA), which many agree has outdated digital privacy protections,” the report states. “It is time our laws reflect today’s technological reality,” Fudge said. The Student Privacy Protection Act could serve as a companion bill to an effort from Sens. Orrin Hatch (R-UT) and Ed Markey (D-MA), since both revise FERPA to achieve similar goals, the report states. [The Hill] See also: [Students under surveillance: Universities are increasingly using personal data to predict performance. But at what cost to privacy?]

US – Senators Introduce FISMA Reform Bill

Sen. Susan Collins (R-ME) and Sen. Mark Warner (D-VA) introduced the FISMA Reform Act, a bill that would formalize the Department of Homeland Security’s (DHS) role in protecting government networks and websites. While the DHS “has the mandate to protect the .gov domain, it has only limited authority to do so,” Collins said. “There is no minimum standard,” added Warner. “This voluntary system has resulted in an inconsistent patchwork of security across the whole federal government.” However, Connecticut state officials are taking aim at federal security bills out of concern they could preempt state laws. “It is just inconceivable to me that the federal government could do as thorough a job on the ground as we can in Connecticut,” said Connecticut Attorney General George Jepsen. [The Hill]

US – Post-Breach Bill Stalls

A bill that aims to serve as a legislative guideline for organizations post-breach has lost traction in Congress, with opponents claiming it would preempt state laws and suggesting there is “no bipartisan path forward.” Bill sponsor Rep. Marsha Blackburn (R-TN) “stressed that the measure was narrowly tailored by design to avoid complications in the Senate,” but detractors, including the bill’s initial Democratic sponsor, Rep. Peter Welch (D-VT), claim that the “biggest problem is the definition of personal information in the bill” as well as its “preemption of 47 state laws, some of which are stronger than the federal bill,” the report states. [Roll Call]

US – Privacy News Roundup

  • Pennsylvania Sen. Dominic Pileggi (R-Delaware County) wants to expand the state’s DNA-collection law, Pennsylvania Independent reports, noting Pileggi is “arguing police could stop repeat offenders if the authorities didn’t have to wait for a conviction before swabbing a suspect, as current law requires.”
  • A “sharply divided” Federal Communications Commission has issued its Telephone Consumer Protection Act (TCPA) Declaratory Ruling and Order with “a range of new statutory and policy pronouncements that have broad implications for businesses of all types that call or text consumers for informational or telemarketing purposes.”
  • The House of Representatives passed the 21st Century Cures bill, which “contains a controversial provision calling for significant changes to the HIPAA Privacy Rule,” by a vote of 344 to 77.
  • Beth Israel Deaconess CIO John Halamka and Office for Civil Rights Deputy Director for Health Information Privacy Deven McGraw write that HIPAA is neither as antique nor as cumbersome a regulation as recent critiques make it out to be.
  • The FTC’s case against Nomi Technologies is based on presumption, George Mason University School of Law’s James Cooper writes.
  • Nine House Democrats have unveiled the Recover Act, a bill that would provide “lifetime identity-theft monitoring” for victims of the Office of Personnel Management breaches, as a companion to a bill from Sen. Ben Cardin (D-MD).
  • Massachusetts-based St. Elizabeth’s Medical Center has entered into a $218,400 settlement with the Department of Health and Human Services for failing to comply with HIPAA.
  • Filmmaker Laura Poitras is suing the U.S. government after receiving no response to her Freedom of Information Act requests for documents pertaining to the government’s targeting of Poitras at airports.
  • Seattle’s law requiring garbage collectors to look through trash to determine that no more than 10 percent is recyclables or food has sparked a privacy lawsuit.

Workplace Privacy

WW – New Service Aims to Ease BYOD Use

Good Technology aims to ease bring-your-own-device (BYOD) reimbursement procedures with its Enterprise Split Billing program. The Good Enterprise Suite with Data Service portion of the application permits employees to safely utilize office tools from their devices in a way that doesn’t incur personal data charges, the report states. “Companies can streamline their mobility rollouts and mitigate potential legal and HR complications, while employees don’t have to worry about personal data usage or incursions on privacy,” said Good Technology CEO Christy Wyatt. [FierceMobileIT] [Good enables BYOD firms to distinguish between personal, corporate data use]

US – Survey Finds Organizations Lack BYOD Policies

A tyntec survey indicates that corporations are not implementing bring-your-own-device (BYOD) policies. “Staffers are using their own devices to call, text and otherwise stay in touch with colleagues and customers … many voice concerns about the privacy of their personal messages on these devices,” the report states. “BYOD is the new norm,” said tyntec’s CTO and co-founder, Thorsten Trapp. “And the sooner enterprises embrace sound BYOD policies and user-friendly features, the sooner they can increase productivity and eliminate concerns from employees and IT.” [CIO Insight]


01-15 July 2015


US – FBI: Next Generation ID Doesn’t Use Social Media Profile Pics

The FBI has said its new facial-recognition software, dubbed the Next Generation Identification System, does not utilize photographs from social media sites but only “official images like driver’s license photos or mugshots.” The software, which uses biometrics like DNA and fingerprints, has met with criticism, but the agency merely aims to “narrow (suspects) down from essentially a pool of everybody to a smaller, maybe in single digits or a few more than 10, that gives the investigator a place to start,” said FBI Special Agent Patrick Dugan. [CBS Baltimore]

WW – MasterCard Experimenting with Facial Recognition

A new project by MasterCard is testing various biometric identifiers—including fingerprints and facial recognition—for authorizing financial transactions. Users would download the MasterCard app, look into their phone screens and blink once to authorize transactions. “The new generation, which is into selfies … I think they’ll find it cool. They’ll embrace it,” said MasterCard’s Ajay Bhalla, noting data would be securely transmitted to company servers. “From a privacy perspective, it’s awful—from a business perspective, I don’t understand why’d they accept that risk,” said Dragos Security’s Robert M. Lee. Nok Nok Labs’ Phillip Dunkelberger downplayed the concerns. “They’re storing an algorithm, not a picture of you. And I’m sure they’re doing all the appropriate stuff to guard it.” [CNN] Bhalla explained how it works in this video. [Information Week] See also: [How Mark Zuckerberg’s vision for telepathic communication could work]

WW – Churches Using Facial Recognition to Monitor Attendance

Churches are joining the widening group of entities using facial-recognition software to track people. In four months, approximately 30 churches around the world have started using a facial-recognition software called Churchix, according to Moshe Greenshpan, the CEO of Face-Six, which sells the technology. Churchix uses CCTV footage or photos to match churchgoers against a database of high-resolution pictures collected by a church. It can be used to monitor attendance, alert church officials if members stop coming to services or screen for people banned from the church, the report states. [RT]

Big Data

US – Work Group Reports on Big Data’s Potential Harms

Following President Barack Obama’s request that the Department of Health and Human Services look at how to best protect individual privacy while capitalizing on big data, the Health IT Policy Committee’s Privacy and Security Workgroup has come up with preliminary recommendations. The group’s co-chair, Stanley Crosley, presented the recommendations last week. “Patients should not be surprised or harmed by collections, uses or disclosures of their information,” Crosley said. “Nowhere is this more difficult than with big data.” The work group found that while some U.S. laws prohibit discriminatory uses of big data, some uses are actually expressly permitted. [HealthData Management] See also: [When your scale and fridge conspire to make you lose weight, the Internet of Things will have gone too far]

US – Data Mining’s Big Role in the 2016 Election

The 2016 election will be employing data mining in an unprecedented manner. Utilizing data from email-forwarding and social media, “these new methods are like switching from a hand-held Dustbuster to an industrial-strength Shop-Vac to suck that data up, and from a 1984 Macintosh to a 2015 MacPro to crunch it. So it has the potential to make the hair stand up on the napes of privacy-rights activists—and perhaps a lot of average voters,” the report continues. “There’s probably a fine line to walk: If you push it too far, it does look a little like the things that bother people most about the digital world: surveillance and invasion of privacy,” said Grinnell College’s Barbara Trish. [TNS]


CA – RCMP Quietly Stops Naming Victims, Citing Privacy Act

The RCMP has quietly stopped releasing the names of people who die in car crashes and other tragic accidents across Canada. The police force says it is following the Privacy Act. However, the RCMP will not disclose why it has started enforcing the policy now. In a written statement, an RCMP spokeswoman said there are exemptions under which personal information may be disclosed, including when:

  • The information is already publicly available (Section 69(2)).
  • Disclosure is necessary to further an investigation (Section 8(2)).
  • When in the opinion of the head of the institution, public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or disclosure would clearly benefit the individual to whom the information relates (Section 8(2)(m)).

David Fraser, privacy lawyer at McInnes Cooper, said: “There certainly haven’t been any legislative changes that have happened to our privacy laws that would cause this, nor have there been any significant findings from the privacy commissioner or any high-profile circumstances that I can think of that might have brought about this change in policy.” Fraser also doesn’t buy the sudden affection for the law. “Not disclosing the information very likely makes their jobs easier, and not having to ask the next of kin or the family to disclose whether they can disclose this information, it’s one less thing that they have to do. It’s always easier — we see this across government — to just point to the privacy legislation as a reason to not do something … to not provide information to the media.” [CBC]

CA – Secret Deal Between Canada’s Spies and Border Guards Raises Concerns

A secret deal between Canada’s spies and border guards proposed more information sharing and joint operations without the need for political sign-off. A 2014 deal between the Canadian Security Intelligence Service (CSIS) and the Canada Border Services Agency (CBSA) proposed the two agencies be allowed to share information and resources without the prior approval of their political masters. “The Framework (Memorandum of Understanding) will also authorize (CSIS) to enter into more specific arrangements with CBSA, as required, without the necessity to seek your approval each time,” wrote CSIS director Michel Coulombe in a memo explaining the deal to Public Safety Minister Steven Blaney. Blaney’s office won’t say whether or not the deal has been approved. [The Star]

CA – Federal Election 2015: Groups Seek Court Order to Ease New Voter ID Rules

A left-leaning advocacy organization and a national student group will be in Ontario Superior Court hoping to relax voter identification rules for the looming federal election. The court factum prepared by the Council of Canadians and the Canadian Federation of Students argues that tens of thousands or more of eligible voters will be denied a ballot this October due to changes enacted last year by the Conservative government. The groups want the court to issue an interim injunction allowing Elections Canada to recognize as valid ID the voter identification cards that are mailed to everyone on the voters’ list. Some 400,000 Canadians used the voter identification cards in the 2011 election as part of a pilot project that Elections Canada wanted to expand to the whole country. Instead, the Harper government — citing fear of voter fraud — passed a new law that increases the ID requirements of would-be electors while ruling out the use of the Elections Canada mail-outs that tell people where to vote.

Critics of the changes, including past and present chief electoral officers from across the country, say the strict ID rules will primarily impact the young, the elderly in care, students who move often, the homeless and natives on reserves — groups that might be less inclined to vote for the governing Conservatives. The court factum states that in some elections, as many as 95% of electors used a driver’s licence to vote. For the estimated 14% of Canadians over age 18 who don’t have a driver’s licence, photo ID that includes a name and home address is almost non-existent. Until 2007, Canadians who were on the list of electors were not required to show ID at the polls, but could simply state their name and address to be provided with a ballot. The Harper government brought in voter ID rules in 2007, then toughened them further with the 2014 Fair Elections Act. It also ended the practice of vouching, in which a voter with ID could attest for the identity and local residence of another elector. A study by former B.C. chief electoral officer Harry Neufeld found that about 120,000 people voted in 2011 after being vouched for, in addition to the 400,000 Canadians who used their voter identification cards as a piece of ID. Neufeld found no evidence of voter fraud. [The Huffington Post]

CA – Canadian Activists Turn to UN with Challenge to Anti-Terror Bill

The bill increasing the powers of Canada’s spy agency and federal law enforcement has met with accusations that it is too broad and infringes on rights to privacy and free speech. Opponents claim the bill lacks sufficient oversight for national security and law enforcement agencies and infringes on a series of rights, including the right to privacy and the right to freedom of speech. [The Guardian]

CA – Senate Report on Terrorism Shows Government’s Lack of Understanding of Muslim Canadians

Last week, a senate report on terrorism suggested the government help train and certify Canadian imams. Imagine the same call aimed at priests or rabbis. [Source]

CA – Canada’s Anti-Terrorism Laws and Taxes: What’s the Connection?

The increased sharing of confidential taxpayer information is consistent with a trend that continues to develop. For example, the Canadian and U.S. governments entered into an agreement to implement FATCA, which requires Canadian financial institutions, under specified circumstances, to provide account information to CRA and requires CRA, under specified circumstances, to in turn provide the information to the IRS. Similarly, in June of this year the Minister of National Revenue issued a news release announcing that she signed an international Multilateral Competent Authority Agreement, which is described as “an important step towards implementing the Common Reporting Standard for the automatic exchange of financial account information with other tax jurisdictions.” According to the announcement, the Agreement is part of the government’s commitment to addressing international tax evasion and improving tax compliance. [Source]

CA – Secret Government Mass Surveillance Decried at Montreal Conference

Even though Snowden’s leaked secret documents sparked some changes to surveillance laws and caused outrage around the world, David Lyon (director of the Surveillance Studies Centre at Queen’s University) says the general public still isn’t angry enough because they have bought into the idea that governments need mass surveillance to keep us safe, and because they are so comfortable with the computers we rely on and the cameras that surround us. [Source]

CA – RTBF: BC Supreme Court Denies Injunction to Compel a Search Engine to Remove Search Results Worldwide

Although the Court found that Mr. Niemela may be able to establish that the words were defamatory, he would be unable to satisfy the second and third parts of the test. On the basis of the evidence presented, the Court found that Mr. Niemela had not established that he would suffer irreparable harm. First, the Court considered evidence from Google that 90% of searches for Mr. Niemela on its platforms originated from google.ca. The Court noted that many of the searches, both on google.ca and google.com, likely originated from Mr. Niemela himself. Second, the Court found that there were other possible explanations for the decline in Mr. Niemela’s law practice: namely, a prominently displayed disciplinary history with the Law Society. Lastly, the Court was reluctant to make the Order as it could not be complied with. Legislation in the United States prevents Google from complying “with an order compelling it to block defamatory search results” due to the possible infringement on the right to free speech. [Source]

CA – Lost Student Loan Data Class-Action Lawsuit Expanded by Court

The Federal Court of Appeal has ordered the expansion of a class-action lawsuit brought by thousands of students after the government lost their personal loan data, and the lawyer representing the students says that decision could have far-reaching implications for other similar cases. A portable hard drive with information on 583,000 Canada Student Loans Program borrowers from 2000 to 2006 went missing in 2013 and has still not been found. A prior decision had limited the avenues the students could pursue, on the grounds that they had failed to prove they actually suffered certain kinds of damage when the data was lost; the appeal court this week overturned that decision, saying that in negligence and breach of confidence matters the specific details of damages don’t need to be proven before a class action can go ahead. Lawyer Ted Charney called the decision pioneering because for the first time the court has laid down legal markers for certifying class-action lawsuits around privacy breaches. The students are also suing for breach of contract and warranty, and for the tort of intrusion upon seclusion, essentially invasion of privacy. The lost files include student names, social insurance numbers, dates of birth, contact information and loan balances, as well as the personal contact information of 250 department employees. Among the cases that could be affected is a lawsuit being brought by users of a medical marijuana program who had their identities exposed in a government mailing. [The Canadian Press via Toronto Star]

CA – Zurich Registers As Lobbyist Amid Data Breach Risk Concerns

In a filing with the Office of the Commissioner of Lobbying of Canada, Zurich Insurance indicated the subjects of its lobbying activity are Bill S-4 (the Digital Privacy Act), Bill C-59 (which implements some provisions of the budget tabled April 21) and Bill C-51 (the Anti-Terrorism Act), with respect to “identifying concerns for information breaches and mitigating such risks.” [Source] Complying with the Digital Privacy Act involves the challenge of keeping and maintaining “a record of every breach of security safeguards involving personal information under its control”, as required by the law. [Viewpoint: Canada’s Digital Privacy Act Receives Royal Assent, but Breach Notification Provisions Lag Behind] [Knowing The Unknowable: The Challenge of Complying with the Digital Privacy Act] See also: [The Digital Privacy Act – part 1: the calm before the storm]

CA – Common Areas of Condos Subject to Privacy Rights: Ontario Top Court

Residents of condominiums have a reasonable expectation of privacy in the common areas of their buildings, Ontario’s top court has ruled. In upholding the acquittal of an accused drug trafficker, the Court of Appeal said police had breached his rights by snooping around the stairways, hallways and storage rooms of his 10-unit building without a warrant. “Some limits on police activity are necessary if privacy is to be protected,” the court stated. “The home is entitled to the greatest degree of protection from unreasonable search, and in my view, the police conduct in this case had a serious impact on the respondent’s privacy rights.” In challenging the acquittal, the Crown argued the accused, White, had no reasonable expectation of privacy in the common areas of his multi-unit building, saying it would be perverse to make such areas a “zone of protection for criminal activity” that would undermine their safety and the quality of residents’ lives. The Appeal Court disagreed. “There is nothing ‘perverse’ about providing a measure of privacy protection to the many Canadians who live in multi-unit dwellings,” the Appeal Court said. [GlobalNews] [The Canadian Press]

CA – Alberta Shredding of Government Documents Resumes After Review

Government staff in Alberta can start shredding documents again following a review into allegations that documents were improperly destroyed after the 44-year-old PC government was swept from office on May 5th. A memo was sent to government departments clearing the way for the resumption of shredding. The ban remains in place for the environment department however. Two months ago all departments were ordered to stop shredding until the new government could assume office. At that time Alberta’s Information and Privacy Commissioner and the province’s Public Interest Commissioner announced they were launching a joint investigation after receiving complaints that documents were improperly destroyed by the province’s department of Environment and Sustainable Resource Development. [CBC News]

CA – Toronto: City’s 311 Hotline Faces a New Challenge: Suicide Calls

Operators at the city-run hotline are used to fielding complaints about garbage pickup or potholes. Now they’re being trained to respond to distress calls from people considering suicide, which are up in the past six months. Gary Yorke, director of 311, attributes the influx to concerns about confidentiality. “In the last few months there has been a dramatic increase of those calls,” says Yorke. “When you call 911, you’re forced to make an official record of (the call) and the police are dispatched. So some people don’t necessarily want that articulated.” [Source]

CA – NL Privacy Commissioner Issues Video Surveillance Guidelines

Newfoundland and Labrador Information and Privacy Commissioner Ed Ring has released a new set of video surveillance guidelines, and he is left wondering just how much video surveillance is considered too much. Ring said the guidelines apply to public bodies and spaces only, but the basic questions are universal. He said that even though more surveillance cameras are being installed at public buildings and in public spaces, there have been no complaints, and that worries him. [CBC News]


US – Survey: Millennials More Concerned About PI Loss than Revenge Porn

A MasterCard survey indicates that for 62% of Millennials, the thought of having personal information compromised is more egregious than the thought of naked photos being “leaked online.” “Today’s digital lifestyle means consumer concerns regarding safety and security have moved online,” said Robert Siciliano, an identity theft expert. “Information is the currency of the Millennial generation. It is far more important to them, in many cases, than most physical possessions or an image—even an embarrassing one,” the report continues. However, the same survey found that while information-security concern was high in this age group, 53% of Millennials fail to regularly update their passwords. [Reuters] [The Daily Beast: Are Surveys Asking the Wrong Questions?] SEE ALSO: [Opinion: A New Model for Consent]

WW – Ello Issues ‘Bill of Rights’ for Social Network Privacy and Transparency

Social networking site Ello has released a “Bill of Rights” with 10 articles to “serve as guiding principles for Ello” that the company believes “should extend to other companies.” “These rights would give users the ability to turn off data tracking … allow users to retain full control and ownership of posted content … the option to use a pseudonym and limit what personal information is required … and access to terms and conditions written in simple language,” the report states. “We believe these are the basic rights of every social media user in the world, on every social network,” Ello CEO Paul Budnitz said. [International Business Times] [How to see everyone who’s unfriended you on Facebook (and everywhere else, welp)]

US – DMA: Secretive Brand Use of Consumer Data ‘Unsustainable’

A new report from the Direct Marketing Association (DMA) found brands need to be much clearer with consumers about how and why they collect data if they are to gain consumers’ trust. The report found trust was the most important factor for consumers deciding whether to share their personal information with a brand: 40% of respondents said trust outweighed freebies, discounts or tailored offers. While to date brands have been relying on consumers’ tacit understanding of the benefits and drawbacks of handing over their information, the DMA report said this lack of full transparency is unsustainable. “Without trust, brands will not grow,” said DMA CEO Chris Combemale. [Marketing Magazine]


UK – Privacy Campaigners Win Concessions in UK Surveillance Report

Privacy campaigners have secured significant concessions in a key report into surveillance by the British security agencies published last week. The 132-page report, A Democratic Licence To Operate, which former deputy prime minister Nick Clegg commissioned last year in the wake of revelations by the US whistleblower Edward Snowden, acknowledges the importance of privacy concerns. The report affirms privacy as a human right and says that there are “inadequacies in both law and oversight that have helped create a credibility gap that has undermined public confidence”. The report proposes that the intelligence services retain the power to collect bulk communications data on the private lives of British citizens, but it also concedes that privacy must be a consideration throughout the process. The report, written for the Royal United Services Institute (RUSI) by a panel that includes three former heads of UK intelligence agencies, also calls for an overhaul of existing legislation. Despite its concessions to the privacy lobby, the report overall is more favourable to the police and intelligence services than to the campaigners. Key points in the report include:

  • Its claim that the UK intelligence agencies are not knowingly acting illegally, though it leaves open past behaviour.
  • Its proposal that the security services retain the power to collect bulk communications data, one of the key concerns raised by Snowden.
  • Its acknowledgment that privacy concerns should be integral to considerations at the start of bulk data collection rather than left towards the end of the process.
  • Its proposal that judges rather than ministers take responsibility for authorising warrants related to criminal issues but that, subject to judicial review, ministers retain responsibility for warrants related to national security – something the intelligence agencies wanted.

The report concludes: “Despite the disclosures made by Edward Snowden, we have seen no evidence that the British government knowingly acts illegally in intercepting private communications, or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens. “On the other hand, we have seen evidence that the present legal framework authorising the interception of communications is unclear, has not kept pace with developments in communications technology and does not serve either the government or members of the public satisfactorily. A new, comprehensive and clearer legal framework is required.” Clegg, who will be at the RUSI on Tuesday for the formal launch of the report, said: “We are now seeing an emerging consensus in favour of a new settlement, with clearer rules and stronger safeguards. I hope that this report, together with the recent report by David Anderson QC, can provide the basis for a stable new system that protects our security while doing much more to preserve the privacy of ordinary citizens online.” [Theguardian.com]


US – SEC Doesn’t Think Due Process Should Apply to Your Email Inbox

Although there are currently attempts underway in Congress, overwhelmingly supported by a broad bipartisan consensus, to amend ECPA by pushing for uniform search warrant requirements for all email communications, the Securities and Exchange Commission (SEC) has called for an agency-specific exemption that would excuse it from the burden of acquiring a warrant. Instead, as it outlined in a letter to the Senate Judiciary Committee, the SEC has argued that any reforms to ECPA should permit civil agencies to obtain this digital content, without any warrant, from the third-party service providers that host individuals’ email and social media accounts. This request is troubling, especially in light of the impending reform amendments meant to scale back ECPA’s powers. [Source] See also: R Street looks at the history of the Email Privacy Act, which aims to update the U.S. Electronic Communications Privacy Act of 1986. “It is possible email privacy is next on the ‘to-do list.’ There has been chatter on the Hill that the legislation could receive committee and House floor action in July,” the report states. See also: [CA – Porter Airlines Agrees To Pay $150,000 for Alleged Violations of CASL]


US – FBI and DOJ Target New Enemy in Crypto Wars: Apple and Google

In some of the latest discussions in the long-running debate about the role default encryption plays in consumer products and the obstacles it presents to law enforcement, federal officials told the Senate Judiciary Committee they’d like Silicon Valley to come up with a solution to the so-called “going dark” problem posed by encrypted technology. [Privacy Tech] What Deputy Attorney General Sally Yates really meant was that she wants companies to stop providing end-to-end encryption, or find ways to circumvent it. FBI Director James Comey and Yates insisted that there must be some new technology that Silicon Valley could develop that would give them the access they want without weakening strong encryption. But privacy and cryptography experts have insisted for years that this is impossible without compromising overall security and opening holes for criminals to exploit. [FirstLook]

WW – Security Experts Oppose Govt Access to Encrypted Communication

An elite group of code makers and code breakers says in a new paper there is no viable technical solution that would allow American and British governments to gain “exceptional access” to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger. The 13 cryptographers, computer scientists and security specialists released the report a day before FBI Director James Comey Jr. and Sally Quillian Yates of the Justice Department are scheduled to testify before the Senate Judiciary Committee on concerns that new encryption technologies will prevent government agencies from monitoring criminals’ communications. [The New York Times] [FBI Director Says Scientists Are Wrong, Pitches Imaginary Solution to Encryption Dilemma]

US – News Site Begins Encrypting for Reader Privacy

The Washington Post began serving parts of its website over HTTPS this week, encrypting the connection between readers and the site to make it more difficult for hackers, government agencies and others to track readers’ habits, the publication reported on its blog. The added protection applies immediately to the Post’s homepage, stories on its national security page and its technology policy blog; the rest of the site will be encrypted over the coming months, the report states. “The biggest gain is letting users feel secure,” said Post CIO Shailesh Prakash. The ACLU’s Christopher Soghoian said, “The articles you read paint a picture of your life” and can reveal personal details including sexuality and political interests. Encryption in transit hides which articles a reader opens from anyone on the network path, though not the fact that the reader is visiting the Post, and not from the Post itself or from third-party scripts it chooses to embed. [WashPost] [The Washington Post becomes first major news publisher to secure website]

US – MIT’s Bitcoin-Inspired ‘Enigma’ Lets Computers Mine Encrypted Data

Two Bitcoin entrepreneurs and the MIT Media Lab have revealed a prototype for a system called Enigma, which allows data to be encrypted in a way that it “can be shared with a third party and used in computations without it ever being decrypted.” Enigma would allow untrusted computers to “accurately run computations on sensitive data without putting the data at risk of hacker breaches or surveillance,” the report states. “The actual data is never revealed, neither to the outside nor to the computers running the computations inside,” said MIT Media Lab’s Guy Zyskind, one of Enigma’s co-creators. [Wired]
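The property described above, computing on data that is never decrypted, is what secure multiparty computation over secret shares provides. The following is an added illustration in its simplest form (additive secret sharing, one operation, three simulated parties); it is not Enigma’s code and does not reproduce Enigma’s protocol. It assumes inputs are non-negative integers smaller than the chosen prime and that the parties follow the protocol honestly.

```python
"""Additive secret sharing: computing on data that is never decrypted.

Added illustration, not Enigma's code. Each data owner splits a value into
n shares that add up to the value modulo a prime; every party holds one
share of each input and adds its shares locally. Any n-1 shares of a value
are uniformly random field elements, so a single party (or any coalition
short of all n) learns nothing about the inputs. Only combining all parties'
partial results reveals anything, and what it reveals is the aggregate.
"""
from __future__ import annotations

import secrets

# Mersenne prime; all arithmetic is mod P. Assumption: inputs are integers in [0, P).
P = 2**61 - 1


def share(value: int, n_parties: int) -> list[int]:
    """Split value into n_parties shares whose sum mod P equals value."""
    if not 0 <= value < P:
        raise ValueError("value must be in [0, P)")
    if n_parties < 2:
        raise ValueError("need at least two parties, otherwise the share is the value")
    shares = [secrets.randbelow(P) for _ in range(n_parties - 1)]
    # The last share is fixed so that the total comes out to value.
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recombine all shares of one value (or of one result)."""
    return sum(shares) % P


def party_local_sum(shares_held: list[int]) -> int:
    """What one untrusted party does: add the shares it holds, one per input.

    It only ever sees uniformly random field elements, never an input."""
    return sum(shares_held) % P


def private_sum(values: list[int], n_parties: int = 3) -> int:
    """Simulate the protocol end to end: owners share, parties add, result is recombined."""
    parties: list[list[int]] = [[] for _ in range(n_parties)]
    for v in values:
        for i, s in enumerate(share(v, n_parties)):
            parties[i].append(s)  # party i receives the i-th share of every input
    partial_results = [party_local_sum(held) for held in parties]
    return reconstruct(partial_results)


def private_mean(values: list[int], n_parties: int = 3) -> float:
    """Mean from the private sum; the number of inputs is public, the inputs are not."""
    return private_sum(values, n_parties) / len(values)


if __name__ == "__main__":
    # Constructed sample: three salaries whose average is wanted without
    # any single party learning any one of them.
    salaries = [120_000, 95_000, 143_000]
    print("private sum :", private_sum(salaries))
    print("private mean:", private_mean(salaries))
```

Addition of shares is free because addition commutes with sharing; multiplication of two shared values needs interaction between the parties (or preprocessed material), which is where real systems such as the one described above do their heavy lifting. Note also that the aggregate itself is an output: with two inputs, the sum plus one party’s own input reveals the other, so what is safe to compute is a policy question the protocol does not answer.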

WW – Study Finds VPNs Exposing Personal Data

Eleven of 14 virtual private network (VPN) providers are exposing personal information through a vulnerability linked to IPv6, according to a study by Queen Mary University of London. The weakness is that the VPN clients tunnel only IPv4 traffic, so on a host with native IPv6 connectivity any traffic to an IPv6-capable destination bypasses the tunnel and carries the user’s real address. Since the Snowden revelations, VPN providers have seen an increase in users, the report states, with those users often seeking to avoid mass surveillance or to circumvent censorship. “There are a variety of reasons why someone might want to hide their identity online, and it’s worrying that they might be vulnerable despite using a service that is specifically designed to protect them,” said Gareth Tyson, co-author of the study. [v3.co.uk]
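A quick way to check a Linux host for the leak described above is to look at its IPv6 routing table while the VPN is up: if the preferred IPv6 default route points at a physical interface rather than the tunnel, IPv6 traffic goes around the VPN. The script below is an added example, not part of the study or of any VPN client; it parses the text of `ip -6 route`, which the reader supplies. The tunnel interface names (`tun0`, `wg0`, `ppp0`) and the fallback metric of 1024 for routes printed without one are assumptions; the sample route tables are constructed, not captured.

```python
"""Check whether IPv6 traffic would bypass a VPN tunnel (Linux, `ip -6 route`).

Added example, not the study's code. A VPN client that routes only IPv4
through the tunnel leaves the host's native IPv6 default route in place, so
any IPv6-capable site is reached directly. The check finds the IPv6 default
route the kernel would actually use (lowest metric) and reports it if it is
a forwarding route on a non-tunnel interface.
"""
from __future__ import annotations

from dataclasses import dataclass

REJECT_TYPES = {"unreachable", "blackhole", "prohibit"}  # route types that drop, not forward


@dataclass
class Route:
    rtype: str          # "unicast" or one of REJECT_TYPES
    dst: str            # "default", "::/0" or a prefix
    dev: str | None     # output interface, if printed
    metric: int
    raw: str


def parse_ip6_routes(text: str) -> list[Route]:
    """Parse the lines of `ip -6 route` into Route records."""
    routes: list[Route] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        rtype = "unicast"
        if tokens[0] in REJECT_TYPES:  # e.g. "unreachable default dev lo metric ..."
            rtype, tokens = tokens[0], tokens[1:]
        dst = tokens[0]
        dev = None
        metric = 1024  # assumption: kernel default when no metric is printed
        for i in range(1, len(tokens) - 1):
            if tokens[i] == "dev":
                dev = tokens[i + 1]
            elif tokens[i] == "metric":
                metric = int(tokens[i + 1])
        routes.append(Route(rtype, dst, dev, metric, line.strip()))
    return routes


def ipv6_default_leak(text: str, tunnel_ifaces=("tun0", "wg0", "ppp0")) -> Route | None:
    """Return the IPv6 default route that carries traffic around the tunnel, or None.

    None means no IPv6 default route exists (IPv6 cannot leave the host), the
    preferred default is a reject route, or it already points at a tunnel.
    """
    defaults = [r for r in parse_ip6_routes(text) if r.dst in ("default", "::/0")]
    if not defaults:
        return None
    active = min(defaults, key=lambda r: r.metric)  # lowest metric is preferred
    if active.rtype in REJECT_TYPES or active.dev in tunnel_ifaces:
        return None
    return active


# Constructed sample tables (assumed output format of `ip -6 route`, not a real capture).
LEAKING_TABLE = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1:2::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
"""

# Same host once the VPN also routes IPv6 through the tunnel.
TUNNELED_TABLE = LEAKING_TABLE + "default dev tun0 metric 50 pref medium\n"

# Same host with a reject route that outranks the native default (drops IPv6 rather than leaking it).
BLACKHOLED_TABLE = LEAKING_TABLE + "unreachable default dev lo metric 100 error -101 pref medium\n"


if __name__ == "__main__":
    for name, table in (("leaking", LEAKING_TABLE), ("tunneled", TUNNELED_TABLE), ("blackholed", BLACKHOLED_TABLE)):
        leak = ipv6_default_leak(table)
        print(f"{name:10s}: {'LEAK via ' + leak.raw if leak else 'ok'}")
```

Run it against live output with `ip -6 route | python3 check.py` after adapting the main block to read stdin. A clean route table is necessary but not sufficient: it says nothing about where DNS queries go, and a host that gets a new router advertisement after the VPN comes up can regain a native IPv6 default route, so the check belongs in a loop or a post-up hook rather than a one-off.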

EU Developments

EU – Passenger Data Retention System Ready for Take-Off, Says Parliament

As the EU moves to implement its airline passenger name record system, critics are concerned about its privacy implications. A European Parliament media release indicates the data is only from flights in and out of the EU and kept “only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime.” Parliament’s Civil Liberties, Justice and Home Affairs Committee “quickly dealt with almost 900 amendments … before agreeing to enter negotiations on a final text with the European Commission and the Council of the EU,” the report states. “The Commission has still not produced evidence for the necessity and proportionality of an EU PNR scheme,” said MEP Jan-Philipp Albrecht. [IDG News Service]

EU – Stage Two of GDPR Trilogue Commences; Progress Made

Negotiators involved in the second round of trilogue negotiations to hammer out a finalized General Data Protection Regulation said progress was made. According to the report, a tentative agreement was reached on Article 3 (territorial scope) and Chapter 5 (international data transfers). Exceptions for national security proved to be a sticking point for negotiators this week, but “an avenue is clear for agreement,” sources said. The next trilogue meeting is scheduled for September 1 and may not find as much consensus, the report states. [The Register] [Unraveling the Mysteries of the Trilogues]

EU – Austrian Court Dismisses Facebook Suit; Schrems “Will Go to a Higher Court”

Activist Max Schrems’ suit alleging that Facebook’s “terms of service and data collection policies violate EU law and their consumer rights” was dismissed by the Vienna District Court, which cited lack of jurisdiction and a blurring of personal and professional use of the service. “It is clear that the complainant is using the enormous media interest in his case against Facebook … for the sales of his book and his career, even if it was credible that this is a social-societal concern for the complainant,” said Judge Margot Slunsky-Jost. Schrems said he “will go to a higher court … The court is simply passing the hot potato on.” [The Irish Times] [Wall Street Journal]

UK – “Snooper’s Charter” to Move Forward

British Prime Minister David Cameron will officially move forward with anti-terror surveillance legislation, once dubbed the “Snooper’s Charter.” “The question we must ask ourselves is whether … we are content to leave a safe space … for terrorists to communicate with each other,” Cameron said. “My answer is no, we should not be,” he continued. Tech company Ind.ie has pledged to take its business elsewhere. “We’re not going to stay in a country where we might be forced to backdoor our products—and possibly not even be allowed to tell anyone about it,” the company said in a statement. [Politico]

EU – Privacy Advocate, NSA Critic Caspar Bowden Has Died

Privacy advocate Caspar Bowden has died, according to German site Netzpolitik.org. Bowden was well-known in the privacy community as an outspoken activist, concerned about mass government surveillance, even before the Snowden revelations broke. Bowden worked as Microsoft’s chief privacy advisor from 2002 to 2011. Fellow privacy advocate Justin Brookman said “Caspar was a dedicated and brilliant advocate and a deeply caring person. He knew as much about intelligence law as anyone I’ve ever met … He was one of the first to fully recognize just how the rise in cloud processing empowers state surveillance. He spent his life trying to protect individual liberty, and I will miss him.” [The Privacy Advisor] SEE ALSO: [Hustinx Awarded Honorary Degree from University of Edinburgh]

EU – Facebook Questions Use of ‘Right To Be Forgotten’ Ruling

Europe’s emerging country-by-country attitudes toward privacy regulation, as opposed to the “one-stop shop” approach, have Facebook frustrated. “A number of authorities in Europe are using that judgment to challenge the status quo that’s existed for many years,” said Stephen Deadman, global deputy chief privacy officer at Facebook. “We think they’re wrong. We think the model we have is right.” Deadman expressed support for a pan-European “super data regulator” for privacy. “There should be order within Europe and a single regulator that regulates you, not multiple regulators all trying to regulate everything in their own different ways,” Deadman said. The Belgian data protection commission recently sued Facebook over what it sees as a disregard for Belgian citizens’ private lives in the social network’s tracking of users for advertising. Deadman said: “[Facebook] don’t agree that the Irish data protection authority isn’t doing its job. The academic report, which forms the foundation of [the Belgian privacy commission lawsuit], was not conducted by reviewing our practices, there was no interface with us, it was purely done without engagement with us or trying to find out the facts from Facebook.” [The Guardian] See also: [Hong Kong privacy watchdog’s order to remove names from website would create an ‘Orwellian memory hole’, says market analyst]

EU – BBC Anti-RTBF Actions Criticized

The BBC’s displeasure with the right to be forgotten, and its subsequent republishing of 182 of its Google-delisted links, “needs to be viewed with considerable caution,” the report states, noting that Google had already found the links to be conduits to “personal information that is inaccurate, irrelevant or out of date and holds no public interest,” and that the site “misleadingly” promoted the links. “It was a deliberate journalistic choice that causes public shame and has not meaningfully contributed in any way to better policy making,” the report states, continuing, “It looks petulant, not constructive. And in some cases, it deceptively withholds crucial details … without also identifying that the original story has been modified simultaneously to remove the complainant’s name. So much for transparency.” [The Guardian]

Facts & Stats

WW – Data Loss Affects Mergers and Acquisitions

In April and May in the U.S. alone, there were almost 2,000 mergers and acquisitions. In the Asia-Pacific region, mergers and acquisitions totaled $367.7 billion in the first half of 2015, and during the same period activity increased by 37% in Europe. Data loss incidents at organizations can significantly change the value of an acquisition target. For example, a cybersecurity incident could mean a target’s intellectual property is no longer theirs alone. “Once a breach occurs, competitors could already have the most valuable data and it could impact the value of acquiring the company,” the report states. [FireEye] SEE ALSO: In this Privacy Tracker exclusive, IAPP Westin Research Fellow Arielle Brown examines the wholesale transfer of consumer data in the context of corporate mergers, acquisitions and bankruptcy transactions and the “all-encompassing privacy policy” in the context of Section 5 of the FTC Act.

US – AAM Creating Smart Car Data-Sharing Center

The Alliance of Automobile Manufacturers (AAM) has announced it is creating an information-sharing and analysis center (ISAC) as a hub for car companies developing smart cars to “swap cybersecurity data and keep each other abreast of the latest hacking threats targeting vehicles.” The AAM, which is made up of 12 manufacturers, hopes to “further enhance the industry’s ongoing efforts to safeguard vehicle electronic systems and networks,” said AAM Vice President of Safety Robert Strassburger. The ISAC is expected to open later this year, with governmental protection to “facilitate cybersecurity information sharing,” Strassburger added. [Fortune]


UK – BBC ‘Forgotten’ List ‘Sets Precedent’; List of Removed Links to Be Published Every Month

David Jordan, the BBC’s head of editorial policy, said “It’s impossible to have a meaningful debate if you’ve not got an idea about what’s being de-listed.” He said that while it was up to individual media organisations to decide how best to be transparent with audiences over what has been removed, he felt the BBC had taken the lead “without being provocative”. He denied the suggestion that publishing the links was bringing more attention to those who had wanted to be forgotten. “It doesn’t make [the stories] more findable for anybody looking for a name,” he said. “What it does is give a sense of and a flavour of what kind of material is being delisted. That’s important.” [BBC]


US – Rand Paul Sues IRS Over Foreign Account Taxes, Disclosures

“On the most fundamental level, FATCA deprives individuals of the right to the privacy of their financial affairs,” according to the complaint. “On a practical level, FATCA is severely impinging on the ability of U.S. citizens to live and work abroad.” …Those accords, which didn’t get congressional approval, are unconstitutional because they exceed the president’s authority, Paul claims. He asked a judge to strike down the Canadian, Czech, Israeli and Swiss agreements. [Bloomberg] [Rand Paul Suit Blasts Foreign Banking Rules]


CA – New Canadian Telecom Transparency Rules Fall Short

Industry Canada has released new transparency reporting guidelines “to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities.” While the Privacy Commissioner of Canada lauded their release, the guidelines raise several significant concerns.

First, for rules purporting to enhance transparency, their development was surprisingly secretive. The Privacy Commissioner states that they were developed in consultation with the government and “industry stakeholders”, yet the public and privacy groups appear to have been excluded from the process. Given the importance of guidelines that are fundamentally about the rights of the public to know when their personal information is being disclosed, a secretive, exclusionary process badly taints the final result.

Second, the guidelines effectively create new limitations on transparency where previously none existed. For example, TekSavvy’s transparency report provides specific aggregated numbers of disclosures (e.g. 52 requests for data on customer usage of devices in 2012 and 2013). The government guidelines prohibit specific disclosures where the number is less than 100, requiring companies to instead present a range of 0 – 100. The result is less transparency, not more. Moreover, the guidelines prohibit regional information (it must be Canada-wide), and release must be delayed by at least six months from the time of the original request.

Third, the limits on transparency come without an appropriate regulatory or legal process. The government could have addressed the issue of transparency reporting within the Digital Privacy Act, which recently received royal assent. Indeed, the issue was repeatedly discussed during committee hearings. Yet by adopting a closed-door, non-transparent approach, the government has pushed new limitations on Internet and telecom companies without the opportunity for public comment or debate.

Fourth, disclosure under the guidelines is not mandated as the government has been careful to note that disclosure is merely an option. However, the law requires organizations to be open about their privacy practices, which arguably would include transparency reporting on personal information requests and disclosures. Further, individuals are entitled to demand that companies provide access to their information file, including details on how their personal information is used and whether it has been disclosed. By emphasizing the voluntary nature of the guidelines and declining to establish a clear legal requirement, the government may have actually weakened corporate transparency obligations. [Source]

US – New Federal Government App Solves the Wrong FOIA Problems, Poorly

The Department of Homeland Security (DHS) released its Freedom of Information Act (FOIA) mobile app to give users the ability to submit FOIA requests, check the status of requests and access resources. DHS said the app has reduced the FOIA complaint backlog by 20 percent. In its announcement of the app, DHS said it “is committed to transparency and accountability,” adding that the app aims to help modernize FOIA processes and improve the customer experience. Privacy protections in the app make it more difficult to use. “On the one hand, in minimizing data collection from the app, the DHS Privacy Office is doing something laudable. On the other, it makes using it much more onerous,” the report states. [The Huffington Post]

Health / Medical

US – DHHS Settles With Hospital Over HIPAA Violation

After an information-sharing incident gone awry and a data breach, St. Elizabeth’s Medical Center faces a $218,400 settlement with the Department of Health and Human Services (DHHS) for failing to comply with the Health Insurance Portability and Accountability Act (HIPAA). “Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications,” said DHHS Office for Civil Rights Director Jocelyn Samuels, adding, “In order to reduce potential risks … all workforce members must follow all policies and procedures.” A hospital spokesperson said, “St. Elizabeth’s has taken steps to ensure this will not happen again.” [The Boston Globe]

US – NFL Player’s Medical Records Go Public

ESPN’s Adam Schefter tweeted a photo of New York Giants player Jason Pierre-Paul’s medical records indicating he had a finger amputated after a July 4 accident, and critics of the move are calling it a Health Insurance Portability and Accountability Act (HIPAA) violation. ESPN disagreed, tweeting in response, “HIPAA does not apply to news organizations.” The report states, “HIPAA originally was designed to provide workers access to health coverage when they change or lose jobs. But a key provision of the law defines policies designed to guard the privacy of patients.” HIPAA’s Privacy Rule binds covered entities such as hospitals and health plans and their business associates, not the media, so the question a regulator would ask is how the records left the provider that held them. [MarketWatch] [Modern age leaves little room for athletes’ privacy]

US – Project Using Apple Watch for Remote Health Monitoring

Nebraska Medicine’s mHealth technology research project is using Apple Watch and related apps to study “the impact of remote health monitoring of chronically ill patients.” The $10 million project uses an Apple Watch-based app that allows patients and physicians to communicate and access data like test results and appointment information. “We want to push the envelope, but we want to do it in a way that is very, very safe, so we haven’t turned on every feature and we haven’t enabled every device to communicate with our electronic medical record,” said Chief Transformation Officer Michael Ash. “We are looking at each area, each app and even each vendor to make sure they are meeting HIPAA requirements and that they are demonstrating the ability to securely transmit their information back and forth.” [FierceMobile Healthcare]

CA – Govt. Prosecutes Health Workers for Snooping into Rob Ford’s Medical Records

Three Toronto hospital workers face prosecution for snooping into former Toronto Mayor Rob Ford’s medical records at the Princess Margaret Cancer Centre. If they are convicted, it will be the first successful health privacy prosecution in Ontario’s history. Information and Privacy Commissioner Brian Beamish said he could not comment on the prosecution because it is now before the courts. [Source] SEE ALSO: [CA – IPC Blog: Disclosing Disciplinary Action]

Horror Stories

US – Second OPM Breach Hits 21.5 Million; Director Resigns

In the biggest theft of U.S. government records in the nation’s history, the Office of Personnel Management (OPM) announced that the sensitive information of 21.5 million individuals was compromised in the second major hack of its IT systems this year. In the wake of the announcement, and after several calls for her resignation, OPM Director Katherine Archuleta resigned this week. Privacy Tech reports on the latest OPM announcement, Archuleta’s resignation, reaction from Capitol Hill and what the Obama administration is doing to help strengthen the country’s cyber-infrastructure. [Forbes] [ArsTechnica] [Source] [GovExec: Acting OPM Director Promises Better Breach Response] [Officials: OPM Has Yet To Notify 21.5 Million Affected By Breach] [NTEU Sues OPM Over Breach] [Union Files Class-Action Against OPM] SEE ALSO [Should Sony Have Seen It Coming?] [Brian Krebs: OPM Breach Timeline and Analysis] [Analysis: Why the OPM Breach Is So Bad]

US – St. Elizabeth’s to Pay $218,000 to Settle Privacy Charges

St. Elizabeth’s Medical Center will pay $218,400 in a settlement with the federal government for failing to comply with rules to safeguard private patient information. The Brighton hospital, owned by Steward Health Care System, also must adopt a “robust corrective action plan” to comply with federal laws in the future, the US Department of Health and Human Services said in a statement. The settlement concerns violations of HIPAA. It comes after federal regulators investigated a 2012 complaint that employees at St. Elizabeth’s used an Internet-based document sharing program to store health information of at least 498 patients. In August 2014, St. Elizabeth’s also reported a data breach involving information about 595 patients on a former employee’s personal laptop and flash drive. [bostonglobe.com] SEE ALSO: [50 Cent must pay $5M to woman who sued over sex tape]

US – 25-Year-Old Sentenced to 13 Years in Court Ventures Breach

A Vietnamese man has been sentenced to 13 years in prison for his role in a breach involving 200 million personal records from Court Ventures, a subsidiary of credit-monitoring firm Experian. The Department of Justice said Hieu Minh Ngo, 25, was sentenced this week in the U.S. District Court of New Hampshire on charges including wire fraud and identity fraud. Ngo “tricked Court Ventures into giving him access to a personal records database by posing as a private investigator from Singapore,” the report states. Ngo was arrested in Guam in 2013 and had been selling personal information, including credit card numbers and Social Security numbers, since 2007. [IDG News Service]

US – Army National Guard Breached

Officials from the Army National Guard announced that current and former members’ private information might have been compromised in a breach that is unrelated to the Office of Personnel Management hack. “All current and former Army National Guard members since 2004 could be affected by this breach,” said National Guard Bureau Spokesman Maj. Earl Brown, noting files that contained personal information were “inadvertently transferred to a non-DoD-accredited data center by a contract employee.” He added the incident involved members’ names, Social Security numbers, dates of birth and home addresses. “After investigating the circumstances of these actions, and the information that was transferred, the Guard has determined, out of an abundance of caution, to inform current and past Guard personnel,” he noted. [Source]

US – Hospital Investigating Potential Leak of NFL Player’s Records

A Florida hospital has announced it will investigate the possible leak of a National Football League player’s medical record after it was tweeted out by an ESPN anchor. The anchor tweeted out a photo of the New York Giants’ Jason Pierre-Paul’s medical record after he had a finger amputated following a fireworks accident. Some media outlets said the records were leaked by an employee at Miami-based Jackson Memorial Hospital. Hospital CEO Carlos Migoya said the hospital has initiated an “aggressive internal investigation” into the allegations. “We do not tolerate violations of this kind,” he said. [Modern Healthcare]

US – Harvard University Acknowledges Breach

Harvard University says that the Faculty of Arts and Sciences and Central Information networks were breached and that system and email login credentials may have been compromised. The intrusion was discovered in mid-June, but the school chose to wait until mitigation work had begun before disclosing the incident. [SC Magazine] [The Register] [DarkReading]

US – Trump Hotel Properties Investigating Reports of Breach

A breach of the systems at Trump Hotel Properties has compromised payment card information. The breach was detected when a pattern of fraudulent transactions was traced to cards that had been used at the hotels. The attack may have begun in February 2015. The company has acknowledged the incident and says it is investigating. [Krebs] [BBC] [TheRegister]

US – Telecom Companies Fined for Poor Customer Data Security

Two US telecommunications companies will pay a combined US $3.5 million to resolve a Federal Communications Commission (FCC) investigation that found the companies stored customer data on servers that were unprotected and accessible from the Internet. The issue affects more than 300,000 customers of TerraCom and YourTel America. [ComputerWorld] [FCC.gov]

CA – Four Canadian Firms Hit by Criminal Group, Says Symantec

A criminal group has been systematically targeting large corporations — including four Canadian organizations — over the past three years to steal confidential information and intellectual property, warns Symantec. The security vendor said the group, which it has dubbed Butterfly, has hit 49 organizations in more than 20 countries including Twitter, Facebook, Apple, Microsoft and firms in the pharmaceutical, legal and oil and precious metals sectors. More details on the group are in this Symantec report. [IT World Canada] See also: [Walmart Canada Looks Into Possible Credit Card Data Breach] [Govt. Prosecutes Health Workers for Snooping Into Rob Ford’s Medical Records] [Small Canadian Gold Firm Suffers Computer Hack] [Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim] [CBC News: Walmart Canada Shuts Online Photo Store After Possible Data Breach]

Identity Issues

WW – Surveys: Consumers Want Innovative Authentication

Two new surveys indicate consumer attraction to more sophisticated and innovative approaches to their online privacy beyond usernames and passwords. The first, Accenture’s Digital Trust in the IoT Era survey, indicates “77% of digital consumers would be interested in alternatives to usernames and passwords,” while “60% of the 24,000 respondents across 24 countries believe usernames and passwords are cumbersome to use.” And the 2015 State of Consumer Privacy & Personalization, conducted by OnePoll and Gigya, found “consumers demanding increased privacy and personalization are now opening up to the idea of using more advanced authentication methods, like biometrics and payment providers like PayPal and Amazon.” [ZDNet]

WW – Start-Up Launches Campaign to Boost Two-Factor Authentication

In June, mobile identity company TeleSign commissioned a study on consumers’ concerns about online security and their exposure to breaches. It found that, amidst increasing breach reports, 80% of consumers are worried about their online security and 40% have experienced a security incident within the past year. It also found, however, that 73% of online accounts use duplicated passwords and more than half of consumers use five or fewer passwords across their entire online life. Given statistics like those, TeleSign has launched a campaign aimed at educating consumers on what it says is the future of mobile identity: two-factor authentication. [Source] [US – Is the SSN a De Facto National ID?]

WW – Bevy of Surveys Indicate Data Protection Woes

An Online Alliance survey of 1,000 company sites indicates 46% “were found vulnerable to known online security threats,” finding a specific trend of weakness in Internet of Things sites. These results come on the heels of an additional SANS Institute report suggesting, “Financial services organizations are still being breached too often, most frequently by those with insider access,” with 46% of respondents citing “abuse or misuse by internal employees or contractors.” In South Africa, Check Point Software Technologies’ Security Report found, “Mobile devices are the weak link in a company’s security chain,” and Romania’s Business Review reports that privacy pros now believe there isn’t a “one-size fits all” approach to security. [ITProPortal]

US – Parents Concerned About Data Collection

A survey from The Learning Curve indicates that while 75% of parents feel technology has enriched education, 79% are uneasy about the security of the data said technology gathers. “The fear is that the multibillion-dollar education technology industry that seeks to individualize learning and reduce dropout rates could also pose a threat to privacy, as a rush to commercialize student data could leave children tagged for life with indicators based on their childhood performance,” the report continues. “Technology has tremendous potential to improve the lives of students and teachers. But none of it will come to pass if we don’t set higher standards for student data security,” said Clever CEO Tyler Bosmeny. [The Intercept]

UK – The Verify Identity Scheme Puts Privacy Considerations Front and Centre

Conventional identity schemes, such as those that issue official “identity cards”, utilise data from official government databases to provide proof of the identity of an individual, ideally with a very high level of assurance. These databases in turn rely on data from civil registration systems (births, marriages, deaths), perhaps cross-referenced against other official records (voter lists, driver licences, tax records etc.). Such large databases of identity data are at risk of being hacked, as are databases containing key biographical information that can be used for identity verification purposes, such as the data used when applying for US government jobs that require security clearance. Additionally, these databases can help enable a surveillance state. The GOV.UK Verify service approaches identity policy very differently, drawing on capabilities specific to the technology. Rather than focusing on maintaining a gold standard of identity data in a centralised database that provides a single digital identity, it takes a risk-based perspective on the whole identity transaction: drawing on a broad range of (public and private) identity-related data, assessing the quality of the validation and verification processes applied to that data, and processing the data in a way that minimises privacy risks, although not necessarily perfectly. A series of certified identity providers work with Verify to provide the verification services that enable access to government services. Verification with an identity provider is a one-time activity. Once an individual has a verified identity, they can use it to access any government service linked to Verify. During the verification process, each identity provider draws on its own set of data sources to determine whether it has confidence in the identity claims made by the individual. The data sources cover evidence categories related to being a Citizen, Money and Living and can come from both public and private sources.
Whilst no single piece of evidence is considered proof of identity, when combined with other pieces of evidence (particularly from different categories) they can be used to determine a level of assurance as to the identity of an individual. Once a certain level of assurance is reached, the identity is verified and the individual can, for example, file their tax returns. Some government services (e.g. tax credits) require a lower level of assurance than filing tax returns, and the Verify service has recently completed a trial of a basic identity account that provides this lower level of assurance. The Verify service emerged from the 2010 coalition government as a response to concerns about the surveillance state. It includes various privacy-enhancing mechanisms, including data minimisation. For example, the verification process does not require identity providers to store details of an individual’s passport. Instead, all they need to store is whether, at the time of verification, the individual’s passport was valid. To ensure that these privacy principles are being followed in the design and operation of Verify, the Cabinet Office Privacy and Consumer Advisory Group (PCAG) has published a series of Identity Assurance principles that guide the operation of the Verify service. These nine principles place the user at the centre of identity assurance activities (“I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them”) and explicitly discuss data minimisation (“My interactions only use the minimum data necessary to meet my needs”) and the multiplicity of identity providers (“I can use and choose as many different identifiers or identity providers as I want to”), as well as explicitly considering consumer options for dispute resolution (“If I have a dispute, I can go to an independent Third Party for a resolution”). The Verify service is currently a beta service.
[LSE (London School of Economics and Political Science)]

Intellectual Property

WW – Chorus Against ICANN Anti-Piracy Proposal Grows

There is growing opposition from women’s rights and privacy advocacy groups to an Internet Corporation for Assigned Names and Numbers (ICANN) proposal aimed at combating online piracy. A coalition—including celebrities and academics—sent ICANN a letter protesting the proposal that would require website operators to reveal users’ personal information. The letter argues the move will “physically endanger many domain owners and disproportionately impact those who come from marginalized communities.” Breakthrough VP for Communications Lynn Harris, a signatory of the letter, said, “I don’t want my personal information out there,” adding, “(This is) kind of like being doxxed by ICANN. I know the intent is not malicious, but a lot of people are sadly forced to work hard to keep their personal information private.” [BuzzFeed News]

US – IAPP Announces PLSC Winners

This year’s Privacy Law Scholars Conference featured some of the leading thinking in the field, and yet again the IAPP was proud to award $2,500 and a speaking role to those two papers voted as the best of the best. After a couple of years featuring co-written papers, this year we’ve awarded two single authors for work that on the one hand looks back at the history of the Social Security number and on the other offers a path toward a new and better form of consumer-protection regulation. [Full Story]

Internet / WWW

WW – Do Not Track 2.0 Working Draft Standard Published

The World Wide Web Consortium (W3C) has released a “Last Call Working Draft” for a proposed do-not-track (DNT) compliance standard. The road travelled by DNT has been a long and at times contentious one, but W3C Tracking Protection Group Co-Chair Justin Brookman says “the technical mechanism will soon be certified for widespread implementation.” [Privacy Perspectives] SEE ALSO: [The city of Oakland, CA, has moved to pass legislation that specifies how law enforcement purchases surveillance equipment]

WW – UN to Appoint Special Rapporteur for Privacy

The United Nations’ Human Rights Council (HRC) will announce its appointment for a special rapporteur on the right to privacy. President of the Human Rights Council Joachim Ruecker announced that the HRC’s Consultative Group ranked first Katrin Nyman-Metcalf of Estonia, though “concerns were raised as to whether she was the best qualified candidate for this specific position.” As such, Ruecker recommends for the job the Consultative Group’s second-ranked pick, Joseph Cannataci of Malta, “who has long-standing experience in the field of human rights.” A total of 30 candidates applied, including former German Data Protection Commissioner Peter Schaar and Dutch DPA Chairman Jacob Kohnstamm. [Full Story]

WW – Top Choice Blocked For U.N. Digital Privacy Investigator Post

Katrin Nyman-Metcalf was the candidate ranked first by a “consultative group” of five ambassadors – from Poland, Chile, Greece, Algeria and chaired by Saudi Arabia. But when it came to approving her appointment, Joachim Ruecker said he was over-ruling their choice and proposing the second-ranked candidate instead, Malta’s Joseph Cannataci. Nyman-Metcalf said …Ruecker had told her that civil society groups felt she was not “activist” enough. “It seemed in this criticism that he had received about me, these people who criticized me wanted somebody to wave a flag for (former U.S. security contractor Edward) Snowden,” she said. Nyman-Metcalf said she also found it bizarre that she had been criticized for saying there was no such thing as total privacy. [Reuters] [WW – Estonian blocked as UN’s first digital privacy investigator] [Slate: The U.N.’s New Digital Privacy Investigator Should Have Been Estonian]

WW – UAE Heads Global ‘Internet of Things’ Expert Group

The UAE was elected as the head of a new research committee for the Internet of Things (IoT) that was formed during a recent meeting of the International Telecommunication Union (ITU) in Geneva. The group’s focus is on implementing the Internet of Things in smart cities and communities in order to meet the need for standardization of IoT technologies. This will be achieved by creating a single platform combining engineers and experts from industry, telecom operators, ITU Member States and concerned organizations, to exchange visuals, examine the challenges and solutions, and come up with recommendations and unified global standards in this field. [TradeArabia News Service]

US – Lawmakers Want Internet Sites to Flag ‘Terrorist Activity’

Social media sites such as Twitter and YouTube would be required to report videos and other content posted by suspected terrorists to federal authorities under legislation approved this past week by the Senate Intelligence Committee. The measure, contained in the 2016 intelligence authorization, which still has to be voted on by the full Senate, is an effort to help intelligence and law enforcement officials detect threats from the Islamic State and other terrorist groups. It would not require companies to monitor their sites if they do not already do so, said a committee aide, who requested anonymity because the bill has not yet been filed. The measure applies to “electronic communication service providers,” which includes e-mail services such as Google and Yahoo. Companies such as Twitter have recently stepped up efforts to remove terrorist content in response to growing concerns that they have not done enough to stem the propaganda. Twitter removed 10,000 accounts over a two-day period in April. The bill, passed in a closed session Wednesday, is modeled after a federal law — the 2008 Protect Our Children Act — that requires online firms to report images of child pornography and to provide information identifying who uploaded the images to the National Center for Missing and Exploited Children. The center then forwards the information to the FBI or appropriate law enforcement agency. Google, Facebook and Twitter declined to comment on the measure, but industry officials privately called it a bad idea. “Asking Internet companies to proactively monitor people’s posts and messages would be the same thing as asking your telephone company to monitor and log all your phone calls, text messages, all your Internet browsing, all the sites you visit,” said one official, who spoke on the condition of anonymity because the provision is not yet public. “Considering the vast majority of people on these sites are not doing anything wrong, this type of monitoring would be considered by many to be an invasion of privacy. It would also be technically difficult.” [The Washington Post]

WW – Pinterest Updating Privacy Policy to Match Changes

Pinterest is revising its privacy policy to coincide with its move to include “buyable pins” and personalized “Promoted Pins” based on users’ activity. The site has indicated it plans to store credit card information, explaining, “We’ll save this info so you don’t have to type it in next time you make a purchase. We’ll also share this info with the seller, and they’ll treat it as if you bought from their website directly.” Pinterest said of its Promoted Pins that it hopes they will be “more relevant and useful to Pinners” and that it would include an opt-out function should users decide they are not interested in promoted material. [eCommerce Bytes]

WW – Powerful Coalition Letter Highlights Danger of ICANN’s New Domain Registration Proposal

Even without the ban on privacy for “commercial” websites, the proposal creates serious privacy problems for website owners. Accusations of copyright and trademark infringement are easy to make and easy to abuse, and the working group proposal doesn’t impose any consequences for false or abusive accusations. [EFF] [Google Hates ICANN’s Attempt to Eliminate Whois Privacy Calling it “Impractical & Ineffective”] SEE ALSO: [WW – Internet Runs out of New Addresses] and [Is IoT going to be squashed because of privacy concerns?] and [Internet of cars goes beyond self-driving vehicles]

Law Enforcement

CA – Halt to Warrantless Disclosures Not Hindering RCMP, Say Documents

An internal RCMP survey conducted months after the Supreme Court limited the police’s ability to access personal information without a warrant says the ruling has had no “significant negative effects” on operations. According to the documents, there is a general sentiment within the force that the court’s decision, known as Spencer, would cause investigative delays. But only 18% of Mounties responding to the survey said they had any difficulty obtaining a production order for sensitive information they previously got informally. “It appears that the biggest shift is that law enforcement is no longer able to rely on voluntary enforcement requests, and that the process of drafting and obtaining a production order or other judicial authorization is more time-consuming and rigorous,” reads the internal report, obtained by the Star under access to information law. The report also notes that while the number of warrantless requests has dropped sharply, there has been only a slight increase in production orders. The RCMP survey was conducted two months after the Spencer decision, and the report warns that the full impact will be known only in the coming years. The report recommends the RCMP begin to track data related to informal law enforcement requests for information, and how many production orders are sought by each division. Up to now, that data has not been tracked, which has led Privacy Commissioner Daniel Therrien’s office to conclude they could not investigate the RCMP’s use of warrantless requests. [Toronto Star]


WW – Google Unveils New Suite of Beacon Products and Services

Google introduced several new products around Bluetooth Low Energy beacons that include an open beacon format, tools and APIs for building services on top of beacons. Google also unveiled a new service for developers looking to manage and monitor large beacon deployments. The so-called cornerstone of the new set of products is called the Eddystone format. Released on Github, the new format provides developers with a “more robust and extensible way” for working with beacons, the report states, noting the releases from Google allow it to compete with Apple iBeacon technology. [TechCrunch]

US – Car Companies Limiting Driver Data Shared With Tech Companies

Auto companies, increasingly collecting data about drivers through connected cars, are limiting the data they share via new systems that link smartphones to cars with technology partners Apple and Google. “We need to control access to that data,” said Don Butler, Ford’s executive director of connected vehicle and services, adding, “We need to protect our ability to create value” based on digital services built on vehicle data. GM told investors earlier this year it expects to see an additional $350 million in revenue over the next three years from the high-speed data connections it’s building into its cars. [Reuters]


RU – Parliament Backs Sweeping RTBF Law

The Russian parliament has approved a bill that will require online search engines to remove search results about specific individuals at their request, regardless of whether the person is a public figure. Though somewhat similar to the EU’s right-to-be-forgotten concept, the Russian version has no balancing test for the public’s right to information. Individuals may request that search engines remove search results if the data about them is “no longer relevant,” the report states. Russia’s largest search engine Yandex said last month that such a law would impede “people’s access to important and reliable information,” while Russian lawmaker Leonid Levin defended the bill, saying it “will create an efficient tool for clamping down on blackmail and Internet bullying.” [NDTV] [RU – ‘Right to Be Forgotten’ Exposes Russia to Risks] [In Russia, Parliament has given its approval to an Internet privacy bill] [Russia’s Parliament has approved a bill that will require online search engines to remove search results about specific individuals at their request, regardless if the person is a public figure or not]

CN – China’s Cyber Security Law

A new draft law in China would give the government the authority to shut down Internet access during major “social security incidents.” The law would also require technology companies to ensure protection of user data. People would be required to register for services with their real names, and companies would be required to store user data within the country. [QZ.com] [Ars Technica] [The Register] [China Law Translate] [China Releases Draft of New Network Security Law: Implications for Data Privacy & Security] [China’s highest legislative body, the National People’s Congress, has released text of proposed national legislation that would bolster privacy protection, outlaw hacking activity and give authorities a mandate to control Internet access] [The Chinese government’s new National Security Law “calls for strengthened management over the web and tougher measures against online attacks, theft of secrets and the spread of illegal or harmful information”]

NZ – New Zealand Makes Internet ‘Trolling’ Illegal

Internet trolls face up to two years’ jail in New Zealand under a controversial new law which bans “harmful digital communications”. And under a parallel amendment to New Zealand’s Crimes Act, a person who tells another to kill themselves faces up to three years in prison. The law will help mitigate the harm caused by cyber-bullying and give victims a quick and effective means of redress, supporters said. But critics said the law harms free speech and its fine print could threaten public interest journalism in the country. Under the Harmful Digital Communications Act, in effect from this week, anyone convicted of “causing harm by posting digital communication” faces two years in prison and a $50,000 (NZ) (£6,500) fine, while businesses face fines of up to $200,000 (NZ). Harmful communications can include truthful as well as false information, and “intimate visual recordings” such as nude or seminude pictures or video shared without permission. The bill was introduced after a public outcry over the horrific “Roast Busters” scandal, in which a group of teenage boys from Auckland was accused of sexually assaulting drunk, underage girls and boasting about the acts on social media. [The Telegraph] [New Zealand’s Harmful Digital Communications Act makes some changes to the scope of the Privacy Act, including closing a “revenge porn loophole where complainants’ ex-partners could distribute intimate photographs or videos without breaching the Privacy Act”]

NZ – Privacy Commissioner to Trial Corporate Transparency Reporting

“Transparency reporting has the potential to increase public awareness of the information gathering activities of law enforcement and security agencies and to encourage companies that hold the information to be open with consumers about the limitations of confidentiality, and the ways in which they cooperate with agents of the state. This year we intend to trial asking companies to keep a standardised record of requests for information from law enforcement agencies and to report this information to us. We will then publish this information.” – Privacy Commissioner John Edwards [Source] SEE ALSO: [As unmanned aircraft popularity burgeons, concerned parties like the New Zealand Privacy Commission and even drone experts believe that regulations like those due to be released next month are necessary]

HK – Time for Hong Kong’s Privacy Commissioner to Go

Chiang has taken to advocating the disastrous “right to be forgotten” law of the European Union in the typically me-too mentality of the Hong Kong bureaucrats – he was for a long time postmaster general, after all. In that spirit, he has been harassing people and websites that provide a genuine public service. His office, for example, is now fighting corporate governance advocate David Webb at the Administrative Appeals Board after Webb refused an order to redact the names of people who appeared in reports on three court judgments handed down between 2000 and 2002. Webb has rightly argued that publishing judgments is a judicial function, so personal data that appear in judgments should be exempt from data protection principles. It’s Chiang’s job to “keep private data private”, Webb pointed out, but “not to make public data private”. [Source]

AU – OAIC to Be Left Without Statutory Officers

The Privacy Commissioner’s appointment expires this week, while the Australian Information Commissioner formally resigns on July 31, leaving the OAIC potentially without any statutory officers. The government will need to find a solution to avoid FOI chaos. [Source] SEE ALSO: [AU – The New South Wales Parliament’s Law and Justice Committee “has begun a fresh inquiry into the long-debated need for legal measures that would let Australians sue over serious breaches of their privacy.”]

WW – Other Offshore News

Online Privacy

WW – W3C Publishes DNT Compliance Draft

The World Wide Web Consortium (W3C) has published a “Last Call Working Draft” for a proposed compliance standard that defines a set of practices for complying with users’ do-not-track (DNT) requests. While browsers currently have DNT functionality, “those headers don’t actually prevent anyone from tracking users,” the report continues. “Instead, the headers send a signal to publishers and ad networks—which are free to honor them or not.” The initiative, which has struggled to gain consensus since it began in 2011, aims to ensure a common definition of DNT so that users can understand what an entity means when it claims adherence. “This eliminates the industry’s excuse of not knowing what the do-not-track signal means,” said Digital Content Next CEO Jason Kint. Comments on the draft are welcome to the W3C through October 7. [MediaPost]

EU – Google Updates Privacy Policy After DPA Threatens Fine

The Dutch Data Protection Authority (DPA) has announced Google “has improved its privacy policy” after the DPA threatened the company with a 15-million-euro fine. According to the DPA, Google has “updated the information on its privacy policy and now also asks new users’ permission to combine their personal data throughout Google services,” the report states. The DPA has not required Google to pay the fine, but it “may still face a fine of up to five million euros if it does not get permission of Google-users to combine their personal data by December,” the report states. [NL Times]

EU – RTBF Data Shows Types of Requests

Data gleaned from archived versions of Google’s transparency report revealed statistics on right-to-be-forgotten takedown requests, suggesting that more than 95% of requests came from “everyday members of the public” and not from criminals, politicians or other high-profile public figures. According to the report, those requests concern private personal information, and nearly half of them have been granted. Google said, “The data The Guardian found in our Transparency Report’s source code … was part of a test to figure out how we could best categorize requests. We discontinued that test in March because the data was not reliable enough for publication. We are however working on ways to improve our transparency reporting.” [The Guardian]

US – Group Wants Right To Be Forgotten for U.S.

A consumer watchdog is filing a formal complaint with the FTC arguing that, by not providing Americans with the same right-to-be-forgotten measures existent in the EU, Google is exercising an unfair and deceptive trade practice. In the complaint, the group urges the FTC to “investigate and act.” Consumer Watchdog Privacy Project Director John Simpson said, “Google holds itself out as so concerned about users’ privacy, but denies fundamental privacy protection—that’s deceptive.” [The Washington Post]

US – Researchers Find Platform Capable of Facilitating Discriminatory Practices

A new research paper suggests that Google “may lack the ability to keep discriminatory and privacy policy-violating advertisements off its services.” Three computer scientists from Carnegie Mellon University and the International Computer Science Institute found that Google’s AdSense platform “is capable of discriminating against women looking for employment and targeting consumers based on their health information,” the report states. The researchers built a tool called AdFisher and used more than 17,000 simulated user profiles to look at how different user traits would impact which ads they were served. In one experiment, ads for drug and alcohol rehabilitation centers were shown to accounts that had accessed substance abuse websites. [WIRED]

WW – Google: ICANN Proposal Unfair for Small Businesses, Individuals

Google says the proposal of the Internet Corporation for Assigned Names and Numbers (ICANN) aimed at combating online piracy by prohibiting commercial domain registrants from using proxy or privacy services is unfair to small businesses and individuals. Google says companies will still be able to use shell companies to hide ownership of domain names, but small businesses and individuals won’t be able to do the same. “Corporations, in particular, often use proxies or subsidiaries to provide local contacts … to provide privacy as in the case of law firms or ‘shell companies’ acting on behalf of their principals,” the company said in its comments, citing its own Charleston Road Registry. [The Domains]

WW – Berners-Lee Calls for Access to Research Data

World Wide Web founding father Tim Berners-Lee made comments regarding individuals’ rights to their digital data and the need for government transparency and researchable clinical data. “We may have a revolution where people are demanding their data back,” he said. “Consumers of the world need to make it very clear that they want control; they want access to their data, they want access to open government data.” He has also called for a bill of online rights that would be respected by both governments and businesses. Plus, he said, “Clinical data should be available to research by default,” adding, “It’s such a valuable thing; the medical community could do such valuable things with it.” [Bloomberg]

WW – Adobe Patches Critical Flash Vulnerability

Adobe has rushed out a patch for its Flash Player to address a vulnerability that had been leaked and was being used in active attacks. Users should update to the patched versions for Windows and Mac, for Linux, and for the extended support channel. The Flash plug-in in Google Chrome, and in Internet Explorer on Windows 8.x, will be updated automatically. [ComputerWorld]

WW – Facebook CSO Calls for End to Flash

Facebook’s new chief security officer has said, via Twitter, that it’s time for Flash to go. Alex Stamos tweeted, “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.” Stamos became Facebook’s CSO in June after less than a year as CISO at Yahoo. Steve Jobs called for an end to Flash in 2010. [ZDNet] [CNET] [Second Flash Player zero-day exploit found in Hacking Team’s data]

WW – Social Media Network Wants Privacy in User’s Hands

Privacy activists have long complained that large social networks like YouTube, Twitter, Facebook and others use members’ private information without consent or transparency. But so far, there have been few alternatives. That’s something Bill Ottman is hoping to change. Ottman is the founder and CEO of Minds.com, a new social network that is free, fully open source and encrypted. Still only a few weeks old, Minds has already received one high-profile vote of confidence from the privacy-centric hacker collective Anonymous. [VOA] See also: [A Third of the World Is Using Social Media, But 90% Are Concerned About Privacy]

WW – A $200 Privacy Device Has Been Killed, and No One Knows Why

A security researcher has abruptly cancelled next month’s scheduled unveiling of a privacy device designed to mask Internet users’ physical locations. It’s a move that has both disappointed privacy advocates and aroused suspicions. Ben Caudill, a researcher with Rhino Security Labs, took the unusual step of saying he no longer plans to release the software or hardware schematics for his so-called ProxyHam box. He said the devices already created have been destroyed. Caudill has offered no explanation for the killing of the project, but he has reportedly ruled out both intellectual property disputes and Federal Communications Commission licensing concerns. That has left some people to speculate a secret government subpoena known as a National Security Letter is at play in the decision to kill the project. The ProxyHam device was able to mask the location of an Internet user by broadcasting on a 900MHz radio frequency so the owner could connect from up to 2.5 miles away from the source of the Internet connection. As a result, even if someone tracked down the location of an IP address, the user wouldn’t automatically be discovered. The box was billed as using open-source software and requiring less than $200 in hardware. It was scheduled to be the topic of a now-canceled talk at next month’s Defcon hacker conference in Las Vegas. Whatever the reason for the cancellation, it wouldn’t be hard for someone else with expertise in hardware to create a box that does exactly what Caudill described. So far, there’s no word of anyone offering to sit in for Caudill. [arstechnica.com] [CSO: The Implications of ProxyHam’s Sudden Disappearance]

Other Jurisdictions

KY – Kenya Establishes Regulations to Combat Cyber Crime

Kenya Communications Authority’s Francis Wangusi has announced a new set of regulations to fight cybercrime. The new rules will require all users of devices with wireless networking capability to register their devices with the Kenya Network Information Centre, the report states. The registry will allow Kenyan authorities to “be able to trace people using national identity cards that were registered and their phone numbers keyed in during registration” if the devices are associated with criminal activity on the Internet, Wangusi said. In addition, all Kenyan businesses will be required to host their websites within Kenya. [Ars Technica] [Kenya to require users of public Wi-Fi to register with government]

CN – China Mulls Privacy Protection, Further Curbs on Internet

The Chinese government’s newly minted National Security Law “calls for strengthened management over the web and tougher measures against online attacks, theft of secrets and the spread of illegal or harmful information.” “Externally speaking, the country must defend its sovereignty, as well as security and development interests, and … it must also maintain political security and social stability,” a spokeswoman said. “Companies worry that (the legislation) could undermine their ability to send encrypted emails or operate the kind of private corporate networks commonly used to secure communications,” the report states. Members of the Chinese public are worried that their right to speech may be further curtailed in the name of national security. China already has some of the most restrictive Internet controls. It blocks popular Web sites such as Twitter, Facebook, YouTube, Instagram and various Google services. Search results are severely filtered to scrub out information deemed offensive to the authorities, and online posts are routinely removed if they are considered to have potential to unsettle the public. [Source]

Privacy (US)

US – No-Harm-Big-Foul: The FTC’s Latest Overreach in Data Privacy

By enforcing the FTC act against trivial misstatements in privacy policies that nobody reads, the Commission has been able to put an increasingly large number of firms in the digital economy under 20-year orders. The orders often mandate intrusive monitoring and reporting. What’s more, the FTC can obtain substantial monetary penalties for order violations—just ask Google, which was hit with a $22.5 million fine for a misstatement on its FAQ page about how to disable cookies in Safari (which by all indications impacted nobody). [Source]

US – FCC Releases Declaratory Ruling on TCPA

A “sharply divided” FCC has issued its Telephone Consumer Protection Act (TCPA) Declaratory Ruling and Order with “a range of new statutory and policy pronouncements that have broad implications for businesses of all types that call or text consumers for informational or telemarketing purposes,” Laura Phillips and Eduardo Guzman of Drinker Biddle & Reath write. Key areas of the ruling include scope and definition of auto-dialers; consent and revocation of consent; treatment of text messaging and Internet-to-phone messaging, and service provider offering of call-blocking technology, they write, noting the FCC “states that the new interpretations of the TCPA are effective upon the release date of the Declaratory Ruling. Requests may be lodged, however, to stay its enforcement pending review.” [TCPA Blog]

US – Court Again Rejects Suit Against Google

Google users were blocked for a fourth time from suing the company by a judge who found that their claims of breach of personal privacy could not be substantiated. In this iteration of the suit, “plaintiffs focused on claims that Google violated its own privacy policy by disclosing to third parties the names, email addresses and account location of Android users,” the report continues. However, U.S. Magistrate Judge Paul Grewal found that there was a lack of evidence supporting the allegations, “especially as plaintiffs claim injury without alleging any actual disclosure to third parties from plaintiffs’ own devices,” he said. [Bloomberg Business]

US – ITIF Calls on Congress to Ban Revenge Porn

The Information Technology and Innovation Foundation (ITIF) is calling on Congress to ban revenge porn. The ITIF released a report entitled “Why and How Congress Should Outlaw Revenge Porn,” recommending Congress pass legislation like the bill Rep. Jackie Speier (D-CA) will release July 23 to ban photos of genitalia if a nonconsenting person is identifiable by face or name, as well as create a special FBI unit to provide immediate assistance to revenge porn victims and “direct the Department of Justice to work with the private sector on developing best practices for how online services can quickly remove nonconsensual pornography.” [The Hill] [NY Mag: Could Affirmative-Consent Model Stop Revenge Porn?]

US – FCC Reaches $3.5 Million Breach Settlement with Companies

The FCC Enforcement Bureau has announced a $3.5 million settlement with TerraCom, Inc., and YourTel America, Inc., to resolve an investigation into whether the companies failed to properly protect the confidentiality of personal information they received from more than 300,000 consumers. The investigation found that the companies’ vendor stored consumers’ personal information on unprotected servers that were accessible over the Internet. “Consumers rightly expect that companies will take every reasonable precaution to protect their personal information,” said FCC Enforcement Bureau Chief Travis LeBlanc. In addition to the penalty, the companies will notify all consumers whose information was subject to unauthorized access and will provide complimentary credit monitoring services for all affected. [Full Story]

US – AGs to Congress: Don’t Preempt States’ Rights

The attorneys general (AGs) from the 47 states that have data breach notification laws sent Congressional leaders a letter urging them not to preempt states’ rights in investigating breaches. The AGs write that “any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.” Vermont AG William Sorrell said, “Given the almost constant stream of data security breaches, state attorneys general must be able to continue our robust enforcement of data breach laws,” adding, “A federal law is desirable but only if it maintains the strong consumer protection provisions in place in many states.” [The Hill]

US – Uber’s Targeted Messaging Draws Criticism

A targeted message from Uber to its Brooklyn, NY, users urging them to challenge New York City travel legislation has drawn criticism from users and a consumer security expert who feel that the move was a breach of privacy. “It is not uncommon to email riders and driver-partners based on neighborhood,” Uber has responded. Gary Miliefsky, CEO of SnoopWall, disagrees. “They need to know where you are for your ride, not to know who to send political documents to,” Miliefsky said. “Can we at least be upfront and clearer with the privacy risk we are putting customers at?” [CNBC]

US – White House Orders Immediate Adoption of Basic Security Measures

Following the news of breaches of the OPM’s networks that compromised security clearance data, the White House has ordered federal agencies to immediately adopt basic security practices. The required procedures include applying patches for critical flaws promptly; using anti-virus products and checking logs for attack indicators; deploying two-factor authentication; and strengthening controls for privileged users. [ComputerWorld] [The Register] [NextGov]
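Of the four measures listed above, “checking logs for attack indicators” is the one that is easy to mandate and hard to do well. The following is an added example (mine, not from the directive or the articles) of a minimal log check: it parses OpenSSH-style authentication log lines, counts failed logins per source address inside a sliding time window, and flags both the brute-force burst itself and, more importantly, a successful login from an address that was just bursting. The log lines, the thresholds and the year assumed for the syslog timestamps are all constructed for the example.

```python
"""
Added example: a small "check logs for attack indicators" routine.  It reads
OpenSSH-style auth log lines, tracks failed logins per source IP in a sliding
window, and reports (a) brute-force bursts and (b) an accepted login from an
address that was bursting, which is the indicator worth paging on.
Sample log lines, thresholds and the assumed year are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in syslog/sshd format (not a real capture).
SAMPLE_LOG = """\
Jul 20 02:14:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jul 20 02:14:03 bastion sshd[2203]: Failed password for root from 203.0.113.9 port 51024 ssh2
Jul 20 02:14:04 bastion sshd[2205]: Failed password for root from 203.0.113.9 port 51026 ssh2
Jul 20 02:14:06 bastion sshd[2207]: Failed password for invalid user oracle from 203.0.113.9 port 51030 ssh2
Jul 20 02:14:08 bastion sshd[2209]: Failed password for root from 203.0.113.9 port 51032 ssh2
Jul 20 02:14:09 bastion sshd[2211]: Accepted password for root from 203.0.113.9 port 51034 ssh2
Jul 20 02:30:11 bastion sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jul 20 02:30:40 bastion sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[0-9a-fA-F.:]+)\s+port\s+\d+"
)

YEAR = 2015  # syslog lines carry no year; assumed so timestamps can be parsed


def parse(line):
    """Parse one sshd auth line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_indicators(lines, threshold=5, window_seconds=60):
    """Return a list of (kind, ip, user_or_None, timestamp) indicators.

    kind is "bruteforce" when an address accumulates `threshold` failed
    logins within `window_seconds`, and "success_after_bruteforce" when a
    login is subsequently accepted from that address.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    indicators = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        # drop failures that have fallen out of the sliding window
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                indicators.append(("bruteforce", ev["ip"], None, ev["ts"]))
        elif ev["result"] == "Accepted" and ev["ip"] in flagged:
            indicators.append(("success_after_bruteforce", ev["ip"], ev["user"], ev["ts"]))
    return indicators


if __name__ == "__main__":
    for kind, ip, user, ts in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind:24s} {ip} {user or ''}")
```

In the sample, one address fails five times in seven seconds and then gets in as root, which is reported as two indicators; the single failure from the second address never crosses the threshold. The same two-stage logic (burst, then success from the bursting source) transfers to any authentication log with a source, a result and a timestamp.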

Privacy Enhancing Technologies (PETs)

UK – ICO Approves CA Technologies for BCRs

New York City-based CA Technologies has received approval of its binding corporate rules (BCRs) from UK Information Commissioner Christopher Graham. “Being one of the first technology companies to receive approval for our BCR is an incredible achievement and one that demonstrates that CA not only creates secure solutions but also implements the highest level of data privacy and protection as a matter of company policy,” said CA Technologies General Counsel Michael Bisignano. CA Technologies joins a growing list of companies choosing BCRs as a data-transfer mechanism. [Source]

WW – Uniting Privacy and Customization

“Computer scientists and legal experts from Trinity College Dublin and SFI’s ADAPT centre are working to marry two of cyberspace’s greatest desires” via “Privacy Paradigm,” an online privacy system that aims to both customize and protect data on popular sites and apps “so that users signing up would know exactly how private, or otherwise, their personal information would be.” “It’s a grand target we’re setting ourselves and the research is ongoing,” said Trinity Prof. Owen Conlan, “but the big-picture vision is to make the way online services use our personal—and often privacy-sensitive—information as transparent and easy to understand and manipulate as possible for ordinary users.” [Phys.org]


WW – Study: Users Don’t Totally Grasp IoT, But They Know Their Data Is Being Sold

An Altimeter Group study, Consumer Perceptions of Privacy in the Internet of Things, discovered that while 40% of consumers “still have little understanding” of cookies and 87% of consumers are unsure of what the Internet of Things is, exactly, they have a fundamental understanding of “the data implications of fitness trackers, connected cars or connected home appliances. And most don’t like it,” adding that consumers’ chief concern is having their data sold. Jessica Groopman, who conducted the research, said, “It’s clear that there’s a communication and consent gap today. It isn’t smart for companies to move forward ruthlessly and relentlessly. It should be a bit more of a joint effort where companies educate consumers and get their opt in.” [Fortune]


US – Increased Spending Not Improving US Government Cyber Security

Although the US federal government has increased spending on cyber security over the past few years, the government’s systems continue to experience serious attacks, such as those launched against networks at the Office of Personnel Management (OPM), the Internal Revenue Service (IRS), and the State Department. Some of the increase in reported cyber security events can be attributed to privacy violations, lost and stolen devices, attempted break-ins, and better incident awareness and detection. A recent survey found that government agencies are having trouble keeping up with changing threats and that incident response times have not improved. Agencies are also hiring contractors who are not equipped to interpret the data generated by the security tools the agencies have in place. [CSMonitor]

US – Cyber Sprint Could Reveal Many More Intrusions

The federal government could find many more cyber intrusions following the White House-initiated 30-day “cyber sprint.” Office of Management and Budget Chief Information Officer Tony Scott said, “I think it’s a realistic chance, and I think this is true no matter where you go … It’s not unique to the federal government.” The 30-day sprint is now completed, and, according to the report, Scott plans to publicly release which agencies have achieved the goals of getting up to speed on critical information-security protections. “Some will get there, and some won’t,” he said. “There’s probably no CIO in any federal agency now who wants to be the bottom of the list.” [Reuters] [#AntiCanadaDay Attacks On Government Sites]

US – NTIA Announces First Cybersecurity Multi-Stakeholder Process

The National Telecommunications and Information Administration (NTIA) announced its first cybersecurity multi-stakeholder process will launch in September and focus on vulnerability research disclosure. The goal of the process will be to bring together security researchers, software vendors and “those interested in a more secure digital ecosystem to create common principles and best practices around the disclosure of and response to new security vulnerability information.” The multi-stakeholder process follows the Department of Commerce’s announcement in March of an initiative to address key cybersecurity issues facing the digital economy. [NTIA blog post]

US – Survey Finds Cybersecurity Viewed as Increasingly Important

A Healthcare Information and Management Systems Society survey indicates that 87% of healthcare professionals have elevated the importance of cybersecurity over the last year, and that two-thirds of those surveyed have had a “significant security incident in the recent past.” “On average, the survey-takers’ organizations use 11 different technologies to try to secure their networks and data, in part because hackers, phishers and other scammers are getting more sophisticated,” the report states. Meanwhile, the healthcare profession doesn’t “have a system in place that is practical or financially viable at scale for securing medical devices, and innovation is essential.” [MedCity News]

WW – Darkode Cybercriminal Hacker Marketplace Shut Down

Investigators have shut down what they call the world’s largest-known English-language malware forum, an online marketplace called Darkode where cybercriminals bought and sold hacked databases, malicious software and other products that could cripple or steal information from computer systems, the Justice Department announced Wednesday. Twelve people linked to the site have been charged. [Associated Press]

WW – Investors Pour $1.2 Billion into Security Start-Ups

Data breaches are resulting in more investment in cybersecurity companies. “Five years ago, it would have been a very hard sell,” said Max Krohn, cofounder of encryption start-up Keybase with Chris Coyne. “Probably, it would have been, ‘Sorry, no one cares about security, therefore this product doesn’t have much of a hope.’” Keybase, a new Dropbox-style file-sharing service that employs public-key encryption, has landed $10.8 million in funding from venture capital firm Andreessen Horowitz; UK big-data privacy start-up Privitar recently landed $1 million. Such investors “say they likely wouldn’t have invested in a company like Keybase even two years ago,” the report states, noting that in the first half of this year, “venture firms invested $1.2 billion in cybersecurity start-ups … up sharply from $771 million in 2013’s first half.” [The Wall Street Journal]

WW – Critical Security Controls Draft Available for Public Comment

The Center for Internet Security has released Critical Security Controls Draft Version 6c for public comment. Changes in this draft include the reprioritization of certain Controls due to the evolution of threat, the restructuring of some Controls for simplification, and better alignment with other frameworks, including the NIST Cybersecurity Framework. [CISecurity]

WW – Shared Passwords and No Accountability Plague Privileged Account Use

Centrify’s State of the Corporate Perimeter survey, conducted among 200 US IT decision-makers, found that nearly 60% of them share access credentials with other employees at least somewhat often, and that 52% have also shared credentials with contractors. About three-quarters of respondents estimate that more than 10% of employees have access to privileged accounts, whether legitimately or through sharing, and over half reported that it would be easy for a former employee to log in to systems or data with old passwords. Unsurprisingly, 74% said their organization needed to do a better job of monitoring who is accessing data, and 62% believe their organization has too many privileged users. The concern grows as cloud and mobile computing have obliterated the corporate perimeter. As things stand, 92% of US organizations have some form of user monitoring in place, but only 56% have some sort of privileged identity management, and of those, nearly a third have nobody formally analyzing or auditing how and when employees or contractors use privileged access on at least a weekly basis. Even something as simple as rotating passwords on a regular schedule is done by only about 58% of US organizations. [Dark Reading]
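Three of the survey findings above map directly onto checks that can be run against an account inventory: former employees who can still log in, privileged passwords that are never rotated, and privileged accounts that nobody individually owns (which is what a shared credential looks like in a directory export). The following is an added example of mine, not Centrify’s or the article’s, that runs those three checks over a constructed CSV export. The column names, the HR leavers list, the 90-day rotation policy and the “owner is a team, not a person” heuristic are all assumptions made for the example.

```python
"""
Added example: a privileged-account audit over a constructed account export.
Flags (1) accounts on the leavers list that are still enabled, (2) enabled
privileged accounts whose password is older than the rotation policy, and
(3) enabled privileged accounts with no single named owner.  CSV columns,
leavers list, policy and ownership heuristic are assumptions for the example.
"""
import csv
import io
from datetime import date

# Constructed account export (columns are assumed; not a real directory dump).
ACCOUNTS_CSV = """\
username,owner,privileged,enabled,password_set
jsmith,Jane Smith,no,yes,2015-06-01
dba_admin,,yes,yes,2014-11-03
rwilliams,Rob Williams,yes,yes,2015-07-10
backup_svc,Ops Team,yes,yes,2015-01-15
tchen,Tom Chen,yes,no,2015-03-02
contractor1,Dana Lee (Acme),yes,yes,2015-05-20
"""

# Constructed HR leavers list: usernames whose employment or contract has ended.
LEAVERS = {"tchen", "contractor1"}

PASSWORD_MAX_AGE_DAYS = 90  # assumed rotation policy for privileged accounts


def load_accounts(text):
    """Parse the CSV export into a list of typed account records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": r["username"],
            "owner": r["owner"].strip(),
            "privileged": r["privileged"].lower() == "yes",
            "enabled": r["enabled"].lower() == "yes",
            "password_set": date.fromisoformat(r["password_set"]),
        })
    return rows


def audit(accounts, leavers, today, max_age_days=PASSWORD_MAX_AGE_DAYS):
    """Return a dict of finding-type -> sorted list of usernames."""
    findings = {"leaver_still_enabled": [],
                "stale_privileged_password": [],
                "privileged_without_named_owner": []}
    for a in accounts:
        if a["username"] in leavers and a["enabled"]:
            findings["leaver_still_enabled"].append(a["username"])
        if a["privileged"] and a["enabled"]:
            if (today - a["password_set"]).days > max_age_days:
                findings["stale_privileged_password"].append(a["username"])
            # Heuristic: an empty owner, or a team rather than a person, means
            # nobody is individually accountable for the credential.
            if not a["owner"] or a["owner"].lower().endswith("team"):
                findings["privileged_without_named_owner"].append(a["username"])
    return {k: sorted(v) for k, v in findings.items()}


def audit_export(text, leavers, today_iso, max_age_days=PASSWORD_MAX_AGE_DAYS):
    """Convenience wrapper: run the audit straight from CSV text and an ISO date."""
    return audit(load_accounts(text), leavers, date.fromisoformat(today_iso), max_age_days)


if __name__ == "__main__":
    # Constructed audit date, chosen to sit after the newest password_set value.
    for kind, users in audit_export(ACCOUNTS_CSV, LEAVERS, "2015-07-20").items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Against the sample data the audit reports one leaver who can still log in, two privileged accounts with passwords well past 90 days, and the same two accounts as having no individual owner; the disabled leaver is correctly not reported. Feeding a real directory export and HR leavers list into `audit_export` is the weekly review the survey says a third of organizations are not doing.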

US – The FBI is Willing to Pay $4.2 Million to Get These Hackers

They aren’t the murderers, drug traffickers and rapists who usually are on the FBI’s lists, but cyber criminals are still some of the agency’s most-wanted bad guys. The top five most-wanted cyber criminals, ranked by the amount of money offered for their capture and prosecution, are responsible for hundreds of millions of dollars in losses, according to FBI statistics, and authorities are willing to pay a combined $4.2 million for information leading to their arrest. [The Washington Post]

US – Why Webcam Indicator Lights Are Lousy Privacy Safeguards

A recent academic study found that few computer users notice indicator lights and even fewer realize that the camera is always recording when the light is on. The lack of awareness, say researchers, makes people more vulnerable to webcam spying. The webcam light is a type of privacy indicator, which is a notification that a user’s data is being collected in some way. Other privacy indicators include the green Secure Sockets Layer lock in the website address bar that indicates a secure connection or the pop-up on a smartphone asking for consent to share your location with an app. “One of the big problems we see today is that it’s really hard to know how an application is using your data,” says Serge Egelman, a research scientist at UC Berkeley’s Department of Electrical Engineering and Computer Science. “Once you’ve granted access to it, it’s essentially gone.” Until better indicators are developed for the webcam, study authors Portnoff and Egelman recommend placing a sticker over the webcam and using antivirus software. For other applications, pay attention to what permissions they ask for. [csmonitor.com]


UK – New Snowden Docs Revealed

The Intercept has released a new trove of documents from the Edward Snowden leaks, providing a detailed look into the capabilities of the U.S. NSA program known as XKEYSCORE. First reported in 2013, the program is one of the agency’s “most powerful tools of mass surveillance” and “makes tracking someone’s Internet usage as easy as entering an email address,” the report states, adding the program “provides no built-in technology to prevent abuse.” [Full Story] Meanwhile, UK Prime Minister David Cameron doubled down on his promise to not “leave a safe space … for terrorists to communicate with each other.” Additionally, the Investigatory Powers Tribunal has found that the UK’s GCHQ spied on Amnesty International’s private communications, a finding the human rights organization called “outrageous.”

UK – NSA Collecting Voice Calls, Photos, Passwords, and Much More After All

NSA documents leaked to the Guardian in 2013 described a covert program called XKeyscore, which involved a searchable database for intelligence analysts to scan intercepted data. Now, new documents show the breadth of this program and just what sort of data XKeyscore catalogs. According to a new report from The Intercept, the amount of data XKeyscore scoops up, as well as the sort of data it collects, is much larger than originally thought. Here are a few highlights from the new report: The XKeyscore database is “fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing,” the new report writes. Its servers retain the full content of this traffic for up to five days, and store the metadata of this traffic for up to 45 days. Web traffic wasn’t XKeyscore’s only target. In fact, according to the documents posted by The Intercept, it was able to gather data such as voice recordings. A list of the intercepted data included “pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation (CNE) targeting, intercepted username and password pairs, file uploads to online services, Skype sessions and more.” The search capability is sophisticated: the new documents detail ways that analysts can query the database for information on people based on location, nationality, and previous web traffic. XKeyscore was also used to help hack into computer networks for both the US and its spying allies. One document dated 2009 claims that the program could be used to gain access to unencrypted networks. Using XKeyscore was reportedly remarkably easy. “The amount of work an analyst has to perform to actually break into remote computers over the Internet seems ridiculously reduced — we are talking minutes, if not seconds,” security researcher Jonathan Brossard told The Intercept. “Simple. As easy as typing a few words in Google.” While XKeyscore has been known as an intelligence tool for years now, these new documents highlight just how advanced and far-reaching the program’s surveillance is. The NSA, in a statement to The Intercept, claims that all of its intelligence operations are “authorized by law.” It added, “NSA goes to great lengths to narrowly tailor and focus its signals intelligence operations on the collection of communications that are most likely to contain foreign intelligence or counterintelligence information.” [Source]

UK – Government’s Surveillance Plans Could Put Citizens, Economy and Entire Internet at Risk, Argue Leading Computing Experts

Proposals are ‘unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when internet vulnerabilities are causing extreme economic harm’, leading experts argue [Source] [Why We Must Fight the ‘Snoopers Charter’]

UK – Would an Encryption Ban Kill the UK’s Bitcoin Businesses?

Reports that the government’s plan would result in a ‘ban’ on PGP, Apple Messages or WhatsApp have been based on speculation so far. The government has not stated explicitly how it intends to handle the issue. Inserting backdoors into encrypted systems for government agencies, however, would effectively render them open since it would be impossible for the provider and end user to ever be certain their communications were not being monitored. …At this stage it is not clear whether the plan to ban encryption is even possible. The technology has been in the wild for decades now, and previous attempts to limit its use have been unsuccessful. The UK’s own Parliamentary Office of Science and Technology said in a briefing that a ban on encryption is “infeasible” from a technological standpoint – though its report is not binding on government decisions. [Source]

UK – Surveillance Report Makes Concessions to Privacy Lobby

Report in response to Edward Snowden’s revelations concedes privacy should be a greater concern in data collection and that current laws are outdated. The report proposes that the intelligence services retain the power to collect bulk communications data on the private lives of British citizens, but it also now concedes that privacy must be a consideration throughout the process. …There was vigorous debate between the former intelligence heads and privacy advocates over Snowden’s disclosures and whether British intelligence agencies had acted illegally. The intelligence agencies had wanted the report to give them a clean bill of health, but instead several caveats were added at the request of privacy advocates such as the inclusion of the word “knowingly” [Source]

UK – UK Government Now Says it is NOT Going to try to Ban Encryption

Business Insider has seen a letter sent from Baroness Shields, the minister for internet safety and security, to an MP in which Shields says “this government supports encryption, which helps keep people’s personal data and intellectual property safe from theft by cyber means. It is fundamental to our everyday use of the internet. Without the development of strong encryption allowing the secure transfer of banking details there would be no online commerce.” [Source]

UK – Mass Surveillance: My Part in the Reform of GCHQ and UK Intelligence Gathering

“When I sat down with an ex-minister, former security chiefs, internet execs and others, today’s report on oversight of bulk data collection seemed a long way off. Yet we did. The Royal United Services Institute panel was set up by Nick Clegg, the then deputy prime minister, in response to revelations from the US whistleblower Edward Snowden about the scale of intrusion by US and British intelligence agencies into private lives. Our remit: to look at the legality, effectiveness and privacy implications of government surveillance; how it might be reformed; and how intelligence gathering could maintain its capabilities in the digital age. It wasn’t easy and there were several times when I thought I would be writing a minority report with one or two of the panel members. But in the end we reached consensus: the report – published today – proposes that the security services continue with bulk collection of communications data, but with improved oversight and safeguards. [Source]

UK – Review Clears UK Spies of Illegal Surveillance, Says Laws Need Overhaul

“We have seen no evidence that the British government knowingly acts illegally in intercepting private communications or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens,” the ISR concluded. “On the other hand, we have seen evidence that the present legal framework authorising the interception of communications is unclear, has not kept pace with developments in communications technology, and does not serve either the government or members of the public satisfactorily.” [Source]

US – New Privacy Debate Focuses on Government Access to Emails, Texts, Calls

The power, which comes from Section 702 of the 2008 FISA Amendments Act, was supposed to be aimed at foreign nationals living outside the USA but has ended up being used to collect massive amounts of personal communication from Americans. That data, which can also include photos, texts and instant messages, can be gathered by U.S. intelligence agencies without a warrant as long as it crosses the U.S. border electronically at some point. Given the fluid nature of electronic communications and data storage, that happens all the time …A majority of House members agreed, voting 255-174 in June for legislation by Massie and Rep. Zoe Lofgren, D-Calif., to prohibit intelligence agencies from using federal funds to search the data they collect under Section 702 for information about Americans. …But security hawks in Congress and the Obama administration are pushing back, vowing to fight any effort to weaken government surveillance programs at a time when terrorist threats from the Islamic State and other terrorist groups are on the rise. [Source] See also: [Spying on the Internet is Orders of Magnitude More Invasive Than Phone Metadata] [It’s Not Just the NSA — the IRS Is Reading Your Emails Too]

US – NSA Collection Fight Will Return to Second Circuit

Instead of clarifying the matter, Congress sparked another controversy with the passage of the USA Freedom Act, which gave the government a 180-day transition period before it goes into effect on Nov. 29. The government interpreted this clause as giving the NSA a window to continue with the same program that the Second Circuit had recently found illegal. Late last month, a judge from the Foreign Intelligence Surveillance Court endorsed that view, and the ACLU immediately vowed to return to New York to continue its fight. [Source]

US – Court Asked to Kill Off NSA’s ‘Zombie Dragnet’ of Americans’ Bulk Phone Data

The ACLU’s major contention in support of the requested injunction is that, despite the Freedom Act’s provision for a transition period, the underlying law authorizing the bulk surveillance remains the same Patriot Act provisions that the Second Circuit held do not justify the NSA phone-records collection. “There is no sound reason to accord this language a different meaning now than the court accorded it in May. [The Patriot Act] did not authorize bulk collection in May, and it does not authorize it now,” reads the ACLU brief. [The Guardian]

US – USA FREEDOM Act: Protector of Civil Liberties or Window Dressing?

In the month since Congress’ action, however, debate has continued about whether the USA FREEDOM Act actually curtailed government surveillance programs or whether it is mere window dressing. …the weeks since June 2 have seen a more measured and increasingly negative view of the real impact of the act. Several commentators have argued that the NSA’s bulk telephone collection program is only one minor NSA surveillance program and that too many others run by the government remain intact. Freedom Watch’s founder Larry Klayman called the act a “sham,” arguing that the NSA—and the Central Intelligence Agency (CIA)—will “do as they please” in surveillance activities. InfoWorld’s security columnist Roger A. Grimes argued that under the USA FREEDOM Act, only a “small part of a single NSA data collection program was barely modified,” while “nearly every other NSA program is intact.” Other commentators have described the act as “Orwellian,” “Inscrutable,” and “a Virtual Scam.” [Source]

US – EPIC Calls on FTC, DOJ for Inquest

The Electronic Privacy Information Center (EPIC) wrote to the FTC and DoJ to formally request an investigation of Google, Samsung, Mattel and other companies’ “always on” devices in an attempt to identify and curtail potential privacy issues. EPIC cited among its items of concern everything from Barbie dolls that record voices to Samsung’s smart TV. The letter asks “whether the products store people’s communications and whether security measures like encryption are in place to protect the recorded data,” the report states. Among the target companies and government agencies, only Samsung and home camera-maker Canary Connect have responded, the report states. [CIO]

US – Advocates Cynical as NTIA Drone Talks Approach

On August 3, the National Telecommunication and Information Administration (NTIA) will meet with privacy groups in an effort to understand the regulatory privacy measures necessary for drones. This is the third iteration of talks of this nature, which thus far have ended without consensus and with privacy groups leaving frustrated. “Consumer and privacy groups don’t have confidence in the process,” said Center for Digital Democracy Executive Director Jeffrey Chester. “Protecting privacy from the use of drones requires a serious effort that the NTIA has so far failed to demonstrate.” [PCWorld]

WW – Surveillance Company Hacked

Hacking Team (HT), a controversial surveillance technology developer, was itself hacked over the weekend. The company has been criticized by digital activists in the past for allegedly supplying repressive governments with powerful surveillance technology, potentially used to spy on political dissenters, human rights activists and journalists. On Sunday, the company’s Twitter handle was hacked and included several screen shots of stolen data, including the user names and passwords of company executives. According to the report, approximately 400 gigabytes of data was stolen from the firm. The ACLU’s Christopher Soghoian said the data “dump includes an .xls spreadsheet listing every government client, when they first bought HT and revenue to date.” [PCWorld]

US – Hacking Team Leak Indicates FBI Dealings, TOR Circumvention

A 400 gigabyte online “document dump” of data stolen from spyware organization Hacking Team highlights the technology developer’s alleged dealings with the FBI and other groups. One of the hacked spreadsheets indicates the FBI has paid Hacking Team more than $773,226 since 2011 “for services related to the Hacking Team product known as ‘Remote Control Service,’ which is also marketed under the name ‘Galileo,’” the report states. Another document discusses Hacking Team’s ability to bypass the HTTP strict transport security mechanisms designed to make HTTPS website encryption more reliable and secure. “Our solution is the only way to intercept TOR traffic at the moment,” the document said. [Ars Technica]

WW – Alibi App Lets Smartphones Record Video, Audio, Location 24/7

It could be an argument with a friend over what was said, an uncomfortable interaction with a co-worker or a routine police stop that turns sour. These are the kinds of situations that leave people wishing they could hit rewind on their lives and re-watch the situation to prove they were in the right. A new smartphone app could be that reliable witness. Alibi works in the background to record audio, video and location 24 hours a day, seven days a week, to document what really happened when there are conflicting accounts. Users download the app onto their smartphones. They only have to start it up once and Alibi will continuously work in the background to record audio, video and location. After the app records for one hour all of the data is automatically deleted. None of the recordings are stored by the company. If someone finds themselves in a situation where they want the data saved after an encounter, users can open the app and hit save. Alibi will save the last hour of recordings and hide the file on the person’s phone so it cannot be tampered with by anyone else. [CBC News]

NZ – New Drone Rules Protect Home Privacy

New drone regulations come into effect on August 1, banning the small aircraft from flying over houses without the property owner’s consent. “The Privacy Commission has only received one complaint to date, but it’s hard to tell how many the police have fielded to date because they don’t really [know] much about it, they’ve got no policy.” Part of the reason for the lack of complaints was the lack of regulations concerning drones. The most significant new rule that will come into effect in August is that drone operators will have to gain the consent of property owners before flying over their house, and of the people they fly over. “That covers things like sporting events, music events… unless there is an exemption obtained by the Civil Aviation Authority, they can’t cover those events without the consent of every single person they will fly over.” The rules are prompted by both privacy and security concerns, says Mr Iorns. “That comes down to a safety consideration – we don’t want drones of up to 15kgs dropping out of the sky and landing on people’s heads.” [3news.co.nz]

US – Oakland Seeks Control of Law Enforcement Surveillance

Fed up with unwarranted spying by police, residents of the California port city of Oakland are pushing back by developing the first enforceable city legislation to regulate the purchase and use of surveillance equipment by law enforcement agencies. If approved, the legislation could make Oakland a national trailblazer for privacy rights campaigners alarmed at the rise of cameras, “stingrays” and other surveillance technologies used by law enforcement. Activists are hopeful that in the coming months the city council and mayor’s office will appoint members of a privacy advisory committee to draft a city ordinance on surveillance. They say this will be a big win for residents and a significant change from 2013, when the Oakland police, fire and port officials proposed to use $2m in federal grant money to expand a surveillance program from the port of Oakland to the entire city. [The Guardian]

UK – Body-Worn Cameras Pose Data Protection and Privacy Concerns, Warns CCTV Commissioner

The rise of body-worn cameras poses serious data protection and privacy concerns for the public, according to the UK government’s surveillance camera commissioner. Tony Porter noted that while police use of body-worn cameras, such as by the Metropolitan Police, is governed by strict rules and regulations, other organisations that use the technology lack the same oversight. “I’m talking about door supervisors at night clubs, traffic enforcement officers and environmental officers,” he said. As such, Porter said questions need to be asked about training, data security and who has access to recordings of the public. Porter also discussed the UK’s automatic number plate recognition (ANPR) system, which captures around 27 million images every day. The commissioner questioned the transparency surrounding the number of ANPR cameras that currently exist. Porter is currently reviewing the operation of the Surveillance Camera Code of Practice and will present his findings to home secretary Theresa May later this year. The code was introduced in 2013 to curb the excessive use of cameras for surveillance by increasing numbers of private and public sector organisations, and an updated version was issued in 2014 by the Information Commissioner’s Office. [v3.co.uk] See also: [A new Florida law “shields the footage taken by police body cameras from public view.” The new measure includes a privacy exception preventing the disclosure of such videos, including those taken in homes, at hospitals or at the scenes of medical emergencies]

UK – Home Secretary Named “Internet Villain” for Surveillance Powers Push

Congratulations, Theresa May! The internet hates you. The British cabinet secretary in charge of home affairs, policing, and counter-terrorism received a gong, part of the annual UK Internet Industry Awards, for “forging ahead with communications data legislation that would significantly increase capabilities without adequate consultation with industry and civil society.” Privacy International, a civil liberties group, picked up the award on her behalf. The home secretary, unshackled from her Liberal Democrat coalition partners following a surprise majority victory earlier this year, is pushing ahead with a rapid expansion of the UK’s investigatory and law enforcement powers. The so-called “snoopers’ charter” would allow police and intelligence agencies to grab British phone and email records to prevent terrorism. But the bill has been pushed through parliament with almost no consultation with the phone and internet providers who will be affected the most. The “snoopers’ charter” bill is due before parliament in the coming months, though no specific date has been set. [zdnet.com] [EU – Head of EU data protection says trading privacy for security is a “false fad”]

Telecom / TV

US – PayPal Walks Back Its Controversial Robocalling Policy

PayPal is changing its tune on sending you automated phone calls and text messages in the face of pushback from regulators and consumers. The company is again amending its user agreement just two days before its updated policies were to take effect. Under the changes, PayPal promises not to robocall you unless you’ve previously given the company your prior, express written consent. That means it also won’t require users to opt-in to receiving robocalls as a condition of continuing to use the mobile payments service. And the company is also clarifying its user agreement to state that PayPal will primarily use robocalling to “detect, investigate and protect our customers from fraud” or to notify users about account activity. That’s a significant turnaround from its previous proposed revisions, which required that all customers agree to accept robocalls if they wanted to keep using PayPal. The proposal sparked letters from concerned lawmakers and even the Federal Communications Commission, which has strict rules about robocalling and telemarketing. [The Washington Post]

US Government Programs

US – New Docs Shed Light on EO 12333; Former NSA GC Discusses Privacy

The Christian Science Monitor’s Passcode reports on a slew of documents released by the ACLU about Executive Order (EO) 12333. Signed by President Ronald Reagan in 1981 and strictly run under the executive branch, EO 12333 permits the Central Intelligence Agency (CIA) to collect foreign Internet communications in bulk. However, the documents show that the CIA can direct the NSA or FBI to conduct domestic surveillance on its behalf. Meanwhile, former NSA General Counsel Rajesh De discusses the role privacy plays in the agency, saying it is highly regulated and that the Foreign Intelligence Surveillance Act “is anything but a rubber stamp.” [Full Story]

US – Poitras Suing Over Unanswered FOIA Requests

Filmmaker Laura Poitras is suing the U.S. government after receiving no response to her Freedom of Information Act requests for documents pertaining to the government’s targeting of Poitras at U.S. and foreign airports, The Intercept reports. Poitras was searched, interrogated and detained more than 50 times over six years. Officials seized her notebooks, laptop, cell phone and other personal items. “I’m filing this lawsuit because the government uses the U.S. border to bypass the rule of law,” said Poitras in a statement. The filmmaker, who won an Oscar for Citizenfour, said she hopes the suit will also bring attention to those who are less well known but are also harassed at the border. [Full Story]

US – CFPB Wants Companies to Build In Privacy

As private-sector corporations move to streamline their online payment processes, making them faster and more convenient for customers, the Consumer Financial Protection Bureau (CFPB) has released its guiding principles for organizations to protect consumers. “Companies developing new financial technologies should be building systems from the outset with consumer protections in mind,” said CFPB Director Richard Cordray. “It is a lot easier to build something right from the start than it is to retrofit it. The CFPB will continue our work to help ensure that financial services marketplaces are safe and transparent for consumers.” [Full Story]

US – FTC Announces Data Security Education Initiative

The FTC announced a new initiative aimed at educating businesses on data security best practices. The agency also announced a series of workshops to help flesh out specific data security needs for start-ups and small- to medium-sized organizations. The “Start with Security” initiative also includes new guidance for businesses. “Promoting good data security practices has long been a priority for the FTC,” said FTC Bureau of Consumer Protection Director Jessica Rich in a press release. “The new Start with Security initiative shares lessons from the FTC’s 54 data security cases,” she noted, adding, “Although we bring cases when businesses put data at risk, we’d much rather help companies avoid problems in the first place.” [Full Story]

US Legislation

US – Recover Act Aims to Assist OPM Breach Victims

Nine House Democrats have unveiled the Recover Act, a bill that would provide “lifetime identity-theft monitoring” for the millions of victims of the recent Office of Personnel Management (OPM) breaches. “Much of the OPM data is lifetime and permanent background information that cannot be changed like a credit card number,” said Rep. Eleanor Holmes Norton (D-DC), whose bill is a companion to one from Sen. Ben Cardin (D-MD). The bill has support from National Treasury Employees Union President Colleen Kelly, who said it “will go a long way toward protecting individuals from ID theft problems stemming from these devastating data breaches.” [The Hill]

US – 21st Century Cures Bill Passes House

The House of Representatives passed the 21st Century Cures bill, which “contains a controversial provision calling for significant changes to the HIPAA Privacy Rule.” The House approved the bill by a 344 to 77 vote, the report states, noting, “Among the 309-page bill’s many provisions is a proposal that the Secretary of Health and Human Services ‘revise or clarify’ the HIPAA Privacy Rule’s provisions on the use and disclosure of protected health information (PHI) for research purposes.” Patient authorization would not be needed to use PHI for research “if only covered entities or business associates, as defined under HIPAA, are involved in exchanging and using the data,” the report states. [Gov Info Security]

US – Bill Calls for 30-Day Notification for “Sensitive” Data Breaches

Rep. David Cicilline (D-RI) introduced The Consumer Privacy Protection Act as a companion bill to a Senate bill from Sen. Patrick Leahy (D-VT). The bill, which would apply to companies with information about more than 10,000 customers, would require them to notify consumers within 30 days if hackers obtain “sensitive information” and implement security procedures to, in part, minimize the amount of sensitive information they collect. Chris Lewis of Public Knowledge said it creates “a strong federal standard of privacy protections” without preempting more stringent state laws, while the Direct Marketing Association supports a national data breach bill that would preempt state legislation. This week, 47 state AGs wrote to Congress urging it not to pass laws that would preempt state rights. [MediaPost]

US – Senate Intelligence Committee to Push Bill for Site Reporting

The Senate Intelligence Committee will file a bill mandating that if an “electronic communication service provider” has knowledge of terrorist activity on its site, it must report the activity to authorities. The bill has already catalyzed privacy and First Amendment concerns. “Considering the vast majority of people on these sites are not doing anything wrong, this type of monitoring would be considered by many to be an invasion of privacy. It would also be technically difficult,” said one industry official, who requested anonymity. Others disagree. “Ultimately this is a higher-tech version of ‘See something, say something.’ And in that sense, I believe that there is value,” said Leidos Executive Vice President, Michael Leiter. [The Washington Post]

US – Legislators Say It’s Time for Section 702 to Go

Critics of Section 702 of the 2008 FISA Amendments Act are urging Congress to revise it. The act makes data, “which can also include photos, texts and instant messages,” viewable without a warrant by law enforcement “as long as it crosses the U.S. border electronically at some point,” the report continues. “It’s really troubling, and it’s a clear violation of the Fourth-Amendment prohibition against unreasonable searches and seizures,” said Rep. Thomas Massie (R-KY). The call for a revision has majority support in the House, but security officials disagree. “These queries can, among other things, enable analysts to identify terrorist plots,” countered National Intelligence Director James Clapper. [USA Today]

US – States Tighten Data Security Laws

Washington, Oregon, Wyoming, Illinois, and North Dakota have updated their data breach laws this year, and Alabama is on its way to becoming the 48th state to adopt such legislation in the wake of unprecedented data breaches in healthcare, finance, and retail. [Source] [2015 Data Breach Legislation Six Month Review: Many Proposals, Few Changes] Attorneys general from the 47 states that have data breach notification laws have sent Congressional leaders a letter urging them to not preempt states’ rights in investigating breaches.

US – Other Legislative News

Workplace Privacy

CA – Arbitration Decision Rules Employer Not Vicariously Liable for Employee’s Privacy Breach

A recent decision of the Ontario Grievance Settlement Board raises the interesting question of an employer’s vicarious liability for an employee’s privacy breach. Vicarious liability occurs when the law holds one person responsible for the misconduct of another because of their relationship. The most common relationship giving rise to vicarious liability is the employer and employee relationship. In Ontario Public Service Employees Union v. Ontario 2015 CanLii 19325 [ON GSB] one employee (“Employee X”) inappropriately accessed the employment insurance file of a co-worker (“Ms. M”) who was away from the workplace due to sickness. The inappropriate access took place during work hours and Employee X discussed Ms. M’s personal information with other employees. There was no work reason for Employee X to be accessing Ms. M’s EI file. The Employer had appropriate policies in place that prohibited the use of the Employer’s IT resources for unacceptable activities and was proactive when hiring new employees to instruct them in connection with their obligations to keep information private. Upon being made aware of the unauthorized accesses to Ms. M’s EI file the Union representing Ms. M filed a grievance. During the hearing of the grievance the Union put the Employer on notice that it would bring a motion before the Grievance Settlement Board to determine the effect of the tort of intrusion upon seclusion to the disposition of the grievance. After reviewing the law in relation to vicarious liability in the employment context and the evidence pertaining to the incident, including the Employer’s hiring practices and the Employer’s privacy policies, the Board concluded that the Employer was not vicariously liable for the actions of Employee X. The Board was of the view that the “wrongful act” of snooping in Ms. M’s EI file was not sufficiently related to conduct authorized by the Employer to attract vicarious liability. 
Employee X’s actions were viewed by the Board as being the actions of a rogue employee who, for her own purposes accessed Ms. M’s EI file. It was not an action that could be seen to “further the employer’s aims”. The actions were done without the employer’s sanction or knowledge. The Board accepted the Employer’s evidence that it knew nothing of the intrusion until being told of it by a co-worker of Ms. M. Upon learning of the intrusion the Employer took immediate action to investigate and manage the issue. The evidence indicated that Employee X had received a significant suspension. The decision, although good news for the Employer, did not leave Ms. M without a remedy. Like the plaintiff in Jones v. Tsige, Ms. M would still be permitted to sue Employee X at common law for damages for the tort of intrusion upon seclusion as a result of her unauthorized snooping. [Cox and Palmer Law Publications]


16-30 June 2015


US – Privacy Groups Walk Out of NTIA Facial Recognition Talks

Nearly two years into talks on developing a voluntary code of conduct for the commercial use of facial-recognition technology, several privacy advocacy groups have walked out in protest. “At a base minimum, people should be able to walk down a public street without fear that companies they’ve never heard of are tracking their every movement—and identifying them by name—using facial-recognition technology,” the groups wrote in a joint statement. “Unfortunately, we have been unable to obtain agreement even with that basic, specific premise.” The National Telecommunications and Information Administration’s Juliana Gruenwald said the agency was disappointed in the departure, but added it “will continue to facilitate meetings on this topic for those stakeholders who want to participate.” [The New York Times] [Facebook Unveils New Technology: Fortune examines Facebook’s new service called Moments, suggesting it expands the use of the social network’s “powerful ‘faceprint’ technology.”] [Source]

US – Company Must Pay $2.2 Million in Forced DNA Testing Case

A jury has ruled that Georgia-based Atlas Logistics must pay two employees a combined $2.2 million for forcing them to submit to a cheek swab to determine if their DNA was a match to feces being left throughout the warehouse facility. Atlas Logistics claimed the “genetic information” involved wasn’t covered by the Genetic Information Nondiscrimination Act, arguing the act excludes analysis of DNA, RNA, chromosomes and other matter if they don’t reveal an individual’s propensity for disease. But U.S. District Judge Amy Totenberg “refused to toss the case,” the report states, ruling the “plain meaning of the statute’s text” was satisfactory for the case to go forward. [Ars Technica]

US – Class-Action Filed Against Shutterfly

A Chicago man has filed a class-action lawsuit in an Illinois federal court claiming photo-service Shutterfly is violating a law that restricts how companies collect biometric data. Brian Norberg says he has never used Shutterfly, but someone else uploaded his photo to the site and tagged it with his name, leading to him being added to a database without his consent. The suit seeks $1,000 to $5,000 “for every Illinois resident” whose face was added to the Shutterfly database without permission. [Fortune]

US – Will Advanced Facial Recognition Quell Privacy Fears?

Fortune examines Facebook’s new service called Moments, suggesting it expands the use of the social network’s “powerful ‘faceprint’ technology.” The facial-recognition technology has 83% accuracy at identifying users. And it doesn’t need to see your face to identify you, which the company argues will assuage privacy concerns. Facebook’s Yann LeCun “imagines such a tool would be useful for the privacy-conscious—alerting someone whenever a photo of themselves, however obscured, pops up on the Internet,” the report states. Not everyone agrees. The Christian Science Monitor suggests that “once a face is converted to data points and made machine-readable, it ceases being a public-facing part of ourselves that we voluntarily expose to others. It becomes a resource that others control.” [New Scientist] [Think it’s cool Facebook can auto-tag you in pics? So does the government] [Technology is growing accustomed to our face]

UK – Police to Scan Concert Crowds with Facial Recognition

Police in a UK county are going to use facial recognition technology to surveil an upcoming concert. The Leicestershire Police, responding to a Freedom of Information request filed by reporters at The Register, said that surveillance cameras positioned at the Download Festival will scan faces of attendees and compare them to a local mugshot database. It’s a policing strategy that’s on the rise in the UK, but it has also been subject to some intense scrutiny. English and Welsh police have faced criticisms over their uploading of the mugshots of innocent people to a national database, and more recently Police Scotland has had to deal with some PR issues having been compelled to disclose its own such practices. But such systems are undeniably useful to police; earlier this year the head of Scotland Yard went so far as to call on British citizens to install their own CCTV security in their homes so that police could use facial recognition technology in the event of a burglary or other such incident. [Source] See also: [Churches are using facial recognition software to spy on members]

WW – Auto Company Considering Brain-Monitoring Tech

Jaguar hopes to utilize “brain-monitoring technology” to improve car safety. “These research projects are investigating how we could exploit this for the benefit of our customers and other road users,” said Jaguar’s Wolfgang Epple. The company views this step as a conduit between self-driving cars and the current state of affairs. “The car may have to hand off control to a driver at some point, and it’s critical to know if the driver is ready,” the report states, noting the company is also interested in “monitoring its drivers’ health” and is “testing a ‘medical-grade sensor’ that can be embedded in a seat and monitor heart rate and breathing through vibrations.” [The Verge]


CA – PIPEDA Changes Finally Pass

Parliament has finally amended the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”). The Digital Privacy Act (the “DPA”), which amends PIPEDA, received royal assent on June 18, 2015. Significant changes to PIPEDA include:

  1. Breach Reporting

Under the DPA, organizations will be required to notify the Office of the Privacy Commissioner of Canada (the “OPC”) and affected individuals of a breach of security safeguards. Furthermore, organizations will be required to keep a record of all data breaches (whether or not they meet the harm threshold), and must report all breaches to the OPC upon request. Knowingly failing to report or record a breach will be an offence punishable by fines of up to C$100,000. The provisions of the DPA relating to privacy breaches have not yet come into force, but will become mandatory once the associated regulations have been enacted.

  2. Amendment to the definition of “personal information” and new provisions respecting “business contact information”

Previously “personal information” excluded certain information about an employee of an organization. Now “personal information” includes any information about an identifiable individual. However, a new definition of business contact information has been added to PIPEDA, and such information is excluded from the application of Part 1 of the Act.

  3. Changes to Consent

The DPA amends PIPEDA to explicitly state that consent is only valid if it is reasonable to expect that the individual would understand the nature, purposes and consequences of the collection, use or disclosure of his/her personal information. In addition, new exceptions to PIPEDA consent requirements have been introduced, which apply to:

  • PI in witness statements related to insurance claims.
  • PI produced by an individual in the course of his/her employment, business or profession.
  • Disclosure for the purposes of communicating with the next of kin or authorized representative of an injured, ill or deceased individual.

  4. Changes affecting employee privacy

The DPA introduces exceptions to the consent requirements in PIPEDA where collection, use or disclosure of personal information is necessary to establish, manage or terminate an employment relationship. However, notice must still be provided to the individual. PIPEDA has also been amended to clarify that it applies to job applicants. However, it is important to remember that PIPEDA only applies to employees and applicants of federally-regulated employers.

  5. Business Transactions

The DPA introduces exceptions to the consent requirements in PIPEDA in the context of business transactions (broadly defined), provided that certain conditions are met.

  6. Compliance Agreements

The DPA amends PIPEDA to explicitly allow the OPC to enter into compliance agreements with organizations. Such agreements may contain any terms that the OPC considers necessary to ensure compliance with Part 1 of the Act. [Source]

CA – The Digital Privacy Act: What You Need To Know Now

Parliament has passed the Digital Privacy Act, or Bill S-4. “The act received Royal Assent on June 18, with some amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) going into force immediately,” Timothy Banks writes, adding, “These are the first major amendments to PIPEDA since it was enacted 15 years ago.” And while the mandate requiring breach reporting to the Office of the Privacy Commissioner is not yet in effect, Banks notes, “there are still a number of amendments that are important for organizations to consider now” and provides a “cheat-sheet” of key amendments. [Privacy Tracker]

CA – Canada’s Mandatory Breach Notification and More

The Digital Privacy Act, or Bill S-4, makes a number of important amendments to the Personal Information Protection and Electronic Documents Act, most of which are now in force. In this web conference, hear from Fasken Martineau DuMoulin Partner Alex Cameron, who has written on the changes to the law, and from Peggy Byrne, managing counsel and privacy for CIBC Legal Department, about the key changes and their potential impacts for all organizations handling personal information about Canadians. Topics to be covered during the July 23 web conference include mandatory breach notification, mandatory record-keeping, new consent and disclosure requirements and penalties, enforcement and reputational considerations. [Full Story] [Toronto Star’s View: Lift veil of secrecy on detainee deaths in Border Services custody]

CA – Spies Wanted Mere Tweaks, Government Launched Privacy Overhaul

The Conservative government alarmed privacy advocates by overhauling the law to give Canada’s spy agency easier access to federal data, even though the spies themselves said greater information-sharing could be done under existing laws, newly released documents show. In a presentation to federal deputy ministers last year, the Canadian Security Intelligence Service said “significant improvements” to the sharing of national-security information were possible within the “existing legislative framework.” Earlier this year the government introduced an omnibus security bill that included the Security of Canada Information Sharing Act, intended to remove legal barriers that prevented or delayed the exchange of relevant files. The legislation, which recently received royal assent, permits the sharing of information about activity that undermines the security of Canada, something law professors Craig Forcese and Kent Roach called “a new and astonishingly broad concept.” Privacy commissioner Daniel Therrien denounced the scope as “clearly excessive,” saying it could make available all federally held information about someone of interest to as many as 17 government departments and agencies with responsibilities for national security. The government still hasn’t made a case for dismantling barriers to information-sharing, said Carmen Cheung, senior counsel at the B.C. Civil Liberties Association. [Source] [Canada: How the budget bill quietly reshapes privacy law: Geist] [CA – Human Rights Tribunal finds Ottawa retaliated against First Nations Child Rights Worker]

CA – Snowden Leaks Hurt Canada, Spy Agency CSE Says

Canada’s electronic spy agency says leaks by former U.S. intelligence contractor Edward Snowden have “diminished the advantage” it enjoyed over terrorists and other targets, both in the short term and — of more concern — well into the future. In newly released briefing notes, the Communications Security Establishment says Snowden’s disclosures about CSE’s intelligence capabilities and those of its allies “have a cumulative detrimental effect” on its operations. The CSE spokesman declined to provide specific examples of damage to back the assertion that the leaks are undermining Canada’s attempts to fight terrorism, but said the continuing publication of sensitive material was “rendering techniques and methods less effective.” [Source] [CA – The False Choice Between Security And Privacy] See also: [Schneier: China and Russia Almost Definitely Have the Snowden Docs]

CA – Ontario: Controversial Court Security Act Proclaimed Into Law

A new provincial law intended to increase security at courthouses and other facilities gives police overly broad powers and may even be unconstitutional, according to some Ontario lawyers. The government, however, is continuing to stand by the new law, insisting it doesn’t in fact provide police with any new powers at all. The act’s most troubling feature, according to lawyers, is the fact it gives police the power to search the vehicles of people entering court premises without a warrant. Other lawyers express similar concerns. “They’ll get shot down by the Supreme Court on this,” says criminal defence lawyer Roots Gadhia. But Anthony Moustacalis, president of the Criminal Lawyers’ Association, says the act’s predecessor, the Public Works Protection Act, included a power to search the vehicle of a person entering any public work or building without a warrant. In a sense, then, the new act simply narrows that power, he suggests. [Law Times] [CA – Sensitive info used for ‘troubling’ targeted ads, watchdog warns]

SK – Non-Responses Concern Privacy Commissioner

After one year on the job, Saskatchewan’s privacy commissioner, Ron Kruzeniski, has proposed 35 amendments to significantly update more than two decades of provincial privacy and access to information legislation. The amendments are contained in the Office of the Saskatchewan Information and Privacy Commissioner’s (OIPC) annual report (It’s Time to Update) released this week. Kruzeniski also highlighted several concerns from the past year – including that public bodies did not respond to 25% of reports sent out with recommendations. In terms of the proposed amendments to the Freedom of Information and Protection of Privacy Act (FOIP) and the Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), Kruzeniski identified three that stood out from the rest – mandatory reporting of privacy breaches, the duty to protect private information collected and including municipal police in the legislation. Kruzeniski noted that Saskatchewan is one of only two provinces (the other is P.E.I.) that don’t include municipal police forces in privacy and access to information legislation. The RCMP is included in federal privacy legislation. Other proposed amendments in the report include reducing a government institution’s allowed response time to 20 days from 30 days and including consultants, advisers and information technology specialists in privacy legislation to protect personal information they collect. [Source]

CA – Class-Action Lawsuit Against Facebook Stopped by B.C. Court

BC’s top court has stopped a class-action lawsuit filed by a Vancouver woman against Facebook Inc. over a now-defunct advertising product. Deborah Douez alleged the product known as Sponsored Stories used the names and images of Facebook members without their consent, breaching Section 4 of B.C.’s Privacy Act. But her case pitted the law, requiring lawsuits filed under the Privacy Act to be heard in B.C. Supreme Court, against a clause in Facebook’s Terms of Use, requiring legal complaints against the company to be filed in Santa Clara County, Calif. A lower court judge sided with Douez in May 2014, ruling the Privacy Act overrode Facebook’s Terms of Use and certified the class-action lawsuit. However, in a unanimous decision posted online, the B.C. Court of Appeal agreed with Facebook, ruling the judge made a mistake in interpreting the law and staying the class-action proceedings. [Source]

CA – Facebook Evidence Access Delaying Nova Scotia Court Cases

Facebook is all about instantly sharing your experiences, but one lawyer says the company isn’t as quick to share evidence for court cases. Legal aid lawyer Megan Longley says many of her cases involve comments or messages made on social media, but recovering that information from Facebook can be difficult. “The only way to access that would be through Facebook headquarters in California, which involves a court order at the national level in Canada that then gets sent to the States for disclosure orders,” says Longley, the managing lawyer of Nova Scotia Legal Aid’s youth justice office. That can take months, even up to a year, she says. [Source] [Winnipeg police accidentally broadcast lewd conversation from helicopter] [Camera with photos of 12 dead forgotten by B.C. coroner at bus stop: documents] [Beware Of Mortgage or Title Fraud] [How to Fraud-proof Your Home] [CRA Phone Scam Uses Fear of Tax Man to Swindle ‘Not So Smart’ Canadians]

CA – Canada’s Privacy Commissioner Not Satisfied with How Targeted Ads Work

Online Behavioural Advertising (OBA) involves tracking consumers’ online activities, across sites and over time, in order to deliver advertisements targeted to the consumers’ apparent interests. In 2011, the Office of the Privacy Commissioner of Canada (OPC) issued guidelines to help the various organizations involved in OBA ensure that their practices are fair, transparent, and in accordance with PIPEDA. In a new report, the commissioner highlights the key requirement:

  • Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent. Therefore, if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.

And the issue:

  • Previous observations of major websites and the ads they contain suggested that, while ads are often tailored based on past web activities, there may be little notice of OBA practices and no easy ability to opt out.

“Using simple testing methods, we were able to see that OBA is being used on just over half of the websites used for the research,” Canada’s privacy watchdog concluded in its report. “We observed multiple examples where ads were targeted based on prior online activities that were related to sensitive topics without opt-in consent. We found that the procedures for opting out of OBA were often unsatisfactory.” [Source] [Genetic testing company’s use of child’s image outrages mother Christine Hoos]

CA – Advertisers React to OPC Online Behavioural Advertising Study

More than one in 10 behavior-based ads related to personal topics like divorce, bankruptcy, and pregnancy failed to comply with federal privacy guidelines, a new study shows. According to guidelines from the Office of the Privacy Commissioner of Canada (OPC), targeted digital ads involving sensitive personal information should require consumers to opt in if they want to receive such advertising. Yet 34 of the 300 targeted ads tracked in an OPC study required users to opt out, even though they dealt with that type of information. Overwhelmingly, however, the study shows Canadian advertisers are jumping onboard a new program to give consumers more information and control regarding behavior-based ads. Although almost all of the targeted ads studied by the OPC featured Ad Choices icons, the OPC report concludes that “using the Ad Choices icon (is) often difficult.” Sometimes the icons were hard to see, placed very far away from ads, led to a foreign Ad Choices site or required several steps to opt out of behavior-based ads. In April, Bell Canada responded to criticism from OPC by announcing plans to replace its behavior-based ad program – which automatically tracked customers’ mobile browsing habits – with an opt-in version instead. Also in April, research by the Canadian Marketing Association found that 33% of Canadians are comfortable with OBA if the advertiser is transparent about it and gives them a chance to opt out (scroll to the bottom of this article for an infographic with this research). That rises to 41% for consumers aged 18 to 24 and hits 42% for all ages if the consumer understands how the Ad Choices icon works. [Source]

CA – Canadian Government Websites Under Cyber Attack: Clement

The federal government says its websites were under a cyber attack this week, which affected email and Internet access. Treasury Board of Canada president Tony Clement tweeted that the websites were affected by a denial-of-service attack, designed to make a computer or network incapable of providing normal services to its users. He didn’t say who was responsible for taking sites, including justice.gc.ca, csis.gc.ca, Canada.ca and news.gc.ca, offline shortly after 12 p.m. Nor did he say how long the outage would last. Service for those four sites was restored later Wednesday afternoon. But sporadic outages continued. [Source]

CA – Ontario to Regulate Controversial Police Stops, Known as Carding

Ontario will regulate but not ban police street checks, a controversial tactic known in Toronto as carding and a practice critics say amounts to racial profiling. It’s not acceptable for police to stop and question a member of a racialized community for no reason then to record that person’s information in a database, Community Safety Minister Yasir Naqvi said. But when asked why he wouldn’t eliminate police street checks altogether, Naqvi said it’s important both for police to be able to engage with the communities and that they’re able to investigate any suspicious activity. [Source]

CA – Elections Canada Warns Voters About New ID Requirements For 2015 Election

Elections Canada is urging all voters who may be missing appropriate identification to get their paperwork done in the few months remaining before the country goes to the polls. The list of acceptable forms of identification voters can use when they cast their ballots this Oct. 19, however, is quite long. The controversial Fair Elections Act the Conservative government introduced last year did away with the practice of vouching, which allowed someone with required identification to vouch for someone who did not at a polling station on the day of the vote. The legislation also removed the ability to use a voter identification card as a way to prove where one lives. [Source]

CA – Watchdog Alleges Conservatives Pressed for Speedy Gun Registry Deletion

Bureaucrats felt pressured to speed the destruction of the long-gun registry from the senior ranks of the Conservative government, the public service, and the national police force, Canada’s information watchdog alleges in new court documents. The allegations, the result of a lengthy investigation by Information Commissioner Suzanne Legault, are expected to form part of the basis for a court challenge alleging the deletion of the data violated Canadians’ charter rights. The sworn affidavit suggests public servants were ordered to speed up the deletion of the long-gun data, including backups, after Legault’s office told the Conservative government that copies must be kept for an outstanding access to information request and investigation. [Source]

CA – Changes to Ontario’s Health Privacy Laws Deserve Wide Support: Editorial

Time to chalk up a significant victory for the privacy of patients in Ontario. Health Minister Eric Hoskins has done the right thing by bringing in sweeping legal changes that will allow authorities to prosecute snoopers more easily and require hospitals to declare breaches of patient privacy. These reforms, announced this week, come after months of reporting by the Star’s Olivia Carville that showed gaping holes in the rules intended to keep patients’ health information confidential. Most strikingly, Ontario’s Personal Health Information Protection Act (PHIPA) has resulted in exactly zero successful prosecutions after more than a decade in force — even though the provincial privacy commissioner receives reports of hundreds of health-related privacy violations every year. Now the government plans to overhaul the law to get rid of some of the biggest obstacles to enforcement. It will do away with the six-month deadline to lay charges under the act, making it easier for investigators to gather sufficient evidence for a successful prosecution. And the maximum fine for those violating patients’ privacy will be doubled from $50,000 to $100,000. In addition, Ontario’s hospitals will be required to report all breaches of patient privacy to regulatory colleges and the privacy commissioner. Until now, hospitals were allowed to handle violations internally, making it impossible to track the size of the problem across the province or fix breakdowns in the system. [Source]

CA – Privacy Watchdog Raises Awareness of Court Decisions Indexed Online

Canada’s privacy watchdog says it was the power of persuasion that helped get results for more than two dozen Canadians who had details of their legal troubles posted on a Romanian website. Daniel Therrien, the federal Privacy Commissioner, wrote in his annual report to Parliament last week that the Office of the Privacy Commissioner (OPC) received 27 complaints in 2014 about the website, which republishes court decisions from several jurisdictions with a large focus on Canada. Mr. Therrien said an absolute ban on indexing court rulings “would get into territory similar to conversations in Europe about the ‘right to be forgotten,’ which puts into play the need to ensure as much privacy as possible.” He said the OPC is studying the “right to be forgotten” in the Canadian context and plans to release a discussion paper on the topic within the year. [Source]

CA – Ontario Allows Real Estate Documents to Be Signed Electronically

Ontario is making the process of buying or selling a home easier by allowing real estate documents to be signed electronically. Effective July 1, 2015, changes to the Electronic Commerce Act will make electronic signatures legally equivalent to signatures on paper documents for real estate transactions. Under current rules, when a home or property is sold, dozens of hard copy documents such as offers and agreements of sale, must be signed by hand. Allowing these transactions to be signed electronically will also make it easier to send documents electronically and save time for anyone buying or selling property, especially when the two parties are separated by distance. [Source]


US – Privacy Tops Consumer Concerns About Tech Innovation

According to Edelman’s Earned Brand survey, privacy tops the list of reasons consumers across the globe—and specifically in Germany, the U.S. and Australia—have misgivings about innovation. Concerns regarding the environment and personal security are next on the list, the report states. “Marketers are missing out on a simple truth: Acceptance of innovation cannot be bought; it must be earned,” said Edelman President and CEO Richard Edelman. “As marketers, we need to evolve our playbook if we want to succeed. We have to address consumers’ fears before we have the permission to sell. Marketing, at the moment, is making it worse.” [Full Story]

US – Report Suggests Young People May Abandon Social Media If Privacy Breaches Continue

With all of the revelations of data snooping and privacy violations at the hands of government agencies and clandestine hacker groups, a new report suggests young people are having buyer’s remorse regarding the amount of social media accounts they’ve poured their life details into. In a report released this week (oddly) by USA Network, survey data shows that 55% of young people would eschew social media entirely “if they could start fresh.” Additionally, if major breaches of their privacy were to continue, 75% of young people said they were at least “somewhat likely” to deactivate their personal social media accounts, with 23% saying they were “highly likely” to do so. Young Americans’ sense of privacy online has been so violated that most of them believe that it’s safer to store their personal data in a box than in the cloud. Indeed, the survey said that physical filing systems were actually listed as the “most trusted” personal data storage method for young people. [Source]

US – Survey: Product Execs Out of Touch with Consumer Expectations

Many consumer product (CP) industry executives may be out of touch with consumers’ opinions on the importance of data security and privacy. That’s according to an online survey by Deloitte of 2,001 U.S. consumers and 70 CP industry executives, in which 80% of respondents said they’re more likely to purchase from CP executives they believe protect their personal information, and 72% said they avoid purchasing from companies that they believe take insufficient measures to protect it. “Many consumer product companies do not seem positioned to gain consumer trust based on their current data privacy and security strategies, policies and systems,” the report states. [CFO Journal]

US – 84% of Americans Want Immediate Breach Notification

A new poll released by the Zix Corporation reveals that 84% of Americans want to be notified immediately after their personal information is breached. The poll surveyed 500 individuals between the ages of 18 and 75 to assess their views and knowledge of data breaches and whether they would change their shopping habits as a result. Ninety-two percent of those surveyed said companies should be required to notify their entire customer base no matter the size of the breach. “As the survey confirms, acknowledgement and opening a clear and honest line of communication can go a long way in rebuilding consumer trust,” said ZixCorp CEO Rick Spurr. [Full Story]

US – Privacy and Young Adults: A Complicated Relationship

A USA Network survey that found 55% of young adults would “eschew social media entirely if they could ‘start fresh’” illustrates what some see as the inconsistency between what young adults say they feel about social media privacy and how they act online. While the survey indicates young adults trust filing cabinets more than the cloud and 75% of respondents were “‘somewhat likely’ to deactivate their personal social media accounts” if breaches continue, the report also cites a Pew Research study that found young adults were “more willing than older Americans to let companies use their personal data for commercial purposes, in exchange for the social-networking functions they value.” [Tech Crunch]


UK – Verify Programme Contains “Severe Privacy and Security Problems”

The UK government has been forced to deny allegations that its identity assurance service, Gov.uk Verify, is littered with security problems and could be used to spy on citizens. According to a research paper titled Toward Mending Two Nation-Scale Brokered Identification Systems, the service has “severe privacy and security problems” and a major flaw within its architecture that could be used to undertake mass surveillance. The main problem lies with the hub that acts as a go-between for government departments, identity providers and citizens. Verify was created by the Government Digital Service as a way for the public to prove who they are when needing to access government services online. The uptake of the service has been slow. The authors of the report claimed that Verify suffers “from serious privacy and security shortcomings, fail[s] to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy.” “Notably, the hub can link interactions of the same user across different service providers and has visibility over private identifiable information of citizens. In case of malicious compromise it is also able to undetectably impersonate users,” the report said. But the government has hit back at the allegations and denied that Verify could be used in mass surveillance. “Gov.uk Verify does not allow for mass surveillance. It does not have any other connection with or ability to monitor people or their data,” it said in a blog post. The researchers recommended that “a formal framework for brokered authentication be devised,” one that would “integrate all the security, privacy and auditability properties at stake, while considering an adversarial model in which any party, including the hub, may be compromised and/or collude with other parties.” [Source]

US – Farmers Want EPA Suit Revived

Following a federal district court’s dismissal of a case filed against the Environmental Protection Agency (EPA) upholding the validity of the EPA’s public release of personal information about farmers and their families, the American Farm Bureau Federation (AFBF) and the National Pork Producers Council filed a brief with the U.S. Court of Appeals for the Eighth Circuit calling the release unlawful. The groups have asked the Court of Appeals to reverse the district court’s decision. The case involves the EPA’s release of a database—including home addresses, GPS coordinates and email addresses—of tens of thousands of farmers and their families in 2013. [The National Law Review]


CA – Report Suggests Law Goes Beyond What CSIS Wanted

Information found in a “heavily censored” copy of a 2014 presentation and memo to the Canadian Security Intelligence Service (CSIS) indicates that CSIS believed “significant improvements” to information-sharing could occur in the “existing legislative framework.” However, legislation that “recently received Royal Assent permits the sharing of information about activity that undermines the security of Canada,” the report states, noting Privacy Commissioner Daniel Therrien is among those who have raised concerns. Therrien “denounced the scope as ‘clearly excessive,’ saying it could make available all federally held information about someone of interest to as many as 17 government departments and agencies with responsibilities for national security,” the report states. [The Canadian Press]

CA – PEI Gets New Privacy Commissioner—Kind Of

Prince Edward Island (PEI) is getting a new privacy commissioner. Karen Rose has been chosen by the legislative management to be appointed PEI information and privacy commissioner, the report states. She was actually the province’s first privacy commissioner in 2002, but she left the post in 2005 citing personal reasons. Rose will replace Maria MacDonald, whose five-year term has expired. “The commissioner will accept appeals … from applicants or third parties who are not satisfied with the response they receive from a public body as a result of an access to information request made under the Freedom of Information and Protection of Privacy Act,” the government site for the commissioner states. [The Guardian]

CA – Supreme Court Rules in Favor of Facebook

A Supreme Court judge has upheld a BC Court of Appeal ruling in favor of Facebook in a 2014 case alleging it used member information “to endorse certain products without their consent.” While the initial suit claimed that Facebook’s actions violated Section 4 of BC’s Privacy Act, the BC Court of Appeal ruled unanimously that the judge’s 2014 interpretation of the law was erroneous. “Section 4 is a rule of subject matter competence that, like all BC law, applies only in BC. California courts determine for themselves, using California law, whether they have territorial competence over any given proceeding,” said Chief Justice Robert James Bauman. “We are pleased with the court’s ruling that our terms are fair and apply to all users,” Facebook said. [Digital Journal]

CA – Saskatchewan Commissioner’s Annual Report Includes Concern About “Non-Responses”

A report released Monday indicates Saskatchewan Privacy Commissioner Ron Kruzeniski’s 35 amendments for provincial privacy laws, including “mandatory reporting of privacy breaches, the duty to protect private information collected and including municipal police in the legislation,” have been met with 25% unresponsiveness from public bodies. “Kruzeniski said the non-responses could involve a misunderstanding or confusion over changes in his office’s procedures,” the report states, noting the office “is prepared to allow another year to clarify its expectations,” but if the non-responsiveness number doesn’t decrease, the commissioner “would be concerned that a ‘blatant disregard’ of the legislation was occurring.” Meanwhile, CBC News discusses other areas of Kruzeniski’s report, including why he feels provincial privacy law is “outdated.” [The Star Phoenix]

CA – Alberta’s PIPA Review to Begin

The Alberta government has initiated its review of the province’s Personal Information Protection Act (PIPA). The review will be conducted by the Standing Committee on Families and Communities, the report states, noting the law is slated for automatic review beginning on July 1 and then every six years. PIPA “will go to a legislative committee this fall, they’ll make recommendations that come back to the ministry,” Service Alberta Minister Deron Bilous said. “It’s a way to keep the (law) current and relevant and to ensure that we’re protecting Albertans’ privacy.” Alberta’s Freedom of Information and Protection of Privacy Act has been under review since 2012, the report states. [Edmonton Journal]

Electronic Records

US – Fitbit Tracking Data Comes Up in Another Court Case

When you wear a Fitbit or any other fitness tracker or smartwatch, you not only monitor your physical activities, you also collect data about yourself — data that can apparently be used against you in investigations. In Lancaster, Pennsylvania, police responded to a 911 call by a woman who claimed she was raped by a home invader. The woman told the police she woke up around midnight with the stranger on top of her, and that she lost her tracker while struggling against her assailant. However, authorities found her Fitbit, which recorded her as active, awake and walking around all night. Combined with the evidence that was missing (tracks outside in the snow from boots she said the attacker was wearing, or any sign of them inside), an investigation led to her facing misdemeanor charges. [Source]

WW – Insurer Monitoring Your Heart Rate? Allstate’s Patent Makes It Possible

Northbrook-based Allstate, which last month floated the idea of one day selling the information it collects from policyholders’ connected cars, was issued a patent earlier this month for a driving-behavior database that it said might be useful for health insurers, lenders, credit-rating agencies, marketers and potential employers. Allstate’s patent also said the invention has the potential to evaluate drivers’ physiological data, including heart rate, blood pressure and electrocardiogram signals, which could be recorded from steering wheel sensors. Allstate’s patent acknowledged that use of the data might be subject to terms of agreement with the operator of the vehicle. [Source]

WW – Here’s What You Get With BBM’s $1 Privacy Subscription

BlackBerry has updated the BBM messaging app and has started to roll out the feature to users of Android, BlackBerry 10 and iOS. The most notable change brought by the update is the new Privacy and Control subscription, which replaces the previous Timed and Retracted Messages subscription. Privacy and Control, as the name implies, is designed to give users more control over the messages they share through BBM. It promises to add more security for the parties involved in a conversation, as they no longer have to worry whether their messages have been captured through screenshots or shared with the wrong people. In the new feature, messages are sent with no names and no profile pictures. The chat also ends automatically after a short period of time. This way, user identities are kept private, since no one would know who said what except, of course, those who were actually involved in the conversation. The Private Chat feature will be bundled with the newly rolled out Privacy and Control subscription. For only $0.99 a month, users get Private Chat, Timed messages and pictures, Retract messages and pictures, and Edit Message. The latter is also a newly added feature to the subscription, wherein users are allowed to retract their message, change the content, and then send the message all over again. [Source] See also: [BlackBerry/Cisco partnership to push healthcare towards digital age]


WW – More Sites Go All-HTTPS

Reddit has announced that starting June 29, it will refuse plaintext HTTP traffic. Last September, reddit allowed HTTPS connections for users who turned the feature on or used something like HTTPS Everywhere, the report states. Reddit is the latest to make the switch; it joins such sites as Wikipedia, which made the announcement less than a week ago, and Netflix. In addition, the White House Office of Management and Budget issued the “HTTPS-Only Standard directive,” which requires all publicly accessible federal websites and web services to use only HTTPS. “We genuinely value the privacy of the people who trust reddit as a platform for open communication,” reddit’s Heather Wilson said. [Ars Technica]

US – Free Digital Certificate Project

The Let’s Encrypt Project wants to increase the use of encryption on websites by offering free digital certificates. A corporation backed by technology companies, including Mozilla, Akamai, Cisco, and the Electronic Frontier Foundation (EFF), runs the project. Let’s Encrypt expects to release the first certificates in July. [ComputerWorld] [Encryption Would Not Have Protected Secret Federal Data Says DH]

EU Developments

EU – Belgium Takes Facebook to Court Over Privacy Breaches and User Tracking

The Belgian privacy commission is taking Facebook to court for its alleged “trampling” over Belgian and European privacy law. The lawsuit will be heard in a Brussels court after a report and an opinion published by the Belgian privacy watchdog that detailed Facebook’s alleged breaches of European privacy law, including the tracking of non-users and logged-out users for advertising purposes. Facebook treats its users’ private lives without respect and that needs tackling, according to Willem Debeuckelaere, president of the Belgian privacy commission, who said at the time of the report that it was “make or break time”. The privacy commission has no power to fine Facebook, but threatened legal action backed by the Belgian prosecution service should the US-owned social network fail to address the report’s concerns. That threat has now been carried out. The European commission recently warned that EU citizens should close their Facebook accounts if they want to keep their information private from US security services, after finding that current Safe Harbour legislation does not protect citizens’ data. Facebook was also recently ordered by a Vienna court to respond to a class action data privacy lawsuit that was filed against Facebook in Austria by privacy activist and lawyer Max Schrems, which is seeking damages of €500 (£397) per plaintiff for alleged data protection violations. [Source] [EU – Isabelle Falque-Pierrotin: Privacy Needs to Be the Default, Not an Option] [The digital revolution is coming for us, but is it friend or foe?]

EU – Thank Latvia: Council Gets Past Objections for GDPR Approach

After three and a half years of intense negotiations, EU ministers finally agreed to a general approach on their version of the proposed General Data Protection Regulation at a meeting of the Justice and Home Affairs Council in Luxembourg. John Bowman, former DAPIX negotiator for the UK, outlines the objections the Council had to overcome and what are likely to be the main sticking points as the privacy legislation everyone’s following now moves to the trilogue stage. [Privacy Perspectives]

WW – “Revenge Porn” Searches Axed

Google’s move to delist “revenge porn” from its search engines is a healthy step forward for the right to be forgotten. “Google has shown that the world won’t be knocked off its axis if the company goes beyond protecting financially relevant information … and takes aggressive steps to remove links to socially relevant information that can harm autonomy, reputation and emotional well-being,” the report continues. Governments and corporations share a duty to “invest in data protection rights,” the report states, noting those rights “will evolve through information-specific categories” and it’s less about being totally forgotten but rather made “obscure” online. [The Guardian]

US – Dixon: “We Will Be the Lead” Regulator of U.S. Tech Firms

Irish Data Protection Commissioner Helen Dixon has commented on the role her office will play in regulating U.S. technology companies. “Ireland will be the leading regulator when dealing with U.S. tech companies,” she said. “We want to work actively with other regulators. But we will be the lead.” Dixon’s strong comments come the same day Ireland’s Office of the Data Protection Commission (DPC) released its annual report detailing its activities in 2014. The DPC is expected to audit Adobe, Yahoo and Apple this year, the report states. “We are responsible for millions of users,” Dixon said. “The companies accept pushback from us. They want to be compliant.” [The New York Times]

EU – EU Data Privacy Reform Moves Toward End Game

Ministers from the EU agreed to begin negotiations with the European Parliament over a comprehensive update to the union’s data privacy rules. The new regulations would give Europeans more rights in controlling what happens with their personal data, and give firms handling that data more responsibility for protecting it. After agreeing on a compromise common position on the draft, member states gave the Latvian Presidency of the Council of the EU the mandate to commence so-called trilogue negotiations. As it is a regulation rather than a directive, member states would have less flexibility in how they apply the new law nationally, meaning a higher level of harmonization across countries. The regulation would force companies processing personal data to prove that the data subjects have given their explicit consent. Multinationals would need to appoint independent data protection officers to ensure compliance. The potential fines for data protection violations could be as high as 2 percent of annual worldwide turnover. Depending on the company in question, this would be much higher than the fines that are currently levied. One of the most controversial aspects of the new regulation is that of liability for breaches. Under the current system, if a bank using a cloud provider to handle its customers’ data were to suffer a breach, the customer would only be able to sue the bank. Under the GDPR, the customer would be able to sue both the bank and the cloud provider. Another contentious issue that will surface during the trilogue discussions is the right of citizens to have their data erased. The UK is concerned that this may clash with the right to free expression. [Source]

EU – First Trilogue Meeting Begins

The three major institutions charged with creating the next generation of EU data protection law started discussions in the first of a series of trilogue meetings to finalize the proposed General Data Protection Regulation (GDPR). Several EU countries are concerned about the GDPR, including Cyprus, Italy, Belgium and Poland. Austria said it will not support a law that lowers data protection from existing standards. Leaders from the European Commission and European Parliament as well as negotiators from member states shared their thoughts during a press conference this morning, and the Alliance of Liberals and Democrats in the European Parliament shared its conditions for the EU data protection reform. [The Register]

EU – Numbers Indicate Google Tops EC Lobbying Efforts

According to figures published by Transparency International, Google and its lobbyists have had more meetings with European Commission officials than any other single company. Google lobbyists have had 32 meetings between December and June, the report states, topped only by BusinessEurope, which has 67 member companies spanning industries and including Microsoft, Facebook, IBM, Oracle and Samsung Electronics. The data shows more than three-quarters of lobbyists in that timespan were corporate; 18% were NGOs, and 2% were local authorities. The analysis “shows more clearly which companies have the greatest opportunity to influence decision-making,” the report states. [CIO Online]

EU – WP29’s Falque-Pierrotin on Key Digital Privacy, Security Issues

Isabelle Falque-Pierrotin of the Article 29 Working Party and the CNIL talks about delisting, the CNIL’s case against Google and making privacy the default. Asked what the most important digital privacy and security issue is, Falque-Pierrotin first lists “making security issues represented as really important and as a priority for all of the stakeholders. I’m not sure that’s the case right now.” And, she continues, it is important to “convince people that data protection is not against innovation and growth; on the contrary, data protection contributes to confidence. It is a key factor in the digital environment.” [Wired]

EU – New French Law Draws U.S. Comparisons

The French government’s plan to augment its anti-terror surveillance is being compared to the USA PATRIOT Act. “France’s ruling socialist government rushed through the bill earlier this year, shortly after the Islamist militant attacks in Paris in which 17 people were killed over three days,” the report states. While the law won’t be finalized until it is proven constitutional, it passed “by a simple show of hands from deputies in France’s National Assembly,” forgoing “the need for judicial warrants to use an array of spying devices including cameras, phone taps and hidden microphones,” the report continues. Earlier this week, however, the French government called revelations of eavesdropping by the U.S. government on the private conversations of senior French leaders “unacceptable.” [DW]

EU – A Look at France’s Digital Ambition Report

The French National Digital Council has released a report containing 70 proposals for the future of the digital economy in France and Europe. “The report follows a nationwide consultation of the major stakeholders, which has also sparked a debate on various issues relating to the digital economy such as how to regulate digital platforms and how to boost the competitiveness of French start-up companies,” writes Olivier Proust, who analyzes the report’s key proposals. He notes the French government also plans to “introduce a ‘Digital Bill’ before the French National Assembly in the fall aimed at regulating the use of the Internet as well as stimulating innovation and fostering growth in the digital economy.” [Full Story]

EU – WP29 Weighs In on the GDPR Trilogue Process

As the EU continues to buzz about the beginning of the trilogue negotiations and the final stage of the arduous process of bringing the General Data Protection Regulation (GDPR) to fruition, the Article 29 Working Party (WP29) has now weighed in with its thoughts on the final stages of what is likely to be historic legislation. Jedidiah Bracy and Sam Pfeifle write about those thoughts, which take the form of three letters to deeply involved members of the Commission, Council and Parliament. The letters include a hard line on government access to citizen data, a nuanced approach to a “one-stop shop” and an endorsement of a broad definition of personally identifying information. Further, the WP29 provides a 24-page document that outlines its specific problems with current versions of the GDPR text. [Privacy Tracker]

EU – Other News

Facts & Stats

US – Theft Accounts for More Than Half of “Wall of Shame” Breaches

Roughly 52% of breaches posted on the Department of Health and Human Services’ Office for Civil Rights’ “wall of shame” were the result of theft. Unencrypted devices appeared to be the most consistent source of recent trouble. “Although we’ve seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization,” The Marblehead Group’s Kate Borten said. “Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is the most common breach scenario affecting organizations of any size.” [Gov Info Security]

US – Results of 2015 Online Trust Audit Mixed

The 2015 Online Trust Audit and Honor Roll found 54% of government websites to have “inadequate domain, brand and consumer protection.” All is not completely doom and gloom, however. The audit found 42% of government sites, such as the White House, FTC and FDIC, worthy of the honor roll, having “the highest average privacy score across evaluated industries.” The audit states that its primary goal “is to help drive the adoption of best practices and provide prescriptive tools and resources to aid companies.” [Washington Business Journal]

US – OPM Says Hack Could Cost $19 Million

In the first of three consecutive hearings on Capitol Hill this week, OPM Director Katherine Archuleta testified in front of the Senate Appropriations Committee. Archuleta said the breach affecting 4.2 million individuals—which is only part of the total number of those whose records have been compromised—will cost at least $19 million. “I am as upset as (those affected) are about what happened and what these perpetrators have done with our data,” Archuleta said. Financial Services and General Government Subcommittee Chairman John Boozman (R-AR) said, “The problem is something much greater than a lack of resources.” Relatedly, The Wall Street Journal reports that semantics may have initially obfuscated the true scope of the OPM breach. [CSM Passcode] [It gets worse: Two Federal OPM hacks affected up to 18 million]


EU – ECHR Finds Website Liable for Anonymous User Comments

In what some are calling a surprise decision, the European Court of Human Rights has found that Estonian news website Delfi can be held responsible for anonymous comments on its site. Access Senior Policy Counsel Peter Micek said the ruling has “dramatically shifted the Internet away from the free expression and privacy protections that created the Internet as we know it.” Media Legal Defence Initiative has summarized the reasoning behind the court’s decision. Digital Rights Ireland Chairman TJ McIntyre said the decision “doesn’t directly require any change in national or EU law,” but indirectly, “it may be influential in further development of the law in a way which undermines freedom of expression.” [Ars Technica]


WW – Feature Aims to Make Bitcoin Transactions Private

Though Bitcoin is often thought of as a private way of transacting currency, privacy issues remain, according to Blockstream Cofounder Greg Maxwell, who said an onlooker can reveal the identities of bitcoin users and determine an individual’s financial history. “You can leak this information to everyone, and they just have to attach your name to one address,” Maxwell said. As a result, Blockstream has created its Confidential Transaction feature in its Sidechain Element projects. The feature aims to hide the content of a given transaction as well as the destination and amount. [Bitcoin News Service]

US – Banks to Roll Out Real-Time Payments

Bank-owned digital payments network clearXchange announced this week that it will roll out over the next year a real-time payments platform available to all U.S. consumers who have a bank account. All of clearXchange’s member institutions, which include five of the six largest U.S. banks as well as several regional banking institutions, are expected to offer real-time payments to their customers, clearXchange says in a statement. The network, formed in 2011, enables banks to provide person-to-person, business-to-consumer and government-to-consumer payments. The network is equally owned by Bank of America, Capital One, JPMorgan Chase and Wells Fargo. None of the banks that own the network responded to Information Security Media Group’s request for comment. [Source]

WW – Bitcoin Big Bang Takes Anonymity Out of Transactions

The report looks at the Bitcoin Big Bang project and Elliptic’s anti-money-laundering work within the bitcoin space. The company has created an interactive data visualization of historic and real-time transactions, which are public by default. Elliptic’s goal, according to CEO James Smith, is to expose criminal activity and bring bitcoin into the mainstream. “If digital currency is to take its legitimate place in the enterprise, it inevitably must step out of the shadows of the Dark Web,” he said. The company’s ability to track financial transactions should be an “eye opener” to those who think it’s all conducted anonymously, the report states. Smith said, “increased privacy does not necessarily have to equate to more freedom for criminals.” [Inside Bitcoin]


US – EFF Releases New “Who’s-Got-Your-Back” Privacy Report

The Electronic Frontier Foundation (EFF) has released its fifth data privacy report grading how well companies protect user data and how transparent they are about requests from governments. The EFF said that over the course of the last four years, companies have been trending toward more transparency, but its latest report evaluates criteria more tightly. Adobe, Apple, CREDOmobile, Dropbox, Sonic.net, Wikimedia, WordPress.com and Yahoo all received the maximum five-star rating based on following “industry-accepted best practices”; informing users of “government data demands”; disclosing data-retention policies and “government content removal requests,” and having “pro-user public policy” and opposing “backdoors” to encrypted communications. [TechCrunch]

US – Amazon Releases Transparency Report

The fact that Amazon’s cloud computing services are used by 17 government agencies is spurring rumors that government interference is to blame for Amazon’s relative tardiness in releasing a transparency report. The company, however, has dismissed the allegations. “Where we need to act publicly to protect customers, we do. Amazon never participated in the NSA’s PRISM program,” Stephen Schmidt, Amazon Web Services CISO, wrote in a blog post. “We have repeatedly challenged government subpoenas for customer information that we believed were overbroad, winning decisions that have helped to set the legal standards for protecting customer speech and privacy interests.” [PC Mag]

CA – Oldest Active Federal Access-to-Information Requests Stretch Back 6 Years

According to data collected as part of a Liberal question in the House of Commons, Justice Canada is the federal department with the longest running, active access-to-information request — an unfulfilled inquiry that dates back more than six years. Under the Access to Information Act passed by Parliament, departments are supposed to respond to requests for government records within 30 days, although in practice long delays have become routine. [Source]


US – Mystery Pooper: Firm to pay $2.2M Over Forced DNA Testing for Workers

A federal jury has concluded that an Atlanta grocery warehousing firm must pay two employees a combined $2.2 million for forcing them to submit to a buccal (cheek) swab to determine if their DNA was a match to feces being left throughout the facility. Employees Jack Lowe and Dennis Reynolds declined a combined $200,000 settlement offer from Atlas Logistics Group Retail Services. Instead, they forged ahead with the first damages trial resulting from 2008 civil rights legislation that generally bars employers from using individuals’ “genetic information” when making hiring, firing, job placement, or promotion decisions. The two plaintiffs were singled out because their work schedules coincided with the timing and location of what the court termed the “defecation episodes.” The warehouse firm hired Speckin Forensic Laboratories to collect buccal swab samples from the plaintiffs and compare them against the fecal matter left on site. Speckin recommended Short Tandem Repeat (STR) analysis. The tests cleared Lowe and Reynolds. [Source]

Health / Medical

US – Pharmacy Merger Creates Privacy Questions

CVS’s acquisition of Target’s pharmacy is rife with “some extremely likely data security and privacy problems and HIPAA horrors.” “Screaming in one track is Target’s collection of highly sensitive personal prescription and medical history, one of the largest in the world, while barreling in on the other track we have Target’s employees, who have little incentive to carefully follow data transfer protocols now that the data is about to be taken over by another company,” the report states. Chief among concerns is the way the data will be transferred and how, with double the amount of handlers, security will be guaranteed. California’s health insurance exchange is embarking on a data-collection project for all Affordable Care Act members. [Computerworld] See also: [CA – The Privacy of Transitioning Individuals’ Health Records Could Be at Risk]

US – FDA Using Online Forum to Track Drug Failures

The Food and Drug Administration (FDA) is partnering with PatientsLikeMe.com to track negative effects from prescription drugs. PatientsLikeMe is a forum for individuals to compare treatment experiences and seek advice. “With 350,000 users logging 28 million data points on more than 2,500 conditions, the site bills itself as the largest digital patient community in the world … The company has already collected data on 110,000 adverse events from 1,000 medicines that the FDA will now be able to access,” the report states. PatientsLikeMe has partnered with other organizations in the past, including the National Institutes of Health and the Centers for Disease Control and Prevention. [International Business Times]

US – Behind-the-Scenes Government System Keeps Data ‘Indefinitely’ on Those Seeking Health Coverage

A government data warehouse stores personal information forever on millions of people who seek coverage under President Barack Obama’s health care law, including those who open an account on HealthCare.gov but don’t sign up for coverage. “A basic privacy principle is that you don’t retain data any longer than you have to,” said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. “The more data you keep, the more harm an attacker or unauthorized person can do.” The health care system, known as MIDAS, is described on a federal website as the “perpetual central repository” for information that the Affordable Care Act authorizes federal agencies to collect. “Data in MIDAS is maintained indefinitely at this time,” says another document, a government privacy assessment dated Jan. 15. [Source]

Horror Stories

US – OPM Breach Could Affect 32 Million; IG Says Plans Destined To Fail

Officials from the Office of Personnel Management (OPM) and other federal agencies as well as two vendors appeared before a House Oversight committee Wednesday to answer questions about the massive breaches of government employee data. A day after a more sober Senate Appropriations hearing, things once again heated up as House representatives grilled OPM leadership about their security precautions and choice of vendor to handle notification and credit monitoring, even at points calling for the resignation of OPM leadership. This Privacy Tech post covers the latest, including the possibility of 32 million records at risk and comments by the Office of the Inspector General about its assessment of the OPM’s handling of the crisis. [Full Story]

US – OPM Hack Quadruples; Diplomats to Query Chinese Officials

The total number of individuals affected by the hacks of the Office of Personnel Management (OPM) has officially quadrupled to 18 million, up from initial reports of 4.2 million. Additionally, the National Archives and Records Administration (NARA) has detected similar cyber-intrusion activities in its network, but the adversaries do not appear to have as deep access into NARA’s network as they did into the OPM systems. This post for Privacy Tech continues to follow the latest fallout from what is surely one of the most damaging data breaches in U.S. history. [Full Story]

US – OPM: Attackers Had Access to OPM Database for a Year

The attackers who breached the security of a database at the US Office of Personnel Management (OPM) had access to the data for at least a year. The database holds information gathered for national security clearances. [WashPost] [ComputerWorld]

US – OPM: Fraud Protection Service Security Concerns

People whose personal information was compromised have complained that they have been required to provide sensitive personal information to the company that will provide fraud protection services to verify their identities. And there appears to be some question about whether or not this information is being or will be shared. [NextGov]

US – OPM: Breach Affected Two Different Systems

Two different systems were breached at OPM: the Electronic Official Personnel Folder system and the central database for EPIC, the software suite that OPM’s Federal Investigative Service uses to gather information for employee background investigations. [Ars Technica] [A Department of Homeland Security Official said that encryption would not have helped protect the data exposed in the OPM breach because the intruders managed to obtain valid user credentials] and [House Committee Chairman Jason Chaffetz (R-Utah) called on the president to fire OPM officials, saying “If we want a different result, we’re going to have to have different people.”]

US – Legacy Systems Are Not the Only Reason for OPM Breach

Office of Personnel Management (OPM) officials pointed to legacy systems as a central reason for the attacks on the OPM’s network. While it is true that the older systems do not support adequate encryption and other methods of data protection, other factors, including a lack of adequate talent, poor network design, and focusing on security reactively rather than proactively, contributed to the breaches as well. [ZDNet]

US – “Flash Audit” Continues OPM’s Bad Week

The story of the hack into the Office of Personnel Management (OPM) continues to be written this week, with news of a “flash audit” by the Office of the Inspector General that revealed “serious concerns” about a major IT systems overhaul at the OPM that is already underway but “has not yet addressed several critical project-management requirements.” Jedidiah Bracy examines the continuing problems at OPM and the ways in which the scope of the breach continues to expand. [Privacy Tech] [US – Millions More Affected by OPM Breach]

US – WEDI Releases Data Breach How-To

The Workgroup for Electronic Data Interchange (WEDI) has released Perspectives on Cybersecurity in Healthcare, a report discussing how healthcare organizations can best “mitigate, discover and respond” to data breach threats. “The risk of cyberattacks is no longer limited to the IT desk—it is a key business issue that must be addressed by executive leadership teams in order to build that culture of prevention,” said WEDI CEO and President Devin Jopp. WEDI-amassed statistics indicate urgency is necessary. “In the first four months of 2015 alone, more than 99 million healthcare records have already been exposed through 93 separate attacks,” the WEDI document states. [FierceHealthIT]

US – Companies Facing Consequences for Privacy Faux Pas

A judge has refused to dismiss a suit against Sony Pictures Entertainment by former employees and victims of last year’s massive breach that alleges the corporation did not exercise privacy due diligence. In other courtroom news, LinkedIn recently agreed to settle for $13 million and update privacy protocols after allegedly manipulating preexisting profiles to woo new users, and a Home Depot stockholder is suing to inspect company records “to determine whether Home Depot management breached its fiduciary duties by failing to adequately secure payment information on its data systems.” [Bloomberg Business]

WW – LastPass Servers Hacked; Data Strongly Encrypted

Password-protection cloud service LastPass announced its servers have been compromised by hackers. Compromised data included hashed passwords, cryptographic salts, password reminders and email addresses. In a blog post, LastPass CEO Joe Siegrist said his company’s encryption protections will be difficult for the hackers to breach. He wrote, “We are confident that our encryption measures are sufficient to protect the vast majority of users,” adding, “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.” [Ars Technica] [Hulk Hogan is fighting for the privacy of the world’s sex tapes] [US – Nude photos of Australian women shared on US website] [The Houston Astros were an easy hacking target: Someone reportedly reused an old password] [UK – Three exposed Brit’s privates with sloppy survey code]
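The two-stage scheme Siegrist describes, shown as an added example in Python (this is illustrative code, not LastPass’s implementation). Only the 100,000 server-side PBKDF2-SHA256 rounds and the random server salt come from the statement; the client-side round count, the use of the lower-cased account email as the client-side salt, the 16-byte salt length and the sample credentials are assumptions. The last two functions show why a stolen salt-and-hash table is slow to attack: each offline guess has to repeat both derivations.

```python
"""Two-stage PBKDF2 password strengthening (added example, not LastPass code)."""
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"
HASH_LEN = 32
CLIENT_ROUNDS = 5_000      # assumed client-side work factor (not stated on the page)
SERVER_ROUNDS = 100_000    # server-side round count quoted in the LastPass statement


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side stage: derive the authentication hash sent to the server.
    Assumption: the normalised account email is the client-side salt, so the
    derivation is repeatable on any device while the raw password never leaves it."""
    return hashlib.pbkdf2_hmac(HASH_NAME, master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), rounds, HASH_LEN)


def server_enroll(auth_hash: bytes, rounds: int = SERVER_ROUNDS) -> dict:
    """Server-side stage: strengthen the received hash with a fresh random salt.
    The returned record is what a database breach would expose."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac(HASH_NAME, auth_hash, salt, rounds, HASH_LEN)
    return {"salt": salt, "rounds": rounds, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Recompute the server-side derivation and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, auth_hash, record["salt"],
                                    record["rounds"], HASH_LEN)
    return hmac.compare_digest(candidate, record["hash"])


def offline_guess_cost(record: dict, email: str, client_rounds: int = CLIENT_ROUNDS) -> float:
    """Seconds one password guess costs someone holding the stolen record.
    Each guess must repeat BOTH stages (client rounds, then the server's rounds
    with the stolen salt); that combined cost is the defence being described."""
    start = time.perf_counter()
    server_verify(record, client_auth_hash("constructed-guess", email, client_rounds))
    return time.perf_counter() - start


def years_to_exhaust(keyspace: int, seconds_per_guess: float, parallelism: int = 1) -> float:
    """Worst-case time to try every candidate in a keyspace at the measured per-guess cost."""
    return keyspace * seconds_per_guess / parallelism / (365 * 24 * 3600)


if __name__ == "__main__":
    email, password = "alice@example.com", "correct horse battery staple"   # constructed sample
    record = server_enroll(client_auth_hash(password, email))
    print("correct password accepted:", server_verify(record, client_auth_hash(password, email)))
    print("wrong password rejected:  ", not server_verify(record, client_auth_hash("letmein", email)))
    cost = offline_guess_cost(record, email)
    print(f"one offline guess on this machine: {cost:.3f}s")
    print(f"10^8 guesses, single core: {years_to_exhaust(10**8, cost):.1f} years")
```

The record stores the round count alongside the salt so the server can raise `SERVER_ROUNDS` for new enrollments without invalidating existing ones; the per-guess timing is a single-core CPython figure and says nothing about GPU or ASIC throughput, which is the caveat a practitioner should attach to any such estimate.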

WW – WhatsApp Comes Up Short Protecting User Data, Privacy Watchdog Says

WhatsApp lags behind its consumer tech peers when it comes to protecting user data from government requests, according to a prominent privacy advocacy group. In its annual Who Has Your Back? report, the Electronic Frontier Foundation awarded WhatsApp just one out of four stars when evaluating it across various categories concerning data protection. According to the EFF, WhatsApp doesn’t publish a transparency report detailing requests it’s received from the government, doesn’t promise to provide users advance notice of government data requests and doesn’t disclose its data retention policies. The messaging app does oppose creating purposeful security weaknesses known as backdoors that let government officials stealthily gather user data. Opposition to backdoor policies has become common among the consumer tech giants. [Source] [Ten low-tech ways to protect your privacy online] [Non-creepy social networks make it to your smartphone]

Identity Issues

US – Schumer Wants Credit-Reporting Firms to do More

Sen. Charles Schumer (D-NY) has written to major credit-reporting firms requesting a “system that will notify consumers when someone is trying to get a loan or other type of credit in their name” with an option to immediately freeze their credit. “Too many people have faced the reality of learning that someone else has opened new lines of credit in their names only once their score has already been run into the ground,” Schumer wrote. The Consumer Data Industry Association has said there is an established window for threat notification and “the industry has measures in place that provide consumer protections,” the report states. [The Wall Street Journal]

CA – CancerLinQ, Privacy Analytics Working Together on Patient Data

Privacy Analytics has announced it is teaming with CancerLinQ in an effort to de-identify cancer patient data on a large scale for research purposes, stressing that adhering to privacy regulation will be paramount. “Privacy Analytics is providing CancerLinQ with software and training that will allow CancerLinQ to responsibly de-identify patient data through a proven, risk-based methodology,” the firm’s announcement states. This will allow CancerLinQ to provide oncologists with reports “that can be customized for each specific use case and objective while protecting patient privacy.” Healthcare providers will now have access to “critical patient data from electronic health records that they would not have historically been able to access and analyze through traditional methods,” said Privacy Analytics CEO Khaled El Emam. [Full Story]

US – Online Banking Provider to Use Emoji Passwords

An online banking service provider plans to use emojis as passwords. On Monday, UK-based Intelligent Environments announced it will move toward the “world’s first emoji-only passcode,” giving users a choice of 44 different emoji representations to combine into passwords. The company argues the system will be more secure than number-only PINs and passwords because it has “480 times more permutations using emojis over traditional four-digit passcodes.” IE Managing Director of Engagement David Weber said, “Our research shows 64 percent of millennials regularly communicate only using emojis.” However, Carnegie Mellon Prof. Lorrie Cranor called the move a “gimmick,” adding, “I’m not sure that it will make a difference as far as security goes.” [NPR]

Internet / WWW

WW – U.N. Sends Peacekeeping Forces to Internet of Things War

The United Nations is joining the melee for a single “internet of things” (IoT) standard. The UN-run International Telecommunications Union (ITU) has created a new “study group” that will develop international standards for the technology to enable low-power communications between machines and sensor networks. Study Group 20 will be officially called “IoT and its applications, including smart cities and communities,” and will focus first on “standards that leverage IoT technologies to address urban-development challenges.” It hopes to come up with a full end-to-end architecture for IoT, and so allow for full interoperability of both applications and datasets. Even with the weight of the United Nations behind it, the ITU faces an uphill battle. At the moment, IoT is almost defined by the fact that there are a wide range of competing standards. [Source]

WW – Potential ICANN Policy Change Creates Privacy Concerns

The Electronic Frontier Foundation (EFF) is reporting that a policy being considered by ICANN, the global domain name authority, could make it easier for third parties to discover the contact information of website owners. The impetus for the potential policy change came from U.S. entertainment companies that want “tools to discover the identities of website owners whom they want to accuse of copyright and trademark infringement, preferably without a court order,” the EFF states. According to Threat Post, smaller websites appear to be the most affected. “The limited value of this change is manifestly outweighed by the risks to website owners who will suffer a higher risk of harassment, intimidation and identity theft,” the EFF notes. [Source]

Law Enforcement

US – City May Veto Police Data-Sharing Plan

The privacy concerns of Charlotte, NC, police may keep the Charlotte City Council from voting in favor of sharing data as part of a White House initiative to create greater transparency and accountability for law enforcement. If the motion is approved, the data would be shared with University of Chicago researchers who have promised to anonymize relevant data and store information securely. Some are still unsure, however. “I think we need to put it in abeyance until they totally understand what the point of it is and the purpose of it is,” said Charlotte Councilwoman Claire Green Fallon. [USA Today]

Online Privacy

EU – France Orders Google to Scrub Search Globally in Right to Be Forgotten Requests

We do not care if a URL’s got a .fr, a .uk or a .com glued to the end, the French data protection agency told Google – if a European makes a legitimate request to be forgotten in search results, make it so on all your search engines in all countries. CNIL said in its news release that it’s received hundreds of complaints following Google’s refusals to carry out delisting. According to its latest transparency report, last updated on Friday 12 June, Google had received a total of 269,314 removal requests, had evaluated 977,948 URLs, and had removed 41.3% of those URLs. CNIL sized up the complaints it’s received from those whom Google had declined to forget and says that it requested that Google delist several results – not just based on the extension on the URL, it said, but on all results from the whole search engine. [Source]

WW – Facebook’s ‘Moments’ App Lets You Privately Sync Camera Roll Photos With Your Friends

“With a phone at everyone’s fingertips, the moments in our lives are captured by a new kind of photographer: our friends. It’s hard to get the photos your friends have taken of you, and everyone always insists on taking that same group shot with multiple phones to ensure they get a copy. Even if you do end up getting some of your friends’ photos, it’s difficult to keep them all organized in one place on your phone,” said Facebook product manager Will Ruben. The Moments app groups the photos based on the date and the specific friends that are in each photo. Facebook uses facial recognition to determine which of your friends are in each of the photos. Once your photos are grouped, the Moments app asks you if you want to sync the group of photos with the friends it identified. If the app forgot to include one of your friends, then you can manually edit the individuals that you want to sync the photos with. The photos that you share using Moments are private and do not post to the News Feed during the syncing process. However, the Moments app lets you save the synced photos to your camera roll, send them to Facebook Messenger friends, post it to your Facebook or Instagram news feeds and SMS / WhatsApp message it to your contacts. If your friends do not have the Moments app yet, they will get a preview of the synced photos that you have sent in Facebook Messenger. And if you accidentally synced photos with someone, then there is an option to “unsync” individual photos or delete the group of photos. [Source]

WW – Major Mac Flaw Spills Passwords on Apple Devices

Apple claims that its “Keychain” software lets people securely store their passwords on their Macs. As it turns out, hackers can pull the keys off the chain. A crucial flaw found in Macs allows a malicious app to snatch the passwords from your Keychain — or even directly from other apps. That exposes the passwords to your iCloud account, notes, photos, email, banking, social media — everything. Indiana University computer science professor XiaoFeng Wang and his team of researchers found several ways a bad app could “cross over” into other apps. The researchers found that malicious software could slip into the Apple Keychain, delete old passwords, and wait for you to retype them in. When you do, it grabs them. They also found an issue with the way Apple categorizes Mac programs with a unique ID, called a BID. Hackers could assign an email app’s BID to a piece of malware, then get scooped up into a “trusted” group of programs. The Indiana University team analyzed the top 1,612 Mac apps, and found that 89% of them were susceptible to these kinds of attacks. [Source]

WW – Apple Wants To Know If You Use Protection

New features on Apple’s pre-installed “Health” app will allow users to track their sexual activity, namely whether or not they used protection and the time of day they had sex. The new Health app, which already tracks other health information like fitness and nutrition data, will be available on iOS 9, which is set to come out later this year, and will also include the ability to track other reproductive health metrics like menstruation and ovulation cycles. You can choose to store your data solely on your device without backing it up to the cloud. But Apple also lets you choose to share your data with your doctor or anonymously with researchers. Apple is also set to release “HealthKit,” which will pool data entered into various health and fitness apps. “It just might be the beginning of a health revolution,” Apple’s Website reads. Or it could be a great way to put personal information at risk and provide hackers nuanced and specific information. [Source]

US – Advocacy Group Petitions FCC on DNT

Consumer Watchdog has announced it is petitioning the Federal Communications Commission (FCC) in an attempt to legally enforce do-not-track compliance with “edge provider” sites like Google and Facebook. “Ensuring that ISPs respect their customers’ privacy is important, but privacy rules covering companies like Google and Facebook are also necessary if people are going to trust the Internet,” said Consumer Watchdog Privacy Project Director John Simpson. “The FCC clearly has the authority it needs and must do everything it can to build that trust if it is to succeed in promoting timely broadband deployment.” [Full Story] [Emma Watson’s next movie will tackle online privacy]

CA – OPC Releases Updated Report on Online Behavioural Advertising

The Technology Analysis Branch of the Office of the Privacy Commissioner has released its Online Behavioural Advertising (OBA) Follow Up Research Project. The report highlights the OPC’s 2011 guidelines for OBA, noting, “If these conditions and restrictions are not met, and an organization wishes to continue to use OBA, then explicit consent is required.” The report also notes in its overview that while the guidelines were shared widely and “an industry-led self-regulatory program was subsequently launched, advertising practices may not be consistent.” “While the advertising industry has made progress in giving consumers more choice about the ads that target them based on their search and browsing behaviour online, some of those ads are still getting a little too personal.” [Source] [Globe & Mail]

WW – Apple Moves to Prevent Accessing Apps for Ads

Apple will no longer share app data, “which is akin to web-browsing history,” with developers for tailoring ads to its users. Apps and social networks “have sometimes drawn on data about other apps that are already installed” on phones to determine what ads to show users, the report states, noting, for example, if a user “has downloaded a lot of games, including ones that cost money, they may be shown an ad for a paid game that they don’t already have.” The move to discontinue the “increasingly popular practice” is a part of Apple’s effort “to appear more privacy-friendly,” the report states. This may affect Twitter’s recent announcement that it would allow ad targeting based on downloaded apps. [The Information]

WW – Will Privacy Regulation Impact Facebook’s Revenue?

Research from eMarketer indicates the EU’s “mounting probes of Facebook’s privacy policies” could adversely affect the social network’s ability to release new features and increase advertising revenue. “Government privacy watchdogs from France, Spain and Italy have in recent weeks joined a group of regulators investigating the social networking company’s privacy controls,” the report states, “doubling the number of European countries analyzing the way Facebook handles the personal information and connections gleaned from more than 300 million users in Europe.” Given those actions, “It’s difficult to imagine Facebook increasing its revenue from Western Europe significantly,” eMarketer noted in its research. [The Wall Street Journal]

US – Business Opposed to TCPA Update

Business groups believe updates to the Telephone Consumer Protection Act (TCPA) have “overstepped.” The new rules “create new restrictions on important, time-sensitive, non-telemarketing communications, which go way beyond the intent of Congress when it passed the TCPA,” note the U.S. Chamber of Commerce’s Lisa Rickard and William Kovacs. [Katy on the Hill]

Study Finds Most Consumers Concerned About What Marketers Know

A University of Pennsylvania study indicates 84% of consumers want “more control over what marketers can learn about them.” “Americans don’t think the trade-off of their data for personalized services is a fair deal,” said IAPP VP of Research and Education Omer Tene. [Ad Exchanger]

WW – The Dark Side of Proxy Servers

One researcher tested nearly 450 open web proxies and found that 79% forced users to load pages over http://, i.e. unencrypted, which means that the proxy owners could view the traffic in plain text. In addition, 16% of the proxy servers were found to be injecting ads into the content. [Krebs] [Blog haschek] [The Dark Web as You Know It Is a Myth]

US – The Fight Against Revenge Porn Hits the Mainstream

The last week has been a good one for those who have been fighting against the online phenomenon known as revenge porn, or nonconsensual pornography. On Friday, Google announced it will honor takedown requests of sexually explicit images from victims who did not consent to their posting. That was immediately followed up by news that Rep. Jackie Speier (D-CA) plans to announce the first-ever federal legislation against revenge porn. Plus, the issue is reaching popular culture: On Sunday, Last Week Tonight with John Oliver dedicated the majority of its episode to cyber-harassment and revenge porn. This post looks into the developments and what they mean for tech companies, and includes provided comments from University of Miami School of Law Prof. Mary Anne Franks. [Privacy Perspectives] [Low-tech ways you can protect your privacy online] [How to Defeat ‘Revenge Porn’: First, Recognize It’s About Privacy, Not Revenge] [John Oliver exposes what the Internet does to women]

Other Jurisdictions

RU – Parliament Gives RTBF Bill Initial Approval

The lower house of the Russian Parliament, the State Duma, on Tuesday gave initial approval to legislation requiring search engines to remove outdated or irrelevant personal data upon request from users. The bill, which resembles the EU’s right-to-be-forgotten concept, has some—including the country’s largest search engine, Yandex—concerned it could drive censorship and diminish information valuable to the public interest. Unlike the EU’s version, the Russian bill would require sites to delete data even if the information is in the public’s interest. Yandex said, “The limitations introduced by this bill reflect an imbalance between private and public interests,” adding, “This bill impedes people’s access to important and reliable information or makes it impossible to obtain such information.” [Reuters] [AU – How will Australia’s anti-piracy law affect you?]

CO – Colombia DPA Issues Accountability Guidelines

Colombia’s Superintendence of Industry and Commerce (SIC) has launched the Colombian Accountability Guidelines—the first of their kind in Latin America. The result of a multi-stakeholder process, the aim of the document is to help companies implement Colombia’s Data Protection Regulation of 2012. While the guidelines aren’t binding, companies that implement their provisions are, under the law, to be looked upon more favorably in the case of a SIC investigation or enforcement action than those who don’t. José Alejandro Bermúdez Durana, deputy superintendent for data protection for SIC, says he hopes other Latin American countries will adopt Colombia’s proactive approach to incentivizing companies to create strong data protection regimes. [The Privacy Advisor]

AU – Skoolbag App Gaining Popularity in New Zealand amid Privacy Concerns

An app that alerts parents to school emergencies, and tells them the date of the college disco, is gaining in popularity, despite warnings from privacy watchdogs about the safety of the data it collects. Skoolbag is the brainchild of Australian parent Andrew Tsousis, who wanted a better way of communicating with his child’s school. It is now used by 34 schools in New Zealand and 2,000 worldwide, and provides information on cancellations, school notices, school contact information, timetables, absences and parent contact details. However, the Australian privacy commission recently warned of the dangers of the inappropriate disclosure of the mountains of data being collected by Skoolbag and apps like it. [Source] See also: [Chinese Hackers Circumvent Popular Web Privacy Tools] China’s telecommunications regulator, the Ministry of Industry and Information Technology, has promulgated a new regulation aimed at cracking down on spam messages, Scott Livingston writes.

Privacy (US)

US – Supreme Court Deems Hotel Registry Rule Unconstitutional

In a 5-4 decision, the Supreme Court struck down a Los Angeles city ordinance requiring hotel operators to show a list of registered guests to the police on demand. The court held that the guest registry law violated the Fourth Amendment’s protection against unreasonable searches because it did not give hotel managers the chance to seek a ruling from a judge or magistrate before complying with police requests. Justice Sonia Sotomayor wrote for the majority that the law opened up hotel and motel owners and their guests to potentially limitless harassment because an owner who refused to give registry access to an authority “can be arrested on the spot.” [Politico]

US – EPIC Files Complaint with FTC Over Uber’s Privacy Policy

The Electronic Privacy Information Center (EPIC) has filed a complaint with the FTC regarding Uber’s new privacy policy, which permits the company to use cell phones to track users even if they’re not currently employing Uber’s services. “The complaint asks the FTC to investigate Uber’s business practices, stop the company from collecting user location data ‘when it is unnecessary for the provision of the service,’ halt Uber’s collection of user contact list information and investigate other companies that engage in similar practices, among other things.” A statement released on EPIC’s website cites “Uber’s history of misusing customer data as one of many reasons the commission must act.” [USA Today]

US – Federal CIO Backs OPM Director; Senators Press for Details

After a tough day of questioning from a House oversight panel on Wednesday, Office of Personnel Management (OPM) leadership and other government officials testified in front of the Senate Committee on Homeland Security and Government Affairs to further clarify the extent of the biggest theft of government records in U.S. history. In this post, Jedidiah Bracy reports on the hearing and includes a brief timeline of the various hacks to the OPM, KeyPoint and USIS based on testimony from witnesses. [Privacy Tech]

US – Will USA FREEDOM Act Help Restore Cross-Border Trust?

The enactment of the USA FREEDOM Act made headlines in the U.S. and beyond. However, as the Hogan Lovells Privacy Team explains in this post, “the impact that the surveillance reform legislation may have on cross-border data transfers could turn out to be newsworthy as well.” The post summarizes some of the important elements of the legislation—including how the act reforms the Foreign Intelligence Surveillance Court operations by requiring it to make important decisions, orders and opinions public—and explores the USA FREEDOM Act’s potential to influence more than government surveillance practices. [Privacy Tracker]

US – Google, Viacom Argue Lack of Standing

Google and Viacom are urging courts to reject attempts to revive a previously dismissed suit that claims Nick.com violated privacy laws and used information gleaned from the site to track users under the age of 13. The suit alleges the companies violated the Video Privacy Protection Act and utilized cookies inappropriately, while Google and Viacom see no harm done. Viacom has said, “Nick.com users lack ‘standing’ to sue, because they weren’t injured by the alleged tracking,” the report states. Viacom pointed out the users “argued that Viacom used anonymous data about their Internet activity to facilitate the delivery of the very advertising that makes Viacom’s websites available for free to them and the rest of the public.” [MediaPost] [CVS’s Target deal: Prescription for a privacy disaster]

WW – Experian Releases Breach Legislation Whitepaper

Experian Data Breach Resolution has released a whitepaper on the current state of legislation that shapes how companies must prepare for and respond to data breaches. “Currently, companies face a segmented system of state- and sector-specific data breach laws. At the same time, policy-makers in the European Union, Australia and Brazil are considering new approaches to data breach notification that could impact businesses that engage in global commerce,” Experian notes in its announcement of the new research. “Organizations must ensure they understand and are meeting both the legal requirements and expectations of regulators to protect consumers in the event of a data breach,” said Experian’s Michael Bruemmer. [Full Story] [US – Why Data Privacy Is a Real Campaign Issue in 2016]

US – Globetrotters Changing Data-Collection Methods

The Harlem Globetrotters basketball team will change its method of collecting information from newsletter subscribers, according to a Better Business Bureau (BBB) unit. The basketball exhibition team’s website invites visitors to subscribe to an email newsletter by entering their names, email addresses and ZIP codes. In a section for kids’ games, subscribers were required to check a box stating, “You are 13 or older.” But the BBB’s Children’s Advertising Review Unit said that procedure didn’t comply with children’s privacy guidelines, which require operators of sites directed at children to conduct age screening in a “neutral” way, the report states. [MediaPost]

US – Committee Hears from Advocates, Industry on Drone Regs

Amazon is among those that don’t want drone regulations handled on a state-by-state basis. “Uniform federal rules must apply,” Amazon VP of Global Public Policy Paul Misener told a congressional committee. Privacy advocates, meanwhile, argue drones pose serious potential security concerns, especially since law enforcement use of drones has yet to be regulated. “Here is a nightmare scenario for civil liberties: a network of law enforcement UAS (unmanned aircraft systems) with sensors capable of identifying and tracking individuals monitors populated outdoor areas on a constant, pervasive basis for generalized public safety purposes,” said the Center for Democracy & Technology’s Harley Geiger. “This may seem an unlikely future to some. However, few existing laws would stand in the way.” [BuzzFeed]

WW – Nymity Releases Legal Compliance Tool

Nymity has unveiled a legal compliance requirements solution for privacy officers and lawyers. Nymity LawTables allows users to analyze and visualize compliance requirements across multiple jurisdictions; identify and compare common legal requirements; understand which rules of law require evidence, and reduce privacy risk. The solution allows privacy officers to map accountability to compliance, build tables to demonstrate compliance and map BCRs to laws, among other features. “For years, privacy officers have been asking for a simple way to compare legal requirements,” said Nymity’s Terry McQuay, adding, “After extensive research by our team of privacy and data protection experts, we have met this objective.” [Full Story]

WW – Controversy Over Uber’s Plan to Track User’s Locations When App Isn’t Running

Changes to Uber’s privacy policy, set to go into effect July 15, would allow the ridesharing app to track its users’ location data even when the app isn’t running. But the company is now facing legal troubles over the proposed changes. The U.S.-based Electronic Privacy Information Center (EPIC) submitted a complaint to the U.S. FTC citing concerns over the new data tracking policy, first outlined by Uber in May. The updated privacy policy would allow the app to collect location data about customers when the user’s GPS is turned off, or the app isn’t being used. Uber’s new policy would also allow the app to access the user’s contacts, in order to send special offers to the user’s friends and family. “This collection of users’ information far exceeds what customers expect from the transportation service,” read the complaint submitted by EPIC. “Users would not expect the company to collect location information when customers are not actively using the app.” However, Uber has also made it clear that users will be able to opt out of location tracking features. EPIC argues that forcing users to opt out “places an unreasonable burden on consumers.” [Source]

US – Top Court Throws Out Ordinance Giving Police Access to Hotel Records

The U.S. Supreme Court ruled that a Los Angeles ordinance that lets police view hotel guest registries without a warrant violates the privacy rights of business owners, taking away what the city called a vital tool to fight prostitution and other crimes. In a 5-4 decision, the justices upheld an appeals court ruling that struck down the ordinance, saying it infringed upon hotel operators’ rights under the U.S. Constitution’s Fourth Amendment protections against unlawful searches and seizures. More than 100 other jurisdictions across the United States have similar laws that could be affected by the court’s ruling, the city’s lawyers said in court papers. [Source]

Privacy Enhancing Technologies (PETs)

New Offerings Emphasize Privacy

New social media offerings, Bill Ottman’s Minds.com and Facebook companion app Moments, are completely different in functionality and purpose but are united by the same thing: They plan to stay out of their users’ lives. Minds.com functions similarly to Facebook but places explicit emphasis on privacy by encrypting user messages and information in a way that its competitor does not. “The funny thing about Facebook’s privacy situation is they say, ‘Oh, we have all these privacy settings,’ but they don’t have the option for, ‘Hey, Facebook, I don’t want you seeing my data,’” Ottman said. [International Business Times]

Remote Identification / IoT

WW – W3C’s Auto Division Creating Task Force

The Automotive Working Group, one of W3C’s divisions tasked with creating web standards for the automotive industry to use in smart cars, has announced the creation of a special task force to deal with security and privacy issues. “Many industry reports have confirmed that a significant majority of consumers want safe and secure access to the web from their connected car,” an official announcement states. “We hear this need resonating loudly in the automotive industry.” The task force’s activity will mainly address security-related concerns, but user privacy is also a focus. The group will consider how technologies handle user data, privacy rights and opt-in sharing agreements, the report states. [Softpedia]

US – Car Data “Pre-Standards” to Be Released

Auto Alliance will publish a list of “pre-standards” for the automotive industry regarding its current and future use of in-car data. With an initial release planned for January 1, the standards look to create “a fundamental set of expectations for the collection, use and sharing of vehicle data” and ensure “sensitive personal information” such as location and biometrics “is subject to opt-in selection when data is to be used for marketing or shared with third parties for their own use,” the report states. The standards also aim to make sure “there are restrictions on disclosure of geolocation information to the government.” [eWeek]
WW – Survey Finds Decision-Making Disconnect

The Ponemon Institute and Fidelis Cybersecurity’s Defining the Gap: The Cybersecurity Governance Survey indicates a “disturbing rift in cybersecurity knowledge between those who make decisions and manage the budgets and those who have to implement and manage the security measures.” “Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur,” Fidelis noted in its announcement of the survey. “Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.” Meanwhile, Infor COO Pam Murphy writes for Diginomica about her perspectives on cloud security. [CSO Online]

WW – Wearable Fitness Trackers Tested for Data Leakage and Poor Security

Independent IT security testing authority AV-Test.org has put nine different fitness trackers under the microscope, in order to explore how well they are protecting users’ data. In its investigation, AV-Test.org researchers examined nine fitness wristbands – Acer Liquid Leap, Fitbit Charge, Garmin Vivosmart, Huawei TalkBand B1, Jawbone Up24, LG Lifeband Touch FB84, Polar Loop, Sony Smartband Talk SWR30, Withings Pulse Ox – and found some big differences when it came to their security model. There are a variety of issues raised by the investigation, including that many fitness trackers appear to make it too easy for an unauthorised smartphone to connect to the wristband. Additionally, some of the products failed to properly authenticate that the smartphone app communicating with them was legitimate, opening the door for abuse. [Source]

WW – Collaboration Key to Defense

Representatives from the government, military and academia met at the U.S. Army War College to discuss how best to tackle a large-scale technological attack, deciding that partnerships across the sectors is the best form of defense. “We have to avoid any notion of ‘my turf versus your turf’ because the problem is only going to be solved by collaboration,” said Penn State University Prof. Thomas Arminio. George Mason University Center for Infrastructure Protection & Homeland Security Director Mark Troutman agreed. “You do not want this to be a military approach,” he said. “We are Americans. We secure ourselves at the end of the day with an active and engaged citizenry.” [Government Technology]

US – NSA, GCHQ Targeted Anti-Virus Firms

The latest leak of Snowden-acquired documents reveals that the U.S. National Security Agency and UK Government Communications Headquarters (GCHQ) reverse-engineered software products and monitored the web and email communications of anti-virus software manufacturers, Kaspersky Lab in particular. “Spy agencies seem to be engaged in a digital game of cat and mouse with anti-virus companies,” the report states. “The U.S. and UK have aggressively probed for weaknesses in software deployed by the companies, which have themselves exposed sophisticated state-sponsored malware.” All of the documents supporting these conclusions are here. In related news, GCHQ was found to have illegally monitored two international human rights groups in a case triggered by earlier Snowden revelations. [The Intercept]

US – NSA and GCHQ Sought to Reverse Engineer Security Software

Intelligence agencies in the US and UK made efforts to reverse engineer antivirus and security software, as it hindered their secret investigations. The report is based on documents leaked from the NSA. It appears that the agency and GCHQ focused their efforts on companies including Kaspersky Lab, F-Secure, Avast, Eset, BitDefender, and CheckPoint. [FirstLook] [Wired] [ComputerWorld] [DarkReading]

WW – Software Applications Have on Average 24 Vulnerabilities Inherited from Buggy Components

Many commercial software companies and enterprise in-house developers are churning out applications that are insecure by design due to the rapid and often uncontrolled use of open-source components. Even worse, these software makers wouldn’t be able to tell which of their applications are affected by a known component flaw even if they wanted to because of poor inventory practices. Last year, large software and financial services companies downloaded 240,757 components on average from one of the largest public repositories of open-source Java components. Over 15,000 of those components, or 7.5 percent, had known vulnerabilities, according to Sonatype, the company that manages the repository. [Source]
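The "poor inventory practices" point is the actionable one: without a record of which application resolved which component version, a new advisory cannot be mapped to the applications that need patching. The example below is added here and is not Sonatype's tooling; the application manifests and the advisory feed are constructed, coordinates are Maven-style group:artifact:version, and affected ranges are taken as [introduced, fixed) over numeric dotted versions.

```python
"""Map a known-vulnerable component back to the applications that ship it.

Added example, not Sonatype's tooling. The manifests and the advisory feed
below are constructed; coordinates are Maven-style group:artifact:version and
affected ranges are [introduced, fixed) on numeric dotted versions (assumption:
qualifiers such as '-beta' are ignored when comparing).
"""
from collections import defaultdict

# Constructed: each application's resolved dependency list.
APP_MANIFESTS = {
    "billing-api": [
        "org.example:json-lib:1.2.0",
        "org.example:http-client:4.1.0",
        "org.example:xml-parser:2.0.3",
    ],
    "customer-web": [
        "org.example:json-lib:1.2.0",
        "org.example:template-engine:3.4.0",
    ],
    "batch-jobs": [
        "org.example:json-lib:1.3.1",
        "org.example:xml-parser:2.0.3",
    ],
}

# Constructed advisory feed: (group:artifact, introduced, fixed, advisory id).
ADVISORIES = [
    ("org.example:json-lib", "1.0.0", "1.3.0", "ADV-0001"),
    ("org.example:xml-parser", "2.0.0", "2.1.0", "ADV-0002"),
]


def parse_version(v: str) -> tuple:
    """'1.2.0-beta' -> (1, 2, 0); the qualifier after '-' is dropped."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))


def split_coord(coord: str) -> tuple:
    """'g:a:v' -> ('g:a', 'v')."""
    group, artifact, version = coord.rsplit(":", 2)
    return f"{group}:{artifact}", version


def build_inventory(manifests: dict) -> dict:
    """component coordinate -> set of applications that include it.
    This is the record the article says most shops do not keep."""
    inv = defaultdict(set)
    for app, deps in manifests.items():
        for coord in deps:
            inv[coord].add(app)
    return dict(inv)


def matching_advisories(coord: str, advisories) -> list:
    """Advisory ids whose [introduced, fixed) range covers this exact version."""
    name, version = split_coord(coord)
    v = parse_version(version)
    return [adv_id for (a_name, lo, hi, adv_id) in advisories
            if a_name == name and parse_version(lo) <= v < parse_version(hi)]


def affected_apps(manifests: dict, advisories) -> dict:
    """application -> sorted list of (component, advisory) it must remediate."""
    hits = defaultdict(list)
    for coord, apps in build_inventory(manifests).items():
        for adv_id in matching_advisories(coord, advisories):
            for app in apps:
                hits[app].append((coord, adv_id))
    return {app: sorted(v) for app, v in hits.items()}


def vulnerable_share(manifests: dict, advisories) -> float:
    """Fraction of distinct components in use that carry at least one advisory
    (the same statistic as the article's 7.5 percent, over these manifests)."""
    coords = set(build_inventory(manifests))
    bad = sum(1 for c in coords if matching_advisories(c, advisories))
    return bad / len(coords)


if __name__ == "__main__":
    for app, items in affected_apps(APP_MANIFESTS, ADVISORIES).items():
        print(app, items)
    print(f"vulnerable share: {vulnerable_share(APP_MANIFESTS, ADVISORIES):.1%}")
```

Note that batch-jobs, which already runs json-lib 1.3.1, is correctly left off the ADV-0001 list: an inventory keyed on exact versions is what turns a feed of advisories into a short, specific patch list instead of a company-wide scramble.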

WW – Irony Alert: Password-Storing Company Is Hacked

No one’s safe from hackers — not even LastPass, a company that stores people’s passwords. LastPass lets people store passwords online so they can access them all with a single master password: all your eggs in one basket, which could be a problem. This week, LastPass announced that hackers broke into its computer system and got access to user email addresses, password reminders, per-user salts and salted hashes of people’s master passwords (the authentication hashes used to log in, not the encrypted vaults themselves). [Source]
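What a breach of this kind actually hands over depends on how the master password is used on the client before anything reaches the server. The example below is added here and is not LastPass's implementation; the iteration counts, the domain-separation labels and the 32-byte server salt are assumptions. It derives a vault key and a separate login token from the master password on the client, stores only a salted hash of the token on the server, and then shows what an attacker holding the breached records (email, server salt, stored hash) can and cannot do with them.

```python
"""Separate a client-side vault key from the server-side authentication hash.

Added example, not LastPass's implementation; iteration counts, the labels
and the 32-byte server salt are assumptions. What a server breach leaks
(email, server salt, stored hash) lets an attacker test master-password
guesses offline at the full client-side cost per guess, but never yields the
vault key directly, because the vault key is never sent to the server.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

CLIENT_ITERATIONS = 100_000   # assumption; the real cost factor is a product choice
SERVER_ITERATIONS = 1         # one extra salted round on the server side


def client_secrets(master_password: str, email: str) -> Tuple[bytes, bytes]:
    """Run on the client only. Returns (vault_key, login_token).

    Both come from one PBKDF2 stretch of the master password (email as salt),
    split with different HMAC labels, so knowing the login token does not
    reveal the vault key or the stretched secret."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ITERATIONS)
    vault_key = hmac.new(stretched, b"vault-encryption-key", hashlib.sha256).digest()
    login_token = hmac.new(stretched, b"server-authentication", hashlib.sha256).digest()
    return vault_key, login_token


def server_enroll(login_token: bytes) -> Tuple[bytes, bytes]:
    """Server stores only (server_salt, stored_hash), never the token itself."""
    server_salt = os.urandom(32)
    stored_hash = hashlib.pbkdf2_hmac("sha256", login_token, server_salt, SERVER_ITERATIONS)
    return server_salt, stored_hash


def server_verify(login_token: bytes, server_salt: bytes, stored_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", login_token, server_salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored_hash)


def offline_guess(email: str, server_salt: bytes, stored_hash: bytes,
                  candidates: Iterable[str]) -> Optional[str]:
    """The attacker's position after the breach: replay the whole client
    derivation for each guess. Cost per guess is CLIENT_ITERATIONS plus
    SERVER_ITERATIONS, which is why the client-side stretch matters."""
    for pw in candidates:
        _, token = client_secrets(pw, email)
        if server_verify(token, server_salt, stored_hash):
            return pw
    return None


if __name__ == "__main__":
    vault_key, token = client_secrets("correct horse battery staple", "alice@example.com")
    salt, stored = server_enroll(token)
    print("login ok:", server_verify(token, salt, stored))
    print("offline guess:", offline_guess("alice@example.com", salt, stored,
                                          ["password", "correct horse battery staple"]))
```

The leaked reminders are the weak point this design cannot fix: a reminder that narrows the candidate list makes `offline_guess` cheap regardless of the iteration count, which is why a breach of hashes plus reminders still warrants changing the master password.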


WW – Samsung Addresses Bugging Vulnerability

Researchers at the Black Hat conference in London demonstrated a potentially damaging security vulnerability in Samsung phones, which could have affected up to 600 million devices around the globe. Today, Samsung reached out to Privacy Tech to note it is currently addressing concerns and will roll out security updates in the coming days. This post looks into the updates, why exploiting the vulnerability would have required a rare confluence of events, and the growing importance of hacker culture in helping companies fix security bugs. [Privacy Tech] [WW – Samsung and LG smartwatches leave sensitive data open to hackers]

WW – Samsung Bug Could Affect 600 Million Phones

A newly discovered vulnerability could allow adversaries to monitor Samsung smartphone cameras and microphones, read text messages and install malicious apps, potentially affecting 600 million phones around the world. Researchers demonstrated how it works at the annual Black Hat conference in London, UK. The bug resides in an update mechanism for a customized version of Swiftkey that’s available on Samsung Galaxy S6, S5 and other models, the report states. As of now, there is not much users can do to prevent attacks other than avoiding unsecured WiFi networks. Swiftkey officials said, “We take reports of this manner very seriously and are currently investigating further.” [Ars Technica]

WW – Researchers: LG, Samsung Watches Vulnerable to Hackers

Researchers at the University of New Haven have announced they were able to “easily” extract personal data, from contacts to health information, from LG and Samsung smart watches. “It was not very difficult to get the data, but expertise and research was required,” said Ibrahim Baggili, of New Haven’s Cyber Forensics Research and Education Group. By “poking around” the watches’ internal storage and the smartphones they were linked to, the researchers were able to readily uncover the data, according to V3, because the data was not properly encrypted. Both LG and Samsung say they are currently investigating the findings, which will be presented at a digital forensics conference in August. [Full Story]

WW – Google Eavesdropping Tool Installed on Computers Without Permission

Privacy campaigners and open source developers are up in arms over the secret installation of Google software capable of listening in on conversations held in front of a computer. First spotted by open source developers, the Chromium browser – the open source basis for Google’s Chrome – began remotely installing audio-snooping code capable of listening to users. It was designed to support Chrome’s new “OK, Google” hotword detection – which makes the computer respond when you talk to it – but was installed without users’ permission and, some users have claimed, activated without it too. [Source] [The Guardian]

WW – Listening Tool Now Optional for Chromium Users

Amidst user consternation regarding Google Chromium’s listening software, Google has made the feature optional. While the service in question “uses the computer’s microphone to listen out for the ‘OK, Google’ hotword to trigger voice searches,” users were not given the ability to opt out, the report states. Some expressed concern “Google was downloading a ‘black box’ onto their machines that was not open source and therefore could not be verified to be doing what it said it was meant to do,” the report continues. “As of the newly landed r335874, Chromium builds, by default, will not download this module at all,” Google said in response, adding that if a user so chooses, the service can be obtained via the company’s web store. [Business Insider] [Take Control of Your Google Privacy]

US – In First Opportunity, FISA Court Declines Amicus Panel

Many privacy advocates lauded the portion of the new USA FREEDOM Act that created a new amicus panel of privacy advocates to be consulted by the Foreign Intelligence Surveillance Court when making decisions. However, the FISA Court declined to empanel anyone in making its first post-FREEDOM Act decision, and is allowing the National Security Agency’s bulk collection of call data to continue for six months until a new program of retention by telecom companies can get off the ground. Judge Dennis Saylor ruled that the decision was “sufficiently clear” that the privacy panel was unnecessary. Amie Stepanovich of Access countered, however, “It is the job of the amicus to raise issues that may not be readily apparent on first blush.” [National Journal]

US – Sun Microsystems CEO Talks Surveillance

Scott McNealy is known for his role as cofounder and long-serving CEO at Sun Microsystems, though some remember him for his statement on privacy back in 1999, when he called consumer privacy issues a “red herring,” saying, “You have zero privacy anyway. Get over it.” These days, McNealy is worried about government surveillance. “It doesn’t really bother me that Google and AT&T have information about me, because I can always switch to another provider,” McNealy said. But it’s a different story with government. “It scares me to death when the NSA or IRS know things about my personal life and how I vote,” he said. [IDG News Service]

Telecom / TV

US – Phone Scamming Up 30% Last Year: Report

Retail and finance call centre phone scamming in the US is up 30% according to research. The 2014 findings are based on some 86 million scam calls a month picked up by Pindrop Security in which attackers aimed to obtain personal information on potential victims. The phone security company says one in 2,200 calls is fraudulent, up from one in 2,900 in 2013. The outfit’s annual report says that credit card processors have received the highest number of fraud calls and notes that regional legislation had no effect on the incidence of the crime. Technical support scams are unsurprisingly the most common type of phone fraud, chalking up eight million calls a month, followed by small credit loans and automotive insurance. The report says brokerages, which hold the highest account values, are fleeced an average of $15 million annually, while credit card issuers follow with $11 million and banks trail at $7.6 million. [Source]

WW – IEEE and IETF Announce Successful Trials on WiFi Privacy Risks

IEEE has announced that the IEEE 802 LAN/MAN Standards Committee and the Internet Engineering Task Force (IETF) have successfully carried out three experimental trials addressing privacy risks associated with tracking globally unique media access control (MAC) addresses in WiFi networks. The IEEE study group was formed in 2014 and aims to develop a recommended practice based on the privacy issues related to IEEE 802 technologies. “From the onset, IEEE 802 and the IETF have shared a commitment to mitigate privacy risks for nontechnical users living in a world that increasingly offers constant connectivity,” said Juan Carlos Zuniga, chair of the privacy committee. [Full Story]
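The tracking risk the trials address comes from a station broadcasting its globally unique, vendor-assigned address in probe requests before it ever joins a network, so a passive observer can link sightings of the same device across locations. The example below is added here and is not the IEEE/IETF trial code; the venues and the observer are constructed. The only standards facts it relies on are the two flag bits in the first octet of a MAC address: bit 0 is the individual/group bit (0 for a station's own address) and bit 1 is the universally/locally administered bit (1 means locally administered, not tied to a vendor OUI). It generates a fresh locally-administered random address per venue and shows the observer can no longer link the trail.

```python
"""Why a globally unique Wi-Fi MAC lets a passive observer link sightings, and
how a fresh locally-administered random address per venue breaks the link.

Added example, not the IEEE/IETF trial code; venues and observer are
constructed. Standards facts used: in the first octet, bit 0 is the
individual/group bit (0 = unicast, i.e. a station's own address) and bit 1 is
the universally/locally administered bit (1 = locally administered).
"""
import os
from collections import defaultdict


def random_local_mac() -> str:
    """Fresh random address with the locally-administered bit set and the
    group bit cleared, as a station would use for its probe requests."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac: str) -> bool:
    return bool(int(mac.split(":")[0], 16) & 0x02)


def is_unicast(mac: str) -> bool:
    return not int(mac.split(":")[0], 16) & 0x01


class PassiveObserver:
    """Tracker listening for probe requests at several venues; it keys on the
    source MAC, which is all an unassociated station reveals."""

    def __init__(self) -> None:
        self.sightings = defaultdict(list)   # mac -> [venue, ...]

    def observe(self, source_mac: str, venue: str) -> None:
        self.sightings[source_mac].append(venue)

    def linked_trails(self) -> dict:
        """Addresses seen at more than one venue: each is a trackable device."""
        return {mac: venues for mac, venues in self.sightings.items()
                if len(set(venues)) > 1}


# Constructed burned-in (universally administered) address and venue list.
BURNED_IN_MAC = "00:11:22:33:44:55"
VENUES = ["cafe", "office", "gym"]


def walk(venues, randomize: bool, burned_in_mac: str = BURNED_IN_MAC) -> dict:
    """One device sends a probe request at each venue. With randomize=False it
    uses its burned-in address every time; with True it draws a new
    locally-administered address per venue. Returns the observer's linked trails."""
    observer = PassiveObserver()
    for venue in venues:
        src = random_local_mac() if randomize else burned_in_mac
        observer.observe(src, venue)
    return observer.linked_trails()


if __name__ == "__main__":
    print("static MAC, linked trails:", walk(VENUES, randomize=False))
    print("random MAC, linked trails:", walk(VENUES, randomize=True))
```

Rotating only per venue is the simplest policy; the deployment questions the standards groups are working through (how often to rotate, what to do once associated, and how other identifiers in the probe frame can re-link a device) are exactly what a per-venue address alone does not solve.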

US – Sens. Want Paypal To Reconsider Robocall Policy

Paypal’s new user agreement is drawing heat from four Democratic senators who are calling on the company to reconsider a policy that would force users to receive robocalls and text messages. After July 1, consumers will be unable to opt out of the new terms if they still want to use PayPal services. “Consumers should not have to agree to submit themselves to intrusive robocalls in order to use a company’s service,” wrote Sens. Ed Markey (D-MA), Al Franken (D-MN), Ron Wyden (D-OR) and Robert Menendez (D-NJ) in a letter to PayPal’s president and CEO. [The Hill]

US Government Programs

US – FTC Proposes Gramm-Leach-Bliley Amendment

The FTC has proposed an amendment to its rules under the Gramm-Leach-Bliley Act to allow auto dealers that finance car purchases or provide car leases to provide online updates to consumers about their privacy policies as opposed to sending yearly updates by mail, according to an FTC press release. Under the proposed revision, auto dealers could provide consumers with the privacy policy solely online as long as they also notify consumers that it is available there on a yearly basis. Dealers would still be required to provide consumers with a written copy of the notice upon request, however. The proposed changes will be published in the Federal Register shortly. [Full Story]

WW – Wikileaks, Court Documents Shed More Light on U.S. Spying

The French government has called extensive eavesdropping by the U.S. Government, revealed by Wikileaks, on the private conversations of senior French leaders “unacceptable.” French President Francois Hollande called an emergency meeting of the Defense Council on Wednesday to discuss revelations published by French news website Mediapart and newspaper Liberation about U.S. National Security Agency surveillance. Meanwhile, newly unsealed court documents indicate the Obama administration fought a legal battle against Google “to secretly obtain” the email records of a security researcher associated with Wikileaks. [The New York Times]

US Legislation

The USA FREEDOM Act, FISA and the New Surveillance Landscape

President Barack Obama recently signed the USA FREEDOM Act into law. Hailed as the biggest intelligence reform in 40 years, the FREEDOM Act is considered the first major pro-privacy change to U.S. intelligence law since the original enactment of the Foreign Intelligence Surveillance Act (FISA) in 1978, writes Westin Research Center Fellow Arielle Brown. The USA FREEDOM Act ends the National Security Agency’s bulk collection of U.S. call metadata, among other things. Brown offers an analysis of the new act as well as a redlined version of FISA showing how the USA FREEDOM Act modifies existing law. [Full Story]

EU – Movement on Umbrella Agreement a Life Preserver for Safe Harbor?

A bipartisan bill introduced this week to provide the same data rights to Europeans that Americans have under the Privacy Act of 1974 has received acclaim on both sides of the political aisle. “The judicial redress issue is the last major sticking point in four-year negotiations over the creation of an ‘umbrella agreement’ for the protection of personal data transferred between law enforcement agencies in the U.S. and EU,” the report states. It would also address a major point of contention in the Safe Harbor negotiations. “Without this legislation, the umbrella agreement won’t be accepted,” said German MEP Jan Philipp Albrecht. “It’s parity we’re looking for,” said UK MEP Claude Moraes. “For this step to happen, and to have equivalence, is a very significant move.” Rep. Jim Sensenbrenner (R-WI) was equally pleased and “optimistic that it will be brought to a vote.” [Politico]

US – Other Legislative News


01-15 June 2015


US – Privacy Concerns Over Facial Recognition Test Program at Border

The Department of Homeland Security is making a new push to find immigration violators. A three-month facial-recognition pilot project at Dulles airport is part of larger testing of biometric technology. This fall, customs agents will also begin collecting face and iris scans of people entering and returning from Mexico on foot at a San Diego border crossing. “Looking at things like iris or facial recognition helps us compare that person to the document and confirm their identity” to check against watch lists. But privacy rights advocates are concerned these test projects could lead to a slippery slope, with law enforcement agencies eventually trying to use biometrics to track law-abiding citizens. “This is really just the beginning,” warned Harley Geiger, Senior Counsel at the Center for Democracy and Technology. “The real concern is not so much this particular pilot program, it is that this particular pilot program is a step towards a larger program,” Geiger said. “Not just in ports of entry, but also in public places, mass transit systems throughout the domestic United States.” [CBS News] [CBSN]

CA – Biometric Data Collection Powers In Budget Bill Raise Concerns

The Canadian government wants to collect biometric information from more people entering Canada. It currently collects a digital photograph and 10 fingerprints to verify the identity of foreign nationals from 29 countries and one territory when they apply to temporarily visit, study or work in Canada. Canada’s privacy watchdog and the Canadian Bar Association have raised privacy concerns in submissions to Parliament. Daniel Therrien, Canada’s privacy commissioner, sent a letter to parliamentarians this week to ask about the extent of the changes following testimony by government officials. [Source] [Visitors to Canada who need visa will face biometric screening] [The Star: Ottawa Bankrolls New Screening for Visitors to Canada, New Money For CSIS] [Globe & Mail: Canada Vastly Expands Data Collection of Travellers, Boosts Spy Agency Budget]

CN – First Facial-Recognition Technology ATM Unveiled

China has the first automated teller machine (ATM) with facial-recognition technology. Anti-counterfeit technology experts say the technology should curb ATM-related crimes. The product has passed authorities’ certification and will soon be available on the market. It’s not yet known who will manufacture the ATMs and how facial data will be collected. Some have concerns about privacy and accuracy. [South China Morning Post]

WW – Start-Up Uses Mouse Patterns to Confirm Identity

An Israeli start-up uses “behavioral biometrics” to keep users safe from fraud online. BioCatch maps and logs the way a user habitually moves a computer mouse and then creates a profile. If a user deviates from the logged pattern, it’s clear the user isn’t who he or she claims to be, the report states. [The Tower]

WW – Could “Brainprints” Replace Passwords?

Researchers have found that the human brain’s response to certain words varies to such a degree that it may be possible to distinguish individual “brainprints,” or a unique identifying code. In a small experiment, researchers hooked an EEG to 45 volunteers to measure brain signal response to various words including FBI and DVD. A second computer-based experiment successfully re-identified individuals with 94% accuracy. Brainprints could provide continuous verification, a distinct advantage for authentication. “Passwords or fingerprints only provide a tool for one-off identification. Continuous verification … could in theory allow someone to interact with many computer systems simultaneously, or even with a variety of intelligent objects, without having to repeatedly enter passwords for each device.” [Fast Company]

US – Facial Recognition is Booming, But is it Legal?

Google Policy Fellow at the Center on Privacy and Technology Ben Sobel writes about facial recognition technology and its near ubiquity, in preparation for the next round in the NTIA’s bid for a facial recognition code of conduct. Used by everyone from law enforcement (including a new use by police in the UK ) to retailers to Facebook and Google, there seems to be little notice of the fact that the technology is illegal in both Illinois and Texas, Sobel writes, and a current case may bring definition to just what form of the technology is allowed. “If the law does apply,” he writes, “Facebook could be on the hook for significant financial penalties.” [Full Story]

Big Data

EU – Purpose Limitation Could Have a Limited Future

“The latest Council version of the General Data Protection Regulation provides that personal data may be further processed by the same data controller even if the further purpose is incompatible with the original purpose ‘if the legitimate interests of that controller or a third party override the interests of the data subject,’” state Profs. Lokke Moerel and Corien Prins. They note that the Article 29 Working Party and several NGOs are concerned such a development would render the limitation principle “meaningless and void,” but Moerel and Prins disagree. In a preview of their more in-depth whitepaper, Moerel and Prins argue the Council version “is the only feasible way to guarantee” personal data protection in an era of big data and the Internet of Things. [Privacy Perspectives] [EU Regulators Misunderstand Big Data]

CA – Canadian Political Parties are Embracing Big Data on the Campaign Trail

In recent years, the NDP and Liberals have been racing to catch up to the Conservatives’ ability to amass and analyze voter data. Gone are the days of volunteers standing on doorsteps with a clipboard and voters’ lists, ticking off likely supporters. The modern Liberal canvasser now carries a smart phone or tablet, loaded with the MiniVAN app. It was developed by U.S.-based NGP VAN and used to great effect by Barack Obama’s presidential campaigns. Each volunteer is trained to give a brief homily on why they support the party — the personal touch never gets old — and to then follow a script designed to elicit pertinent information, including party preference, willingness to take a lawn sign, issues of concern, email address and phone number. Responses, along with other information such as a voter’s preferred language, are punched into MiniVAN, which is linked to the party’s central database, Liberalist, where party headquarters can monitor the canvassers in real time. Information gathered by canvassers is combined with publicly available demographic data from the national census, polling results and other data mined from responses to party petitions, email blasts and online and social media campaigns to produce what Liberals refer to as analytics dashboards — complex digital graphs and charts. Dashboards range from a countrywide overview of Liberal prospects down to a microscopic look at voters in each postal code. Digital sliders on each dashboard allow organizers to input a host of demographic variables — age, religion, language, income, children, educational attainment, employment status and so on. [The Canadian Press]

US – Big Data Recommendations Coming Soon

Does the use of health data not covered by HIPAA need more oversight? That’s one of the questions being considered by the Privacy and Security Workgroup of the Health IT Policy Committee as it prepares its report on the use of big data in the healthcare industry. At a June 8 meeting, there was a great deal of discussion about how much transparency patients should have into things like the data generated by medical devices and proprietary algorithms used for decision-making. Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips, LLP, and the workgroup’s chair, “admitted the workgroup has more questions than obvious answers and no consensus about areas of potential harm to consumers.” [Healthcare Informatics]


CA – Bill C-51 Passed By Senate, Despite Widespread Public Opposition

Bill C-51 passed the Senate on June 9 in a 44-28 vote despite Liberal members’ opposition, but those opposed have vowed to fight until it is repealed. Early reports on Twitter suggest that the bill passed with applause from Conservative senators, but OpenMedia has already launched its fightback against the legislation, vowing to call on leaders of all political parties to commit to repealing the legislation as part of their election platforms, after a total of 243,370 Canadians spoke out against it in the months leading up to the Senate’s vote. Speaking just hours before the vote, author Margaret Atwood said that if passed, “many people will continue to think the Senators are a bunch of overpaid, entitled, patronage-appointment rubber-stampers, despite the good work they have sometimes done. And the Ottawa Senators will consider changing their name.”…. Also taking action is lawyer and constitutional expert Rocco Galati, who said that he would contest the legislation in court if it passes. An extension of existing post-9/11 anti-terror laws, the legislation will make it easier for federal agencies to share information — which Galati said includes sharing with foreign governments — as well as let police preventatively arrest terror suspects or restrict their activities. The bill will also allow the public safety minister to add people to Canada’s no-fly list, ban promotion of terrorism, and permit the Canadian Security Intelligence Service to disrupt potential security threats. [The National Observer]

CA – Conservative Groups’ Last Minute Plea to Harper: Stop C-51

The letter is signed by traditionally conservative organizations like the National Firearms Association and Free Dominion, as well as more than fifty individuals. It was facilitated by OpenMedia, the group behind the public campaign against the anti-terror legislation. The groups warn Harper that Bill C-51 will cost the Conservative Party at the polls. [Global News] [Why conservatives, libertarians and gun lobbyists oppose Bill C-51] [Who does anti-terror law threaten?]

CA – Senator Mobina Jaffer Differs With Party Leader and Slams Bill C-51

Jaffer, the first South Asian woman to hold the Canadian Senate post, along with other independent Liberal senators, plans to vote against the legislation citing concerns about rampant information sharing between 17 government agencies, a lack of oversight of that information sharing, the ability of judges to issue warrants for preventative arrest and detention, and an overly broad definition of terrorism that could entangle citizens engaged in civil disobedience, reported CBC News. [Source]

CA – National Security Agencies Too Secretive, Experts Tell Senate Open Caucus

‘In Canada, security is never part of federal elections, so this might be a good and unexpected outcome of our discussion around Bill C-51, however flawed the bill is and will prove to be,’ said University of Ottawa professor Wesley Wark. With regard to Bill C-51, many of the meeting’s witnesses agreed that the legislation will only entrench this culture of secrecy, and will even serve to worsen it in some cases. One provision of the bill would give CSIS the right to go to a Federal Court to seek permission to violate an individual’s Charter rights in order to collect information. This would occur behind closed doors, without the individual’s knowledge or even a special advocate to speak on their behalf. “I have never in my professional life seen a provision like this. It’s unconstitutional on its face,” Cavalluzzo said. “Apart from it being unconstitutional … it’s a secret process.” He went on to note that 14 of the 17 agencies which will be receiving this information have no review mechanism. “What if they make a mistake? What is the citizen going to do?” [Hill Times] [Canada: The Tories have buried many things in omnibus bills]

CA – Torture Survivor Turned Author Voices Fears Over Bill C-51

“Bill C-51 is vague, reactionary, and open-ended, and it leaves citizens with very little protection. It was passed in the House [of Commons] with very little debate and has pushed its way to the Senate. Democracy is fragile, and when damaged, it is extremely difficult and costly to mend,” said Nemat, who wrote Prisoner of Tehran and After Tehran, detailing her experiences and their aftermath. [National Observer] [What if C-51 is Just the Edge of a Slippery Slope?]

CA – OpenMedia Crowd-Sources Anti-Surveillance Privacy Plan

We learned that the CSE spied on law-abiding Canadians using the free Wi-Fi at Pearson airport, and monitored their movements for weeks afterward. We learned that CSE is monitoring an astonishing 15 million file downloads a day, with Canadian Internet addresses among the targets. Even emails Canadians send to the government or their local MP are monitored — up to 400,000 a day according to CBC News. Just last week we discovered CSE targets widely-used mobile web browsers and app stores. Many of these activities are not authorized by a judge, but by secret ministerial directives like the ones MP Peter MacKay signed in 2011. CSE is not the only part of the government engaged in mass surveillance. Late last year, the feds sought contractors to build a new monitoring system that will collect and analyze what Canadians say on Facebook and other social media sites. As a result, the fear of getting caught in the government’s dragnet surveillance is one more and more Canadians may soon face. [Source]

CA – Eyes on the Spies: Canadians Deserve Accountability

The findings from our crowdsourcing process make clear that Canadians dislike excessive secrecy around government spying. There was strong support for a wide range of measures to improve the accountability, oversight and transparency of surveillance activities. Notably, 94.1% of Canadians want an all-party parliamentary committee to conduct a thorough review of Canada’s existing oversight mechanisms, and make recommendations for improvements. And 87.9% want independent bodies to oversee CSE and the Canadian Security Intelligence Service (CSIS), and issue regular reports to the public. [Source]

CA – Millions for Surveillance — Nickels for Privacy

The CSE’s official watchdog has a staff of just eight and an annual budget of only $2 million, yet it’s expected to keep tabs on a rapidly expanding spy agency with over 2,000 employees and an annual budget of over $820 million. CSIS also suffers from a severe oversight deficit. In fact, the government shut down the office of the CSIS inspector general, which was responsible for reviewing day-to-day CSIS activities. All that’s left now to oversee CSIS is the part-time, resource-starved Security Intelligence Review Committee (SIRC). Over the years, SIRC has repeatedly complained it has insufficient powers to hold CSIS accountable — complaints that the government has ignored. It’s no wonder that SIRC is now taking an average of three years to investigate complaints against CSIS. [Source]

CA – ‘You Could Be Branded Terrorists’: RCMP Officer to Demonstrators

“Whenever you’re attacking the Canadian economy you could be branded a terrorist, right?” the officer says a little bit later. “Which is not necessarily what’s going to happen, but it could happen.” It’s unknown whether “they” was in reference to the Conservative government, the Department of Justice or law enforcement brass. And it’s also unclear whether the officer was relaying his personal opinion about the bill or repeating interpretations and analysis from the media. [Source]

CA – Federal Politicians Limit Debate Time on Privacy Breach Notification Bill

Bill S-4 “would require organizations to keep records of data breaches of any kind,” [Privacy Commissioner] Therrien said at the time. “We will be able to review their records to determine whether or not appropriate breach notification has occurred, and it will allow us to determine trends generally on the issues so that better advice can be given to organizations and individuals.” …But Tamir Israel, staff lawyer for the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, told the committee his organization is “concerned that the standard for notifying the Privacy Commissioner is too high.” Israel contended at the time that it is “very useful to have notification directly to the Privacy Commissioner of a majority of breaches for tracking purposes and to generally improve incentives to adopt rigorous technical safeguards.” [Canadian Underwriter]

CA – Ontario Province Introduces Privacy Legislation for Healthcare Data

The government announced sweeping changes to provincial health privacy laws this week in a bid to deter health professionals from snooping into medical records. Speaking at a press conference in Queen’s Park, Health Minister Dr. Eric Hoskins said proposed changes to the Personal Health Information Protection Act (PHIPA) included mandatory reporting of all health-related privacy breaches to the Information and Privacy Commissioner. Hoskins said he was acting on every single recommendation he had received from privacy commissioner Brian Beamish to strengthen PHIPA. This announcement comes on the heels of a Star investigation that unveiled thousands of health-related privacy breaches have gone unreported to the privacy commissioner because of a legislative loophole allowing hospitals to handle these violations behind closed doors. The Star investigation also outlined how Ontario, which used to be at the forefront of health privacy laws in Canada, was now lagging behind other jurisdictions that have moved toward mandatory reporting of health privacy breaches. Hoskins said the proposed law changes would not only make it compulsory for Ontario hospitals to report every single health privacy breach to the commissioner, but they would also have to report all health professionals disciplined for snooping to their relevant regulatory college. Hoskins also said the government was proposing to remove “a serious barrier to prosecuting breaches of patient privacy” by eliminating the six month deadline to prosecute. Under the proposed changes, the fine for individuals caught snooping would be doubled from $50,000 to $100,000 and organizations from $250,000 to $500,000. [Source] [Privacy breaches often not due to technology failure: PLUS Canada speakers] [Tech firms need to use data ethically around the internet of things]

CA – Ontario Moves to Limit Police Sharing Non-Conviction Information

A proposed new law would prevent the inappropriate release of non-conviction or non-criminal mental health information. Under the act, non-conviction records such as withdrawn or dismissed charges, acquittals and findings of not criminally responsible by reason of mental disorder could only be disclosed through some vulnerable sector checks for people working or volunteering with children and seniors. Police will have to consider factors such as how long ago an incident took place, if the record relates to predatory behaviour around a vulnerable person and whether the records show a pattern of such behaviour before deciding whether to release those records in a vulnerable sector check. The Police Records Check Reform Act was met with widespread support, including the Canadian Mental Health Association, the Ontario Association of Chiefs of Police and the Canadian Civil Liberties Association. [The Star] [National Post] SEE ALSO: [Toronto: John Tory calls for full stop to carding, citing ‘eroded public trust’] [Toronto police Chief Mark Saunders defends lawful carding after mayor objects]

CA – Kent Enacts New ATIPPA Law

In early March, the independent review committee led by former Newfoundland premier Clyde Wells delivered a comprehensive report into the province’s access to information system, along with proposed legislation to completely overhaul it. Public Engagement Minister Steve Kent says the government is — mostly — ready for the new access to information law that was formally enacted on Monday. The new law has been rated as the strongest freedom of information legislation in the country. [Telegram]

CA – Manitoba to Allow Victims to Sue for Intimate Photos Distributed Without Consent

Manitoba has introduced a law that would allow victims who had intimate images distributed without their consent to claim damages and recoup any profits from the crime. Attorney General Gord Mackintosh said the law would be the first in Canada to make it easy for victims to sue for everything from an injunction to punitive damages. The province would also partner with the Canadian Centre for Child Protection to boost funding for its tipline, which helps remove intimate images from the Internet and links victims with support. Social media has made it easier to harass and shame a person with an intimate image, Mackintosh said. [The Winnipeg Free Press]

CA – Law, Privacy and Surveillance in Canada in the Post-Snowden Era

I am delighted to report that this week the University of Ottawa Press published Law, Privacy and Surveillance in Canada in the Post-Snowden Era, an effort by some of Canada’s leading privacy, security, and surveillance scholars to provide a Canadian-centric perspective on the issues. The book is available for purchase and is also available in its entirety as a free download under a Creative Commons licence. [Michael Geist] [Canadians Have Good Reason to Be Wary of the TPP: Geist] See also: [Timothy Banks of Dentons Canada explains the requirements that prevent data from leaving Canada]

CA – OPC’s New Priorities – Commissioner Therrien Provides an Overview

The OPC will address these priorities through exploration of technological solutions, promoting good privacy governance, and enhancing public education. Other strategies to address these priorities will involve addressing challenges relating to privacy in a borderless world and the way in which these priority issues affect vulnerable groups. [OPCC] [Daniel Therrien: Appearance before the Senate Standing Committee on Legal and Constitutional Affairs on Bill C-26, the Tougher Penalties for Child Predators Act]

CA – Penalties that do not Punish: The Canadian Anti Spam Legislation

If Compu-Finder had a valid due diligence defence resulting in a finding that they did not violate CASL, the reputational damage arising from headlines referring to million dollar penalties is hard to undo, if not impossible. Moreover, in light of the CASL legislation that permits penalties to be assessed prior to liability, a company that is exonerated would have no legal recourse to recover damages caused to its business reputation. Imagine if this were the process in regulatory offence procedure whereby the prosecutor announced that a company was charged with violating occupational health and safety law and in the same breath stated that the fine would be $1.1 million. For a more extreme example, imagine a prosecutor stating to the media before a trial commenced that the sentence for a person charged with fraud should be seven years in the penitentiary. Such conduct would violate the presumption of innocence. Therein lies a key distinction. Administrative monetary penalties are not offences and do not attract Charter protection. [Global Compliance]

CA – Scarborough Hospital Privacy Breaches Lead to 19 Charges

Five people have been accused of criminal and securities offences over the sale of new mothers’ confidential records. In all, the personal health information of nearly 14,000 maternity patients at Rouge Valley Health System may have been stolen and sold, including the more than 8,000 patients from its Scarborough site and a further 6,000 at its Ajax hospital. Ontario’s information and privacy commissioner reported in December that the hospitals had “failed to comply” with their legal obligations to protect personal health information. [CBC]

CA – Ex-Privacy Commissioner Pans Bell’s Ill-Fated Ad Tracking Program

“We pay for Bell service and they’re gaining at the other end by driving ads to us that we don’t want,” Ann Cavoukian, Ontario’s former information and privacy commissioner, said during a panel Monday at the Canadian Telecom Summit. “That’s not a good model. Customers don’t like this, and I’m a Bell customer.” Bell was tracking every website a consumer viewed, every app opened, every television show watched and every call made. Through the contentious relevant advertising program (RAP), the telco would marry these insights and other long-compiled account details to create a profile of users, which would then be sold to fee-paying third parties so they could better target and match their advertising initiatives. [Source] SEE ALSO: [IT World: Cavoukian: Telus Shows How Big Data and Privacy Can Work Together] [Why privacy must be baked into the Internet of Things] and [RILEY, Thomas B. Riley Obituary]


US – Consumers Don’t Back Privacy-Personalization Trade-Off

A majority of U.S. consumers do not think trading privacy for personalized services is a fair deal, according to a survey by the University of Pennsylvania’s Annenberg School for Communication in which 55% of respondents said they disagreed or strongly disagreed that it’s acceptable for stores to use shoppers’ information “to create a picture of me that improves the services they provide for me.” The study’s lead author said, “Companies are saying that people give up their data because they understand they are getting something for those data … But what is really going on is a sense of resignation,” adding, “Americans feel that they have no control over what companies do with their information or how they collect it.” [The New York Times] [Americans Resigned to Giving Up Their Privacy, Says Study] [The Online Privacy Lie Is Unraveling]


US – OPM Data Breach: Raising Enforcement, Privacy Protection Questions

The government has an important responsibility to protect PI that it retains—whether that is the PI belonging to government employees retained by OPM, or financial information belonging to private citizens retained by IRS. But what are the consequences when government fails to protect information, as compared to when a corporation fails to protect information? The FTC and other government regulators are taking a hard look at, and in some cases bringing enforcement actions against, companies for inadequate data protection practices. (The issue of how the FTC decides to bring cases is itself an issue, as highlighted in this recent FOIA case filed against the agency). The question arises: what is the appropriate mechanism for ensuring that OPM or any other government agency is accountable for data protection? And who or what entity is in the position to judge whether government agencies’ data protection practices are adequate? [Source]

CA – IPC: Letter to the Treasury Board on the draft Open Data Directive

In this letter to the Deputy Minister Greg Orencsak, Treasury Board/Secretary of Treasury Board and Management Board of Cabinet, the Commissioner Brian Beamish congratulates the government for the release of the draft Open Data directive and offers his recommendations on the best ways to move forward on the Open Government initiative. His recommendations include:

  • Ensuring the protection of personal information is explicitly highlighted when opening new data sets.
  • Requiring de-identified data to be periodically reviewed so that it cannot be linked to individuals.
  • Direction on how to further open up access to the government procurement process and disclosure of contracts.
  • Requiring that descriptions of data sets are accessible and understandable. [Text of letter] [Source]


WW – Facebook Supports Encrypted Emails

In a move designed to improve the security of email communications, Facebook has announced it is gradually rolling out a new feature that will allow users to encrypt messages sent from Facebook to a preferred email account. Users will be able to add OpenPGP public keys to their profiles, allowing for end-to-end encryption. Public key management is not yet supported on mobile, but, the blog post states, “we are investigating ways to enable this.” Earlier this year Facebook announced that it will help fund the development of GnuPG, an open source implementation of the OpenPGP standard. The company began encrypting all of its web traffic in 2013, making it harder for crooks and spies to eavesdrop on communications, and last year it added support for the anonymity tool Tor. Also, WhatsApp, the messaging company Facebook acquired last year, incorporated an encryption system from Open Whisper Systems into the Android version of its app last year. [New Facebook Feature Shows Actual Respect for Your Privacy] [Full Story] [Facebook Introduces PGP Encryption for Sensitive Emails]

US – MIIT Reg Provides Insight on User Consent

China’s telecommunications regulator, the Ministry of Industry and Information Technology (MIIT), has promulgated a new regulation aimed at cracking down on spam messages. Scott Livingston writes about the Administrative Provisions on Telecommunications Short Message Services that governs the sending of commercial solicitations by text or in-app messaging. “Although mainly targeting commercial solicitations, the SMS regulation provides additional guidance on the issue of ‘user consent’ that is likely to be of interest to companies involved in data collection activities in the Chinese mainland,” Livingston writes. The regulation “indicates that MIIT is taking a more sophisticated view of how consent is obtained,” he adds. [Full Story]

Electronic Records

US – Study: Privacy vs. Data Sharing: A “False Dichotomy”

Healthcare privacy and data sharing are not mutually exclusive, according to Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “I don’t want to set this up as a zero-sum game where in order to get privacy you have to abandon data sharing or in order to do data sharing you have to abandon privacy,” Samuels said, calling the idea that privacy and data sharing are always at odds a “false dichotomy.” Samuels also discussed how the OCR plans to employ audits “as a tool to get out in front of potential privacy and security problems before they occur.” [FierceHealthIT]


WW – UN Report: Encryption is a Human Right

A new report from the United Nations states that encrypted communications are needed to protect freedom of opinion and expression and that encryption is a human right. UN Special Rapporteur David Kaye said encryption creates a “zone of privacy to protect opinion and belief.” He added, “The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.” [The Intercept] See also: [Microsoft’s Top Lawyer Says Company Must Weigh Encryption Limits]

US – Gov’t Websites Must Switch to HTTPS Before 2017

The White House Office of Management and Budget (OMB) announced that all federal websites are now mandated to be encrypted under a secure connection. While policy-makers acknowledge that the switch to HTTPS only covers the connection and not the systems themselves, the OMB believes the move “will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature and create a stronger privacy standard government-wide,” the report states. The change, which has a deadline of December 31, 2016, aims to promote “better privacy standards for the entire browsing public.” [Source]

US – App Claims NSA-Proof Encryption

USMobile has released the Android app Scrambl3, an encryption tool “developed in collaboration with the NSA” that does not have a “backdoor” for law-enforcement monitoring. While the goal of the app is to afford smartphone users more comprehensive privacy—the company has vowed not to collect data gleaned from the app on its own servers—its security is such that it has garnered “a special U.S. export license” so as to keep it from the hands of countries with known terrorist activity. Jon Hanour, cofounder and president of USMobile, stands by Scrambl3’s abilities. “We believe the NSA cannot break our encryption,” he said. [Yahoo Tech]

US – Facebook Moves to Encrypt the Emails it Sends Users

With anti-surveillance, kill-that-damn-Patriot Act fever rising, both US and UK governments and law enforcement agencies have been gnashing their teeth over strong encryption, given that it scrambles communications for those who don’t have the correct key to decrypt them. For example, Apple and Google both annoyed US law enforcement by updating their mobile devices to have encryption turned on by default – a move that went “too far,” FBI Director James Comey said. With OpenPGP, Facebook aligns itself with all those annoying tech companies opting for strong encryption on their users’ communications. [Naked Security]

US – Recent Thefts Indicate Encryption Is a Must

After payroll processing organization Heartland Payment Systems had unencrypted computers stolen from its Californian headquarters—the second such recent theft—critics are calling for more comprehensive data protection that includes the “physical” elements as well as the digital. This comes on the heels of a recent lawsuit from consumers allegedly affected in the Home Depot data breach, who claim the corporation had “overarching complacency when it came to data security.” The author writes, “If you are responsible for or you work in security for an organization, be sure to review where your data actually is and map that to where you think that it should be.” [Forbes]

WW – Philip Zimmermann: King of Encryption Reveals His Fears for Privacy

Zimmermann and Snowden are 30 years apart in age, but their actions have framed the privacy debate. Zimmermann switched his focus from campaigning against nuclear weapons to pushing back on state snooping in 1991, when he released PGP for free over the internet in an act of political defiance. His protest helped prevent legislation which would have forced software companies to insert “backdoors” in their products, allowing the government to read encrypted messages. The creator of PGP has moved his mobile-encryption firm Silent Circle to Switzerland to be free of US mass surveillance. Here he explains why. [Source]

AU – Crypto Party Craze: Australians Learning Encryption

A new kind of party craze has many Australians scrambling for invitations. Crypto parties, where people gather to learn online encryption, are attracting everyone from politicians, to business people, to activists. Two years after US spy agency contractor Edward Snowden leaked documents from the National Security Agency, exposing mass global internet surveillance, there is rapidly growing interest in protecting online activity. There have been crypto parties in Brazil, Germany and the UK, and more than a dozen have already been held in Australia. Apps like Wickr, Confide and WhatsApp have taken encryption out of the geek lab and to the masses. [Source]

EU Developments

EU – New EU-US Data Transfers Agreement Due Soon, Says US Official

EU and US officials should agree a new framework for the transfer of personal data by companies from the EU to the US “very, very soon”, a US official has said. The new agreement would replace the safe harbour framework which currently exists and facilitates the transfer of personal data from the EU to the US by US businesses. [Out-Law] [Reuters] [EU Justice Commissioner Vera Jourová has said European regulators are waiting for the U.S. to move on the use of personal data by its intelligence services before any further progress resumes on the future of the Safe Harbor agreement.]

EU – Fate of Safe Harbor in Limbo as EU Waits for U.S. to Budge

EU Justice Commissioner Vera Jourová has said European regulators are waiting for the U.S. to move on the use of personal data by its intelligence services before any further progress resumes on the future of the Safe Harbor agreement. Of the 13 recommendations sent to the U.S., two remain unfulfilled. “There, we’re still negotiating because we haven’t received satisfactory responses from the American side,” she said. European Data Protection Supervisor Giovanni Buttarelli said, “We are aware about the difficulties but at the same time, it’s time to have an answer from the U.S. side—on the commercial dimension and on the national security exception.” Additionally, U.S. Attorney General Loretta Lynch is meeting with Jourová and other EU officials Tuesday to discuss transatlantic cooperation. [EurActiv] See also: Jan Dhont and Alyssa Cervantes report on the European Court of Justice’s examination of a key question concerning the future of transborder data flows between the U.S. and EU.

EU – New Guidance on Processor BCRs Published by Art 29 WP

The Article 29 Working Party published new guidance on data processor BCRs, the significance of which “cannot be overstated.” That’s because the updated document offers guidance on how processor BCR companies should respond to government requests for access to data, a topic of great contention in Europe since the Snowden revelations. It puts companies in a catch-22, because it suggests companies receiving a government request for data put the request on hold and share with the relevant European DPA—something which may not be possible under foreign legal requirements. [Privacy and Information Law Blog] [Handling Government Data Requests Under Processor BCR]

EU – GDPR Trilogue Agenda Released

Group PPE has released a timetable for finishing up the European Parliament’s data protection reform, including an agenda for the highly anticipated trilogue process that details the proposed six-month schedule. This puts the proposed EU General Data Protection Regulation in the final stretch of what has surely been a marathon-like process. Hogan Lovells Partner Eduardo Ustaran breaks down the remaining hurdles and offers his predictions in this final stretch. Moving forward, “the challenges that lie ahead will be a real test of endurance,” he writes. [Source] [Privacy Perspectives] See also: [In the context of French, Spanish, German and Dutch regulators’ investigations into Facebook’s practices, The New York Times reports on the increasingly complex questions surrounding regulation in the EU] [In a blog post for Hogan Lovells’ Chronicle of Data Protection, Partner Eduardo Ustaran examines the much-discussed one-stop-shop proposal]

EU – EU Governments in Disagreement Over Data Breach Liability Rules

EU governments are in disagreement over whether consumers should be able to sue businesses for damage they suffer as a result of a data breach even where those businesses are not responsible for the damage caused. The leaked papers also reveal that there is disagreement about whether data controllers and data processors should share the bill for damages where they are both responsible in part for non-compliant processing of personal data. This would require consumers to sue each of the businesses involved in that processing to recover from them what they each owe for the damage caused. [Out-Law]

EU – German Gov’t Proposes Telecom Data Retention Law

The draft data retention law unveiled on Wednesday would oblige providers to store call and Internet traffic metadata for a maximum of 10 weeks while location data would have to be stored for four weeks, the German government said. The measure is meant to help law enforcement agencies in their fight against terrorism and serious crime. According to the government, it strikes the right balance between freedom and security in the digital world. However, plans to retain metadata for these purposes are controversial in Germany and the draft law was immediately heavily criticized. [PC World] [Revised Data Retention Sought by Merkel Cabinet] [A draft German data retention law has been released, establishing new rules for telecommunications and Internet providers.] See also: [The Guardian offers an outline of new surveillance powers proposed in the UK and what they would mean for businesses]

EU – DPC Doubtful Proposal Is Constitutional

Data Protection Commissioner Andrea Voßhoff is criticizing the government’s bill on data retention, saying it not only amounts to a disproportionate violation of Germans’ basic civil rights but also those of other Europeans. Voßhoff wrote in a 31-page position paper that the government’s bill is “still not capable of” alleviating “considerable doubts regarding the general constitutionality” of data retention in telecommunications traffic, the report states. The bill would allow retention of all citizens’ telephone and Internet communications for 10 weeks. Voßhoff said the bill interferes with laws protecting the basic right to respect for private and family life and to the protection of personal data. [EurActiv]

UK – UK Intelligence Agencies Should Keep Mass Surveillance Powers: Report

UK intelligence agencies should be allowed to retain controversial intrusive powers to gather bulk communications data, but ministers should be stripped of their powers to authorise surveillance warrants. That is the conclusion of a major report on British data laws published this week that proposes changes to the oversight of GCHQ and other intelligence agencies. The 373-page report, A Question of Trust, by David Anderson QC, also comes in response to revelations by the US whistleblower Edward Snowden about the scale of government surveillance disclosed two years ago. GCHQ will be happy to have retained its bulk collection powers while privacy campaigners will be dismayed. The privacy lobby will take comfort though in the shift on warrants to judicial control. The security agencies are likely to be relaxed about judicial control, which would bring the UK into line with the US and many other intelligence-gathering countries. As a direct consequence of the Snowden revelations, the report recommends that existing legislation on surveillance, the Regulation of Investigatory Powers Act (Ripa), be scrapped and fresh legislation drafted from scratch. The report by the official reviewer of counter-terrorism laws was commissioned by David Cameron in July last year. The findings are likely to feed into proposed legislative changes on surveillance announced in the Queen’s speech. [The Guardian]

EU – GCHQ Uses Data Techniques Outlawed In US, Say Campaigners

Privacy International has filed a legal claim and called for an end to the harvesting of ‘bulk personal datasets’ by the UK, following last week’s passing of the USA Freedom Act. The passing of the USA Freedom Act last week curtailed so-called “section 215” bulk collection of phone record metadata – information about who called whom, and timings, but not the content of conversations. It was a victory for the libertarian cause and a restriction of state surveillance powers. By contrast, UK privacy campaigners say, parliament’s Intelligence and Security Committee (ISC) has confirmed that GCHQ is still collecting datasets relating to “a wide range of individuals, the majority of whom are unlikely to be of intelligence interest.” [Source] [MPs Tom Watson and David Davis, with civil rights group Liberty, will petition the UK High Court in opposition to the Data Retention and Investigatory Powers Act, a measure that enabled the UK government to have “more surveillance power and Internet control” and allegedly competes with the European Convention on Human Rights] [Tim Berners-Lee Criticizes New Surveillance Plans of the British Government, Urges Britons to Fight the Snooper Charter]

UK – Legal Bid Over Personal Dataset Use

Privacy campaigners have launched a legal challenge against the use of large databases of personal information by Britain’s spy agencies. They are calling for watchdogs to intervene to end a technique which is seen as an “increasingly important investigative tool” for intelligence agencies. Privacy International said it lodged a claim at the Investigatory Powers Tribunal (IPT) objecting to the use of “bulk personal datasets” by MI5, MI6 and listening post GCHQ. They contain information which may be “extremely intrusive and sensitive” about “very large numbers of people, the majority of whom are of no legitimate intelligence interest whatsoever”, legal papers from the campaign group allege. Privacy International is calling on the IPT to declare the use of the datasets unlawful and issue an injunction blocking their future use. The Home Office said all surveillance activity is carried out in accordance with a “strict legal and policy framework”. Details about the use by security services of bulk personal databases emerged in a report by MPs earlier this year. The Intelligence and Security Committee (ISC) said they are “large databases containing personal information about a wide range of people” which vary in size from hundreds to millions of records. They are used to identify “subjects of interest” during the course of investigations, establish links and as a means of verifying information obtained through other sources. The report said GCHQ told the committee it considers bulk personal datasets to be an “increasingly important investigative tool” which is primarily used to “enrich” information already obtained through other techniques. [Source]

EU – What to Look Out for in Britain’s New Surveillance Bill

The government intends wholesale reform, but will it perpetuate a dark history of invasion of privacy or follow the US example, and end invasive surveillance? It is now clear that the government intends to pursue wholesale reform of surveillance law in the UK in the guise of the investigatory powers bill, which the government would like to see passed within a year. In some ways, this is a positive development: after two years of intense scrutiny by courts and committees, Britain’s legal framework for surveillance has been found desperately wanting, and a decision to overhaul surveillance law, rather than simply extend powers by attempting a revival of the snooper’s charter, raises the prospect that the government may be taking heed of some of the criticisms it has received. On the other hand, the investigatory powers bill could well turn out to be the government’s attempt to correct the technical legal failings of the current framework, insulating it from the inevitable criticism of the European court of human rights, while acquiring even more invasive surveillance powers. [Source]

EU – Senate Vote “Essentially Ensures” New Law

The French Senate has supported a new surveillance bill that would give intelligence agencies more freedom to monitor phones and email without a judge’s permission. By a vote of 251 to 68, the Senate took “a major step toward giving its spy agencies vast new powers in the wake of the deadly Charlie Hebdo attack,” the report states, noting the bill, which includes “a clause that would allow intelligence agencies to collect and analyze user metadata,” gives “law enforcement more power to monitor citizens without first going through the customary independent nine-person panel.” The Senate’s vote “essentially ensures the eventual adoption” of the legislation, the report states. [The Christian Science Monitor]

EU – Breach Notice Becomes Law in The Netherlands

Under the new law, the CBP will have the authority to impose administrative fines ranging from €20,250 for relatively minor violations of the DPA to €810,000 for more serious violations. If the maximum fine is not deemed to be a suitable punishment, the CBP may also impose an administrative fine equal to 10% of the net annual turnover of the company in the preceding year. The law sets out specific circumstances in which the maximum fine may be imposed, but the imposition of the maximum fine requires the CBP to first give the offender a warning to rectify the breach, a so-called “binding instruction.” [DataProtectionLaw] [Data Guidance]

EU – CNIL to Investigate Data Privacy in Contactless Payments and Digital Health

The data protection authority in France is to review whether the use of contactless payments technology in the country respects consumers’ privacy. “CNIL is likely to be interested in the type of data that is being collected through contactless payments systems and whether the collection of that data is proportionate.” “CNIL will also want to ensure that sensitive payment data is not retained or is securely protected from hackers and that consumers’ right to object to the processing of their data via contactless payment systems is being observed.” “Data security in contactless payments is another issue CNIL will be concerned with and it will have a number of questions for companies about the steps they are taking to keep the sensitive account details of consumers private.” [Source] [France’s Data Protection Authority, the CNIL, has promised a focus on “contactless payments, Binding Corporate Rules and wellness and health devices and services” in the coming year, and it plans to inspect 550 organizations in 2015]

EU – CNIL Shows Regulatory Interest in Connected Cars and Smart Cities

The CNIL reported that it received over 5,000 complaints in 2014 and conducted over 400 investigations, including 146 remote investigations (the CNIL is empowered since March 2014 to conduct remote investigations). It also issued 62 cease and desist letters, ordered eight monetary fines and seven warnings in 2014. In addition, the CNIL revisited the actions it took in 2014, including the publication of “compliance packs” for certain industry sectors, such as the insurance sector (see our blog post of December 2014), the adoption of an accountability standard and the creation of a hub within the CNIL which is dedicated to BCRs. [Source]

EU – CNIL to Google: Delist on All Domains, or Else

The CNIL, France’s Data Protection Authority, has issued a report stating Google has not been universally removing links following the Court of Justice of the EU’s recognition of “the right to delisting” last year. “In this context, the president of the CNIL has put Google on notice to proceed, within a period of 15 days, to the requested delisting on the whole data processing and thus on all extensions of the search engine,” the CNIL announced. Meanwhile, former UK GCHQ Director David Omand described Google as one of the few companies willing to work with intelligence agencies. Separately, Dan Shefet, the Danish lawyer who was able to have Google remove “defamatory information about him worldwide,” met with the EU to discuss ways to make the right-to-be-forgotten easier to implement, Reuters reports. [Full Story] SEE ALSO: [Italy’s Data Protection Authority, the Garante, has issued a data protection handbook for employers to use as a tool in navigating privacy regulations that are applicable to the employment relationship.] [Italy’s new cookie policies came into effect last week]

Facts & Stats

US – Survey Indicates Change in Security Practices Needed

The Informatica Corporation’s recently published survey, “The State of Data Security Intelligence,” indicates that IT professionals are concerned about “escalating” privacy worries at work and the relative ineptitude of companies regarding data breaches, concluding there is a “need for consensus for data security intelligence.” The study involved more than 1,700 IT professionals, and 55% of those who “have had a breach in the past 12 months believe it could have been avoided if certain processes and intelligent technologies had been in place,” the report states. The findings indicate change is needed, said Larry Ponemon. “Organizations need to seriously consider adopting a data-centric security stance without delay. To do otherwise may soon be construed as negligence.” [Full Story]

US – Data Breach? Blame the CEO

A recent New York Stock Exchange and Veracode survey of 200 corporate directors finds that a majority of board executives place the blame for data breaches on CEOs over security teams, and the reason for doing so might be money. “That the directors are holding entire executive teams accountable ahead of security officers may reflect their acknowledgment that maintaining defenses costs time and money, and that higher-ups tend to hold the purse strings and set the priorities within organizations,” the report states. “Indeed, security officers can easily be hamstrung if they don’t receive the resources they need.” [Fortune]

CA – Cost of an Average Canadian Data Breach is $5.3 Million: Study

CSOs who need a weapon to convince management to up the IT security budget can throw this at them: The average cost to an organization of a data breach in Canada last year was just over CDN$5.3 million — about $2 million higher than the global average. That’s according to research conducted by the Ponemon Institute and sponsored by IBM, which looked at the actual costs of data loss or theft suffered by 21 Canadian companies in 11 industry sectors. The costs were based upon estimates provided by the organizations interviewed over a 10-month period. Ponemon acknowledges that the 21 companies sampled were not statistically representative of all companies here that suffered a breach last year. Note that’s an average cost: The study didn’t include organizations that lost over 100,000 records because they wouldn’t have been representative of most breaches. (The average number of lost records in the group was just over 20,400. The biggest number of lost records among the 21 firms studied was 74,550). Among the report’s highlights:

  • The biggest component of the CDN$250 per record cost of data breach in the studied companies was detection and escalation ($91). Post data breach response (ex-post response) and lost business were $67 and $84, respectively. Customer notification costs represented $8 per compromised record;
  • Certain industries had higher data breach costs. Financial, services, technology and energy had a per capita data breach cost substantially above the average $250. Public sector, education, and consumer organizations had a per capita cost well below that;
  • Malicious or criminal attacks caused the most data breaches. 52% of incidents involved data theft for criminal misuse. System glitch and employee negligence or human error both represented 24% of all data breaches;
  • Incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement, CISO appointments, business continuity management and insurance protection decreased the per capita cost. However, third party involvement, lost or stolen devices, quick notification and engagement of consultants increased the cost.

The report was one of a series released last week covering Canada, U.S., the U.K., Germany, Australia, France, Brazil, Japan, Italy, India, and the Arabian region. [Source]

UK – Average Data Breach Costs £4.25M

An annual study from the Ponemon Institute and IBM found that the average per capita cost of a data breach increased to US$217 in 2015 from $201 in 2014. Plus, the average total cost of a data breach increased to $6.5 million from $5.8 million the prior year. The U.S. study looked at 62 companies in 16 industry sectors after they experienced the loss or theft of protected personal data and then had to notify victims. The cost per record takes into account indirect costs, such as abnormal turnover or churn of customers, as well as direct costs caused by the breach itself, including technology investment and legal fees. Only $74 was attributed to direct costs. The study also noted, however, that not all records are seen as equal when stolen. Health records have an average cost of $398 each, whereas retail records cost $189 each. [SC Magazine]

UK – UK Firms Suffer More Data Breaches

The number and cost of data breaches suffered by British organisations have increased, a Government-commissioned report found. Nine in 10 large organisations reported being hit by an information security incident, an increase from 81% last year, research by professional services firm PwC found. Nearly three-quarters of smaller firms (74%) were affected by breaches, up from 60% a year earlier. The study also found that the average cost of the most serious incidents has jumped. The average is now between £1.46 million and £3.14 million. It means the higher end of the range has more than doubled from the £1.15 million recorded in the same report a year ago. Costs of breaches include business disruption, lost sales and recovery of assets. Incidents include infection by viruses or malicious software, theft or fraud involving computers, other breaches caused by staff and attacks by an unauthorised outsider. The report said there was a rise of more than a third (38%) in the number of external attacks on large organisations. These involved activities such as “penetration of networks”, denial of service attacks, phishing scams and identity theft. By contrast, frequent, large and unsophisticated attacks appear to be declining among the businesses surveyed. The report said the nature of the most serious incidents is changing to become “more targeted”. It added: “Small businesses should not presume that they will escape targeted attacks.” [BT News]

WW – Full Results of 2015 IAPP Salary Survey Released

With data from more than 1,300 privacy professionals around the world, the 2015 IAPP Salary Survey has information on compensation related to experience, industry, certification, geography and gender, along with historical trends, in the most extensive survey of the privacy profession we’ve ever done. Our executive summary, highlighting the major findings, is open to everyone, but only IAPP members have access to the full report, with more than 50 pages of statistics. [Full Story]

US – Deleted Political Tweets Archive Disabled

A website that collected the deleted tweets of politicians was shuttered by Twitter last month. Access by Politwoops, which was funded by the Sunlight Foundation, to Twitter’s API was suspended because it contravened Twitter’s terms of service. A Twitter spokesman said, “We strongly support Sunlight’s mission of increasing transparency in politics and using civic tech and open data to hold government accountable to constituents, but preserving deleted Tweets violates our developer agreement,” adding, “Honoring the expectation of user privacy for all accounts is a priority for us, whether the user is anonymous or a member of Congress.” [Ars Technica] [Gawker]

US – Virtual Currencies Placed Under New Regulatory Requirements

The New York Department of Financial Services (NYDFS), an agency that regulates Wall Street, issued new rules that will place restrictions on financial firms wanting to use virtual currencies. NYDFS’s Benjamin Lawsky said, “We think regulation is important to the long-term health of the virtual currency industry,” adding, “Building trust and confidence among consumers is crucial for wider adoption. It also helps attract additional investment.” Financial firms using virtual currencies must obtain a “BitLicense” and keep detailed records of bitcoin transactions, the report states. “We simply want to make sure that we put in place guardrails that protect consumers and root out illicit activity—without stifling beneficial innovation,” Lawsky said. [The Hill]

US – Dear Banks: Protect Your Clients by Restricting Tellers

New York Attorney General (AG) Eric Schneiderman believes that the way to increase security at banks is to deny tellers the current “unfettered” access they have to client accounts, as such access can allow tellers to steal “customer data and money” with relative ease. The AG’s office “found that ‘insider wrongdoing’ such as the tellers’ crimes was the No. 3 cause of data breaches in New York, behind hacking and lost or stolen equipment,” the report states. “While teller-fraud cases often get overlooked because of the small dollar amounts involved,” Schneiderman feels that should not be a deterrent. “Bank customers are still at risk,” he said. [The Wall Street Journal]

CA – Canada’s Insurance Regulators Sign MOU to Share Industry Conduct Information

Four members of the Canadian Council of Insurance Regulators (CCIR), an inter-jurisdictional association of insurance regulators, announced on Monday that they have signed a memorandum of understanding (MOU) that “sets out the terms for cooperation and exchange of information across provincial and territorial jurisdictions” to make the process simpler and more effective. The MOU will address issues like risk surveillance, consistent handling of consumer complaints, commercial practices and protection of confidential information. “CCIR members represent every province and territory, and it’s in all our interests to work more closely to ensure that we can cooperate and share information on Solvency Supervision and Market Conduct of Regulated Entities,” CCIR chair Patrick Déry said in a statement. “As a result, today we are signing a comprehensive MOU that will formalize information sharing and address issues like risk surveillance, consistent handling of consumer complaints, commercial practices and protection of confidential information.” Déry said in the statement that the remaining CCIR members are expected to join their counterparts in British Columbia, Alberta, Ontario and Quebec and sign on to this new MOU in the “coming months.” The CCIR signatories have agreed to share information needed to coordinate regulation of insurance companies that carry on business in more than one province or territory. The MOU also provides specific protocols for the sharing of confidential information. All provinces and territories conduct investigations into consumer complaints about insurance practices, but the MOU will also allow jurisdictions to share in “broader market and risk analysis.” [Canadian Underwriters]

US – RadioShack Bankruptcy Case Highlights Value of Consumer Data

This case serves as an important reminder that companies must think about these types of issues on a regular basis as they conduct business. Companies must carefully consider the promises they make to consumers, particularly promises that may be overbroad and short-sighted or, at worst, untrue. Moreover, companies acquiring or investing in other companies should carefully consider the privacy issues surrounding consumer data, particularly if consumer data is a key asset in the deal. [InfoLaw]

CA – Freedom of Information Laws a Poor Match for Secretive Governments

Advocates say lengthy delays, obfuscation and retroactive laws are defeating transparency. B.C. Privacy Commissioner Elizabeth Denham has raised concerns about the timeliness of responses and an increase in cases where no record could be found in response to a request — no email, text or paper trail. The Federal Court of Appeal recently chastised the Department of National Defence for telling someone it would take more than three years to respond to a request. And federal Information Commissioner Suzanne Legault has warned against amendments to the Access to Information Act that would retroactively protect the RCMP from prosecution for destroying long-gun registry records. If anything, she argues, the act needs tougher penalties along with greater access. “Access to information held by government is critical to the functioning of a modern democracy,” Legault said at a press conference in March. “However, in reality, an act that was intended to shine a light on the decisions and operations of government has become a shield against transparency.” [CBC]

CA – Four Things to Know About Highway of Tears Scandal

It’s a scandal that has the potential to rock Christy Clark’s supremacy in B.C. A former legislative staffer claims the Liberal government routinely circumvents Freedom of Information laws by deleting sensitive documents and emails. When Tim Duncan questioned the practice, he said he was told: “It’s like in the West Wing. You do whatever it takes to win.” Duncan, who used to work for the province’s Transportation Minister, Todd Stone, came forward last week. In a letter to the province’s privacy commissioner, he claims his colleagues deleted emails pertaining to the infamous Highway of Tears. [National Post]

US – Men Win Case Under Genetic Discrimination Law

This was the first case tried under a law preventing employers and insurers from discriminating against people with genes that increase their risks for costly diseases. The case, however, involved two men who sued their employer after the company asked them to take a DNA test in an effort to find a match for feces that someone had nefariously been leaving around their work facility. The men, who were cleared of any wrongdoing when the DNA did not match, were subjected to humiliating jokes, the report states. A judge ruled in favor of the men, ruling the test falls under the Genetic Information Nondiscrimination Act. [The New York Times]

US – Cops Use DNA Analysis to Prove Waiter Spit in Customer’s Drink

A New York man who suspected that a restaurant waiter had spit into his drink got the law involved and investigators were able to determine who spit into the drink using DNA analysis, according to court documents. [Source]

Health / Medical

US – HIPAA Violation Results in 10-Year Sentence

The recent sentencing of two individuals in Alaska to 10 and two years in prison, respectively, illustrates the power of the HITECH provision and that HIPAA crimes have serious consequences in the eyes of the law. While the maximum punishment for HIPAA-related crimes is 10 years and cases thus far in the U.S. haven’t been frequent, 2009’s HITECH law permits big punishments. “The HITECH Act amended the criminal provision to more explicitly permit prosecutors to go after anyone who improperly obtains or discloses health information, even if not part of a covered entity.” [Gov Info Security]

US – Two-Thirds of Doctors Reluctant to Share Health Data with Patients

The polling question was simple. Should patients have access to their entire medical record – including MD notes, any audio recordings, etc.? For many, the response by over 2,300 physicians came as no real surprise.

  • 49% – Access to all records should only be given on a case-by-case basis
  • 34% – Yes, Always
  • 17% – No, Never

In effect, a full two-thirds (66%) were clearly reluctant to share health data with their patients. A significant 17% were completely opposed to the idea outright. [Forbes]

CA – Ontario MD Watchdog Becoming Less Secretive

Ontario’s medical watchdog has become less secretive about doctors who make mistakes and act improperly. In an effort to increase transparency and accountability, the College of Physicians and Surgeons of Ontario is now letting patients know when it has “orally cautioned” doctors. New measures, adopted by the regulator last week, also include calling on the province to get tougher with physicians who sexually abuse patients, calling for “mandatory revocation” of doctors’ licences in all cases of “physical sexual contact” with patients. In addition, it has plans to ponder whether it should report to police whenever a physician may have committed a crime, and whether gender-based restrictions are appropriate. [Toronto Star]

US – Social Media Policies Needed in Medical Offices

Medical offices need social media policies for their employees. With the advent of a constant social media presence, the ability for a HIPAA slip-up or breach of patient privacy via an employee’s personal account has grown. “Creating a social media policy to clarify the standards for permissible and prohibited content for both personal and professional social media is one way to protect your patients, your productivity and your business reputation,” the article states. Smaller offices are encouraged to mimic other preexisting healthcare privacy policies, “setting examples” of what is appropriate to post, and making it explicitly clear the consequences of a breach of protocol. [Healthcare IT News]

US – Health Sites Lack Proper Safeguards: Research

According to student research, online health resources like WebMD do not have adequate privacy controls for their search engines. The University of Pennsylvania’s Tim Libert discovered that symptoms typed into these engines were being sold to third parties. “There’s been some kind of chilling cases: companies selling lists of people who had been raped or people who had AIDS,” Libert said. “So there’s a market for this stuff.” The report also looks at the marked difference between patient treatment in real time and on websites. “Anything that is happening on the Web today is pretty much completely unregulated,” Libert said, noting that HIPAA, while a “pretty good law,” doesn’t necessarily translate online. [NPR]

Horror Stories

US – FBI Examining IRS Attack

The FBI will investigate the data breach at the Internal Revenue Service and is working “to determine the nature and scope of this matter,” while Dark Reading reports early information about the breach “is offering security food for thought to both public- and private-sector organizations. According to security pundits, the breach offers ample evidence of authentication weaknesses prevalent today and also shows how interconnected unrelated data breaches can really be.” [The Hill] [IRS Authentication Method Criticized] [The New York Times – IRS to Make Sweeping Changes Following Breach] [Government Executive: IRS Commissioner Says Budget Crunch Not to Blame for Breach]

US – Massive Cyber Attack Hits US Federal Workers, Probe Focuses on China

In the latest in a string of intrusions into US agencies’ high-tech systems, the US Office of Personnel Management (OPM) suffered what appeared to be one of the largest breaches of information ever on government workers. The office handles employee records and security clearances. A US law enforcement source said a “foreign entity or government” was believed to be behind the cyber attack. Authorities were looking into a possible Chinese connection, a source close to the matter said. [Source] [Federal Personnel Info Stolen Hackers Grab Data on 4 Million Workers] [The New York Times: Hackers May Have Obtained Names of Chinese With Ties to U.S.] [$21 million tab to taxpayers for clean up after massive Chinese hack of federal database]

US – OPM Breach: Unanswered Questions on Scope, Attribution, Impact

The FBI has confirmed that it’s investigating the intrusion, which was revealed June 4 when the OPM posted a breach notification on its website. The office said it discovered the intrusion in April as it was continuing to update its information security defenses. Here are seven key questions related to this rapidly unfolding story. [Data Breach Today]

US – Union: OPM Breach Response “Abysmal Failure”

A union representing federal employees has criticized the Office of Personnel Management’s response to its massive data breach, calling it an “abysmal failure” and claiming it was much worse than disclosed. The American Federation of Government Employees says the breach allowed hackers to obtain data—including Social Security numbers—for every federal employee, every federal retiree and up to one million former federal employees. A Wired report looks at ways in which the breach has far graver repercussions than anyone could have thought. [The Wall Street Journal]

US – Gov’t Breach May Reach Beyond Federal Employees

The massive data breach that affected at least four million government employees may also involve private citizens’ personal data. Information about family, friends and even college roommates is often included on forms for federal background checks that “were, in their entirety, part of the stolen information,” meaning a “potential release of a staggering amount of information, affecting an exponential amount of people,” an official said. Some of the compromised data dates back to 1985. House Homeland Security Committee Chairman Michael McCaul (R-TX) described the breach as “the most significant breach of federal networks in U.S. history,” but two “privacy-minded” Senators are pushing back against calls from lawmakers to immediately pass a stalled cyber bill. [ABC News]

CA – Stolen Maternity Records Part of Larger Investigation

The alleged scheme to sell stolen maternity ward records to investment brokers so they could peddle RESPs to new mothers was much larger than previously believed, according to sworn police documents. After charging a former Rouge Valley Hospital clerk last November, this week the Ontario Securities Commission laid charges against another hospital employee and three financial salespeople. But the 290-page document summarizing the police investigation reveals that police were aware of at least 15 other RESP sales representatives and two other hospital employees involved — though they haven’t been charged. By the numbers:

  • $11,420 – minimum amount police say three financial salespeople paid two nurses for the names of new mothers.
  • 14,450 – number of mothers contacted by Rouge Valley Hospital to inform them that their confidential patient information may have been stolen.
  • $1 – how much the nurse and clerk were allegedly paid per name.
  • $2.50 – the price for one name that one RESP salesperson charged when selling them to other sales representatives. [Source] [Nurses, financial execs charged in patient RESP scheme]

UK – Are Organizations Ready for Watershed Moment?

While there’s ample evidence to show that data breach incidents have risen markedly, they didn’t necessarily “garner the kind of media coverage that can help to increase organizations’ awareness and encourage them to take the risks seriously,” a new whitepaper from Experian reports. Data Breach Readiness 2.0 outlines this changing landscape, the future of data breaches and offers a “customer first” approach to data breach response that includes a focus on managing the impact on those affected, “recognizing that this is where all other impacts ultimately flow from.” The whitepaper also encourages regular testing of programs and plans to ensure all possible outcomes are covered. [Data Breach Readiness 2.0]

US – Looted Pharmacies Mean Privacy Concerns

Looted pharmacies in Baltimore, MD, are alerting customers that the labels on stolen prescription drugs are a potential privacy threat. While the stolen drugs’ labels do not disclose SSNs, they do contain information such as names and addresses, permitting thieves to refill the prescription at the original prescription-holder’s expense, amongst other acts of fraud. In the wake of this revelation, brands such as Rite Aid have sought the assistance of risk management firm Kroll in an attempt to protect customer privacy. Thus far, however, “There is no evidence that personal information found on stolen prescriptions has been used for fraud, pharmacy and law enforcement officials said,” the report states. [The Baltimore Sun]

US – Heartland Breached Again

Another breach at Heartland Payment Systems has affected its payroll customers. The company made a breach warranty promise earlier this year because it said it was “so confident in the security of its payment processing technology.” But a break-in at its California offices saw thieves make off with a large number of computers and other materials. State and federal law enforcement are involved in investigating. [Forbes]

AU – Adobe Breached Privacy Act Leaving 38 Million Customers Exposed

Adobe has agreed to allow an independent auditor to ensure it has taken sufficient steps to harden its systems following a cyber attack that left 38 million of its customers exposed to fraud in 2013. Australian Privacy Commissioner Timothy Pilgrim revealed that he had requested the audit after revealing the findings of an inter-governmental report that led him to conclude that the software company breached the Privacy Act. Adobe had not responded to requests for comment on the findings, but a spokeswoman for the Office of the Australian Information Commissioner (OAIC) confirmed that the software company had agreed to the measure. The breach, which took place when Adobe left an obsolete server containing personal information exposed to the internet for about three months, gave hackers access to a database containing massive amounts of sensitive information belonging to its Australian customers. It included email addresses, encrypted passwords and plain text password hints, and in about 135,000 cases encrypted card numbers and other payment information. Overall, the breach impacted 1.7 million Australians. [CSO Online]

US – Adobe Finalizes Settlement Details

Adobe will “improve its security measures and pay nearly $1.2 million in legal fees plus $5,000 per named plaintiff” to settle a class-action lawsuit stemming from a 2013 data breach. In that incident, Adobe customers’ payment card data and personal information were compromised. According to the court filing, “expert analysis concluded that although measures could have been taken to minimize or prevent the breach, there was little to no evidence that any of Adobe’s customers suffered identity theft or actual damages as a result of it,” the report states, noting the settlement is now subject to the approval of U.S. District Judge Lucy Koh. [SC Magazine]

WW – Other Horror Stories in the News

The Office of the Australian Information Commissioner has said it is gathering more information about the recent breach at Woolworths, and Sally Beauty issued a statement detailing what happened in its March data breach. | [Indian Music Service Breach affects 10 million Gaana.com users] | [Following a breach lawsuit, Cottage Healthcare System’s insurer “argues that it is not liable for the payout because Cottage did not provide adequate security for its documents, a clause the California hospital network agreed to when it signed the insurance policy“] [Laptop Containing Personal Information of MoD Employees Stolen From Motorway Services]

WW – Your Data is Showing

Courts and consumers are faced with a quandary. Data leaked now could be used a decade or more hence, and both courts and individuals are left calculating probable future risk as well as current exposure. Consumers face limited options for protecting themselves. A telling measure of frustration is a syndrome that has been termed “data breach fatigue.” A third of people notified about a breach don’t take any action at all, according to a 2014 study by the Ponemon Institute. [First Look]

Identity Issues

US – Government’s Plans to Identify You Based on Your Tattoos

Tattoos aren’t just for rebels: 1 in 5 American adults have some ink, according to recent polls. And now the government is trying to beef up technology that can automatically identify people by their tattoos. The National Institute for Standards and Technology, a part of the Commerce Department that has taken the lead on evaluating biometrics, organized a “challenge” in which groups faced off to see who could deliver software and algorithms that identified tattoos most accurately. The event, sponsored by the FBI’s Biometric Center of Excellence, brought together researchers from academia and the private sector to test image recognition technology against five different scenarios.  [The Washington Post]

US – Electronic ID Pilot Begins

The government has begun distributing electronic identity (eID) cards “as a pilot project, a step to better protect citizens’ personal information from online leaks.” Developed by the Ministry of Public Security’s No.3 Research Industry, “the eID will be citizens’ second identity for use in cyberspace. It features a cryptographic algorithm technically impossible to hack and would only generate random strings once cracked,” the report states, noting it “could be loaded to bank cards, SIM cards and identity cards.” The eID “provides a person’s true identity” and could be used for online interactions that “involve financial security, property safety and privacy of Internet applications,” the report states. [Global News] [ReadWrite: Two-Factor Authentication a Workplace Necessity] [New Zealand: Expert perspectives on digital identity and privacy]

Internet / WWW

US – FTC Workshop Explores Privacy in the Sharing Economy

The rise of peer-to-peer networking and the burgeoning “sharing economy” was the topic at a FTC workshop in Washington, DC, where participants discussed whether there is need for new regulation. In a wide-ranging conversation covering rapidly changing business models, potential regulatory obligations and consumers’ increasing dependence on reputational feedback mechanisms, economists, industry representatives and academics hashed out what is clearly a complex but innovative sector of the modern economy. [Full Story]

WW – FPF Whitepaper Examines Privacy in the Sharing Economy

The Future of Privacy Forum (FPF) has released a whitepaper that focuses on the reputational, trust and privacy challenges users and providers face on management and accuracy of shared information. User Reputation: Building Trust and Addressing Privacy Issues in the Sharing Economy considers how reputation-building and trust are frequently essential assets to a successful peer-to-peer exchange and looks at issues surrounding identity, anonymity and the role of social network integration. Services like Uber, Airbnb and Etsy rely on online and mobile platforms and peer-to-peer sharing of reputational information, including reviews and recommendations. “If consumer access to services is dependent on ratings and reviews, consumers need transparency into how these systems work,” said the FPF’s Jules Polonetsky. [Full Story]

US – IAB: How Will FCC Jurisdiction Affect Us?

After a change in policy brought Internet broadband providers under the Federal Communications Commission’s (FCC) jurisdiction, the Interactive Advertising Bureau (IAB) “wants to clarify whether the net neutrality rules will result in new privacy restrictions.” Industry groups including the IAB met with the FCC to discuss the implications of the order on May 28, and while the outcome of the session was not disclosed in the report, the order itself indicates that broadband providers are certainly on the FCC’s radar. Providers “are in a position to obtain vast amounts of personal and proprietary information about their customers,” the order states, noting, “Absent appropriate privacy protections, use or disclosure of that information could be at odds with those customers’ interests.” [MediaPost]

WW – Lack of Privacy in Self-Driving Cars Means Greater Manufacturer Responsibility

The advent of the “self-driving car,” Jack Boeglin argues, “means that the more privacy and freedom motorists are willing to give up, the more that liability should flow to manufacturers, government entities and other third-parties.” The Wall Street Journal reports on Boeglin’s piece, which also suggests developers must acknowledge that the ideas of liability and privacy aren’t mutually exclusive. “Nearly all of the literature on self-driving cars explores either their impact on social values like freedom and privacy or the questions they pose for legal liability,” Boeglin writes. “These lines of inquiry have developed largely in isolation, with little effort to examine how they might intersect and inform each other.” [Yale Journal of Law & Technology]

WW – Audi: Cars Are “Second Living Rooms”—And Private

Comments by Audi Chief Executive Officer Rupert Stadler appear to indicate that German auto companies are using in-car privacy concerns as “an attempt to build rival platforms to challenge Google for market share in Internet-assisted motoring.” “The Internet, cookies and other data collectors are almost common courtesy,” Stadler said. “But a car today is a second living room – and that’s private.” Customers, Stadler said, “want to be in control of their data and not subject to monitoring. And we take this seriously,” he continued. These comments come on the heels of an explosion of industry fusion, evidenced by the year-old “Automobile Alliance” founded by Google and auto companies group-bidding for tech contracts. [Bloomberg Business] [Audi CEO Confronts Google’s Schmidt With Data-Protection Pledge]

WW – New Tech Reduces Time Between Breach Compromise and Discovery

Start-up Terbium Labs offers to help breached companies quickly discover their sensitive data on the so-called “Dark Web.” Founded by researchers from Johns Hopkins University, the company combines two technologies—one that crawls the Internet, the other that collects and stores sensitive data in encrypted form. Terbium Labs CEO Danny Rogers said, “When you can bring that breach detection time down from months to seconds or minutes, then you can really minimize the damage and reduce the risk of the data being out there in the first place.” [MIT Technology Review]
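The article gives only the shape of the approach: crawl the open and dark web, and hold a protected copy of the data you want to be alerted about. The example below is added here and is not Terbium Labs’ code; it assumes one concrete way to build the second half, keyed fingerprints (HMAC-SHA256 over normalised records) rather than reversible encryption, so the monitoring side never holds the plaintext it is watching for. The watch list, the secret key, the record formats (e-mail addresses and 16-digit card numbers) and the “paste” being scanned are all constructed for illustration.

```python
"""Added example: fingerprint-based leak detection (not Terbium Labs' code).

The data owner keeps only keyed fingerprints of the records it wants to watch
for; scraped text is tokenised into candidate identifiers, fingerprinted the
same way and looked up. No watched record is stored in the clear on the
monitoring side. All records, keys and the "dump" are constructed.
"""
import hashlib
import hmac
import re

# Constructed secret held by the data owner; a real deployment would load it
# from a KMS/HSM and rotate it like any other credential.
FINGERPRINT_KEY = b"example-only-key-rotate-me"

# Assumed record formats for this example: e-mail addresses and 16-digit cards
# (digits optionally separated by spaces or dashes).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def normalize(value: str) -> str:
    """Canonicalise so trivial reformatting (case, spaces, dashes) still matches."""
    return re.sub(r"[\s-]", "", value).lower()


def fingerprint(value: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed one-way fingerprint; without the key the index reveals nothing."""
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records):
    """Return {fingerprint: label}; the plaintext records are not retained."""
    return {fingerprint(value): label for label, value in records}


def extract_candidates(text: str):
    """Yield every substring of scraped text that looks like a watched record type."""
    for m in EMAIL_RE.finditer(text):
        yield m.group(0)
    for m in CARD_RE.finditer(text):
        yield m.group(0)


def scan(text: str, index):
    """Return {label: fingerprint} for watched records that appear in scraped text."""
    hits = {}
    for cand in extract_candidates(text):
        fp = fingerprint(cand)
        if fp in index:
            hits[index[fp]] = fp
    return hits


# Constructed watch list (label, record) and a constructed paste a crawler might fetch.
WATCHED = [
    ("cust-1001-email", "alice.smith@example.com"),
    ("cust-1001-card", "4111 1111 1111 1111"),
    ("cust-2002-email", "bob@example.org"),
]
DUMP = """
leaked combo list 2015
Alice.Smith@Example.com:hunter2
carol@example.net:letmein
4111-1111-1111-1111|12/17|123
"""

if __name__ == "__main__":
    index = build_index(WATCHED)
    # Expected: cust-1001-email and cust-1001-card are reported; bob is not in the dump,
    # carol is not on the watch list, and the index contains no plaintext.
    print(scan(DUMP, index))
```

Because the matcher needs the key to fingerprint candidates, the lookup has to run on the data owner’s side (or the crawler must be trusted with the key); the value of the design is that the stored index can be compromised without disclosing the watched records. Matching is exact after normalisation, so a leak that reformats records beyond what `normalize` handles will be missed; widen the normalisation, not the key handling, to cover those cases.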

WW – Just How Much Shadow Data Is Out There?

Cloud security firm Elastica released new data, showing that millions of compliance violations and intellectual property leaks exist in cloud applications, unbeknownst to organizations, thanks to employees using “shadow IT” like Dropbox and other cloud services. The company estimates the average potential exposure to be more than $13 million per business. Another security vendor, Venafi, released results of a survey showing that most IT security pros don’t know how to, or don’t take the time to, replace encryption keys and credentials following a breach. Perhaps that’s why, CSO reports, many CIOs and CISOs are increasingly turning to specialized cybersecurity prevention and response firms to help them protect their enterprises. [Dark Reading]

Law Enforcement

UK – Police Request Private Data Access ‘Every Two Minutes’

Police forces in the UK made the equivalent of one request for communications data every two minutes between 2012 and 2014. Big Brother Watch reported that a total of 733,237 requests to access data were made by police between 1 January 2012 and 31 December 2014. That is equivalent to 670 requests a day, 28 requests an hour, or one every two minutes. The report was based on Freedom of Information requests granted by every police force but one. Just 54,164 of the requests were denied internally, meaning that 92.6% were accepted. In 2014 alone just under 250,000 applications were made. The requests include any time that police officers ask to see the “who, where and when of any text, email, phone call or web search”, the privacy group reported. “Despite persistent claims that the police’s access to Communications Data is diminishing, this report shows that the police are continuing to access vast amounts of data on citizens,” the group said. “It is clear from the report’s findings that disparity exists amongst police forces on what is considered necessary and proportionate for a request for Communications Data and why a refusal for access is given.” “If law enforcement persists with calls for greater access, internal procedures will need to be clarified, transparency about the process published and independent judicial approval brought in as part of the authorisation process.” [Wired] [REPORT: UK Police Request Personal Data Every Two Minutes]

US – Surveillance by FBI’s Fleet of Spy Planes Raises Privacy Questions

Surveillance by the FBI’s fleet of spy planes, which are registered to shell companies and fitted with tech capable of sucking up cellphone data from innocent Americans, raises serious privacy questions. … Dirtboxes work like Stingrays, which are in use by “over 46 agencies including law enforcement, the military, and intelligence agencies across 18 states and Washington D.C. for more than a decade.” A Stingray surveillance device lets law enforcement mimic a cell phone tower, track the position of users “who connect to it, and sometimes even intercept calls and Internet traffic, send fake texts, install spyware on a phone, and determine precise locations.” Dirtboxes can “sweep up identifying information about tens of thousands of cell phones in a single flight.” The low-flying aircraft, often equipped with video and sometimes cell-phone surveillance technology, are used without a judge’s approval. The FBI said the