Biometrics
WW – Fingerprints Can Show If You’ve Done Drugs
A raft of sensitive new fingerprint-analysis techniques is proving to be a potentially powerful new avenue for extracting intimate personal information—including what drugs a person has used. New techniques can determine, from a single fingerprint, not whether you have handled these drugs, but whether you have taken them. The new methods use biometrics to analyze biochemical traces in sweat found along the ridges of a fingerprint. And those trace chemicals can quickly reveal whether you have ingested cocaine, opiates, marijuana, or other drugs. One novel, noninvasive forensic technique developed by U.K. researchers can detect cocaine and opiate use from a fingerprint in as little as 30 seconds. The assay—which was so sensitive that it could still detect trace amounts of cocaine after subjects washed their hands with soap—correctly identified 99% of the users, and gave false positive results for just 2.5 percent of the nonusers. The researchers say they hope to expand the range of controlled substances that can be detected, which could include methamphetamines, amphetamines, and marijuana. The test can be modified to detect therapeutic drugs prescribed by physicians too. [The Atlantic]
CN – Facial-Recognition Cameras Caught Suspect Among 60,000 Concertgoers
China is pursuing an ambitious plan to make an omnipresent video surveillance network. On the night of April 7, nearly 60,000 people had gathered at the Nanchang International Sports Center for a concert by Cantopop legend Jacky Cheung. In the middle of an upbeat song, a pair of police officers began descending the aisles, according to footage posted on the Chinese video sharing site Miaopai. Soon, they had arrived at the row they were looking for and apprehended the 31-year-old. Before Cheung had finished singing the refrain, officers were escorting the man out of the show. The man, identified only by his surname Ao, was reportedly wanted for “economic crimes,” according to Kan Kan News. Details about Ao had been in a national database, and when he had arrived at the stadium, cameras at the entrances with facial-recognition technology had identified him — and flagged authorities, the news site reported. “He was completely shocked when we took him away,” police officer Li Jin told Xinhua news agency. “He couldn’t fathom that police could so quickly capture him in a crowd of 60,000.” Ao’s unlikely capture became the latest example of China’s growing use of facial-recognition technology. As The Washington Post’s Simon Denyer reported, law enforcement and security officials in China hope to use such technology to track suspects and even predict crimes. Ultimately, officials there want to create a comprehensive, nationwide surveillance system known as “Xue Liang,” or “Sharp Eyes” to monitor the movements of its citizens. At the back end, these efforts merge with a vast database of information on every citizen, a “Police Cloud” that aims to scoop up such data as criminal and medical records, travel bookings, online purchase and even social media comments — and link it to everyone’s identity card and face. A goal of all of these interlocking efforts: to track where people are, what they are up to, what they believe and who they associate with — and ultimately even to assign them a single “social credit” score based on whether the government and their fellow citizens consider them trustworthy. Images from Denyer’s visits to three technology companies showed people monitoring cars and people as they passed through an intersection. Attached to each entity were text bubbles that showed identifying characteristics: the person’s gender and home town, for example. “Surveillance technologies are giving the government a sense that it can finally achieve the level of control over people’s lives that it aspires to,” Adrian Zenz, a German academic who has researched ethnic policy and the security state in China’s western province of Xinjiang, told Denyer. Many have voiced their concerns about the ethical ramifications of such a system. Human Rights Watch has a page dedicated to mass surveillance and the use of “big data” in China. “For the first time, we are able to demonstrate that the Chinese government’s use of big data and predictive policing not only blatantly violates privacy rights, but also enables officials to arbitrarily detain people,” Wang wrote. “People in Xinjiang can’t resist or challenge the increasingly intrusive scrutiny of their daily lives because most don’t even know about this ‘black box’ program or how it works.” As for Ao, the man caught at the Jacky Cheung concert, he said he thought he would be safe in a crowd of tens of thousands. He and some friends had bought the concert tickets, and Ao had driven with his wife about 60 miles to see the show, according to the news site. [Opinion: China’s new surveillance state puts Facebook’s privacy problems in the shade]
Big Data / Data Analytics / Artificial Intelligence
EU – A Privacy Pro’s Guide to Explainability in Machine Learning Models
With the EU GDPR just around the corner, there has been some debate and discussion about whether the law requires a “right to an explanation” from machine learning models. “Regardless of the regulation’s effects on machine learning, however, the practical implications of attempting to explain machine learning models presents significant difficulties,” Immuta Legal Engineer Stuart Shirrell writes. “These difficulties will become an increasing focus for privacy professionals as machine learning is deployed more and more throughout organizations in the future.” [IAPP.org]
Canada
CA – Federal Privacy Commissioner Argues for Right to Be Forgotten
Canada’s privacy commissioner took the stage at a Canadian Journalism Foundation (CJF) privacy summit in Toronto to advocate for the right to online reputation. The half-day summit was an opportunity for members of the media, as well as lawyers and legislators to meet and discuss the right to privacy in relation to freedom of expression. Daniel Therrien’s core position is that Canadians should be able to access the internet without having to fear that their reputations will be ruined as a result. A draft paper published in January 2018 established the OPC position, while also suggesting that ‘de-indexing’ and ‘source takedown’ are possible solutions to maintain individual online reputation. Also known as the ‘right to be forgotten,’ de-indexing refers to the process by which individuals can request that search engines remove results when an individual’s name is used in the search. Source takedown, by comparison, refers to the removal of the original source of content from the internet entirely. As individuals at the summit pointed out, there’s some contention between the right to privacy, freedom of expression and the freedom to access information. In response to freedom of speech advocates, Therrien argued, “there are real consequences to incorrect information being out there to be seen by many.” “The solution can be discussed at length, and a reason why we have put this out as a draft position paper is that we’re pretty sure that there’s a harm to be remedied here, and as a regulator, the tool that I have… is the legislation to limit or enforce,” he said. Therrien further argued that the in the age of the internet, more information is easily accessible than ever before. As such, it’s necessary to find some way to regulate the information that’s available. [betakit.com] Canadian Government Leaning Towards A Right to Be Forgotten it Can Enforce Anywhere in The World]
CA – Quebec Commissioner’s Suggests Amendments to Privacy Law
The Quebec Commission on Access to Information’s has issued recommendations for amending the Private Sector Privacy Act. Quebec’s private sector privacy law should be amended to compel organizations to destroy personal information once the purposes for which they were collected are fulfilled (except when kept under a legal provision), and delete any provision recognizing the right of an organization to retain information, even if it can no longer use it according to the law. [CAI QC – Five-Year Report (Pages 120-122)
CA – Supreme Court Rules on B.C. Campaign Financing Case
In a unanimous decision, the Supreme Court of Canada dismissed a bid by the B.C. Freedom of Information and Privacy Association (FIPA) that challenged a section of B.C.’s Election Act that requires even small spenders to register with the province’s chief elections officer if they sponsor election advertising during a campaign. [see here] But in its 7-0 ruling, the top court clarified the law so that people who wear T-shirts bearing political messages, or put bumper stickers on their cars or signs in their windows during an election, will not have to register with the province’s election office, providing they spend less than $500. But people or groups who sponsor advertising must continue to register. FIPA, a non-profit public advocacy group, had argued the requirement to register inhibits “political expression by persons who don’t wish names and addresses to become public knowledge,” and is a violation of the Charter of Rights and Freedoms’ guarantee of freedom of expression. In B.C., a person or group wishing to sponsor advertising during one of the province’s 28-day provincial election campaigns must register with a full name, address and a service address, and provide a signed statement. The Chief Electoral Officer then makes that information public, although the factum of the Attorney General of B.C. says telephone numbers and home addresses can be obscured upon request. Failing to register could result in a fine up to $10,000 or imprisonment up to a maximum of one year, or both. Reacting to the decision, the Canadian Civil Liberties Union said “small voices” could still be silenced under the B.C. Elections Act. B.C. Freedom of Information and Privacy Association v. British Columbia (Attorney General) | BC’s election gag law being challenged in Supreme Court of Canada | Canadian Lawyer magazine | Top Court Upholds BC Law Requiring Election Advertisers to Register | SCC rules on election campaign sponsorship in B.C. | Wearing a T-shirt isn’t ‘sponsored’ election advertising, top court rules
CA – Insurance Company Must Delete Personal Information
The OPC investigated a complaint against an insurance company, alleging violations of PIPEDA. The OPC investigation determined that a company should have treated an individual’s request to delete his data as a withdrawal of consent; the company initially denied the request (retention was necessary to provide insurance details to other insurers), however, once the individual accepted that deletion could result in higher premiums or coverage denial, his information was deleted. [OPC Canada – Case Summary 2017-005 – Insurance Company Required to Delete Individuals Personal Information After They Withdraw Consent]
CA – Nurse Fined for Criticizing Grandfather’s Healthcare Loses Appeal
A Prince Albert nurse fined for criticizing her grandfather’s palliative care online has lost her appeal of a $26,000 fine ordered by her professional regulatory board. In a written decision, Saskatoon Queen’s Bench Justice J. Currie said Carolyn Strom violated professional conduct rules relating to her profession as a registered nurse. Even though Strom was away from work on maternity leave at the time she wrote the online posts, Currie upheld an earlier decision from the Saskatchewan Registered Nurses’ Association (SRNA) that found Strom guilty of professional misconduct. In his decision, Currie said his role was not to determine whether the decision from the disciplinary committee was correct, but rather whether it “falls within the realm of reasonable decisions in the circumstances.” In that respect, Currie agreed with the discipline committee. The Saskatchewan Union of Nurses acted as an intervenor in the case, and said it is disappointed the SRNA ruling was upheld, saying the decision will affect nurses and other professionals, who will think twice before expressing their personal opinions. [paNOW]
CA – Alphabet to Start Toronto Smart-City Tech Pilot in Summer, Build in 2020
Alphabet Inc’s urban innovation company Sidewalk Labs hopes to break ground on its first ever smart-city project in Toronto in 2020, and begin testing some of the proposed technologies this summer, its chief executive said. This is the first time a timeline has been publicly disclosed for the project. A development plan is expected to be approved by the Sidewalk and Waterfront Toronto boards by the end of 2018, and the first residents could move in as early as 2022. The timeline is subject to government approvals and other processes that Sidewalk expects to spend most of 2019 working through. Other smart city projects have largely failed because of budgets, the involvement of too many parties, and the use of public resources on development with no immediate benefits for the broader population. Corporate access to personal information is a growing concern. Sidewalk Labs has faced growing scrutiny over its plans to put sensors and cameras all over Quayside. Doctoroff said Sidewalk Labs would destroy non-essential information, only retain data that would improve the quality of life, and not sell them to advertisers. Third parties must adopt privacy policies developed for the plan, he added. [Reuters]
CA – Man Arrested for Breaching Nova Scotia’s FOI Website
A 19-year-old Halifax man has been arrested for illicitly accessing the Nova Scotia government’s freedom-of-information website. The man was able to see more than 7,000 documents, some of which contained sensitive information, including birth dates, social insurance numbers, addresses and government-services client information. The Nova Scotia government said no credit card information was compromised in the breach, with government officials saying thousands of citizens in the province were likely affected. Halifax Regional Police searched the suspect’s house before his arrest. The man has been charged with the unauthorized use of a computer. Software and privacy professionals have expressed concerns the Nova Scotia government is using the 19-year-old man as a scapegoat for the breach. [CBC News See also: Teen charged after personal information exposed in Nova Scotia government website breach | Police refute claim they asked province to keep a lid on information breach | Province just sort of stumbles across massive data breach ]
Consumer
US – Majority of US Consumers Concerned About Privacy: Survey
The Network Advertising Initiative conducted a survey asking 10,000 U.S. consumers about their opinions on online privacy. Of the respondents, 85% said the current state of online privacy was at least “somewhat concerning,” with 50% of those consumers saying they are either “very” or “extremely” concerned about privacy. When asked about their top privacy concerns, 56% said hackers, while 15% said data collection by any federal government around the world. The majority of consumers said they want their online content to be paid by advertising, and 79% of respondents said individuals should be in control of opting out of any online marketing campaigns. [NAI]
CA – Canadians Skeptical About Cloud Security, Except at Work: Study
Nearly half of Canadians aren’t comfortable storing sensitive information in the cloud, according to a new study. 46% of Canadians don’t like the thought of storing family information on the cloud, a figure that rises to 52% when it comes to medical information, and 59% for financial information. Citrix Cloud and Security Survey says 62% of employed Canadians felt that documents uploaded to the cloud were either somewhat, or very secure. At the same time, 42% of workers think their employer is solely responsible for maintaining and upgrading security on all devices. A lot of employees, however – 34% – don’t even know if their company uses cloud services. In addition, more than 40% of all Canadians weren’t sure what the cloud was. [IT Business]
WW – Study Highlights Privacy Concerns with Gaming Platforms
Academic researchers published a paper that examined data handling practices in modern gaming. Platforms and consoles. These collect different types of user data through hardware (cameras, sensors, microphones), platform features (social media, user-generated content) and tracking technologies (cookies, beacons, and scripts). All games studied shared user data with advertising platforms and partners, while, mobile games stored private message contents and had a right to access and review these messages.[Privacy in Gaming – N. Cameron Russell, Joel R. Reidenberg and Sumyung Moon – Center on Law and Information Policy at Fordham Law School | Gaming Platform Updates Its Privacy Setting Default | DigitalTrends]
UK – ICO Fines Royal Mail Over 300,000 “Spam” Emails
Royal Mail, which claims to be the most trusted letter delivery service in the UK, was today fined for sending out more than 300,000 nuisance emails. The UK ICO said it launched a probe [see 16 pg PDF notice here] after an individual complained they had received a marketing email from Royal Mail, despite having opted out. Royal Mail argued the email in question was a service because it was telling customers there was a price drop for second-class parcels – but the ICO disagreed. Deeming the message to be marketing, the ICO issued a £12,000 fine for breaching the Privacy and Electronic Communications Regulations (PECR) since recipients hadn’t consented to receiving the mail. The ICO acknowledged that Royal Mail has an obligation to publicise price changes, but said there were more appropriate ways to do this, such as putting an update on its website. [The Register | BBC News, City A.M. and The Times]
Electronic Records
US – 25% of Patients Did Not Access Data Over Patient Privacy Concerns
A recent study by the Office of the National Coordinator for Health Information Technology (ONC) found that 25% of individuals who were offered access to their online medical records declined out of privacy and security concerns. Increasing access and adoption of electronic health records is stated to be a cornerstone of the ONC’s efforts. In response, the ONC created a guide to help individuals get and use medical records. National Coordinator for Health Information Technology Don Rucker said, “It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” adding, “This guide will help answer some of the questions that patients may have when asking for their health information.” [HealthITSecurity | PR here | NAP.edu]
EU Developments
EU – Proposal Gives Consumers More Power to Sue Companies
The European Union has unveiled a proposal to give consumers more power to sue companies if their rights have been violated. The proposal would call for any offending company to be penalized up to 4 percent of their annual turnover. Under the new rules, EU consumer law would be extended to cover “free” digital services where consumers provide personal data, including social media information, email accounts and cloud storage services. While business groups said the proposed bill could lead to a wave of lawsuits, Justice Commissioner Věra Jourová said profit-seeking class-action lawsuits would not be permitted under the pending legislation. [Reuters]
EU – EDPS Launches ‘Privacy by Design’ Mobile Health App Contest
The European Data Protection Supervisor is launching a contest for creators to design the best mobile health apps using “privacy by design” and “privacy by default” principles. Contestants are encouraged to create apps designed to be user friendly and give users more control over their information. The top two winners will receive prizes of 20,000 and 10,000 euros respectively and will be able to present their projects during the 40th International Conference of Data Protection and Privacy Commissioners in October. Submissions must be sent in by the end of June. [Telecompaper]
EU – WP29 Forming Social Media Working Group
Article 29 Working Party Chairwoman Andrea Jelinek said the agency is forming a Social Media Working Group in response to the Facebook-Cambridge Analytica revelations. “What we are seeing today is most likely only one instance of the much wider spread practice of harvesting personal data from social media for economic or political reasons,” Jelinek said. During his second day on Capitol Hill, Facebook CEO Mark Zuckerberg said regulation of his company is “inevitable,” but lawmakers and privacy professionals are skeptical of when it may happen. [Reuters]
EU – Group Calls for EU to Exempt Blockchain from GDPR
A blockchain group is calling for the European Union to exempt the technology from the GDPR. In a blog post, Coin Center Executive Director Jerry Brito writes the GDPR is “incompatible with the reality of open blockchain networks,” and if technology is regulated under the impending rules without any changes to either, the outcome could be troublesome. “The result of the law, then, may be that Europe is closing itself off from the future of the internet to its detriment.” [The Verge | Gizmodo]
UK – ICO Releases Data Protection Self-Assessment Toolkit
The U.K. ICO has released a data protection self-assessment toolkit. The resource has been created to help organizations, particularly small- and medium-sized businesses, make sure they are compliant with data protection laws, such as the EU GDPR. The toolkit includes checklists for controllers and processors, as well as for other areas of compliance, such as information security, direct marketing, records management, data sharing and subject access, and CCTV. Once a checklist has been completed, a report will be generated advising companies on practical steps they can take to improve their compliance efforts. [ICO.org]
US – GDPR: Study Shows 35% of Organisations Ready
The Centre for Information Policy Leadership conducted its second global survey to understand organisational preparedness for the GDPR. 239 organisations were surveyed across several industries: The first global survey was conducted in 2017. A think tank notes that mandatory DPOs will be appointed in 47% of companies surveyed, 35% have a procedure in place to identify and classify privacy risks to individuals, and only 38% will have to re-obtain individual consent; areas that still require further clarity include legitimate interests, breach notification, DPIAs, privacy by design, certifications, codes of conduct, and internal processing records. [Organisational Readiness for the EU GDPR 2nd Edition – CIPL]
FOI
CA – 80-Year Extension on Access-to-Info Request Appears to be a Record
A federal institution has given itself what may be the longest-ever time extension to respond to a citizen’s request under the Access to Information Act — at least 80 years, which will delay the delivery of documents to 2098 or beyond. 70-year-old Michael Dagg, the requester and longtime user of the act, asked Library and Archives Canada (LAC) for files from Project Anecdote, an RCMP investigation into money laundering and public corruption that was launched in May 1993. No charges were ever laid in the massive probe, which concluded in 2003. The voluminous Mountie files were eventually turned over to the government archives. Library and Archives determined there are a minimum of 780,000 document pages to review, in addition to audio and video recordings. Dagg was advised that the review of the material would normally take at least 130 years, but many of the records will automatically become public after 80 years, without need for review under the Access to Information Act, helping to shorten the extension period. Dagg says he plans to contact Library and Archives to negotiate a smaller subset of the Project Anecdote documents. “I would narrow the scope so I can get something within a year or two, rather than beyond my lifetime,” he said in an interview. Timeliness of responses has been a growing issue under the act. In 2016-2017, for example, responses to 2,326 requests took more than a year, up from 1,526 the year previous — or 2.7%t of all requests, up from 2.1%. And 19.3% of all responses to requests in 2016-2017 were in so-called “deemed refusal,” that is, they were late — delivered beyond legislated deadlines. That level of ‘deemed refusals’ has almost doubled in the last five years. And some 1,741 of these late requests were delivered more than a year after deadline. In 2016, former commissioner Suzanne Legault warned of a “culture of delay” within the federal government that has created “a slow and arcane system that seems bent on denying access.” [CBC]
Health / Medical
US – Report Finds Insider Data Breaches Most Common in Health Care Industry
According to Verizon’s 2018 Data Breach Investigations Report, 25% of all attacks over the year were perpetrated by said insiders and were driven largely by financial gain, espionage and simple mistakes or misuse. It also reports that organised criminal groups continue to be behind around half of all breaches, while state-affiliated groups were involved in more than one in 10. Financial gain, unsurprisingly, continued to be the top motivation for cybercriminals. The health care industry ranks worst when it comes to preventing insider data breaches. As the only sector reported to have more internal actors behind data breaches than external, errors were the leading type of cyber incident across health care, followed by malware, hacking and privilege misuse. The report also found that for the malware detected in health care, ransomware accounted for 85%. Simple errors – such as failing to shred confidential information, sending emails to the wrong person or misconfiguring web services – were at the heart of nearly one in five breaches. More than 20 per cent people still click on at least one phishing campaign during a year. [The Washington Post]
Horror Stories
US – Consumer Reports Publisher to Pay $16.4M to Settle Privacy Lawsuit
The publisher of Consumer Reports magazine will pay $16.375 million to settle a lawsuit alleging it violated Michigan privacy law. The publisher was accused of selling customers’ subscription and personal information to third parties without consent. The personal information included customers’ age, race, religion, income, medical conditions and political affiliations. “We have long advocated for the rights of consumers to have control over their private information,” a Consumer Reports spokeswoman said. “While we believe that our practices were in compliance with Michigan law, we chose to settle this case, without admitting liability, so that we can spend our time, effort and resources on protecting consumers.” [Reuters | Insurance Journal
AU – Study Shows Willingness to Pay Malware Ransom Demands
According to findings from the Telstra Security Report, 47% of Australian businesses paid malware ransom demands when found to be the victim of a cyberattack. The report, which surveyed 1,252 people across 13 countries and 15 industries, found that a willingness to pay ransom demands was consistent across all respondents, with 60% of ransomware victims in New Zealand, 55% in Indonesia, and 41% in Europe stating they have paid a ransom demand. Furthermore, 87% of Asian businesses and 82% of European respondents stated they recovered stolen data once the ransom was paid. [ZDNet]
Identity Issues
AU – Anonymization: Australian DPA Finds Publication of Dataset Flawed
The Office of the Australian Information Commissioner issued the results of its investigation into the publication of a dataset by the Department of Health. A dataset had the potential to identify service providers and some individuals because a public agency’s process for de-identification of PI and assessment of the risk of re-identification was flawed; it unlawfully disclosed PI for a purpose other than that of collection, and failed to take adequate steps to remove PI from the dataset relative to the sensitivity of the information (medical/pharm benefits information), and the context of its release (online to the public). [OIC Australia – Publication of MBS/PBS Data]
Location
US – Can GPS Tracking Stop Customers from Stealing Rental Cars? In California, A New Debate Over Privacy Begins
The use of GPS to track stolen vehicles is at the center of a debate between car rental companies and privacy advocates in California. Most rental cars are equipped with navigation and GPS technology. But unlike automakers that can begin tracking their customer’s movements as soon as they drive off the lot, California law bars rental companies from tracking their customer’s location until the vehicle has been missing at least five days past its return date. Some car rental companies want to decrease the number of days significantly, making it possible to track the movements of customers who failed to return vehicles on time. Meanwhile, privacy advocates worry that allowing companies to track customers — even if only after they’ve failed to return a rental vehicle — could open the door to privacy abuses, such as collecting and selling valuable consumer data. The ease of stealing rental vehicles may explain why there were more than 92,000 rental cars thefts across the United States between 2015 and 2018, with nearly 18,000 of those thefts occurring in California, according to the National Insurance Crime Bureau. California remains a leading state for car theft alongside Nevada and Washington State, according to the NCIB. But privacy advocates such as state Sen. Hannah-Beth Jackson (D-Santa Barbara) say the rental industry hasn’t provided data proving that enough thieves are posing as customers to warrant a change in existing laws, such as allowing companies to track the location of overdue rental vehicles. [Wash Post| zdnet.com]
Other Jurisdictions
RU – Russia Seeks to Ban Telegram Messaging App
Russia’s Roskomnadzor, the Federal Service for Supervision of Communications, Information Technologies and Mass Media, has filed a lawsuit asking a court in that country to block the Telegram messaging app. Telegram has refused to provide Russian authorities with encryption keys. [www.v3.co.uk: Russia set to ban Telegram app for refusing to hand over decryption keys on demand | www.zdnet.com: Russia moves to block Telegram after encryption key denial]
CN – China Ranking Citizens With A Creepy ‘Social Credit’ System
The Chinese state is setting up a vast ranking system system that will monitor the behaviour of its enormous population, and rank them all based on their “social credit.” The “social credit system,” first announced in 2014, aims to reinforce the idea that “keeping trust is glorious and breaking trust is disgraceful,” according to a government document. The program is due to be fully operational by 2020, but is being piloted for millions of people already. The scheme is mandatory. At the moment the system is piecemeal — some are run by city councils, others are scored by private tech platforms which hold personal data. Like private credit scores, a person’s social score can move up and down depending on their behaviour. The exact methodology is a secret — but examples infractions include bad driving, smoking in non-smoking zones, buying too many video games and posting fake news online. China has already started punishing people by restricting their travel. Nine million people with low scores have been blocked from buying tickets for domestic flights. Three million people are barred from getting business-class train tickets. The eventual system will punish bad passengers specifically. Potential misdeeds include trying to ride with no ticket, loitering in front of boarding gates, or smoking in no-smoking areas. According to Foreign Policy, credit systems monitor whether people pay bills on time, much like financial credit trackers — but also ascribe a moral dimension. Other mooted punishable offences include spending too long playing video games, wasting money on frivolous purchases and posting on social media. Spreading fake news, specifically about terrorist attacks or airport security, will also be punishable offences. 17 people who refused to carry out military service last year were barred from enrolling in higher education, applying for high school, or continuing their studies, Beijing News reported. Citizens with low social credit would also be prohibited from enrolling their children at high-paying private schools. “Trust-breaking” individuals would also be banned from doing management jobs in state-owned firms and big banks. Some crimes, like fraud and embezzlement, would also have a big effect on social credit. People who refused military service were also banned from some holidays and hotels — showing that vacation plans are fair game too. The regime rewards people here as well as punishes them. People with good scores can speed up travel applications to places like Europe. Naming and shaming is another tactic available. A 2016 government notice encourages companies to consult the blacklist before hiring people or giving them contracts. However, people will be notified by the courts before they are added to the list, and are allowed to appeal against the decision within ten days of receiving the notification. It’s not clear when the list will start to be implemented. A prototype blacklist already exists, and has been used to punish people. There is also a list for good citizens — that will reportedly get you more matches on dating websites. They can also get discounts on energy bills, rent things without deposits, and get better interest rates at banks. Despite the creepiness of the system — Human Rights Watch called it “chilling,” while others call it “a futuristic vision of Big Brother out of control” — some citizens say it’s making them better people already. A 32-year-old entrepreneur, who only gave his name as Chen, told Foreign Policy: “I feel like in the past six months, people’s behaviour has gotten better and better. “For example, when we drive, now we always stop in front of crosswalks. If you don’t stop, you will lose your points. “At first, we just worried about losing points, but now we got used to it.” [Business Insider]
Privacy (US)
US – California Ballot Initiative Seeks to Establish Consumer Privacy Rights
Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., have proposed the Customer Online Notification for Stopping Edge-provider Network Transgressions Act aimed at enhancing consumer privacy. The “privacy bill of rights” would require edge providers, such as Facebook and Google, to obtain consumers’ consent before selling sensitive information. “The avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land,” Markey said in a statement. The bill would prevent edge providers from forcing customers to provide consent in order to use any services. [Ars Technica | Engadget | Broadcasting Cable | MediaPost | LA Times | LW.com]
US – Consumer Groups Say YouTube Is Collecting, Using Children’s Data Improperly
A coalition of more than 20 consumer advocacy groups is expected to file a complaint with federal officials claiming YouTube has been violating a children’s privacy law. The complaint contends that YouTube, a subsidiary of Google, has been collecting and profiting from the personal information of young children on its main site, although the company says the platform is meant only for users 13 and older. The coalition of consumer groups said YouTube failed to comply with the Children’s Online Privacy Protection Act, a federal law that requires companies to obtain consent from parents before collecting data on children younger than 13. The groups are asking for an investigation and penalties from the FTC, which enforces the law. The New York Times and The Associated Press (via FT), USA Today, WIRED and The Guardian
US – Uber Agrees to Expanded FTC Data Breach Settlement
Uber has agreed to expand its proposed settlement with the FTC related to its 2016 data breach. The FTC released a revised complaint against the ride-hailing company, alleging Uber knew hackers used a key to access 25 million names and email addresses, 22 million names and phone numbers, and 600,000 names and driver’s license numbers. Uber could face civil penalties as a result of the expanded settlement if it fails to notify the agency of any future data breaches. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future,” Acting FTC Chairman Maureen Ohlhausen said. The FTC also offered lessons companies can learn from Uber’s data breach. [FTC.gov]
US – D.C. Court: Accessing Public Information is Not a Computer Crime
A district court in Washington, D.C. has ruled that using automated tools to access publicly available information on the open web is not a computer crime—even when a website bans automated access in its terms of service. The court ruled that the notoriously vague and outdated Computer Fraud and Abuse Act (CFAA)—a 1986 statute meant to target malicious computer break-ins—does not make it a crime to access information in a manner that the website doesn’t like if you are otherwise entitled to access that same information. The case, Sandvig v. Sessions, involves a First Amendment challenge to the CFAA’s overbroad and imprecise language. The plaintiffs are a group of discrimination researchers, computer scientists, and journalists who want to use automated access tools to investigate companies’ online practices and conduct audit testing. The problem: the automated web browsing tools they want to use (commonly called “web scrapers”) are prohibited by the targeted websites’ terms of service, and the CFAA has been interpreted by some courts as making violations of terms of service a crime. This is the second time in a year a court has recognized that a broad interpretation of the CFAA will negatively impact open access to information on the web. Judge Edward Chen found that a “broad interpretation of the CFAA invoked by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago.” The web is the largest, ever-growing data source on the planet. It is a critical resource for journalists, academics, businesses, and ordinary individuals alike. Meaningful access sometimes requires the assistance of technology to automate and expedite an otherwise tedious process of accessing, collecting and analyzing public information. Using technology to expedite access to publicly available information shouldn’t be a crime—and we’re glad to see another court recognize that. [EFF]
US – Woman Awarded $6.45 Million in Revenge Porn Case
A federal district court in California last week entered a default judgment against a man and ordered him to pay $6.45 million in damages after he was accused of spreading an ex-girlfriend’s naked pictures and videos online. It’s believed to be the second-largest payout for a victim of revenge porn who was not a celebrity, according to the woman’s lawyers. The unnamed woman, who was listed as Jane Doe in legal filings, sued the man, David Elam II, in civil court. She alleged copyright infringement, online impersonation with intent to harm, stalking and the intentional infliction of emotional distress. The case, which was filed in 2014, also underscores how complicated it can be to seek justice. There’s no federal law against revenge porn — just a patchwork of state laws. Doe was awarded $450,000 in damages because of copyright infringement. She also received $3 million in compensatory damages for emotional distress, and $3 million in punitive damages. [CNNMoney]
US – State AGs Opposed to Federal Bill
The New York Attorney General and 29 other State Attorneys General submitted their concerns to Congress regarding HR 4508, the PROSPER Act, specifically potential student-loan related abuses. The Bill would prohibit states from overseeing or addressing certain state law violations by student loan collectors or servicers and there are not federal protections for borrowers of student loans; such servicers have come under increased scrutiny from government agencies for practices that include collections on debt not owed, failures to provide borrowers about repayments options, and difficulties in contacting servicers through call centers. [New York Attorney General et al. – Letter to Congress Regarding PROSPER Act]
US – Copyright Office Considering DMCA Exemption for Voting Machines
As part of its triennial exemption process for the Digital Millennium Copyright Act (DMCA), the US Copyright Office is considering expanding the scope of exceptions to DMCA to include voting machines, which would allow researchers to probe the devices for vulnerabilities without fear of legal repercussion. At a hearing earlier this week, researchers and vendor representatives voiced their opinions about the possible change. [Cyberscoop: Security researchers and industry reps clash over voting machine security testing]
US – American Lawyers Urged to Use ‘Burner Phones’ When Travelling Abroad
Lawyers in the US are being advised to use “burner phones” when they travel abroad to protect information from government inspection on re-entering the country. The advice, given by the New York Bar Association, comes against the backdrop of the Trump administration tightening border security. Anyone entering the US can be asked to turn over their computers and phones to Customs and Border Protection for inspection. They will also be expected to disclose passwords to enable officials to examine their correspondence. Foreigners who refuse to comply can be denied entry into the country while US citizens face having their equipment confiscated temporarily to allow further inspection. The American Bar Association, which has 400,000 members, has been trying to persuade the Department of Homeland Security to devise a policy which will protect lawyer-client privilege. But no agreement has been reached, leading the New York Bar Association to suggest drastic measures. It has urged lawyers to use “burner phones” – cheap throwaway devices often seen in modern crime shows. The Association has also advised lawyers to install software to wipe sensitive information and to disconnect from cloud services. As things stand, the courts have yet to reach a conclusive decision on the legality of inspecting phones and computers. Currently 0.017 per cent of people entering the US are subjected to an electronic device search. [The Telegraph]
US – Data Breach Notification Laws Now Enacted in All 50 States
South Dakota and Alabama are the last of the 50 states to have enacted breach notification laws, along with Washington, D.C., Guam, Puerto Rico and the Virgin Islands. South Dakota became the 49th state to enact a data breach notification law when Governor Dennis Daugaard signed Senate Bill 62 into law on March 21. It goes into effect on July 1, 2018. On March 28, 2018, Alabama Governor Kay Ivey signed into law Alabama Senate Bill 318, effective May 1, 2018. Below are the parameters of these new data breach notification laws. As reported in a blog by Daniel Walbright, 32 state attorneys general have released a letter to Congress preemption of state data breach and security laws with a draft bill, “Data Acquisition and Technology Accountability and Security Act.” [DBR on Data]
US – FTC Launching Small Business Cybersecurity Education Campaign
The FTC announced a national education campaign to assist small businesses in strengthening their cybersecurity efforts. The campaign will include training modules and videos on subjects small business owners have identified as trouble spots, including ransomware, phishing attacks and email authentication. “Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face,” said the FTC. “Our new campaign aims to help these small businesses with targeted, plain-language advice on everything from protecting against phishing scams to tips on what to look for when choosing a cybersecurity vendor.” [FTC.gov]
US – FTC Report Makes Security Recommendations to the Mobile Device Industry
A new report by the FTC takes aim at how data security tech for mobile devices can be both improved and better utilized. The report, published in February 2018 and titled, Mobile Security Updates: Understanding the Issues [PR here], presents findings based upon information requested by the FTC in 2016 of eight mobile device manufacturers. The report recommends that both the devices themselves as well as their corresponding support services need to do a better job by deployed security updates quicker and more frequently. It recommends that manufacturers provide a minimum period during which security updates are to be provided, and make that period known to the consumer prior to purchase. It also recommended that manufacturers consider providing security updates that are separate and distinct from other updates that are often bundled together in one package. The report is intended to bolster consumer protection, however it is also relevant for small businesses and their use of mobile devices in the workplace such as bring-your-own-device (BYOD). While a BYOD policy helps a small business save on device and carrier costs, it also increases the likelihood of security threats to the business. [Working Place Privacy]
US – EPIC Releases US Privacy Law Updated Guide
The Electronic Privacy Information Center has released a guide on the major developments in U.S. privacy law ahead of the 63rd meeting of the International Working Group on Data Protection in Telecommunications in Budapest. The guide covers topics such as the passing of the CLOUD Act, the Facebook-Cambridge Analytica revelations, the investigation into potential interference with the 2016 U.S. presidential election, and the nominations of four new commissioners to the Federal Trade Commission, as well as U.S. Supreme Court affairs, including the U.S. v. Microsoft and the Carpenter v. U.S. cases. EPIC.org
Privacy Enhancing Technologies (PETs)
WW – Apple’s ‘Private by Design’ Health Care App Aims to Capture Market
With tech companies moving in to capture the health care market, Apple’s “private-by-design” strategy aims to ensure the security and privacy needs of organizations. A recent survey found that 47% of health care IT professionals expect to see mobile devices increase in use over the next two years, highlighting that health care providers are more willing to adopt mobile technology. Apple’s recently introduced Health Records app for iPhone users puts patients in control of data portability. Mike Restuccia, CIO at Penn Medicine, said, “I think the good thing about the Apple solution is that the data only resides on the end-user’s device,” adding, “So, we don’t have access to that. Apple doesn’t have access to the data. The beauty of the solution is it is patient managed, patient controlled and patient centered.” [Computerworld]
Security
AU – Human Error (Not Hackers) Behind Most Data Breaches in Australia
The Office of the Australian Information Commissioner released the first quarterly report since the country’s mandatory data breach notification scheme came into effect and noted an increase in the number of data breaches reported. The OAIC received notification of 63 data breaches in the first six weeks, compared to the 114 instances for the entire 2016–17 period when reporting was voluntary. The majority of breaches stemmed from human error, but an estimated 44% was the result of malicious or criminal behavior. The OAIC also stated that 78% of breaches included “contact information,” 24% contained “identity information,” and 73% of all eligible breaches “involved the personal information of under 100 individuals.” [iTnews | The Mandarin]
CA – Ontario Energy Board Establishes Cyber Security Framework
The Ontario Energy Board (OEB) established a Cyber Security Framework that is to be used by transmitters and distributors as the common basis for assessing and reporting their level of risk and security capability, as a means to move towards a more mature level of control and security. [Ontario Cyber Security Framework – Version 1.0 – Ontario Energy Board]
Surveillance
US – DHS to Compile Database of Journalists and ‘Media Influencers’
The Department of Homeland Security wants to track the comings and goings of journalists, bloggers and other “media influencers” through a database. The DHS’s “Media Monitoring” plan would give the contracting company “24/7 access to a password protected, media influencer database, including journalists, editors, correspondents, social media influencers, bloggers etc.” in order to “identify any and all media coverage related to the Department of Homeland Security or a particular event.” The database would be designed to monitor the public activities of media members and influencers by “location, beat and influencers,” the document says. The chosen contractor should be able to “present contact details and any other information that could be relevant including publications this influencer writes for, and an overview of the previous coverage published by the influencer.” Also, the contractor would have access to a password protected, mobile app that provides an “overview of search results in terms of online articles and social media conversations,” in several different languages such as Arabic, Chinese and Russian. The request comes amid concerns regarding accuracy in media and the potential for U.S. elections and policy to be influenced via “fake news.” The plan calls for the ability to track 290,000 news sources including online, print, broadcast and social media. Also, it would have the ability to track media coverage in over 100 languages, along with the “ability to create unlimited data tracking, statistical breakdown, and graphical analyses on ad-hoc basis.” DHS spokesman Tyler Q. Houlton tweeted that the practice of monitoring the press is considered “standard.” [Chicago Sun Times]
+++
