16-30 September 2017


WW – Apple Addresses Face ID Privacy Concerns

Apple has released a technical white paper breaking down the security measures behind the Face ID feature on the iPhone X. The white paper states Face ID only creates a map of a user’s face and keeps the “mathematical representation” of the face, rather than the entire image. The facial data is stored on the iPhone X’s Secure Enclave chip. The scan is encrypted, and the data is stored only on the device. If a user agrees to transfer the facial scan to AppleCare tech support, the user will have the ability to approve what is sent, and the facial data will automatically be deleted after 90 days. The white paper did not address any concerns with law enforcement. Apple has also released a new privacy page. [CNET]

RU – Russia Adds Facial Recognition to Moscow’s Surveillance Cameras

In a move argued to boost security and identify criminals, the Russian government has implemented facial-recognition technology across its network of 170,000 surveillance cameras in Moscow. The city’s surveillance, which is the largest centralized surveillance in the world, has access to 20 million hours of stored video at any given time and will now be able to cross-reference images against those from the Interior Ministry’s database. The cameras will employ technology from Russian startup N-Tech.Lab, which has been recognized for its accuracy rate by both the U.S. Department of Commerce and the University of Washington. [Bloomberg]

WW – Facebook Testing Facial Recognition for Potential Login

Facebook announced it is testing how it can use facial recognition to verify a user’s identity. Facebook explained the feature would be optional, only available on devices where the user had previously logged in, and would be another step available in addition to the current two-factor authentication system in place. If testing proved a reliable option, the company could potentially roll it out on a larger scale. [TechCrunch]

WW – Nest Labs Adds Facial Recognition to Hello Doorbell

Expected to hit stores early next year, Nest Labs is adding Google’s facial recognition technology to a camera-equipped doorbell that will be able to alert the homeowner when an unrecognized face approaches. The Hello doorbell will come equipped with speakers that will make it seem like it can recognize and talk to people. Google’s facial recognition technology is anticipated to be deployed on an outdoor security camera, as well. Neither will tap into Google’s database of photos to automatically recognize people but will rely on the user to manually tag and name people before the device recognizes someone. [US News]

Big Data / Analytics

WW – IPC Awarded for Excellence in De-Identification Research

The International Conference of Data Protection and Privacy Commissioners has awarded the Information and Privacy Commissioner of Ontario its inaugural excellence in research award for the agency’s De-identification Guidelines for Structured Data. According to an IPC news release, there were 90 entries for consideration. “Our guidelines are the first of their kind in Canada to use plain language to explain sophisticated de-identification concepts and technical processes, with the benefit of being useful to a very wide audience,” IPC Commissioner Brian Beamish said. “To have our efforts recognized on the global stage is especially gratifying.” [IPC]

WW – ICO’s Machine Learning Report Awarded at ICDPPC

The U.K. Information Commissioner’s Office has won this year’s International Conference of Data Protection and Privacy Commissioners’ Global Privacy and Data Protection Award. The ICO’s Big Data, AI, Machine Learning and Data Protection report also received the People’s Choice Award. Information Commissioner Elizabeth Denham said she was delighted ICO’s work was recognized at an international level, adding, “The use of big data has implications for privacy, data protection and the associated rights of individuals. However implications are not barriers — it is not a case of big data ‘or’ data protection.” [ICO.uk]

US – US Investigation into Russia May Seek Algorithmic Transparency from Top Tech Companies

While tech companies have developed without much intervention from the U.S. government, the investigation into Russia’s role in the 2016 presidential election has the government looking to better understand the internal workings of online platforms, such as Facebook and Google. Top Democrat on the House Intelligence Committee Rep. Adam Schiff, D-Calif., warned of “the use of Facebook’s algorithms and the way it tends to potentially reinforce people’s informational bias.” While tech companies are intent on guarding proprietary company information, Electronic Privacy Information Center Executive Director Marc Rotenberg explains, “Algorithmic transparency is also key to corporate accountability.” Information Technology and Innovation Foundation Vice President Daniel Castro, however, said that “trying to regulate [social networks] by demanding companies turn over their intellectual property is going to have a dampening effect on innovation.” [Politico]


CA – Bill C-59 Falls Short, Even by Liberals’ Own Standards

In the lead-up to the 2015 federal election, the Liberal Party of Canada made a cynical deal: they would hold their noses and vote for the Conservative government’s Anti-Terrorism Act, 2016, also known as Bill C-51. [See here & here] They claimed to do so in order to avoid allowing the Conservative Party to call them weak on security during the upcoming election. In return, they promised Canadians that a Liberal government would repeal the worst parts of Bill C-51 once elected. But that is the past. Let’s look at the present: in June 2017, the Liberal government introduced Bill C-59 [Bill C-59 here & Charter Statement here], the National Security Act, 2017. Coming after months of consultation, this is the government’s primary response to the problems with Bill C-51. At 150 pages long, it’s a massive bill that creates various new acts and brings extensive modifications to existing laws. This past week, along with 38 other organizations and experts, the International Civil Liberties Monitoring Group issued a strong statement: Bill C-59 does not fix the ills of Bill C-51 and fails to place the protection of Canadians’ rights at the heart of our country’s national security activities. It’s important to remember that many organizations, including the ICLMG, called for the complete repeal of Bill C-51. The Liberal Party has refused that call. Even by their own standards of repealing the most egregious sections of Bill C-51, the new National Security Act falls short. In an open letter, the ICLMG and our allies point to a wide range of concerns. You can read the entire letter here. Here are five major areas of concern: 1) Information sharing; 2) Surveillance; 3) Spy agency disruption powers; 4) The no-fly list; and 5) Torture. [Huffington Post | Leading civil society voices want changes to Liberal national security bill]

CA – Therrien Releases Annual Report on PIPEDA, Privacy Act

Privacy Commissioner of Canada Daniel Therrien has released his annual report to Parliament regarding the Personal Information Protection and Electronic Documents Act and the Privacy Act. The report covers several different topics, including consent consultation, reform updates for both PIPEDA and the Privacy Act, public safety, national security, and government surveillance. Therrien also writes about elements from last year’s report still having an impact on personal privacy, such as big data, the internet of things, biometrics and artificial intelligence. “Now is the time to instill confidence in Canadians that new technologies will be implemented in their best interest and not be a threat to their rights,” Therrien writes. “Now is the time to reform Canada’s critically outdated privacy laws.” [priv.gc.ca | OPC Calls for Fining, Rule-Making Powers]

CA – Canada Urged to Do More to Protect Data from U.S. During NAFTA talks

Concern is growing that federal negotiators aren’t doing enough to protect the personal information of Canadians from prying U.S. interests at the NAFTA negotiations. Information technology companies and other digital economy insiders say federal negotiators appeared unprepared during this week’s third round of talks to counter an American proposal that would forbid the storage of sensitive data in computing facilities on Canadian soil. Some warned that Canada appeared soft on the issue and might concede to the American demands in the interest of horse-trading — to potentially win concessions on higher-profile areas of contention, such as autos and agriculture. Sources say U.S. negotiators proposed NAFTA terms that banned data localization, lifting language directly from the failed Trans-Pacific Partnership. The U.S. position contrasts with British Columbia and Nova Scotia laws that require local data storage and appears to conflict with federal policy, which says “sensitive or protected data under government control will be stored on servers that reside in Canada.” [The Star]

CA – OPC Publishes its Report on Consent

In May 2016, the Office of the Privacy Commissioner of Canada published a discussion paper and launched a consultation on consent under the Personal Information Protection and Electronic Documents Act with the objective of identifying potential enhancements to the consent model and better defining the roles and responsibilities of the actors who could implement such improvements. On September 21, 2017, as part of its 2016-2017 annual report, the OPC published its “Report on Consent” as a result of this consultation. [See Backgrounder here & Report on Consent here] In this report, the OPC recognizes that consent is a foundational element of PIPEDA, but notes that obtaining meaningful consent has become increasingly challenging in the digital environment and can sometimes be impracticable or very challenging in the case of big data initiatives or Internet of Things devices. The OPC also cites a survey revealing that the vast majority of Canadians are worried that they are losing control of their personal information and highlights the importance of Canadians having the trust required for the digital economy to flourish. The report focuses on three themes: making consent more meaningful, alternatives to consent and governance/enforcement. [blg.com]

CA – OPC Concerned With Government Sharing of Roadside Test Results

The Federal Privacy Commissioner of Canada appeared before the standing committee on Justice and Human Rights on Bill C-46, An Act to Amend the Criminal Code (offences relating to conveyances). Proposed amendments to the Criminal Code would widen the potential uses and purposes for which roadside results may be collected and shared by authorities; sharing should be limited to only federal and/or provincial laws that relate to transportation safety, and consider whether negative test results will be retained. [OPC – Appearance Before the Standing Committee on Justice and Human Rights on Bill C-46 An Act to Amend the Criminal Code and to Make Consequential Amendments to Other Acts]

WW – Apple Revamps ‘Privacy’ Site, Calls It “Fundamental Human Right”

Apple updated its “Privacy” minisite, reorganizing it to better communicate what the company does to safeguard personal data on its various hardware and software platforms. The site calls privacy a “fundamental human right,” and explains the policies underlying systems like passcodes, Touch ID, Apple Pay, and app permissions. [App Insider see also The Washington Post]

CA – How to Join Surge of Privacy Class Actions in Canada

The number of Canadian privacy class actions has rapidly increased within the last six years, according to business law firm Osler. [see here] Based on Osler’s internal tracking, the firm says a total of 62 privacy class actions across Canada have been launched since 2005. However, Osler identified only two privacy class actions commenced prior to 2010. That year, there were three new privacy class actions, rising to seven in 2011, and 10 in each of 2012 and 2013. Following a slight dip in 2014 and 2015, there were 11 commenced in 2016. According to Osler, nearly half of privacy class actions initiated in Canada have been commenced in Ontario. But that’s not to say that a class action launched in Ontario will see all Canadians automatically opted in. Residents in New Brunswick, Newfoundland and Labrador, and British Columbia must choose to opt in, said lawyer Tony Merchant, whose firm Merchant Law Group LLP [see here] “But everywhere else in Canada, you’re a part of the class action unless you opt out,” Merchant added, noting that in most circumstances, Quebec is also an opt-out province unless there are certain jurisdictional issues. Residents of B.C., New Brunswick, or Newfoundland and Labrador will only be automatically opted into class actions launched in their own respective provinces. [The Star]

CA – Govt ‘Fell Short’ in Protecting Privacy During Electoral Reform Consultation: OPC

The government “fell short” and “should have been more prudent” in preventing users’ personal information from being shared with third parties as they interacted with a much-maligned online electoral reform survey, Canada’s privacy commissioner has found. [see here] MyDemocracy.ca employed third-party scripts that could disclose users’ personal information to Facebook without their consent as soon as they loaded the website, according to the commissioner’s investigation. The responsible Privy Council Office also never conducted a privacy impact assessment related to the initiative. About 360,000 people had participated in the survey in December and January. The commissioner found no evidence PCO was trying to match individuals to their responses, but IP addresses and other information was shared with Facebook automatically, “thereby increasing the risk that users’ interaction with the website could not be truly anonymous” — and the government didn’t obtain consent before information was shared. Users who were simultaneously logged into Facebook could be identified. The survey requested optional demographic information including postal codes, household income, sex, age and other details. [National Post | Government added privacy protections to MyDemocracy.ca contract only after privacy commissioner began investigation: documents]

WW – US, Canada, Australia Receive ICDPPC Award for Joint Investigation

A joint investigation into the July 2015 AshleyMadison.com data breach, which impacted customers in nearly 50 countries, has received the Global Privacy and Data Protection Award at this year’s International Conference of Data Protection and Privacy Commissioners in Hong Kong. The collaboration demonstrated among the U.S. Federal Trade Commission, Office of the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada was described by ICDPPC Chair John Edwards as “a model on how to achieve cross-border cooperation in privacy enforcement.” The ICDPPC has also released a list of other winners for its inaugural awards. [Full Story]

CA – OIPC NL Offers Recommendations Following Text Message Data Breach

The Office of the Privacy Commissioner of Newfoundland and Labrador issued a report regarding a data breach involving the sharing of a text message. A complaint against the town of South Brook was filed after paper copies of a text message were shared during a meeting. The sender’s number had not been removed when the message was shared and was sent out to the public when town councillors decided to include the text message in a newsletter. Newfoundland Labrador Privacy Commissioner Donovan Molloy recommended the town create and implement a privacy policy, while offering education and training for staff and councillors. [VOCM]

CA – Sask MoJ Privacy Branch Reviewing Issues Around Reefer Survey

The Access and Privacy Branch of Saskatchewan’s Ministry of Justice is examining concerns around the province’s survey [see here] on recreational marijuana use after University of Regina professor Marc Spooner identified potential vulnerabilities within the online tool. In response to Spooner’s concerns, Drew Wilby, executive director of communications with the Ministry of Justice, said a “data-scrubbing” process will occur to eliminate “possible junk or repetitive responses” before analysis starts, but Spooner said this raises further concerns. Spooner said the fact a data scrub is even possible indicates the survey has been collecting information that could potentially identify a respondent — like an IP address — despite the fact the survey indicates data collected is “non-identifying.” The survey, which is open until Oct. 6, is only one tool the Government of Saskatchewan is using to consult on the legalization of recreational marijuana, with the statement noting: “multiple ministries have been consulting with stakeholders since the announcement of cannabis legalization.” [Star Phoenix]


US – Report: Low-Income US Citizens Aware of Privacy Concerns, but Cannot Protect Data

Data & Society has released a report on the privacy and security experiences of low-income citizens in the U.S. The report, titled “Privacy, Security, and Digital Inequality,” finds households with annual incomes of less than $20,000 are “acutely aware” of digital privacy harms, but many respondents said it would be difficult to access the resources needed to help protect their personal information online. “This study highlights the disconnect between the one-size-fits-all conversations about privacy-related risk that happen in Washington and the concerns that are most salient to the communities who have long experienced a disproportionate level of surveillance and injustice in their daily lives,” said the report’s lead author, Mary Madden. [Full Story]

WW – Nielsen to Acquire Marketing Intelligence Software Platform

TV ratings company Nielsen is expected to acquire marketing intelligence company Visual IQ, BostInno reports. Matt Krepsik, Nielsen’s global head of product leadership for marketing ROI, said, “Visual IQ’s rich history of marketing attribution and digital intelligence combined with Nielsen’s gold-standard marketing effectiveness solutions will provide advertisers, publishers and agencies with a holistic platform that offers the transparency to optimize and improve the return on marketing investments.” The terms of the acquisition have not been disclosed. [Full Story]


AU – Australian Text Campaign Sparks Privacy Concerns

Unsolicited text messages urging citizens to vote yes on Australia’s vote for marriage equality have left recipients wondering how their numbers were gathered in the first place. The text message asked voters if they had voted yes and contained a link leading to an equality campaign website. Many recipients were said to be on the Do Not Call register, while others planned to vote no. Victorian MP Rachel Carling-Jenkins called the marketing move a “gross invasion of privacy.” Some recipients contacted The Australian to express concern, and one said they would file a privacy complaint to the Telecommunications Ombudsman. [The Australian]


CA – CRTC ‘Has Had Success Enforcing’ Canada’s Anti-Spam Legislation, Says Chief Compliance and Enforcement Officer

In a speech September 26, 2017 to the Standing Committee on Industry, Science and Technology, Steven Harroun — the Canadian Radio-television and Telecommunications Commission’s (CRTC) chief compliance and enforcement officer — defended the commission’s enforcement of CASL, stating that “the CRTC has had success enforcing the legislation in the short time it has been in force.” Harroun also acknowledged the CRTC’s cooperation with 12 enforcement agencies from eight countries around the world, connected through the Unsolicited Communications Enforcement Network (UCENet). “I’m not suggesting that the Act is perfect,” said Harroun. “I suspect you will hear a lot of suggestions about what needs fixing from various witnesses who will address the Committee in the months ahead.” [Mobilesyrup]

Electronic Records

US – Study: 73% of Medical Pros Use Staff Member’s Password to Access EHRs

A study published in Healthcare Informatics Research finds 73% of medical professionals have used another staff member’s password to access a patient’s electronic health record at work. Of the medical professionals polled, more than 57% estimate they have used another person’s password an average of 4.75 times, while 100% of medical residents surveyed said they have obtained the staff member’s password with their consent. “Unfortunately, the use of passwords is doomed because medical staff members share their passwords with one another,” the researchers wrote. “Strict regulations requiring each staff member to have a unique user ID might lead to password sharing and to a decrease in data safety.” [HealthITSecurity | Are Doctors the Weak Link in Terms Of Medical Security?]


EU – European Commission Seeks Opinions Before Encryption Report Release

The European Commission is seeking member states’ opinions on security and privacy before publishing a report on encryption technology. The report, set to be released Oct. 18, will not suggest lowering levels of encryption. An EU official said the debate on allowing law enforcement to access encrypted communications has passed, and instead, “practical” solutions will be suggested to help police in the future. “Encryption is the basis for our digital economy. We wouldn’t have e-banking, we wouldn’t have e-government systems,” the official said. “What we’re looking for is how do we help law enforcement here. Nobody is speaking about backdoors because that would mean the undoing of our whole systems. Nobody wants to create a mass surveillance system at EU-level.” [EURACTIV]

EU – Commission to Publish Encryption Report on 18 October

The European Commission is trying to pull together member states’ differing views on security and privacy before it publishes a report on encryption technologies on 18 October. One Commission source said that despite calls from some EU leaders to create so-called backdoors to give police access to encrypted communication, “the debate has moved on” and the report will suggest “practical” solutions to help law enforcement authorities. Privacy campaigners and technology lobby groups will be wary of any suggestion to weaken encryption as a way to help police investigate crime. The Commission official insisted that the report will not suggest lowering levels of encryption. Diplomats from EU member states met on 18 September for talks about the encryption report. There is broad consensus from member states that experts at EU institutions should produce more research and suggestions to help police use encrypted data in communications. “If you want to break encryption you need to first know how to encrypt,” one source said. [Euractiv | End-to-end encryption plan puts Europe on collision course with UK | EU seeks to outlaw ‘backdoors’ in new data privacy proposals]

WW – Professionals Around the World Express Distrust Over NSA Data Encryption Techniques

Academic and industry professionals from countries such as Germany, Japan and Israel are pushing the U.S. National Security Agency to move away from data encryption techniques it wants to set as global industry standards. The group of cryptography professionals is concerned the NSA is advocating for the techniques not based on their quality, but because the agency knows how to break them. The debate has been ongoing for the past three years and has revolved around whether the International Organization of Standards should approve the two NSA techniques known as Simon and Speck. The NSA addressed these concerns by agreeing to drop all but the most powerful versions of the techniques. [Reuters]

CA – Toronto Hospital Implements Encryption-Based Security Strategy

Toronto-based North York General Hospital has tapped two companies to help boost its cybersecurity efforts. The health care organization selected cybersecurity firm Thales to provide hardware-based encryption technology to help bolster the secure exchange of information between health care staff. North York also chose a Thales technology partner, IDENTOS, to provide the platform to run the service. “We opted to add the IDENTOS solution to our security infrastructure toolbox to provide more flexibility in providing modern, encryption-based strategy driven by Thales and IDENTOS,” North York General Hospital CIO Sumon Acharjee said. “These two companies have the extensive, proven experience necessary for creating a solution that embraces growth, flexibility and accounts for today’s mobile-savvy users.” [Healthcare IT News]

WW – Encryption-Breaking Quantum Computers Getting Closer, Warns Canadian Expert

With research accelerating around the world on next-generation quantum supercomputers, the odds of someone creating a new machine able to crack current encryption methods protecting data have increased in the last 12 months, says a Canadian expert. Last year at this time, when experts from around the world gathered in Toronto for the fourth annual Quantum Safe Workshop, it was estimated there was a one in seven chance that by 2026 a quantum computer will be built that can break RSA-2048 encryption. That’s now down to a one in six chance, says Michele Mosca, co-founder of the University of Waterloo’s Institute for Quantum Computing, program director and a speaker at this year’s conference in London. Mosca sees the quantum computing world from two sides. On the threat side, “a lot has happened in the last six to eight months in terms of progress towards scalable quantum computing” by public and private researchers in Canada, the U.S., Australia, England, Japan, the Netherlands and China. On the solution side, Mosca admits researchers are getting closer to creating security tools that would keep up with the speed of a quantum computer. This side has been slower, in part because until the threat can be shown businesses see no reason to act. Most technology purchasers assume their security vendors will have a solution, Mosca said. Mosca warns CISOs that “you need to have a [quantum-safe] plan. You need to start your planning immediately. You don’t need to panic – a plan doesn’t mean you need to buy lots of stuff. But if you haven’t already you need to develop a roadmap and start a conversation with the other stakeholders” in your organization. “Then it will become clearer whether you need to step up the pace.” To that end, Mosca and a colleague have posted a six-step quantum risk assessment methodology for CISOs. The methodology can be integrated with common risk management frameworks from NIST, ISO or other groups. [ITWorld | see also: Phys.Org, eWeek, Geek and Gears Of Biz]

UK – WhatsApp Rejects UK Request for Backdoor Access

Instant messaging service WhatsApp has rejected a request from the U.K. government to offer access to encrypted messages. A security source said, “It is crucially important that we can access their communications — and when we can’t, it can provide a black hole for investigators.” While WhatsApp has responded that there is a practice in place to “carefully review, validate, and respond to law enforcement requests based on applicable law and policy,” it also explains that it is unable to provide the requested data because it is not collected. Security professionals argue that creating a backdoor for the government would weaken encryption for everyone, but U.K. intelligence officials believe a compromise could be possible. [Sky News]

EU – Other Privacy News

  • In ongoing efforts to move forward with the proposed ePrivacy Regulation in the EU, the Council of the European Union has offered its first revisions, with proposed amendments and deletions, primarily focused on the “operative part of the proposal (articles)” with plans to examine the recitals at a later date. [Eur-Lex]
  • The U.K.’s Department for Digital, Culture, Media & Sport introduced the Data Protection Bill 2017 to the House of Lords and published it online. [Gov.uk]

EU Developments

EU – Groups Voicing Criticisms of European Commission’s Financial Services Draft Proposal

Several e-commerce companies and lobby groups are asking the European Commission to change a draft proposal regulating financial services. The Commission plans to reduce online fraud by requiring customers to use card authentication services and other biometric processes for purchases worth more than 30 euros. “Any extra click required to confirm a purchase can discourage the consumer from finalising the purchase. This hurts both EU consumers and traders,” the groups wrote in a letter to Commission President Jean-Claude Juncker and eight other EU commissioners. The Commission is completing the draft of the proposal and will send it to MEPs and diplomats from national governments at some point over the next couple of weeks. [EURACTIV]

EU – Irish High Court Expected to Hand Down Standard Contractual Clauses Decision Oct. 3

According to a news release from Europe Versus Facebook and a tweet from Austria-based lawyer Max Schrems, the Irish High Court is expected to hand down its judgment on a case that will determine the future of standard contractual clauses. “The Irish High Court has informed the parties today, that it [will] deliver the judgement regarding Facebook’s EU-US data transfers in the light of US surveillance laws (like FISA 702 and EO 12.333), as well as US surveillance programs disclosed by Edward Snowden (like ‘PRISM’ and ‘Upstream’) on October 3rd, 2017,” the release states. The court decision will either refer the case to the Court of Justice of the European Union or decide the case without a reference, something that Schrems has pushed for in the case. [Europe-V | EU Judges US Surveillance Law | High Court to rule on landmark data privacy case next week]

CA – Canada’s Border Agency to Start Tracking the Number of Cellphone Searches

The Canada Border Services Agency will begin tracking the number of cellphones its officers search at the border, and will provide Canadians their first glimpse into the frequency of those searches after six months. “Right now we’re not tracking separately how many cellphone searches we have done,” said Martin Bolduc, vice-president of the agency’s programs branch, in a meeting before the House of Commons standing committee on access to information, privacy and ethics. CBSA has long maintained that it has the right to search electronic devices at the border for evidence of customs-related infractions — without a warrant — as it does suitcases and bags. A 2015 interim policy, still in effect today, says that device searches “should not be conducted as a matter of routine.” In the U.S., the frequency of border searches of cellphones has risen sharply in recent years, according to data collected by the U.S. government. And while there are only anecdotal accounts of searches in Canada, lawyers across the country have called the practice unconstitutional and argued that the law be changed. [CBC | Public employees should wipe phones before entering U.S., says N.L. privacy commissioner | Privacy commissioner warns Canadians about increase in U.S. border agents demanding access to phones | Canadians should worry about U.S. border searches of cell phones: privacy czar | Digital privacy at the border: What’s in your phone? | Canadian Courts Edging Towards A Warrant Requirement For Device Searches At Borders | How our intimate lives can become a prerequisite for travel | The new electronic police state & the 4th Amendment at the border]

CA – Alberta Opposition Questions 800,000 Deleted Alberta Government Emails

The Opposition wants Alberta’s privacy commissioner to investigate 800,000 emails deleted by government and political staffers under the NDP, according to United Conservative Party interim leader Nathan Cooper. He also wants to know why top political staffers in Premier Rachel Notley’s office had only a handful of sent emails and messages in their inboxes, despite their time on the job. Also of concern for Cooper were policies from two departments directing staff to get rid of emails in their inboxes. A deputy minister briefing note in education noted that migration to a new system was the perfect opportunity to “clean up” the department’s email. Over in transportation, the department ran a competition for staffers to reduce the number of emails in inboxes by 25%. Those who deleted the most were entered into the draw for one of three $50 Apple gift cards. He thinks the lack of emails across all employees in managerial and director roles in government ministries could well point to breaches of the Privacy Act and records-retention policies. [Edmonton Journal]

CA – CBA Asks Ottawa for ‘Robust’ Protections for Solicitor-Client Privilege at U.S. Border

In a Sept. 27 appearance before the Commons Access to Information, Privacy and Ethics Committee [see here], customs lawyer Cyndee Todgham Cherniak renewed the Canadian Bar Association’s so-far unheeded requests to Ottawa since 2013 for the creation of a joint working group of representatives from Justice Canada, the CBA and the Canada Border Services Agency (CBSA) to collaborate in developing a defined policy for Canadian border searches involving solicitor-client protected information. The CBA told MPs that Canada should also require the U.S. Department of Homeland Security and U.S. Customs and Border Protection to have a similar policy on solicitor-client privilege that applies to U.S. officials engaged in preclearance examinations on Canadian territory. The CBA went on to raise numerous legal and constitutional red flags about Bill C-21 and Bill C-23. Privacy lawyer David Fraser of McInnes Cooper in Halifax told The Lawyer’s Daily the companion government bills significantly increase Canadian and U.S. customs and immigration officials’ authorities to examine travellers and their electronic devices, as well as to gather, store and share travellers’ private personal information with domestic and foreign governmental agencies. The proposed amendments to the Customs Act (C-21) [see here], which implement the joint “Beyond the Border” Canada/U.S. border security initiative, would “significantly expand” the role of the CBSA in controlling the exit of people and goods from Canada and also require international carriers — such as airlines, trains and buses — to collect and hand over to authorities detailed biometric information on all travellers departing Canada. Bill C-23, the Preclearance Act, 2016 [see here], would expand the powers of U.S. customs officials, who are engaged in preclearing U.S.-bound travellers from Canada, to operate on Canadian soil. At the same time Canadians’ privacy rights would be reduced, without adequate safeguards, the CBA said.
Bill C-23 is now at second reading debate in the Senate, after MPs passed it last June, over NDP opposition and protests from civil liberties advocates. The CBA’s representatives urged the Commons committee to recommend to the government that Bill C-23 be delayed and revised — pending “full consultation and extensive review.” [Source | More coverage at Canadian Bar Association]

Facts & Stats

WW – Data Breach: 54% are Caused by Negligent Employees or Contractors

This Ponemon Institute study, sponsored by Keeper Security, surveyed small and medium-sized businesses on their cybersecurity practices. Third party mistakes caused 43% of data breaches and errors in system or operating processes, 34%; top challenges preventing the IT security posture from being fully effective included insufficient personnel, budget or technologies, no understanding of how to protect against attacks, and lack of in-house expertise. [2017 State of Cybersecurity in Small and Medium-Sized Businesses – Ponemon]

CA – OIPC NL Updates Guidance on Applications to Disregard Access and FOI Requests

The Information and Privacy Commissioner of Newfoundland and Labrador has updated his previous guidance related to applications to disregard access to information requests pursuant to the Access to Information and Protection of Privacy Act, 2015. Public bodies may apply to the Commissioner within 5 days of receiving a request and the Commissioner will decide within 3 days whether to grant approval to disregard the access or freedom of information request; this 8-day process does not extend the other timelines that apply to these requests. [OIPC NFLD – Applying to the Commissioner for Approval to Disregard an Access to Information Request]

CA – Saskatchewan Amends Its FOI Act

Saskatchewan’s Bill 30, An Act to Amend the Freedom of Information and Protection of Privacy Act, received royal assent on May 17, 2017; amendments will come into force upon proclamation. The Act establishes a duty to assist by government institutions, increases the powers of the commissioner (e.g., exchange of personal information with other commissioners), and creates an obligation for public bodies to notify affected individuals of an authorized use or disclosure of their personal information. [Bill 30 – An Act to Amend the Freedom of Information and Protection of Privacy Act – Legislative Assembly of Saskatchewan | Amendment to Bill]

CA – OIPC SK Recommends Disclosure of Snooper’s Identity

The Office of the Saskatchewan Information and Privacy Commissioner investigated a breach of personal health information at the Prince Albert Parkland Regional Health Authority, pursuant to the Health Information Protection Act. An employee at a regional health authority snooped into health records of 14 patients with whom she had a personal relationship; notification letters to these individuals failed to identify the employee (to allow individuals to determine the harm or consequence of the breach), or how similar breaches will be prevented in the future (i.e., that the employee was terminated). [OIPC SK – Investigation Report 136-2017 – Prince Albert Parkland Regional Health Authority]


US – Equifax Offers Lifetime Ability to Lock and Unlock Credit for Free

Interim Equifax CEO Paulino do Rego Barros Jr. announced the credit monitoring agency will unveil a new service allowing consumers the lifetime ability to lock and unlock their credit for free, Bloomberg reports. Following Equifax’s data breach, the company will also extend the sign-up period for the free credit monitoring service TrustedID Premier. “We compounded the problem with insufficient support for consumers,” Barros wrote in an Op-Ed for The Wall Street Journal. “Answers to key consumer questions were too often delayed, incomplete or both. We know it’s our job to earn back your trust.” Meanwhile, New York state’s financial service regulators have issued a subpoena to Equifax, while San Francisco City Attorney Dennis Herrera filed a lawsuit against the firm related to the data breach. [Bloomberg | Equifax CEO Richard Smith to step down following data breach | Equifax estimates 100,000 Canadians affected by data breach | Equifax breach extends to UK consumers]

US – CFPB Director Says Credit Rating Agencies Will Receive Embedded Regulators Following Equifax Breach

Following the Equifax data breach, Consumer Financial Protection Bureau Director Richard Cordray said credit rating agencies will be getting embedded regulators to ensure similar attacks do not occur. “If they’re going to restore public confidence in this marketplace and if they’re going to create the kind of reforms necessary, they’re going to have to recognize the old days of just doing what they want, being subject to lawsuits now and then, are over,” he said. “There has to be a scheme of preventive monitoring in place.” Cordray said the Equifax data breach was “far beyond” the attacks at both Target and Home Depot and demanded a stronger reaction. Cordray also said the CFPB will work with Congress to develop measures on the ways companies handle data and react to data breaches. [CNBC]

US – Sonic Suffers Breach Affecting Millions of Customers’ Payment Card Data

Sonic Drive-In has suffered a data breach affecting an unknown number of its 3,600 locations across the U.S. The breach has potentially compromised the debit and credit card information of millions of customers. Security Researcher Brian Krebs writes the payment card information may have been sold on a cybercrime marketplace called “Joker’s Stash.” The breach was first discovered after financial institutions reported fraudulent activity coming from accounts used at an Oklahoma City–based Sonic restaurant. “Our credit card processor informed us last week of unusual activity regarding credit cards used at Sonic,” the chain said in a statement. “We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor.” [KrebsOnSecurity]


CA – Watchdog Blasts Trudeau Government Over Broken Transparency Promises

Canada’s information commissioner has released a scathing 50-page report, chiding the government for breaking its promises on improving Canada’s transparency regime. [See PR here and Report here] The Liberals introduced new legislation last spring to improve Canada’s Access to Information Act and government transparency. [Bill C-58] That legislation “fails to deliver,” according to a special report from Information Commissioner Suzanne Legault. “I only need one sentence [to describe the bill]: This really effects a major regression in terms of access to information rights for Canadians,” she said. “We are now completely overtaken by most countries in the world in terms of our access to information regime,” she added. News Media Canada, an association of journalists and publishers, said in an audit [see here] published this week that the access to information system “is bogged down to the point where, in many cases, it simply doesn’t work.” A House of Commons committee will begin deliberations on the new bill in October. Legault says the government’s proposed changes will, overall, make that system even worse. “The government promised the bill would ensure the act applies to the prime minister’s and ministers’ offices appropriately,” Legault writes. “It does not.” [Vice.com | National Post, The Canadian Press, The Globe and Mail, Toronto Star and CPJ Press Freedom Online]

CA – Federal FOI in Canada Worse Now Than Under Harper: Report

The federal government received a failing grade in a new national audit of freedom of information regimes across Canada. The vast majority of federal departments under the Liberal government, which campaigned on a promise to increase information disclosure and transparency in Canada, failed to fulfill requests within the legal timeframe, the audit found. The report states, “this year, the audit has a special focus on the performance of the federal government led by Prime Minister Justin Trudeau, and performance was even worse than in the latter years of the former Stephen Harper government.” The national audit, which looks at freedom of information regimes federally, provincially and municipally, was conducted by Fred Vallance-Jones, associate professor at University of King’s College, and freelance journalist Emily Kitagawa. The audit was prepared for and funded by News Media Canada and is the seventh report of its kind since 2008. [Desmog | Watchdog blasts Trudeau government over broken transparency promises | Additional coverage at National Post, The Canadian Press, The Globe and Mail, Toronto Star and CPJ Press Freedom Online]

CA – OIPC ON Addresses Frivolous and Vexatious Access Requests

The Information and Privacy Commissioner of Ontario has issued guidance on access to information requests pursuant to the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act. When notifying the requester that their request is frivolous or vexatious, organizations should indicate the reason for the decision and the requester’s right to appeal to the Commissioner; maintaining detailed records of the interactions with the requesters will help the organization support that the request is frivolous or vexatious (e.g., number, nature and size of the request). [IPC ON – Frivolous and Vexatious Requests]

CA – B.C. Gov’t Fails to Meet Deadlines on 1/5 FOI Requests: OIPC BC

The Government of British Columbia routinely fails to meet legal requirements for freedom-of-information requests. That’s the conclusion of an independent review of the province’s handling of requests made under the B.C. Freedom of Information and Privacy Protection Act (FIPPA). “We saw regular contraventions of FIPPA and deterioration of response times with some modest improvement at the beginning of 2017,” reads the September 20 report signed by Drew McArthur, acting information and privacy commissioner for B.C. The review found that the province’s Information Access Operations team missed deadlines on one in five of the requests it receives. When this 20% of files was eventually delivered, the average number of days they were overdue was 62. In addition, the review found that files delivered on time were still taking longer than they should. That’s happened via an increase in the government’s use of time extensions. From 2012-13 to 2014-15, the percentage of files requiring a deadline extension was between 21 and 22%. By 2016-17, that number had increased to 37%. [Straight | see also MetroNews Canada and CBC News]

CA – Access to Information Auditor Says P.E.I. Should Include Municipalities

P.E.I.’s municipalities should be brought under the provincial freedom of information law, says the leader of a recent access to information audit. [see here starting at Pg 68] Fred Vallance-Jones, who was one of the authors of a report on the audit that included requests to Charlottetown, said it’s time for P.E.I. to include municipalities in its Freedom of Information and Privacy Protection Act. “There is no reason municipal governments shouldn’t be accountable to the public the same way as other governments and frankly I scratch my head as to why P.E.I. has not joined every other province,” he said. P.E.I. is the only province that doesn’t include municipalities in its access to information legislation. [Guardian | Additional coverage at CBC News]

CA – Newfoundland Entities Should Limit Persons Authorized to Post on Social Media

The Office of the Information and Privacy Commissioner of Newfoundland and Labrador issued guidance on the use of social media for public bodies and custodians. Social media policies should include who may post to social media (e.g., head of the public body, ATIPPA coordinator, privacy managers), the type of information that may be communicated via social media and the platforms that may be used. [OIPC NFLD – Use of Social Media See also: Baker & Mckenzie Canadian Employers Must Protect Against Abusive Posts: Avoiding the risks An outline of steps employers can take to avoid the pitfalls of social media – William Watson, Partner, and Susan MacMillan, Professional Support lawyer, Baker McKenzie]

US – Google and Apple Release New Transparency Reports

This week, both Google and Apple updated their transparency and privacy statistics for the first half of 2017. In a blog post for Google, the company explains the release comes as the U.S. government is set to discuss Section 702 of the Foreign Intelligence Surveillance Amendments Act 2008, which is set to expire at the end of 2017. Google explains this particular section is often utilized by the U.S. government to obtain data about non-U.S. users in order to collect “foreign intelligence information.” Both Apple and Google report an increase in requests for user data, with Apple stating that, during the first half of 2017, they received, “the largest number of national security orders that Apple has ever reported in five years of publishing transparency reports.” [Google Blog]

Health / Medical

CA – IPC Releases Breach Guidelines for Health Care Sector

Ontario’s Information and Privacy Commissioner has issued a reminder that it has released new guidelines for recent amendments to the province’s Personal Health Information Protection Act. Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector will guide health care organizations and professionals to gain an understanding of the new amendments, which will go into effect Oct. 1, and when to notify the agency in the wake of a data breach. IPC Commissioner Brian Beamish said, “The guidance document developed by my office will help people who work with health information to understand their duties and responsibilities to ensure that sensitive information is protected, as well as to improve accountability and transparency in Ontario’s health care system.” [Full Story]

WW – Gem Working With CDC, Tieto to Bring Blockchain to Health Care

Blockchain company Gem is working with the U.S. Centers for Disease Control and technology services company Tieto on two separate projects to help incorporate blockchain technology into health care, TechCrunch reports. Gem is assisting the CDC as the agency hopes to use blockchain to protect shared data during natural disaster responses. Gem is helping Tieto as the European-based company seeks to establish a patient record system powered by Gem’s blockchain technology, especially as the EU General Data Protection Regulation comes closer to implementation. “The reality is your data is going from party to party all the time,” Gem Chief Executive Micah Winkelspecht said. “It’s being bought and sold without your knowledge. What we believe and what GDPR is enforcing is bringing that data back to the user to see how that data is managed and bringing that consent back to the citizen.” [TechCrunch] Blockchain a potential tool for EHR use

WW – Healthcare Organizations With IT Leader Have More Holistic Security Programs

The Healthcare Information and Management Systems Society investigated cybersecurity concerns of US healthcare organizations: 126 individuals that played a role in their organization’s information security responded. 60% of organizations surveyed employed a senior information security leader (“SISL”); 88% of these organizations conducted a cybersecurity assessment when acquiring a product or service (compared to 57% of non-SISL organizations), 82% supported education and training for staff (compared to 57% of non-SISL organizations), and 59% conducted mock exercises to test for failure of tech resources (compared to 51% of non-SISL organizations). [2017 HIMSS Cybersecurity Survey – HIMSS]

Horror Stories

Ex–Manitoba Health Employee Fined $7,500 for Illicitly Accessing Daughter’s Medical Records

A former Manitoba Health employee has been fined $7,500 for violating the Personal Health Information Act after illegally accessing the medical records of his estranged daughter, CBC News reports. The man accessed the records in April 2014 after learning his ex-wife had been hospitalized for psychiatric issues. While Defense Lawyer Gene Zazelenchuk said his client only accessed the records out of concern for his daughter, Judge Cynthia Devine said the defendant’s past role as a police officer made the infraction egregious. “More than anyone else, police officers know how to execute their duties in concert with the law,” Devine said. “His moral culpability in committing this offence is very high.” [CBC.ca]

CA – Huge Potential Breach Exposes Nunavut’s Lax File Management

Thousands of records containing the private clinical information of Nunavut residents treated at the Qikiqtani General Hospital in Iqaluit may have gone missing more than a year ago, but the Department of Health decided not to notify the public about what could be a massive information and privacy breach. That’s because health officials now say they aren’t sure the files are actually missing. The Department of Health could only provide a “broad description” of the missing records as “inpatient and outpatient service reports, patient demographics and clinical information,” because the records themselves had never been catalogued. More than a year after the box was first reported missing, the Department of Health said it now believes this box may have never existed since records showing the number of boxes, and the files inside them, are largely absent. Here’s the other problem: if there is a missing box, there is no record of what was in it, so it’s unclear how many Nunavummiut could be affected — or even what personal data was compromised — said Nunavut’s privacy commissioner, Elaine Keenan Bengts, who reviewed the privacy breach. [Nunatsiaq News See also: Nunavut’s health records ‘ripe for privacy breach’, says territory’s information commissioner]

Identity Issues

AU – OAIC and Data61 Publish Data De-Identification Framework

The Office of the Australian Information Commissioner and CSIRO’s Data61 have published the “De-Identification Decision-Making Framework” to assist organizations in appropriately de-identifying data and put strategies in place to recover the information should a data breach occur. The framework is structured into three sub-headings, with the first requiring an organization to assess its data situation and conduct an audit, followed by conducting a risk and control analysis, and ending with asking the organization to determine how it would effectively manage the sharing of data. Australian Information and Privacy Commissioner Timothy Pilgrim wrote that the purpose of the framework is to “empower organisations to understand what is involved in a de-identification process,” as well as to help organizations identify, evaluate and balance the resulting risks. [ZDNet]


US – Lawmakers Request Details on Data Stored in IoT Nursery Device

Mattel’s new “connected kids room platform,” Aristotle, which is designed to watch over, record and interact with children, has prompted Sen. Ed Markey, D-Mass., and Rep. Joe Barton, R-Texas, to request the toymaker disclose information on how data will be stored and used, Bloomberg reports. In a joint letter, the lawmakers state, “Consumers should know how this product will work, and what measures Mattel will take to protect families’ privacy and secure their data,” arguing that never before has a device had access to such information. Aristotle, which was announced in January but is still unavailable for purchase, can play a lullaby, emit white noise, turn on nightlights, and send naptime and diaper-changing data to an owner’s smartphone app with permission. [Bloomberg]

Law Enforcement

CA – RCMP at Fault for Disclosing Woman’s Suicide Attempt at US Border

The Office of the Privacy Commissioner of Canada found the RCMP at fault for a privacy violation involving a woman attempting to cross the U.S. border. The woman was turned away from the U.S. border after border agents discovered she previously had attempted to commit suicide. The information regarding the incident was obtained through a RCMP-controlled database. While the information was originally recorded to help police in a possible future encounter with the woman, U.S. Customs and Border Protection used the information for different purposes, a violation of Canada’s privacy law. “We concluded that information about an attempted suicide can only be shared with U.S. border officials where the individual can reasonably be considered to present a risk to others,” the office said. [Ottawa Citizen | Therrien: Canadian citizens should be ‘very concerned’ about US border searches]

CA – Ex-Manitoba Cop Fined $7,500 for Snooping Daughter’s Health Records

In what is the first case of its kind in the province, a former Manitoba Health employee who accessed the medical records of his estranged daughter has been fined $7,500. The 58-year-old accused, a retired city police officer, was convicted after trial earlier this year of one count of accessing personal health information in violation of the Personal Health Information Act. As a former police officer, the man would have been well aware of the importance of complying with the act, Judge Cynthia Devine said. “More than anyone else, police officers know how to execute their duties in concert with the law,” Devine said. “His moral culpability in committing this offence is very high.” Prior to the information breach, the woman had not disclosed her hospital stay to even her closest friends, court was told. She sank into depression and later lost her job and her house. [CBC News]

Online Privacy

UK – Report: 81% of Children Under the Age of 2 Have an Online Presence

42% of parents in the U.K. share photos of their children online, adding to the worldwide trend of young children having an online profile. An AVG report finds 81% of children under the age of 2 have an online presence. Oversharing concerns have motivated police in France and Germany to write Facebook warnings about the dangers of parents posting too much information about their children online, while academics in the U.K. suggest the government begin to educate parents to ensure they understand the importance of protecting a child’s digital identity. [phys.org]

CA – OPC to Query Google on Linking Court-Protected Names

The Office of the Privacy Commissioner of Canada will approach Google officials to request information on how the search engine is able to link court-protected names of young offenders and victims with online coverage of their cases even without direct mention of their name. While Google’s algorithms are not public, some researchers suggest that “a critical number of people have used the protected name alongside similar search terms, thereby establishing a pattern of links to news coverage.” The OPC spokeswoman said that no official complaints from affected individuals have been made, and Google announced it will act on individual complaints and remove search results that violate local laws. [Ottawa Citizen | Google’s ability to defeat court bans ‘horrifying for victims’: defence counsel | Google is linking secret, court-protected names – including victim IDs – to online coverage]

EU – EU Citizen Receives Requested Personal Data from Dating App

After executing her right under EU data protection laws and asking that dating app Tinder grant her access to her personal information, Judith Duportail discusses the 800 pages of information the company collected about her in a column for the Guardian. The personal information included more than her Tinder information, including her Facebook and Instagram history. “Tinder is often compared to a bar full of singles,” she writes, “but it’s more like a bar full of single people chosen for me while studying my behaviour, reading my diary and with new people constantly selected based on my live reactions.” [The Guardian]

Other Jurisdictions

UK – Judge Finds Man Who Did Not Share Device Passwords Guilty Under UK Terrorism Laws

The international director of CAGE, an advocacy group campaigning against the impact of counter-terrorism policies, was found guilty under U.K. terrorism laws for “wilfully obstructing or seeking to frustrate an examination or search” when stopped by British police at Heathrow Airport. Muhammad Rabbani refused to provide police with passcodes for electronic devices, arguing that he was acting to protect the privacy of a client involved in an anti-torture case. The judge presiding over the case found Rabbani to be legally required to have provided such information under Schedule 7 of the Terrorism Act 2000. Rabbani has announced plans to appeal the decision, saying the law poses a threat to personal privacy. [Reuters]

AU – Privacy Commissioner Publishes Data Breach Notification Guidelines for Comment

The Office of the Australian Information and Privacy Commissioner (OAIC) is seeking public comment [see here] on draft resources it has published relating to Australia’s impending data breach notification laws. [see here] A data breach worthy of reporting is defined by the OAIC as one that is likely to result in serious harm to any of the individuals to whom the information relates, noting also that a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. As part of its reference material package, the OAIC prepared a guide to securing personal information, which also urges organisations to prepare or update their data breach response plan to ensure that they are able to respond quickly to suspected data breaches. [ZDNet | Former ASIO head questions why political parties are exempt from breach disclosure]

Privacy (US)

US – FPF Releases Guide Describing Student Data Protection

The Future of Privacy Forum has released a guide aimed at providing clarity for schools and associated service providers so that they may better understand their legal options concerning when to disclose student information to law enforcement. The FPF explains that given the current U.S. political climate and the recent repeal of the Deferred Action for Childhood Arrivals program, it is important for schools to understand how student information is protected under the Family Educational Rights and Privacy Act. The FPF said, “If this all sounds overwhelming, then it’s important to remind you of the number one best practice: strive to minimize legal risks on the back end by limiting the amount and types of data you collect about students on the front end.” [FPF] See also: Alberta’s education minister has announced legislation to be introduced this fall that would require public schools to protect LGBTQ students and information on students’ involvement in gay-straight alliances. Edmonton Journal

US – FTC to Host Workshop on Consumer Injuries Suffered in Privacy Cases

The FTC will host a free workshop in Washington, D.C., Dec. 12 to discuss the injuries consumers suffer when data about them is misused. The workshop will address the best ways to characterize injuries in privacy and data-security cases and accurately measure injuries and their prevalence. “Information flows of all kinds are vital to our economy, but the increased collection and use of consumers’ information carries some risk for consumers when that information is misused,” Acting FTC Chairman Maureen Ohlhausen said. “This workshop is aimed at helping us to better identify and measure the consumer injuries that may result from the misuse of information about consumers.” [FTC.gov | FTC Speech]

US – NASA Engineer Part of Border-Search Lawsuit Against Government

Sidd Bikkannavar, a senior engineer at NASA’s Jet Propulsion Laboratory, is suing the government over a warrantless search of his smartphone upon arrival in the U.S. from a trip abroad. Bikkannavar is one of 11 travelers involved in the lawsuit against the U.S. federal government for the warrantless search of smartphones, laptops and other devices. The suit was filed by the ACLU and EFF last week. Esha Bhandari, a staff attorney for the ACLU, says the agents in Bikkannavar’s case exceeded their authority, adding that border agencies have the authority to conduct warrantless searches of a traveler’s luggage but that authority does not extend to electronic devices. [LA Weekly]

US – Court Dismisses OPM Data Breach Lawsuits

A District of Columbia court has dismissed a pair of lawsuits related to the 2015 U.S. Office of Personnel Management data breach. The lawsuits, brought on by the American Federation of Government Employees and the National Treasury Employees Union, were dismissed after the court determined the plaintiffs lacked standing to bring their cases. “Plaintiffs seek damages for improper disclosure of information and for a failure to maintain adequate safeguards under the Privacy Act, but they have not alleged that private information was ‘disclosed,’ as opposed to stolen, and they have not alleged facts to show that their claimed injuries were the result of the agency’s failures,” the court wrote in its memorandum opinion. [The Hill]

US – DOT’s Autonomous Driving Guidelines Put a Varying Emphasis on Privacy

The U.S. Department of Transportation has released guidelines on autonomous driving, but the emphasis on privacy varies between groups. The guidelines recommend companies take care not to include confidential business data when revealing their autonomous vehicle programs to the public. While the guidelines address businesses, consumer privacy has been de-emphasized, with the DOT stating it should be handled by the FTC. Other concerns have arisen regarding whether autonomous vehicle data will be used for commercial purposes or in insurance decisions. “From a privacy perspective, driving data looks very much like telephone records data,” Electronic Privacy Information Center President Marc Rotenberg said. “We’ve always had strong protections for telephone record data.” [CNN Tech]

US – Other US Privacy News

  • The U.S. Department of Homeland Security has announced a new policy that makes publicly available online information part of an individual’s immigration record. The Hill
  • The U.S. Department of Homeland Security has announced plans to collect the social media information of all immigrants, effective Oct. 18. The Hill
  • A federal judge has ruled that the surveillance systems on city buses in Reno, Nevada, may collect audio, as well as video recordings. Miami Herald
  • New York’s Gov. Andrew Cuomo has proposed expanding the state’s financial cybersecurity rules to cover credit reporting agencies. New York Law Journal
  • U.S. Secretary of Commerce Wilbur Ross and EU Justice Commissioner Věra Jourová have released a joint statement on the first annual review of the EU-U.S. Privacy Shield framework. Commerce.gov
  • The U.S. 9th Circuit ruled in favor of the personal privacy of 149 noncitizens over a FOIA request seeking their names from the treasurer of the National Border Patrol Council. Law360
  • In New Hampshire, an advisory committee is looking into creating rules on how to identify crime victims in court papers. The Concord Monitor
  • The D.C. Court of Appeals ruled law enforcement use of cell-site simulators to track a suspect’s phone without a warrant violates the U.S. Constitution. CBS News

Privacy Enhancing Technologies (PETs)

WW – Signal App Tests New Method for Accessing Contact List

Open Whisper Systems, the nonprofit behind the encrypted communication app Signal, is launching an experimental method to replace the contact-sharing request with a process that allows Signal’s servers to mine a user’s address book to find other Signal users. The contact-sharing request has been long considered a “necessary evil” to make apps such as Signal user-friendly, and it is thought that this new method, which utilizes an Intel processor feature called Software Guard Extensions, may represent an alternative process for apps interested in providing user convenience and security. [Wired]

US – Tech Vendor Creates New Feature to Test Password Health

Dashlane, a provider of password management programs, has created a new feature to alert administrators when their corporate users share passwords between accounts or utilize ones that are easy to guess. The product stores encrypted versions of passwords for other sites that are accessible once a user unlocks them with a memorized master password and sends the company statistics on how many passwords an employee has and if they are following good password guidelines. The new feature aims to prevent an employee from unnecessarily creating a vulnerability due to poor password management, increasing the risk of stolen credentials. [Fast Company]


US – NIST Releases Discussion Draft on Its Approach to Privacy and Security

The National Institute of Standards and Technology has released a new discussion draft for its approach to privacy and security. NIST Special Publication 800-37, Revision 2, is a response to U.S. President Donald Trump’s cybersecurity executive order and the Office of Management and Budget’s Memorandum M-17-25. “NIST Special Publication 800-37, Revision 2, empowers customers to take charge of their protection needs and provide security and privacy solutions to support organizational missions and business objectives. It includes a new organizational preparation step, instituted to achieve more timely, effective, efficient and cost-effective risk management processes,” NIST Fellow Ron Ross writes. “The organizational preparation step incorporates concepts from the Cybersecurity Framework to facilitate better communication between senior leaders and executives at the enterprise and mission/business process levels and system owners.” [NIST]

US – DHS Announces Themes for National Cyber Security Awareness Month

The U.S. Department of Homeland Security will support October as National Cyber Security Awareness Month, highlighting the government’s effort to raise awareness about the importance of cybersecurity and its increasing impact on daily life. DHS has announced five themes to be addressed throughout the month, covering important concerns and developing a better awareness of cybersecurity as part of its ongoing engagement to educate public and private sectors. [DHS]

EU – Proposed Regulation Establishes ICT Certification Framework

The European Union proposed a regulation concerning cybersecurity and ENISA, the European Union Agency for Network and Information Security. Companies with specific products or services will have a “one-stop-shop” for cybersecurity certification in the EU, allowing them to certify their product once and obtain a certificate valid in all Member States; the framework will supersede all existing parallel national schemes. ENISA will be restructured to have a permanent mandate, and work with both the private and public sectors, ensuring consistency in the NIS Directive implementation, and supporting the certification framework. [European Commission – Proposal for a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act”) Press Release | Proposed Regulation | Executive Summary Impact Assessment]

CA – OIPC YK: How Medical Staff Can Avoid the Risks of Ransomware

It appears that the risk of ransomware attacks locking doctors and medical institutions out of their own files has now become a reality for some areas of Canada. Although there are no reports yet of doctors or other healthcare providers being affected by ransomware in Yukon, now is the time to ensure we are ready, if and when the time comes. The risks posed by these attacks are significant. During a ransomware attack, all files (including patient information) stored on the computer are inaccessible. With this information unavailable to healthcare providers, there are serious risks to patient safety and care. A doctor can be missing key aspects of a patient’s history while diagnosing or dealing with a health issue. Even if the doctor’s office or institution has a backup system in place, the process to restore these files is not instantaneous and can take several hours or days. And, if the ransom is not paid by the deadline given, hackers will destroy the files, which means the important medical history of patients would be lost. There are additional risks to patient privacy, if hackers are able to access patient files during the attack. There are a number of things that can be done to mitigate the risk of becoming a victim of a ransomware attack. My office recently issued a Ransomware Advisory which provides more detail on how these attacks occur, how to prevent them, and what steps to take to respond to an attack. [see here] [Yukon.news]


CA – Union Expresses Privacy Concerns Over Proposed Locomotive Cameras

A union representing railway employees alleges proposed government legislation on rail safety contains a “landmark privacy violation” — an argument legal observers say may have some merit. Bill C-49, the Transportation Modernization Act [see here], would require all railway operators install and utilize locomotive voice and video recorders (LVVRs). The House of Commons Standing Committee on Transport, Infrastructure and Communities began hearings Sept. 14 [see here]. The proposed legislative amendments would also limit the purpose for which the data is used, to mitigate employees’ privacy concerns. LVVR would only be used by the TSB for accident or incident investigation purposes, by federally-regulated companies to identify safety concerns and determine the cause of accidents not under investigation by the TSB, and by Transport Canada to address safety threats or develop policy. But Unifor, which is Canada’s largest union in the rail sector, argues the federal government has provided “little evidence” to demonstrate how LVVRs will be an improvement over the “black box” data recorders already installed on trains. “Our members work on-board so they have a unique and personal investment in railway safety, but federal legislation must not furnish employers with surveillance powers outside the scope of public safety,” said Bruce Snow, Unifor’s Rail Director. “Surveillance is an invasive and unnecessary distraction for rail workers that could lead to increased stress and reduced performance.” Snow said the union would consider it acceptable for the TSB to use the footage in safety violations, but it should not be shared with other players in the industry. Snow said Unifor is not looking at a legal challenge “at this stage.” “But what we are saying is we’re not going to bury our heads in the sand,” he said. “If this is passed, we want to work with all stakeholders to protect our membership. But if they are not, we will have to look at other ways to deal with it.” [Lawyers Daily]

US – Breach Exposes 540,000 Records from Vehicle Tracking Company

The Kromtech Security Center recently found roughly 540,000 records belonging to SVR Tracking, a company that specializes in “vehicle recovery,” in a publicly accessible online Amazon S3 bucket. The records contained information including email addresses and passwords, as well as some license plate and vehicle identification numbers. The SVR passwords were stored using SHA-1, a cryptographic hash function that is 20 years old and has known weaknesses. The company tracks vehicle location by providing continuous tracking every two minutes while the car is moving and every four hours when the car is stopped, and it is possible to see the entire path of the vehicle for 120 days. [Gizmodo]

US Government Programs

US – DHS to Collect Social Media Data on All US Immigrants

The U.S. Department of Homeland Security has announced plans to collect the social media information of all immigrants, effective Oct. 18. The announcement was published in the Federal Register. BuzzFeed News reports that the new rule may subject all U.S. citizens to government surveillance if they communicate with immigrants via social media. In May, President Donald Trump approved a new questionnaire for visa applications that required applicants to provide social media handles for the last five years. The new rule effectively broadens the government’s reach from would-be applicants to all immigrants, including permanent residents and naturalized citizens. [The Hill]

US Legislation

US – Other Legislation

  • In the wake of the Equifax breach, Massachusetts Attorney General Maura Healey announced updated legislation, An Act Removing Fees for Security Freezes and Disclosures of Consumer Credit Reports, which aims to better protect consumers from data breaches. Insurance Journal
  • Illinois Gov. Bruce Rauner has vetoed the Geolocation Privacy Protection Act, which was poised to be the country’s first geolocation privacy law. Illinois Policy
  • After Illinois Gov. Bruce Rauner vetoed the state’s Geolocation Privacy Protection Act, the bill’s sponsor, Rep. Ann Williams, is working on a strategy to override the governor’s decision. Bloomberg BNA
  • A bipartisan group of U.S. representatives has reintroduced the International Communications Privacy Act, which would give law enforcement the power, with a warrant, to require telecommunications providers to turn over the contents of electronic communications no matter where they are held. Multichannel News
  • California lawmakers shelved the California Privacy Act, a bill that would have put restrictions on ISPs’ abilities to share consumer data. The Los Angeles Times
  • Following Equifax’s data breach, a group of Democratic senators has introduced the Data Broker Accountability and Transparency Act to hold the data-broker industry accountable for breaches. Broadcasting & Cable
  • California Gov. Jerry Brown has signed a bill allowing victims of revenge porn to file civil lawsuits under a pseudonym in a measure to further protect victim privacy. Los Angeles Times See also: The Associated Press reports on the effectiveness of Colorado’s revenge porn law.
  • Montana’s law limiting the use of automatic license-plate readers by law enforcement is now in effect. Land Line
  • U.S. Senators have introduced the SAFE at Home Act to protect the privacy of domestic violence victims’ physical address in federal filings. Ozarks First





01-15 September 2017


US – Apple Unveils New Facial Recognition Authentication Feature for iPhone

While speaking at Apple’s 10th anniversary iPhone event, Apple CEO Tim Cook unveiled the iPhone X, a device he says will bring in the next decade of smartphone innovation. The flagship feature of the iPhone X is Face ID, allowing users to unlock their devices via facial recognition technology. While Face ID represents a benchmark in the development of smartphones and opens up a new era of facial recognition authentication, the new feature has prompted some in the media to raise privacy concerns. [IAPP.org] See also: [Facial recognition technology could become a smartphone staple]

WW – Facial Recognition Identifies More Than Just a Name

The Economist reports on the possible consequences of embracing facial recognition technology, arguing that the “ability to record, store and analyze images of faces cheaply, quickly and on a vast scale promises one day to bring about fundamental changes to notions of privacy, fairness and trust.” Highlighting this particular issue, a Stanford University study found that AI can accurately identify sexual orientation using facial recognition. While there are reported limitations to the testing, AI has also been used to explore links between facial features and a range of other points of interest, such as political views, psychological conditions or personality. While regulations can work to protect against the development of AI bias, it is also possible for such biases to be deliberately used against users. [Economist]

UK – Watchdog Warns Over Police Database of Millions of Facial Images

Paul Wiles, the biometrics commissioner, says in his annual report that the police’s use of facial images has gone far beyond their original use for custody purposes and forces are using facial recognition software to try to identify individuals in public places. [See PR here and report here] “Facial images are just the first in a new wave of biometrics. I am aware that the police are already experimenting with voice recognition technology and others such as iris, gait and vein analysis are commercially available,” says Wiles. Wiles says that unlike DNA and fingerprints, images can be taken without the subject’s knowledge. Facial images of about 90% of the adult population already exist in passports and driving licences. A high court ruling in 2012 declared unlawful the retention by the police of images of innocent people they had arrested or questioned but who had never been charged or convicted of any offence. A Home Office review ordered by Theresa May when she was home secretary was published this February, which required the police to delete images but only on application from an individual “unconvicted person”. [The Guardian | The Times]

CA – Canada Border Services Agency sharing information on American border crossings with Homeland Security

Canada’s border agency has quietly begun sharing information with U.S. Homeland Security about the thousands of American citizens who cross into Canada each day. Before long, Washington is expected to provide Ottawa with similar information about Canadians entering the United States. The exchanges are intended to bolster security and help enforce laws, though advocates for privacy and civil liberties are concerned about the potential for abuse. The effort involves exchanging entry information collected from people at the land border — so that data on entry to one country serves as a record of exit from the other. The data includes the traveller’s name, nationality, date of birth and gender, the country that issued their travel document and the time, date and location of their crossing. Canada and the U.S. signed a memorandum of understanding in August 2016 that allows American officials to disclose the border-crossing data about U.S. citizens to “any federal, state, local or tribal government authority” in the U.S. for reasons of national security, counter-terrorism, public health or safety. [The Star] [Canada-U.S. preclearance bill finally moves ahead, but privacy concerns mount over Trump’s ‘extreme vetting’ | Canada, U.S. talk data sharing | Bill letting U.S. border guards detain Canadians could face legal challenges | Is The Border Safe? US Could Detain Canadians In Canada Under Bill | Pre-clearance bill would give U.S. border agents in Canada new powers | New bill would allow border guards to collect biographic data on those leaving Canada | Canada Is Going to Start Handing Over Even More Data About Travelers to the US | Op-Ed: Canada to share information with U.S. on land border crossers]

Big Data / Data Analytics

US – EBP Commission Final Report Emphasizes Both Data & Privacy

The Evidence-Based Policymaking Commission Act of 2016 [see here & here] mandated a 15-member panel [see here], appointed by former President Barack Obama and both Republican and Democratic congressional leadership, to develop a series of legislative recommendations. The 22 recommendations set forth by the commissioners, developed in just over a year, direct Congress and the president to focus on three broad categories: ensuring privacy, improving data access and strengthening the federal government’s capacity for evidence building. [See PR here & report here] In conjunction with the creation of the data service, the commission recommends standing up a publicly accessible transparency and accountability portal that would notify the public about how confidential data is used, as well as about agencies’ compliance with rules surrounding privacy. Integral to the recommendations is the commission’s rejection of the notion that increasing access to data, including confidential and personal data, assumes an increased privacy risk. The word “privacy” appears 408 times in the 114-page report, an emphasis that reflects the commission’s prioritization of protecting sensitive information, said commission chairwoman Katharine Abraham. But it’s not just federal agencies; the authors say Congress and the White House also should work with states “to ensure that state-collected administrative data on quarterly earnings are available for solely statistical purposes” to aid federal decision-making for grants and other funding. On the private-sector side, the commission states OMB should create a single, streamlined process for researchers to apply and gain approval to access government data that isn’t publicly available. [FCW See additional coverage here, and here]

US – IRS’ Use of Big Data Analytics Violates Privacy

Academics at Washington State University examine the privacy issues resulting from the Internal Revenue Service’s big data analytics program. The IRS uses big data analytics to mine commercial and public data pools, including social media sites, to include in proprietary databases and create pattern recognition algorithms that identify non-compliant taxpayers; however, data subjects are not made aware that they are being tracked online for this purpose, and the secrecy of the algorithms prevents people from confirming the data’s accuracy. [The Use of Big Data Analytics by the IRS – Efficient Solutions or the End of Privacy as We Know It – Kimberly A. Houser, Associate Professor and Debra Sanders, Professor, Washington State University]

WW – New Study Claims Apple’s ‘Differential Privacy’ Falls Short

A new study looks into Apple’s use of “differential privacy,” which inserts random noise into an individual user’s information to help protect user data from being exposed by a third party, and contends the company may be supporting more data mining than its public promise implies. Researchers found that Apple’s use of the practice uploads more specific data than the typical differential privacy researcher might consider private, adding that Apple keeps both the code and the “privacy loss parameter,” or the amount a data collector is willing to sacrifice for the sake of protecting its users’ privacy, a secret. In response, Apple states that its data collection is purely opt-in, highlighting that it prompts users to share “diagnostics and usage” information with the company when its operating systems first load. [Wired] [Chinese police use facial recognition to make arrests at festival]

US – NSF Issues $3M Grant to Support Data Ethics Research

Data & Society announced that the National Science Foundation has awarded a $3 million grant to fund the Pervasive Data Ethics for Computational Research, a four-year project out of the University of Maryland’s College of Information Studies. Katie Shilton, associate professor and primary investigator on the grant, explains the multidisciplinary team of PERVADE looks to “reveal ethical practices and norms to guide those who utilize big data and to inform policymaking and regulation.” PERVADE will specifically examine “how people experience the reuse of their personal data; what social factors influence people’s willingness to share their data; how and when consent should be given; and how consumers’ concerns can be shared with data system designers and big data researchers.” [Data Society]

WW – Even a Mask Won’t Hide You from the Latest Face Recognition Tech

Ditch the hat and scarf – it’s not fooling anyone. Face recognition software can now see through your cunning disguise – even if you are wearing a mask. Amarjot Singh at the University of Cambridge and his colleagues trained a machine learning algorithm to locate 14 key facial points. These are the points the human brain pays most attention to when we look at someone’s face. The system accurately identified people wearing a scarf 77% of the time – a cap and scarf 69% of the time and a cap, scarf and glasses 55% of the time. This isn’t as good as systems that recognise undisguised human faces, but it is the best at seeing through disguises, says Singh. The system only needs to be able to see a fraction of facial key points – most of which are around the eyes and mouth – to be able to guess where the other points are likely to be. Based on that guess, it can identify the person if it has already been shown a map of their key points. He will present his findings at the International Conference on Computer Vision in Italy in late October. [See additional coverage here, here, here, here and here] [New Scientist]

WW – New AI Can Guess Whether You’re Gay or Straight From a Photograph

Artificial intelligence can accurately guess whether people are gay or straight based on photos of their faces, according to new research that suggests machines can have significantly better “gaydar” than humans. The study [also see preprint of paper here & author notes here] from Stanford University – which found that a computer algorithm could correctly distinguish between gay and straight men 81% of the time, and 74% for women – has raised questions about the biological origins of sexual orientation, the ethics of facial-detection technology, and the potential for this kind of software to violate people’s privacy or be abused for anti-LGBT purposes. Human judges performed much worse than the algorithm, accurately identifying orientation only 61% of the time for men and 54% for women. When the software reviewed five images per person, it was even more successful – 91% of the time with men and 83% with women. Broadly, that means “faces contain much more information about sexual orientation than can be perceived and interpreted by the human brain”, the authors wrote. The implications for artificial intelligence (AI) are vast and alarming. With billions of facial images of people stored on social media sites and in government databases, the researchers suggested that public data could be used to detect people’s sexual orientation without their consent. That means building this kind of software and publicizing it is itself controversial given concerns that it could encourage harmful applications. But the authors argued that the technology already exists, and its capabilities are important to expose. “It’s certainly unsettling. Like any new tool, if it gets into the wrong hands, it can be used for ill purposes,” said Nick Rule, an associate professor of psychology at the University of Toronto, who has published research on the science of gaydar. “If you can start profiling people based on their appearance, then identifying them and doing horrible things to them, that’s really bad.” The authors also noted that artificial intelligence could be used to explore links between facial features and a range of other phenomena, such as political views, psychological conditions or personality. This type of research further raises concerns about the potential for scenarios like the science-fiction movie Minority Report, in which people can be arrested based solely on the prediction that they will commit a crime. [The Guardian See additional coverage here, here, here & here]

WW – Report: AI Proves Useful for Highly Regulated Sectors

Consulting firm Capgemini researched 1,000 organizations across nine countries to find that highly regulated sectors, including telecom, banking and insurance, are proving to have the greatest rate of adoption of artificial intelligence. Capgemini Chief Technology Officer Ron Tolido said that regulated industries are “trailblazers” for their use of AI at scale. Tolido also said, “Many clients in Europe and outside are using AI to comply with regulations like the new data protection law, GDPR,” adding, “AI is being used to automatically detect flow of personal data through a company’s servers, and to make sure data use is compliant with GDPR.” [Financial Times]


CA – Canadian Government Proposes Mandatory Data Breach Notification Bill

The Canadian government has proposed new legislation making it mandatory for companies to report data breaches. Alberta is currently the only province requiring companies to disclose data breaches, as other provinces leave it to the businesses to decide whether to reveal an incident took place. The proposed legislation would force companies to report breaches to authorities and to notify affected individuals or face a monetary penalty. “The proposed regulations are expected to contribute positively to the privacy and security of individuals,” government officials wrote in a notice on the proposed bill. “Mandatory breach reporting allows individuals who are affected by a breach to take immediate action to protect themselves against further compromise that may lead to fraud, identity theft, humiliation, loss of employment or other forms of significant harm.” [CBC] [Breach of Security Safeguards Regulations – Department of Industry | Déjà Vu – Canada’s Breach Reporting and Notification Requirements | Security Breach Notification Regulations Workshop | Why it’s not just criminal cyber breaches you should warn your clients about | Data breaches in Canada: Reporting obligations, class actions and breach management | Focus: Mandatory reporting of breaches spreads | Feds set to regulate reporting of digital data breaches | Here’s why reports of data breaches will skyrocket this year | New Requirements of the Digital Privacy Act (Bill S-4) ]

CA – Public Advocacy Centre Skeptical of Data Breach Reporting Regulations

Companies would be required to notify people of a serious data breach involving personal information under proposed new federal regulations. [see here] But the regulations are intended to provide “maximum flexibility” to an organization that loses data, says a government notice accompanying the planned measures. Legislation passed two years ago laid the groundwork for mandatory reporting of private-sector breaches that pose a “real risk of significant harm” to individuals. The newly published regulations, drafted with the help of public feedback, would flesh out the legislation. The proposed rules don’t go far enough because they give companies discretion as to whether an incident is sufficiently serious to report, said John Lawford, executive director and general counsel of the Ottawa-based Public Interest Advocacy Centre. A risk-averse company might come clean about a breach, but others may be tempted to keep a lapse under wraps, Lawford said Tuesday. “I think it’s just a terrible solution, and I think we’re going to have fewer data breaches reported rather than more.” The privacy commissioner’s office, which has strongly supported the move to mandatory reporting, said Tuesday it was reviewing the regulations and therefore could not yet comment. [Source]

CA – Canada’s New Draft Breach Regulations

The Ministry of Innovation, Science and Economic Development Canada has published for comment new Breach of Security Safeguard Regulations. Dentons’ Timothy Banks writes for Privacy Tracker that “Privacy professionals who are familiar with the Alberta breach regulations will find a great deal of similarity, although the draft federal regulations do provide additional clarity on certain points, such as the manner of notification.” Banks offers an overview of the provisions in the draft, including its requirements for reporting, notifying, and record-keeping, and notes that “Disappointingly, ISED failed to provide a safe harbor for effective encryption or any other guidance on what might constitute a ‘real risk of significant harm.’” The draft regulations are currently in a 30-day comment period. [IAPP.org]

CA – BC OIPC Praises Auto Insurer’s Data-Sharing Practices

The BC OIPC released a report praising the Insurance Corporation of British Columbia’s efforts to protect drivers’ privacy. The report covered the ICBC’s data-sharing practices with third parties, with Acting Commissioner Drew McArthur saying the disclosures were “reasonable and proportionate.” While the privacy commissioner’s office was pleased with the ICBC’s compliance, the agency did offer 12 recommendations on the ways it can improve its data-sharing practices, including better tracking and review of third-party access to data, removing duplicate and outdated access to accounts that belong to people who no longer work with approved third parties, and conducting internal audits of the ICBC’s information-sharing systems and policies. [The Canadian Press]

CA – BC Supreme Court Upholds OIPC Dismissal of Complaint

The Supreme Court of British Columbia reviews a decision of the Office of the Information and Privacy Commissioner in relation to collection and use of personal information in the TV show Border Security. The OIPC determined that it did not have jurisdiction to address a complaint alleging improper collection and use of personal information by a TV show; PIPA does not apply to collection, use or disclosure for artistic purposes, and artistic skills were used to heighten the drama or entertainment value in each episode. [Craig Taylor v. OIPC BC and BST Media Inc. – 2017 BCSC 1420 CanLII – Supreme Court of BC]

CA – Metrolinx Proposes Privacy Policy Changes Following Data Disclosures

After it was discovered Metrolinx had been sharing users’ travel data with law enforcement, the transit agency has proposed changes to its privacy policy. The proposed alterations include changes to the written information offered to users explicitly stating the circumstances when Metrolinx will share information with law enforcement, alerting users when police request their information, tracking and publishing statistics on data requests, and requiring police officers to get their supervisors to approve data requests. “We know that privacy and the protection of personal information are highly important to our customers and we share that concern,” Metrolinx Spokesperson Anne Marie Aikins said. “We felt it was important to conduct a thorough review and consultation to balance the need to protect the privacy of our customers and our efforts as a good community partner.” [Metronews]

CA – First Conviction Delivered Under Newfoundland and Labrador Privacy Law

A Royal Newfoundland Constabulary civilian employee has become the first person to be convicted under Newfoundland and Labrador’s 2015 Access to Information and Protection of Privacy Act. Annette Kennedy has been fined $1,000 for three violations of the law. Kennedy was found to have illicitly accessed the personal information of three people through an RNC database. “This will hopefully deter public body employees and ensure that their employers are aware that they must have reasonable safeguards in place to ensure the privacy of personal information, including audit capacities to identify potential breaches,” Newfoundland and Labrador Information and Privacy Commissioner Donovan Molloy said. [The Lawyers Daily]

CA – OIPC NB Advises Providers Not to Assume Patient Implied Consent

The OIPC examines the “circle of care” in healthcare relating to individual consent pursuant to the New Brunswick Personal Health Information Privacy and Access Act. New Brunswick law does not define “circle of care” and providers should instead focus on the “circle of consent”; implied consent can be assumed when knowledgeable consent already exists, the use/sharing of the information relates to the purpose for which the knowledgeable consent was originally obtained, and it is reasonable to infer that the consent would continue to include the use or sharing in question. [OAIPC New Brunswick – Personal Health Information Privacy and Access Act – Privacy and the Circle of Care]

CA – OIPC NL Guidance on the “Minimum Necessary Standard”

The Office of the Information and Privacy Commissioner of Newfoundland and Labrador issued guidance on the “minimum necessary standard” pursuant to the Access to Information and Protection of Privacy Act. Organizations are required to proceed with a “less is best” approach where only the personal information that is absolutely necessary to achieve the authorized purpose is collected, used or disclosed. [OIPC NFLD – Minimum Amount Necessary Requirement]


WW – Google Announces Launch of Mobile-Friendly Privacy Dashboard

Google is set to release an updated dashboard this week that will make the mobile user experience easier and clarify what personal data is stored in each of Google’s products. The redesign will allow Dashboard to work better with other Google tools, such as My Account and My Activity, allowing users to better control what data is collected. The company’s corresponding blog post explains that privacy and security features have enjoyed frequent use among its users, adding that the Takeout feature, which allows a user to download a copy of their data or export their information out of Google, has already seen one exabyte of data removed, with more than 1 million exports taking place each month. [ZDNet]


US – Misconfigured Database Leaked Sensitive US Voter Data

Researchers at the Kromtech Security Research Center found a misconfigured CouchDB database that exposed the voter records of more than half a million Alaskans to anyone with a web browser. Records contained both sensitive and personally identifiable information and had fields for the types of issues that an individual can be lobbied on. The data is just a portion of a larger file belonging to TargetSmart, which said its national voter file is the “most comprehensive and up-to-date voter file ever assembled.” Kromtech’s Alex Kernishniuk said, “There seems to be no end in sight for improperly secured data making its way onto the web,” adding that it was up to regulators to “manage an aging electoral system that seems to be struggling to keep up with the digital age.” [ZDNet]

US – More Than a Dozen States Still Refuse To Release Voter Data

These are state-by-state responses to a request for detailed voter data from President Donald Trump’s Presidential Advisory Commission on Election Integrity [see here], which is investigating voter fraud. The information indicates whether a state is willing to comply with, is denying or is undecided on the request for data. Some of the states that are willing to comply have fees or other requirements of the commission. All the states that have agreed to comply are withholding some details the commission sought and are releasing only information considered public under state law. The commission sent one request in late June and another in July after a court said the data collection could move ahead. [Source | For coverage of the 9/12/17 PACEI meeting see here, here, here and here]

US – Some US States Are Going Back to Paper Ballots

In the wake of rising concerns about the security of electronic voting systems, several US states are returning to the use of paper ballots for their elections. Virginia and Iowa have established post-election audit requirements that compare electronic vote totals with paper ballots. Just five states – Delaware, Georgia, Louisiana, New Jersey, and North Carolina – use exclusively electronic voting systems. Georgia will pilot a paper-ballot system in elections this fall. [Some States Return to Paper Ballots Following 2016 Election Hacks | Paper Ballots May Make a Comeback in Georgia] See also: [Virginia Election Board Elects to Decertify eVoting Machines That Do Not Provide Receipts]

Electronic Records

CA – Ontario Bans Pharma Companies from Promoting Products through Patients’ Electronic Records

Ontario will no longer allow pharmaceutical companies to promote their products through patients’ electronic health records. The decision comes after it was discovered Telus Health had been placing electronic vouchers for brand-name drugs into patients’ records used by thousands of doctors across Canada. “Ontario patients must have confidence that (prescribing) decisions are not influenced by marketing programs or electronic vouchers,” Health Minister Eric Hoskins said in a statement. “This practice is particularly concerning given its powerful influence on the brands of drugs that Ontarians receive, often without patients even being aware that this practice is happening.” [Toronto Star]

CA – Ontario Physician Responsible for Unattended PHI

The Information and Privacy Commissioner of Ontario investigates a privacy breach of personal health information, pursuant to the Personal Health Information Protection Act. The physician’s patient took a picture of a computer screen in the examination room, displaying the PHI of 72 other patients; although the physician did not purposely disclose the PHI, it was made available to the patient when he was left alone with the unattended computer screen. [IPC ON – PHIPA Decision 49]

CA – ON Regulatory Body Imposes Retraining Requirements on Nurse

A panel of the Discipline Committee of The College of Nurses of Ontario conducted a hearing on allegations of professional misconduct against a nurse. The nurse admitted to not logging off a workstation after opening a medical chart and her unique login credentials were then used to access a patient’s PHI; the nurse is suspended for 1 month, and she must review the regulatory body’s and IPC’s guidance on privacy for PHI, complete prescribed questionnaires and attend 2 meetings with an expert (at her own expense). [College of Nurses of Ontario v. Ana Maria Palusci – 2017 CanLII 50753 (ON CNO) – Discipline Committee of The College of Nurses of Ontario] See also: [ON Nursing College Disciplines Nurse for Snooping: CNO v. Brar – 2017 CanLII 49348 – Discipline Committee of the CNO]

US – Majority of 2017 Data Breaches Caused by Hacking and Insiders

This mid-year breach report, issued in collaboration with DataBreaches.net, examines data breaches in the healthcare sector for the first half of 2017. Hacking caused 53% of incidents (almost 40% of those caused by ransomware or malware) involving 1.68 million patient records, and insiders caused 41% (either errors or wrongdoing) involving 1.17 million patient records; it takes a healthcare organization 325 days on average to discover a breach. [2017 on Track to Exceed 2016 Trend of ‘One Health Data Breach Per Day’ – Protenus, Inc.]

EU Developments

EU – Council of the EU releases first proposed revisions of ePrivacy Regulation

In ongoing efforts to move forward with the proposed ePrivacy Regulation in the EU, the Council of the European Union has offered its first revisions, with proposed amendments and deletions, primarily focused on the “operative part of the proposal (articles)” with plans to examine the recitals at a later date. “The revisions are based on the discussions held in the WP TELE [Working Party for Telecommunications and Information Society] meetings and on the written comments provided by delegations to date, and are without prejudice to any comments delegations might wish to make in the future,” the draft proposal states. The council Presidency also pointed out that “work on the text will be incremental” and that the “first redraft aims mainly at clarifying certain elements and outlining specific issues to be examined for the purposes of advancing the discussions on the file.” Additional WP TELE meetings will be held Sept. 19, 20 and 25. [Europa] [Behavioral advertising industry slams ePrivacy plans]

EU – Google Services Deemed Adequate by Spanish Data Protection Agency

In a company blog post, Google announced that the Spanish Data Protection Agency, Agencia Española de Protección de Datos, has confirmed the legal protections underpinning G Suite and Google Cloud Platform international data flows adequately meet Spanish regulatory requirements. This follows a decision earlier this year by the EU’s data protection authorities, also known as the Article 29 Working Party, which confirmed that Google Cloud services’ contractual commitments meet the requirements to legally frame transfers of data from the EU to the rest of the world in accordance with the EU Data Protection Directive 95/46/EC. Customers in Spain need to opt-in to relevant model contract clauses and should notify their relevant transfer to the AEPD’s registry. [Google Blog]

EU – Spanish DPA Fines Facebook $1.4M for Privacy Rule Violations

Spain’s data protection authority fined Facebook $1.4 million for multiple violations of the country’s privacy rules. The AEPD criticized Facebook for collecting data on users’ personal preferences from its own services and third parties without informing individuals on the ways the information will be used. The agency said Facebook did not receive properly informed consent before using the collected information, while adding the company violated privacy laws by not deleting data when it was no longer of use. Facebook disagrees with the AEPD’s decision and plans to appeal the penalty. “As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people,” a Facebook spokesperson said. [Fortune]

EU – MEPs Discuss Next Steps on EU-Canada PNR deal

At a meeting Thursday of the European Parliament’s Civil Liberties Committee, MEPs discussed the current status of the agreement between the EU and Canada on the sharing of airline passenger name records. At the outset, Parliament Legal Advisor Dominque Moore briefed the committee on the Court of Justice of the European Union’s July opinion on the proposed agreement, which, in summary, said the agreement could not proceed without significant amendment. The court cited conflicts it found in the EU Charter of Fundamental Rights. Responding to Moore’s presentation of facts, Dutch MEP and rapporteur on the agreement Sophie in ‘t Veld wanted to know what kind of implications the ruling may have on other agreements. “If you look at the criteria used by the court, at the least the PNR agreement with the U.S. doesn’t remotely meet those criteria,” she said. [IAPP.org]

EU – Other Privacy News

  • In ongoing efforts to move forward with the proposed ePrivacy Regulation in the EU, the Council of the European Union has offered its first revisions, with proposed amendments and deletions, primarily focused on the “operative part of the proposal (articles)” with plans to examine the recitals at a later date. Eur-Lex Europa
  • The U.K.’s Department for Digital, Culture, Media & Sport introduced the Data Protection Bill 2017 to the House of Lords and published it online.
  • During his annual state of the union speech, European Commission President Jean-Claude Juncker announced the Commission will add funds and new powers to the European Union Agency for Network and Information Security.
  • France’s CNIL has published a blanket authorization for whistle-blowing that eliminates a time-consuming preapproval process among other changes, The National Law Review reports.

Facts & Stats

WW – 2016 Averaged at Least One Breach Per Day in the Health Sector

This breach report, issued in collaboration with DataBreaches.net, examines data breaches in the healthcare sector for 2016. Almost half of breaches were caused by insiders (43%), one quarter by hackers (27%), one-fifth through loss or theft (19%) and the remainder had no known cause; California was the state with the highest number of breaches, and it took an average of 233 days to discover a breach (but 607 days to discover a breach caused by an insider). [2016 Averaged at Least One Health Data Breach Per Day, Affecting More Than 27M Patient Records – Protenus, Inc.]


US – Data Privacy Concerns Grow as Digital Ad Spending Aimed at Children Rises

A PwC report states the global market for digital advertising aimed at children will reach $1.2 billion by 2019. As digital advertising toward children continues to grow, demand for compliant digital media technology also rises, especially as companies seek to comply with the EU General Data Protection Regulation and the U.S. Children’s Online Privacy Protection Act. PwC expects platforms and technology designed to enhance data privacy when targeting children will continue to evolve, estimating 10-20% of digital ad spend related to children will be on “compliant programmatic advertising” by 2019. [Kidscreen]


MX – Mexican Tax Refund Site Exposed 400GB of Sensitive Customer Data

Mexican VAT refund site MoneyBack exposed sensitive customer information as a result of a misconfigured database, revealing more than 400 gigabytes of information that could be downloaded or viewed. A routine check from security firm Kromtech found the CouchDB database to be misconfigured, allowing public access to the data of half a million customers’ passport details, credit card numbers, travel tickets and more. Passports identified include but are not limited to citizens of the U.S., Canada, Argentina, Colombia and Italy. [The Register]


WW – Study: Anonymous Genome Sequencing Can Lead to Reidentification

A new study out of La Jolla shows how computer algorithms can now predict what a person looks like by using an anonymous genome sequence, turning anonymous data into identifiable information. Human genome sequencing pioneer J. Craig Venter and his team of scientists demonstrated how they were able to train computer algorithms to generate predictions of specific physical traits based only on raw genomic data. UC San Diego Computer Scientist Xiaoqian Jiang spoke to the significant privacy implications: “No longer can one assume that exposure of her genome sequence will not be directly linked back to her,” adding, “She needs to realize that sharing her genomic data is just like sharing her picture, with increasingly high resolution.” [kpbs.org]

Health / Medical

US – State and Federal Sharing Unclear on Marijuana Patient Data

A White House anti-drug initiative is requesting information about patient demographics from states where medical marijuana is legal, raising not only patient privacy concerns but also questions about how the state government should cooperate with the federal government. Federal officials maintain the data will be used in connection with ongoing research into how the usage rates among different age groups correlate to how strictly states regulate medical marijuana. A recent probe in California revealed that only physicians and dispensaries held the requested patient data, not the state health department. It is unclear if dispensaries are considered covered entities under the Health Insurance Portability and Accountability Act, making it unclear how information will be covered. [Lexology]

ON – Ransomware Attacks in Ontario May Have to be Notified

An examination of whether healthcare entities must notify ransomware attacks: A ransomware attack will only meet the criteria for breach reporting obligations under PHIPA if it results in the disclosure of personal data, but in a ransomware attack the hacker is not necessarily able to view the data; however, such an attack could be used as evidence of civil claims (custodians may be held liable for invasion of privacy claims, or a heightened duty of care due to a fiduciary duty to individuals whose PI is stored). [Healthcare Data: Are You Required To Report A Ransomware Attack? – Ruth E. Promislow, Partner, and Ethan Z. Schiff, Associate, Bennett Jones | National Post: Group Says Medical Offices Are Regularly Hit by Ransomware]

US – OCR Advises Health Care Organizations to Have Data Backup Plans for Natural Disasters

As hurricanes continue to affect the U.S., the Department of Health and Human Services’ Office for Civil Rights is advising health care organizations to prepare for national disasters by having contingency data backup plans. According to an OCR release, health care organizations are required to have data backup, disaster recovery, and emergency mode operation plans under the HIPAA Security Rule, while stating the HIPAA Privacy and Security rules are not suspended during national disasters. “The Privacy Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur,” the OCR stated. “The HIPAA Security Rule’s requirements with respect to contingency planning also help HIPAA covered entities and business associates assure the confidentiality, integrity and availability of electronic PHI during an emergency such as a natural disaster.” [HealthITSecurity]

US – New OCR Director Seeks ‘Big, Juicy’ Data Breach Case as Teaching Example

Speaking at the 10th annual Safeguarding Health Information HIPAA conference, the Department of Health and Human Services’ Office for Civil Rights Director Roger Severino discussed one of his goals for his new position. Severino’s top enforcement priority is to find a “big, juicy” data breach case to use as an example to teach others about handling incidents. “I haven’t zoomed in on a particular area, whether it will be cybersecurity, ransomware, physical security, etc. It wouldn’t be the best tactic to say what we’re looking for, but I think coming into this job, I’ve gotten up to speed on HIPAA, and as the threats evolve, we have to evolve in how we approach it — and we have to be smart about who we target,” Severino said. [HealthcareInfoSecurity]

US – Future of HIPAA Compliance Audits Remains Unclear

The U.S. Department of Health and Human Services’ Office for Civil Rights has yet to release new information on the future of HIPAA compliance audits. While speaking at the 10th Annual HIPAA Compliance Conference, OCR Senior Adviser Linda Sanches said her agency had no information on a permanent HIPAA compliance audit program or if the agency will move forward with its plans to conduct on-site audits as part of the second phase of the HIPAA compliance audit program that started last year. “The point of the audit program was never for it to be a strong enforcement methodology,” Sanches said. The audit program “has been designed to help you all in compliance and support your compliance work.” [GovInfoSecurity]

EU – WP29’s Opinion on Health Wearables Concerning to Manufacturers

An opinion from the Article 29 Working Party regarding data collection has raised concerns with fitness tracking manufacturers. The WP29 opinion states employers should not be allowed to issue health care wearables to their employees, even if employees offer their consent. The regulators state employers should be prohibited from accessing the data from the wearables, even if it is aggregated for the entire workforce. Wearable manufacturers have expressed their issues with the opinion. Fitbit states employees should be informed of the ways their data is used and given the option to opt out of data-sharing practices without any consequences. [Bloomberg]

Horror Stories

CA – OPC Places Priority on Investigating Effects of Equifax breach

The Office of the Privacy Commissioner of Canada announced it has made it a priority to investigate the effects of the Equifax data breach on Canadian citizens. The agency said it will work with Canadian data protection authorities to investigate the breach and asked Equifax to alert affected Canadian citizens as soon as possible. Equifax claims only a limited number of Canadian citizens were compromised, mainly those who worked or applied for credit in the U.S. The breach has caught the attention of Canadian class-action lawyers, while Cytelligence CEO Daniel Tobok believes millions of Canadians will be impacted by the breach, saying Equifax customers were not the only ones exposed during the incident. Equifax Canada is also facing calls for increased transparency from the Canadian Automobile Association. Meanwhile, a Cambridge woman is filing a $550 million class-action lawsuit against Equifax Canada due to the breach. [G&M] See also: [US FTC announces investigation into Equifax data breach | Australia: Post-Equifax breach, APF calls for privacy tort, government action]

US – Yahoo Ordered to Face Litigation Related to Three Data Breaches

U.S. District Judge Lucy Koh ordered Yahoo to face litigation brought on behalf of more than one billion users who were affected by three data breaches between 2013 and 2016. Koh shot down Yahoo’s argument the breach victims had no standing to sue. “All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information,” Koh wrote in her ruling. Koh said plaintiffs allegedly had to spend money to stop future identity theft, and the company could have helped mitigate users’ losses by reporting the breaches earlier. Meanwhile, the 8th U.S. Circuit Court of Appeals weighed in on a case potentially affecting whether data breach victims have the right to sue in federal court. [Reuters]

US – Time Warner Cable’s App Suffers Data Breach Affecting 4M Users

Security company Kromtech discovered 600 gigabytes of unprotected data belonging to four million users of the MyTWC app. The data was found on an Amazon server and contained the usernames, account numbers and other information of individuals using the app. The app’s creator, BroadSoft, said in a statement no bank, credit card or other personal data was exposed in the breach. In other news, private security firm TigerSwan suffered a data breach exposing personal information of U.S. citizens within the intelligence community, and a website has begun selling personal data obtained through an Instagram security bug, including details gathered through users’ phone numbers and email addresses. [BBC.com]

CA – Canoe.Ca Says Data for One Million Users Hacked

Canoe.ca says [see here] some of its databases containing the personal information of about one million users from 1996 to 2008 have been hacked. The company says the databases breached contained records including names, email addresses, mailing addresses and telephone numbers. The information was provided by users for contests, forums, comments pages or the hosting of personal pages. Information collected after 2008 was not compromised. [CBC]

US – HHS Launches Revised HIPAA Breach Reporting Tool

HHS’ Office of Civil Rights has launched a revised web tool providing information about HIPAA breaches. The tool, the HIPAA Breach Reporting Tool (HBRT), features improved navigation helping those looking for information on breaches and ease-of-use for organizations reporting incidents. It also gives health care providers, health plans and business associates easy access to a database from which they can gain a better sense of the common types of breaches and the steps HHS is calling for in order to resolve HIPAA breach cases. The HBRT was originally launched in 2009, as required by the HITECH Act, providing information regarding HIPAA breaches involving 500 or more individuals. HHS announced that the HBRT’s new features include: 1) Enhanced functionality and search capabilities allowing users to learn more about breaches currently under investigation and reported within the last 24 months; 2) New archive that includes all older breaches and information about how breaches were resolved; 3) Improved navigation to additional breach information; and 4) Tips for consumers. [Enhanced HHS HIPAA Breach Reporting Tool May Aid Health Care Industry Data Security Efforts]

ON – Ontario Schools to Collect Race-Based Data in Effort to Reduce Educational Disparities

Schools across Ontario will be collecting race-based data in an effort to close the gaps in achievement and well-being between students of different backgrounds. A total of 15 boards, including the Toronto District School Board (TDSB), have been collecting race-based data for years, but the province would like the practice to expand to all boards, starting with students in Grade 4. Boards will also be encouraged to collect data on students’ ethnicity, religion, sexual orientation, gender identity, disability and parents’ socioeconomic status. Anthony Morgan, a human-rights lawyer and a prominent advocate for Toronto’s black community, said the collection of race-based data could bring about positive change, but he had concerns about students’ privacy: Who would have access to the data and how would it be reviewed? He said it is crucial that the province communicate its intentions clearly to parents. “If the government does not take seriously how it plans to gather the data, what it plans to do and who has access to that information, they might get a lot of resistance that they shouldn’t get,” he said. “Especially if a family has a child they feel has already been hard done by the system. There’s already a trust gap that they’ll have to address.” Since 2004, the Alberta government has included a voluntary First Nations, Métis and Inuit self-identification question on all school registration forms and has used responses to track the achievement of students from these groups. [G&M | Province to collect data on students facing suspension or expulsion]

Law Enforcement

CA – RCMP Unlawfully Used Cellphone-Tracking Tech in Six Cases: OPCC

Details of the Royal Canadian Mounted Police’s use of a highly controversial method of tracking suspects’ cellphones have emerged as a result of an investigation by Canada’s Privacy Commissioner. In a report published last week [See OPC Report] Commissioner Daniel Therrien reported that the RCMP had deployed the IMSI catchers 125 times between 2011 and 2016: In 91 cases, the RCMP obtained a general warrant; in 22, it obtained a metadata warrant; in 13, it obtained no warrant at all. In one investigation, the RCMP obtained a warrant, but later concluded it was unnecessary. In the 13 cases where it obtained no warrant, seven were under “exigent circumstances” — meaning someone was at risk of death or serious harm. In six investigations, the RCMP had deployed the devices illegally by failing to acquire a warrant beforehand. The report into the devices is the most extensive look into the federal police agency’s IMSI catcher program published to date. The investigation was spurred after community organization OpenMedia [See OpenMedia PR] filed a complaint [see here] with the commissioner over the RCMP’s refusal to admit the existence of the program. Since it began using the devices, IMSI catcher use has been governed under an interim policy, as no formal rules have been adopted. Motherboard has taken a closer look at that interim policy. Generally speaking, the Privacy Commissioner concluded that the RCMP used the devices legally. The Information Commissioner did, however, slam the RCMP’s secrecy on the surveillance technique. The RCMP had, until April, 2017, refused to confirm or deny their possession of the devices — even after VICE News confirmed the RCMP had obtained a license to use the devices and reported how RCMP officers detailed their usage in court, raising questions on the devices’ efficacy.
The RCMP released a statement [see here] on the report prior to its publication that defends the use of the IMSI catchers and highlights the commissioner’s findings that the RCMP — at least now — follows the letter of the law in using them. [Source | See additional coverage at CBC News, Motherboard, The Canadian Press and The Globe And Mail] See also: [Toronto Police refuse to acknowledge use of Stingray surveillance devices]

CA – Privacy Warning Over OPP Use of GPS Darts on Fleeing Cars

The Ontario Provincial Police have a new pilot project in place where they shoot at fleeing cars using Global Positioning System (GPS) darts which track the vehicles’ movements. [See here] Those involved in the trial project say the use of darts could mean fewer casualties from high-speed chases. Experts, however, warn their use could also lead to privacy issues if overzealous or unscrupulous officers misuse the new technology. The technology works like this: If a suspect vehicle flees police, an officer inside the cruiser triggers the firing of a dart from a small cannon-like device attached to the cruiser’s front grill. The dart sticks to the back of the suspect vehicle by means of both a magnet and an adhesive. Pursuing police then pull back. Investigators track the suspect vehicle using the dart’s GPS and use this to strategize an apprehension. Privacy issues could arise if officers use the darts in a non-emergency situation, such as to monitor a driver not fleeing police, or if the darts are used for nefarious personal reasons, such as to monitor a former spouse or romantic partner. [The Lawyer’s Daily]

US – Minnesota Supreme Court Hears Arguments in Case Involving Unlocking Smartphone

The Minnesota Supreme Court heard arguments in a case where a man was ordered to turn over biometric information to unlock his cellphone. Law enforcement obtained a warrant to search Matthew Diamond’s phone, only to find it needed his fingerprint to unlock the device. However, the wording of the warrant opened up questions in the case. Public Defender Steven Russett argues Diamond’s Fifth Amendment rights were violated when investigators asked which fingerprint was used to unlock the device, rather than instructing him to give a fingerprint; that knowledge, he said, acted as self-incriminating testimony, the report states. “If the order said, ‘You may take his fingerprints,’ I wouldn’t be here,” Russett said. [Twin Cities]


US – FTC’s Uber Consent Agreement Designates Geolocation Information as PI

According to an analysis of the FTC’s recent Consent Agreement with Uber, the designation reflects the FTC’s position on the sensitivity of consumers’ location information, and may impact emerging technologies relying on such data (e.g., drones, autonomous vehicles) and the companies currently using the data for customers, prospects, and employees; companies should update their privacy policies to specifically include what geolocation information is being collected and how it is used, and review vendor and customer agreements to ensure adequate safeguards. [Federal Trade Commission’s Uber Consent Agreement Designates Geolocation Information as Personal Information – Kevin D. Pomfret, Partner, Williams Mullen]

Other Jurisdictions

WW – Google stops challenging most warrants for data stored overseas

In a court filing to the Supreme Court, the Justice Department revealed that U.S. search warrants for data stored on overseas servers have largely gone unchallenged by Google. This marks a deviation from the company’s previous approach, which relied on the 2nd Circuit Court of Appeals decision that U.S. search-and-seizure law does not require compliance with a warrant to turn over email stored on its servers outside of the U.S. Microsoft is still reported to rely on the decision. The Justice Department asked for the Supreme Court to review the 2nd Circuit Court’s decision, but no decision on whether they will hear the case or not has been made. [ArsTechnica]

WW – UN Calls for Global Drone Registry

The United Nations’ International Civil Aviation Organization is backing the creation of a single global drone registry as part of a broader effort to develop common rules for flying and tracking unmanned aircraft. ICAO, which was asked to help develop more uniform drone regulations, will host a symposium this month to discuss issues on registering and tracking drones, as well as geofencing systems to prevent operation in restricted zones. The effort to create common operating standards for drone manufacturing and use is part of an effort to streamline drone development so that drone specifications would be accepted worldwide, regardless of where it was manufactured. [Reuters]

Online Privacy

WW – Ad Industry Urges Apple to ‘Rethink’ Cookie-Blocking Plans in New Browser

Six major U.S. advertising industry groups have written an open letter urging Apple to “rethink” plans to release new cookie preference standards in a forthcoming update to its Safari web browser. Apple’s Intelligent Tracking Prevention feature would curb how advertisers and websites track users online by placing a 24-hour limit on ad retargeting. TechCrunch reported on the plans last June, when Apple Senior VP of Software Engineering Craig Federighi explained, “Safari uses machine learning to identify trackers, segregate the cross-site scripting data, put it away so now your privacy — your browsing history — is your own.” More details on the system can be found on Apple’s WebKit blog. Thursday’s open letter warned the new standards are “opaque and arbitrary,” adding, “Put simply, machine-driven cookie choices do not represent user choice; they represent browser-manufacturer choice.” In response to Apple’s ITP feature, Google said last week it will change the way it tracks conversions in AdWords. [Adweek] [See also: Sen. Franken pushes Apple for privacy answers on iPhone X]

Privacy (US)

US – ACLU, EFF File Lawsuit Against Warrantless Search of Devices at US Border

The American Civil Liberties Union, along with the Electronic Frontier Foundation and the ACLU of Massachusetts, filed a lawsuit challenging the warrantless search of smartphones, laptops and other electronic devices at the border as being unconstitutional. The case, Alasaad v. Duke, was filed on behalf of 11 travelers whose devices were searched without a warrant at the U.S. border and challenges policies from 2009 that allow officers with the U.S. Customs and Border Protection or U.S. Immigration and Customs Enforcement to search devices without a warrant. According to CBP data, such searches are reportedly undergoing a significant spike in frequency. [ACLU]

US – Other Privacy News

  • The U.S. 9th Circuit ruled in favor of the personal privacy of 149 noncitizens over a FOIA request seeking their names from the treasurer of the National Border Patrol Council. Law360
  • The FTC announced three companies have agreed to settle charges related to misleading consumers about their participation in the EU-U.S. Privacy Shield agreement. gov
  • The FTC announced that computer manufacturer Lenovo agreed to settle charges it harmed consumers by pre-loading its devices with ad tech software that compromised users’ privacy and security. gov
  • In what the ACLU is calling “a big win for transparency in California,” the California Supreme Court ruled this week that bulk-collected and -stored license-plate data does not constitute “investigative records” and therefore cannot be kept secret. org | Pasadena Weekly
  • In New Hampshire, an advisory committee is looking into creating rules on how to identify crime victims in court papers. The Concord Monitor


US – NIST Updates Security and Privacy Controls for Information Systems

The National Institute of Standards and Technology issued updated draft guidance on security and privacy controls for federal information systems and organizations; public comments will be accepted until September 12, 2017. The updated version makes significant structural changes from Revision 4 by moving the privacy and security controls from the appendices and incorporating them into the body of the guidance; the catalog of security and privacy controls includes access controls, awareness and training, audit and accountability, incident response, and risk assessment. [NIST – Security and Privacy Controls for Information Systems and Organizations – Draft NIST Special Publication 800-53 Revision 5]

US – NIST Published Draft Ransomware Guidelines

The US National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCOE) has published a draft guidance document titled Data Integrity: Recovering from Ransomware and Other Destructive Events. The guide “demonstrates how organizations can develop and implement appropriate actions following a detected cybersecurity event.” [NIST develops guidelines for dealing with ransomware recovery | Data Integrity: Recovering from Ransomware and Other Destructive Events]

Smart Cars / IoT

US – DOT Releases Guidelines for Automated Driving Systems

The Department of Transportation has released a revised set of guidelines outlining best practices for automated driving systems, the Vision for Safety 2.0, scaling back some of the recommendations outlined by President Barack Obama last year. The guidelines remain voluntary in nature. The DOT admits the guidelines are part of what it sees as an evolving approach to automated driving, adding that “DOT and NHTSA are already planning for 3.0.” The announcement came the same day that the National Transportation Safety Board found a Tesla automated driving system to have played a “major role” in a collision last year that resulted in the death of the test driver. [NPR]

WW – Tech Companies Develop Platforms for Smart City Development

As the development of smart cities continues, tech startups are finding their own unique role to play. Atomico-backed startup Teralytics has identified its niche by developing a platform to sell analytics that help customers, such as government agencies and transport companies, better understand the complex problems relating to human mobility for better urban planning. Ericsson, which launched the Connected Vehicle Marketplace, has partnered with automotive software developer Zenuity to develop a cloud-based platform for connected safety, advanced driver assistance support, and autonomous driving software and functions, which the company sees as an essential part of their strategy for enabling connectivity, security and innovation across the automotive industry into the future. [TechCrunch]

WW – Survey: Majority of Smart Meter Customers Do Not Receive Info on Data Storage Plans

A survey commissioned by the U.K. Department for Business, Energy & Industrial Strategy found the majority of smart meter customers did not receive information from their energy supplier about their plans to store energy use data. The study found only 16% of respondents recalled their energy suppliers giving them the information, while 73% said they did not receive any type of information. “The survey results are also at odds with the direction of travel in privacy law in general. Under the new General Data Protection Regulation, great emphasis is placed on transparency around the processing of personal data, the purposes of that processing and to whom data might be shared with, so there might be work for suppliers in the smart energy market to do to improve customers’ engagement on these issues,” Pinsent Masons’ Chris Martin said. [Out-Law]

US – NIST Explains Fog Computing as Solution for Technological Gaps

The National Institute of Standards and Technology (“NIST”) issued draft guidance on fog computing. Fog computing, which resides between smart end-devices and traditional cloud or data centers and is often erroneously called edge computing, supports vertically-isolated latency-sensitive applications by providing pervasive, scalable, layered, federated (interoperable), and distributed computing, storage, and network connectivity. Comments are due by September 21, 2017. [NIST – The NIST Definition of Fog Computing – NIST Special Publication 800-191 (Draft) | Press Release]

CA – Book Review: Cybersecurity in Canada

Cybersecurity in Canada, a 140-page book by lawyer Imran Ahmad of the Miller Thomson law firm, was published earlier this month aimed at IT procurement managers, risk managers and lawyers. [See here] Ahmad, who in addition to leading his firm’s cybersecurity law practice also sits on the cyber council of the Canadian Advanced Technologies Alliance (CATA), says each chapter is no more than 10 pages at the most. “So it’s really a handbook, not a dissertation.” In addition to listing best practices organizations can implement before and after a data breach or cyber attack, contributors also author chapters on cloud computing, supply chain procurement, cyber insurance, obligations of the board and management, dealing with law enforcement and handling customers and the media after an incident. The book is not an introductory text to IT or law, assuming network admins and counsel have some knowledge of respective areas. Lawyers who don’t practice cyber or privacy law will appreciate the chapter on possible litigation exposure from a breach (and CEOs and boards may find it educational and sobering). As for incident management, the book has lots of advice for counsel and the incident response team, including reporting requirements under current provincial and federal laws. [Source]


WW – Windows 10 Fall Update Set to Include Privacy Improvements

Microsoft announced enhanced privacy settings are set to be released in October’s Windows 10 Fall Creators Update. The updated version will build upon this spring’s Windows 10 Creators Update and include a full privacy statement made available during the setup. It will also require the user to give direct authorization if an app wants to access the user’s camera, microphone, contacts, calendar and other potentially sensitive information, but this will only apply to apps installed after the update. While the update does not turn off what access Microsoft has to Windows 10 data, it is expected to improve transparency, the report states. [PC World]

Telecom / TV

AU – Australian Parliament Passes Telecommunications National Security Law

The Australian House of Representatives has passed the Telecommunications and Other Legislation Amendment Bill 2016, with the Telecommunications Sector Security Reforms to establish a framework for national security threats. Communications Minister Mitch Fifield and Attorney General George Brandis in August said the TSSR has an emphasis on “the shared responsibility between government and the telecommunications industry,” adding that the increased threat of cyberattacks makes protecting networks a priority of the government. The bill requires service providers to do their best to protect their networks and to notify the government of any changes to systems that could have “material adverse effect.” [ZDNet]

US Legislation

US – Spy Leaders Seek Permanent Extension of Controversial FISA Surveillance Authority

Attorney General Jeff Sessions and Director of National Intelligence Daniel Coats asked congressional leaders on Monday [see letter here] for a clean extension of the spying provision. Most notably, the top officials requested that the reauthorization be permanent. At the end of the year, Section 702 [see here & here] of the “FISA Amendments Act” sunsets. Through 702, the NSA administers its PRISM program, which relies on the cooperation of internet companies to funnel requested data to intelligence agencies. Also under 702, US spies engage in “upstream” collection, involving the extraction of data right off of internet cables around the world. Such tactics, however, invariably result in Americans being spied on, too, especially those who are in regular contact with individuals overseas. [Source – see additional coverage here, here, here and here]

US – Senators Introduce Data Broker Legislation Following Equifax Breach

Following Equifax’s data breach last week, a group of Democratic senators has introduced the Data Broker Accountability and Transparency Act to hold the data-broker industry accountable for breaches. The bill would allow consumers to access and correct their information and also give consumers the ability to stop brokers from using, sharing or selling personal information for marketing purposes. Additionally, the bill would require data brokers to develop comprehensive privacy and data security programs and to provide reasonable notice in the case of breaches. Sen. Elizabeth Warren, D-Mass., also announced she has launched an investigation into Equifax’s data breach and has plans to introduce a bill that would give consumers the ability to freeze their credit for free. [Broadcasting Cable | More fallout from Equifax data breach | Schumer calls for resignations unless Equifax offers better identity theft protections | Top Equifax executives retire following data breach | Breach of Equifax affects 143M consumers]

US – California Passes Law to Protect Victim Privacy in Revenge Porn Cases

California Gov. Jerry Brown has signed a bill allowing victims of revenge porn to file civil lawsuits under a pseudonym in a measure to further protect victim privacy. The new law will protect the confidentiality of victims by maintaining a pseudonym in all court documents and records and requiring all personal information be either redacted or omitted. The bill was introduced by Sen. Bob Wieckowski, D-Fremont, increasing protections put in place by a 2014 law he authored that allowed victims of revenge porn to seek damages in civil court and to remove content from the internet. [Los Angeles Times]

US – Illinois Law Imposes Prohibitions on Ed Tech Providers

Senate Bill 1796, the Student Online Personal Protection Act, has passed the Illinois Legislature and been signed by the Governor. Effective August 24, 2017, entities that provide products or services to schools that collect, retain or use student data cannot disclose it (unless for legal or regulatory compliance, protection of individual safety, or to contractually obligated third parties), or use it for targeted advertising or to amass a student profile; entities are not prohibited from using or sharing student data to improve their services or educational products, or selling or leasing student data for mergers and acquisitions. [Senate Bill 1796 – The Student Online Personal Protection Act – State of Illinois Public Act 100-0315]

US – Other US Legislative Developments

  • A bipartisan group of U.S. representatives has reintroduced the International Communications Privacy Act, which would give law enforcement the power, with a warrant, to require telecommunications providers to turn over the contents of an electronic communication no matter where they are held. Multichannel News
  • The U.S. House of Representatives unanimously approved the SELF-DRIVE Act to streamline rules governing self-driving cars. ArsTechnica
  • California lawmakers have shelved the California Privacy Act, a bill that would have put restrictions on ISPs’ abilities to share consumer data. The Los Angeles Times
  • California Gov. Jerry Brown has signed a bill allowing victims of revenge porn to file civil lawsuits under a pseudonym in a measure to further protect victim privacy, the Los Angeles Times reports. More
  • A California bill requiring telecommunications companies to get opt-in consent for sharing consumers’ personal data is running out of time. Los Angeles Times
  • The Geolocation Privacy Protection Act has reached the desk of Illinois Governor Bruce Rauner. The bill would require internet companies to inform consumers what geolocation data they are collecting, the reasons for gathering the data, and the entities receiving the information. NBC Chicago
  • The Colorado Open Records Act got an update over the summer allowing for records to be released digitally. CU Boulder Today
  • Illinois’ governor has signed legislation that puts restrictions on the collection and sharing of students’ data by apps and websites. The Telegraph
  • New rules governing how Michigan police use body cameras and what can be done with data collected by them will go into effect in January. The Oakland Press

Workplace Privacy

EU – ECHR Ruling Revives Privacy in the Workplace

“On Sept. 5, the European Court of Human Rights handed down a landmark judgement about privacy and monitoring at the workplace,” writes Ernst-Oliver Wilhelm for Privacy Tracker. Multiple courts rejected Bogdan Mihai Bărbulescu’s claim that his conviction for using a work messaging account to communicate for private purposes was done through inappropriate monitoring of his communications; however, this week the ECHR “found that Article 8 of the European Convention of Human Rights (Right to respect for private and family life) is applicable in this case and ruled that county courts had failed to protect Bărbulescu’s right to a private life in the workplace.” The court noted that proportionality and procedural guarantees against arbitrary monitoring are essential and offered relevant factors that should be taken into account by organizations. [IAPP.org]

EU – Employers Must Provide Notice Prior to Employee Monitoring, European Court Rules

In what is being called a landmark privacy ruling, the European Court of Human Rights has decided that employers must provide notice to employees prior to monitoring their online communications. The judgment, which was decided by the Grand Chamber of the ECHR, its highest chamber, overturned an earlier ruling that had sided with employers. In 2007, Romanian software engineer Bogdan Barbulescu was fired for using a company messaging system to discuss personal matters with family. Lawyers for Barbulescu have argued the incident violated Article 8 of the European Convention on Human Rights. Tuesday’s ruling also suggests that employers must provide justification for any monitoring of employee communications. Editor’s Note: An earlier version of this article suggested employers need to obtain consent before monitoring. That is not the case. [DW.com]



19 August – 01 September 2017


US – NY State Facial Recognition Program Leads to Arrest of 4,000 People

Driver’s license facial recognition technology employed by the state of New York since 2010 has led to the arrest of approximately 4,000 individuals in connection to identity theft or fraud. According to Gov. Andrew Cuomo, the state has identified more than 21,000 potential identity theft or fraud cases thus far, and as many as 16,000 people face noncriminal administrative action related to the facial recognition program. “The use of this facial recognition technology has allowed law enforcement to crack down on fraud, identity theft, and other offenses,” Cuomo said. At least 39 other states currently employ forms of facial recognition software. [Ars Technica]

UK – Police Use of Facial Recognition Undermines Public Trust

The U.K.’s independent Biometrics Commissioner, Paul Wiles, has used his first public announcement to warn that the lack of laws controlling the police’s use of facial recognition technology is undermining public confidence in law enforcement. In addition to the police’s growing database of facial images, which is reportedly above 20 million images, the unregulated use of facial recognition technologies is adding to the public distrust. Wiles adds that the current use of automated facial recognition software is “an intrusion on privacy.” Big Brother Watch’s chief executive, Renate Samson, argues, “It is time the government gave custody images and facial biometrics the same protection as fingerprints and DNA and ensured automatic deletion is standard when a person is released without charge.” [Sky News]

WW – Google, Walmart Join Forces to Launch Voice-Activated Shopping

Walmart will be joining forces with Google to allow customers to order products by talking to their Google Assistant. Customers who possess a Google Home smart speaker or are Google Express customers will be able to speak into their smart devices to order one of the hundreds of thousands of products Walmart will make available through the partnership. The system will also remember previous purchases customers have made in order to make future purchases move faster. The system will only be available in the U.S. to start but may move to Canada if it is deemed successful. [CBC]

Big Data / Data Analytics

WW – Artificial Intelligence Replicates Society’s Inherent Bias

Navneet Alang writes about a significant problem with artificial intelligence: It “may be just as bigoted as human beings.” Last fall it was revealed, to the dismay of the developers, that a system using image recognition was associating women with cleaning and the kitchen. “Since machine learning and AI operate through collecting, filtering, and then learning from and analyzing existing data, they will replicate existing structural biases unless they are designed explicitly to account for and counteract that,” the report states. As AI becomes more omnipresent in our lives, Alang writes, “We are situated at the threshold of determining whether a new era of technology will replicate the injustices of the past, or if it may in fact be used to challenge the inequalities of the present.” [New Republic] [Avanade CEO discusses digital ethics and artificial intelligence] [Why it is time to stop putting blind faith in big data] [Use of AI surveillance expected to increase] [Antitrust enforcement of big data on the rise]

WW – Unintended Gender Bias Amplified in AI Programs

Researchers have found that a significant gender bias is built into two prominent sets of research photos and that when image-recognition software trains on the two datasets, it has the unintended consequence of amplifying the bias rather than simply mirroring it. While a solution has reportedly been created to neutralize this phenomenon, it requires that a researcher first identify the bias to specify what needs to be corrected. Mark Yatskar, a researcher at the Allen Institute for Artificial Intelligence, says that this phenomenon could also amplify other biases in data, adding, “This could work to not only reinforce existing social biases but actually make them worse.” [Wired]

CA – Avanade CEO Discusses Digital Ethics and Artificial Intelligence

Avanade CEO Adam Warby discusses digital ethics and its role in the development of artificial intelligence. “We’ve actually done some research, and we found that of the people who recognize that there are unintended consequences of digital technology, less than half have actually developed some form of guidelines, policies, or practices to deal with it,” Warby said. “This is about first recognizing it, like with any issue, and I think that data privacy is one of the things that will be brought to the forefront, particularly with the advent of the GDPR regulations coming out of Europe that companies within less than a year have to comply with.” Warby also discusses the groups who will have to make the decisions regarding moving forward with artificial intelligence. [IT World Canada]

US – FTC Hopes to Take Closer Look into AI

In an era when Silicon Valley is experiencing a surge in investment and the Trump administration has reportedly done very little to engage on policy questions related to artificial intelligence, Acting FTC Chairwoman Maureen Ohlhausen suggested the agency hopes to take a closer look into artificial intelligence. Ohlhausen also stated that the FTC will continue to focus on algorithmic bias as in the previous administration, saying, “We do enforce laws that are to protect consumers from discrimination, and I think that’s appropriate for us to continue to think about and to continue to be vigilant for.” [Axios]


CA – Canada to Create Directive on Intelligence Sharing With Allies

Canada’s office of Defense Minister Harjit Sajjan is creating a directive to dictate how Canada’s electronic spy agency shares foreign signals intelligence with its closest allies, the Five Eyes partners. A 2016 report from the oversight commissioner of the Communications Security Establishment found that the agency had illegally and unintentionally shared domestic metadata with allies even though the agency is said to have a “robust suite of privacy measures.” CSE Commissioner Jean-Pierre Plouffe said the government assured him that the directive would “explicitly acknowledge the risks associated with this type of sharing, given that CSE cannot, for reasons of sovereignty, demand that its Five Eyes partners account for any use of such information.” [CBC News]

US – OIPC NFLD Recommendations for Collection, Use and Disclosure of PHI

Custodians can rely on an individual’s implied consent if they are a health care professional or provider, or operate a health care facility or service, the PHI has been given by the individual or another custodian, and it will be used for the provision of health care; processing should not be done if other information will serve the purpose, and only the PHI necessary for the authorized purpose should be collected, used or disclosed. [OIPC NFLD – Safeguard Newsletter – Volume 1 Issue 2]

CA – Ontario Court: Energy Consumption Is Private Data

A recent decision by the Ontario Court of Appeal establishing energy-use data as personal information will likely impact private organizations going forward. In R. v. Orlandis-Habsburgo, an energy provider, noting increased energy use, forwarded information to police, suggesting nefarious activity. Police obtained a warrant, raided the home, and arrested the occupants for running a marijuana-growing operation. The court held, however, that the utility violated the tenants’ expectation of privacy. In particular, it was the informal nature of the data-sharing that the court took exception to. For private organizations in the future, it will be necessary to have clear policies surrounding when data is shared with law enforcement if it is to have value in prosecuting criminals. [Mondaq] [Aird & Berlis LLP: Ontario Court of Appeal Established New Privacy Rights – Utility Consumption Data and Grow Ops]

CA – OIPC NL Finds Government Agency Unlawfully Disclosed Employee Information

This OIPC own-motion investigation examines allegations of improper disclosure by the Human Resources Secretariat pursuant to the Access to Information and Protection of Privacy Act, 2015. The disclosures were inadvertently made in the course of an inaugural “sunshine list” disclosure; the 4-5 days for finalizing the disclosure were insufficient, and there were a small number of employees responsible (who had no administrative support, had no Excel certification, and had never gone through the process before). The agency responded promptly to the breach (it sent notifications to affected individuals), and implemented remedial measures, but failed to make much effort to retrieve the disclosures from the media. [OIPC Newfoundland and Labrador – Report P-2017-003 – Human Resource Secretariat]

CA – OIPC AB Orders Alberta Organization to Notify Affected Individual

Servus Credit Union reported an unauthorized disclosure to the Office of the Information and Privacy Commissioner of Alberta. Several unauthorized charges were made to the affected individual’s account after an employee provided her bank account number and ATM card to the wrong individual; the situation poses a risk of harm to the affected individual since the information could be used to complete additional transactions. [OIPC AB – Breach Notification Decision P2017-ND-89 – Servus Credit Union]

CA – Outgoing New Brunswick Privacy Commissioner Reflects on Her Tenure

As she prepares to finish her term, New Brunswick Information and Privacy Commissioner Anne Bertrand looked back at her time in the position. Bertrand said she has seen a heightened level of government transparency during her tenure, while believing she had succeeded in using public pressure and the power of persuasion to ensure the government followed its own laws. Bertrand handled more than 4,000 files on cases regarding the public’s privacy and the right to know and expressed her desire to release more information on a committee investigating the ways at-risk children had been dying. Alexandre Deschênes will take over the position. [CBC News]

CA – OIPC BC Investigating Landlords’ Potential Privacy Violations

British Columbia Acting Information and Privacy Commissioner Drew McArthur is launching an investigation into whether landlords are violating the privacy of potential tenants by asking too many questions about sensitive information. The Office of the Information and Privacy Commissioner Director of Policy Brad Weldon said low vacancy rates in several cities are putting people in the position where they feel they cannot refuse a request for information, such as complete bank statements and T4 income forms. “Because we have this power imbalance right now,” Weldon said, “[landlords] can ask for information that’s clearly, likely offside of (the Protection of Information and Privacy Act), but they sort of have the upper hand.” [Vancouver Sun]

CA – Ontario School Boards Should Collect More Student Demographic Data

A report from York University states Ontario school boards should collect more comprehensive data on students’ race, ethnicity, religion and gender identity. According to the report, collecting demographic data could help schools make learning more inclusive and relevant to students’ experiences. The York report calls for school boards to improve their demographic data collection no later than 2018–19. However, “(Data) has immense potential to be positive, but it has immense potential to be negative depending on who has access to the information, how it’s reported, who it’s reported to and what’s done to manipulate it — and that should be a valid concern,” Racial Justice Lawyer Anthony Morgan said. [The Star]


WW – Canadian Government Issues Steps for Mobile Device Cyber Hygiene

The Communications Security Establishment of Canada has issued guidance on cyber hygiene. Use a PIN or password to access mobile devices, disable features not in use such as GPS, Bluetooth and Wi-Fi, and avoid opening files, clicking links or calling numbers contained in unsolicited text messages or emails; a separate device should be used specifically for travel purposes, and storage devices and charging equipment from unknown sources should not be used. [CyberHygiene – Communications Security Establishment]


CA – New Brunswick to Launch Open Data Portal in 2018

The New Brunswick government will launch an open data portal in 2018. The portal will be an online app allowing citizens to search hundreds of data sets. The portal is part of the province’s effort to fulfill promises made in the government’s open data policy, ensuring “government-held data is made available proactively, without barriers for its reuse and consumption, except where there are legitimate restrictions on its release.” “Service New Brunswick is working with departments and agencies to identify candidate data sets that can be part of the open data portal, while respecting privacy laws,” a Service New Brunswick representative said. “Once the portal is launched data sets will be continuously added.” [CBC]

US – NIST Issues Updated National Checklist Program for IT Products

The National Institute of Standards and Technology issued updated guidance on the development and implementation of checklist programs for IT products. Checklist users and developers can use automated or manual checklists to verify that a product has been configured properly or identify unauthorized configuration changes to the product; devices and software used for security checklists include general-purpose and mobile operating systems and infrastructure devices such as routers, firewalls, and wireless access points. [NIST – National Checklist Program for IT Products – Guidelines of Checklist Users and Developers – Draft NIST Special Publication 800-70 Revision 4]

Electronic Records

US – Higher Ed Sharing Student PII Without Consent

Higher education institutions often fail to appropriately care for students’ personally identifiable information. Thanks in part to the Family Educational Rights and Privacy Act of 1974, requiring educational institutions to keep education records private but not directory information, which “would not generally be considered harmful or an invasion of privacy if disclosed,” student information is often being shared without the knowledge or consent of the student, unless they are savvy enough to put a “privacy hold” on their information. Leah Figueroa, a data analyst who has worked in higher education for 13 years, estimates that her institution provides an average of 90,000 student records per year to third parties, including Freedom of Information Act requests, making personal information all too accessible. [NakedSecurity]

EU Developments

EU – Law Enforcement Access Gets Review

On Aug. 4, the European Commission opened a public consultation to “help Europe’s law enforcement agencies combat crime in the digital age.” In other words, law enforcement wants access to more information, more easily. Currently, authorities rely on judicial cooperation mechanisms, like mutual legal assistance treaties, the recently introduced European Investigation Order within the EU, the direct cooperation of service providers, or, last but not least, on “direct access to obtain electronic information” — aka hacking. But the Commission is convinced this isn’t enough and is stepping up plans that have been on the table since 2015 to address the so-called e-evidence issue. The consultation will be open until Oct. 27. [IAPP.org] See also: France’s CNIL has published a blanket authorization for whistle-blowing that eliminates a time-consuming preapproval process among other changes. [The National Law Review]

UK – Fraud Prevention Group Warns Identity Theft Reaching ‘Epidemic Levels’

Identity theft is reaching “epidemic levels,” according to a warning from fraud prevention group Cifas, which adds that people in their 30s are now the most targeted group. Simon Dukes, chief executive of Cifas, explained that there has been an increase in identity fraud each year that has raised the rate at which identities are stolen to almost 500 per day. Dukes explains that with more personal information available online, it is not only consumers who need to be educated on the perils of identity theft, but it is also an important point of concern for small- and medium-sized businesses. [BBC]

EU – Google Begins Compliance with EU Antitrust Order

Google submitted details on the way it plans to comply with a European Union antitrust order. Google was hit with a $2.9 billion fine by the EU in June after the European Commission determined the tech company abused its dominance in Europe by giving its own shopping services prominent placement in searches, demoting the services of its rivals. In addition to coming up with a solution, Google has been ordered to stop the practice by Sept. 28. “Google will continue to be under an obligation to keep the Commission informed of its actions by submitting periodic reports,” a European Commission spokesman said. [Reuters]

EU – e-Learning Platforms Present Significant Privacy Risks to Students

The International Working Group on Data Protection in Telecommunications introduced a working paper on e-learning platforms at its 61st meeting. Risks include unlawful processing and lack of transparency, excessive collection, profiling and automated decision-making, function creep, inadequate security, and a lack of accountability; recommendations include obtaining parental consent, applying the principles of data minimization, privacy by design and privacy by default, and clear allocation of the educational institution’s and provider’s roles, rights, and responsibilities. [Working Paper on e-Learning Platforms – International Working Group on Data Protection in Telecommunications]

US – Federal Court Refuses to Dismiss Complaint Against Smart TV Manufacturer on the Basis of Consent Decree

The Court considers Defendant Vizio’s motion to dismiss a lawsuit alleging its smart TV data collection and disclosure practices are a violation of federal and state laws. Plaintiffs are not a party to the consent decree (they would have no recourse if the manufacturer shirked its promises or the regulators failed to enforce the decree), and there was no evidence that the manufacturer has halted collection of users’ TV viewing; the manufacturer unsuccessfully argued that the samples of users’ TV shows it collects are “tiny” and not “recognizable” (these factors are irrelevant when determining whether information qualifies as “content” under the Wiretap Act). [In Re: Vizio, Inc., Consumer Privacy Litigation – Order Denying Defendant’s Motion to Dismiss and Strike – United States District Court Central District Of California]


US – EFF Submits Amicus Brief on Anti-Cyberbullying Law

The Electronic Frontier Foundation, along with the Washington state branch of the ACLU, has submitted an amicus brief regarding new anti-cyberbullying legislation that they argue is an overreach and could censor free speech. While the law is aimed at protecting against cyberstalking and punishes online harassment, the EFF argues that certain expression of speech could inadvertently fall victim to the law. The EFF says that the problem of online harassment is one that calls for a multi-layered approach and that Washington’s law demonstrates how some approaches can go “terribly wrong.” [Engadget]


US – Lawmakers Seek Probe of Post-Breach Identity Theft Services

US legislators are seeking further investigation into the efficacy of credit monitoring services that are routinely offered to data breach victims. Three US congressmen have asked US Comptroller General Gene Dodaro to further investigate issues raised in a March 2017 report from the Government Accountability Office. Among the questions raised: Are some credit monitoring services more effective than others? Is credit monitoring the best response? And are there other measures that could be taken to protect data theft victims from fraud? [The Hill Watchdog pressed to probe post-data breach services | democrats-energycommerce.house.gov: Letter | GAO: IDENTITY THEFT SERVICES: Services Offer Some Benefits but Are Limited in Preventing Fraud] [Surprising stats on third-party vendor risk and breach likelihood]

WW – Researchers Investigate Ways to Link Bitcoin Transactions to Customers

Princeton University’s Steven Goldfeder and several researchers investigated the ways individuals can be linked to their bitcoin transactions. Goldfeder examined 130 websites that accept bitcoin payments and found 53 of those websites leaked payment information via web trackers. While most of those sites leak information on purpose, some of the sites leaked more data than expected. “We find that many merchant websites have far more serious (and likely unintentional) information leaks that directly reveal the exact transaction on the blockchain to dozens of trackers,” the researchers said. A bitcoin transaction can be traced back to an individual if a person were to determine the amount of bitcoin spent, then find the transaction at the exact time the purchase was completed. [MIT Technology Review]

WW – Cellphones Increasingly Hacked for Virtual Currency

The New York Times reports on the vulnerability and increased hijacking of phone numbers as a ploy to gain access to account information, specifically targeting those with ties to virtual currency. In many instances, hackers have called up cellphone providers to trick them into handing over control of a victim’s phone number. Two-factor authentication may also be vulnerable to these types of attacks, the report states. “It’s really highlighting the insecurity of using any kind of telephone-based security,” said Michael Perklin, the chief information security officer at the virtual currency exchange ShapeShift. Coinbase, a widely used bitcoin wallet, is reportedly encouraging customers to disconnect their mobile phones from their accounts. [New York Times]


EU – Startup Partners With Pharma Company for Genomic Analysis

In an effort to develop new therapies and cures for existing diseases, Irish startup Genomics Medicine Ireland has partnered with Abbvie, a multinational pharma group, to map the genomes of 45,000 Irish people. The population-based genomic analysis will examine genetic, lifestyle and environmental factors in hopes that it will lead GMI to new developments. Dan Crowley, acting chief executive of GMI, said that all studies were designed so that the company was “completely removed from the study participant.” The company also stated that privacy protection was of “utmost importance,” adding that all systems have been designed from the outset to comply with the EU General Data Protection Regulation. [Irish Times]

Health / Medical

US – Nurse Arrested While Protecting Patient Privacy

An argument between local police and a Utah nurse defending her patient’s rights was caught on a police body camera and is now the subject of an internal investigation by the police department. The nurse, Alex Wubbels, refused to allow Detective Jeff Payne to collect a blood sample from an unconscious patient without consent or probable cause and a warrant. The report states Wubbels was right to defend her patient’s inability to give consent, considering both Utah state law and a U.S. Supreme Court ruling that “blood can only be drawn from drivers for probable cause.” Payne’s lieutenant ordered him to arrest Wubbels if she refused to let him draw a sample, which he proceeded to do. [The Washington Post]

US – HHS Releases Bulletin for Handling Patient Information During a Declared Emergency

The Department of Health and Human Services recently released a bulletin to help guide covered entities on how to share patient information in a declared state of emergency, specifically clarifying how patient information may be shared in the aftermath of Hurricane Harvey. The bulletin explains that while sanctions and penalties for HIPAA noncompliance may be waived during an emergency, “covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.” The HHS adds that in such instances, patient information may be shared with anyone who is able to “prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.” [HealthITSecurity]

US – Mobile Health Apps Show Need to Prioritize Privacy

A new report stresses the need to maintain personal health information in light of the increased use of specialized health care mobile messaging apps, adding that providers must ensure that patient privacy is a priority. It is reported that the HIPAA Security Rule does not require “specific technology solutions when it comes to mobile device technical safeguards,” instead requiring “reasonable and appropriate security measures be implemented.” The HIPAA Security Rule is also “flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments.” While secure messaging apps help connect patients with health care professionals, patient privacy and potential vulnerabilities must be considered first, the report states. [HealthITSecurity.com]

Identity Issues

CA – OPC Canada Warns Users About Device and Browser Fingerprinting

A guest blogger on the website of the federal Privacy Commissioner examines device and browser fingerprinting. Device fingerprinting methods are difficult to detect, websites often fail to disclose their fingerprinting practices in their privacy policies, and many of the companies that perform the fingerprinting are working for the websites that a user visits; tracking technologies are outpacing individual controls, which are often beyond most people’s technical capabilities and/or break websites or lead to poor browsing experiences. [OPC Canada – Privacy Tech-Know Blog: Cookieless Identification and Tracking of Devices, Christopher Parsons]

IN – India’s Aadhaar Program Lacking Sufficient Privacy Provisions: Report

A report published by Health and Technology and penned by the World Privacy Forum’s Pam Dixon compares India’s privacy efforts with the Aadhaar biometric identity program with actions taken by the U.S. and the EU. The paper finds the Aadhaar program does not have sufficient privacy and data protections; for example, the program possesses so-called failure-to-match rates of up to 49 percent, despite having the biometric information of 97% of adults in India in 2016. While the Aadhaar program’s biometric privacy efforts are lacking, the paper points to the impending EU General Data Protection Regulation and laws such as HIPAA, the GLBA, and FCRA as potential models of EU and U.S. laws that regulate biometric activities. [Technology Science]

How NIST Digital Authentication Guidelines Could Help Health Care

In June, the National Institute of Standards and Technology released a new version of its digital identity guidelines designed to help federal agencies seeking to create a secure authentication process, but it could help the health care industry, as well. Phishing, social engineering, and lost or stolen items are among the risks organizations face when attempting to secure their authorization process. NIST suggests several ways to mitigate those threats, including extending training for subscribers, implementing system and network security controls, and installing multiple steps to access a system. [HealthITSecurity]

EU – Ireland’s DPC Calls for More Transparency on Public Services Cards

As the debate regarding public services cards continues, Irish Data Protection Commissioner Helen Dixon said the issue of transparency needs to be addressed. “There is a pressing need for updated, clearer and more detailed information to be communicated to the public and services users regarding the mandatory use of the public services card for accessing public services,” Dixon said. The DPC is asking the Department of Social Protection to publish a comprehensive FAQ on the public services card program, including the ways data will be collected and who will have access to the information. The department agreed to the DPC’s request and will publish in the immediate future. [The Irish Independent] See also: [The promise of managing identity on the blockchain]

WW – New Apple Feature Will Disable Touch ID

Apple is expected to introduce a new feature in iOS 11 that will allow a user to disable the Touch ID by quickly pushing the power button five times. The move will signal an emergency SOS that can only be reversed after entering the passcode. The update comes as recent rulings have granted police the means to force users to unlock their phones using their fingerprints and follows a rise in controversies surrounding law enforcement requests for phone data. Passcodes are reportedly protected under the Fifth Amendment but fingerprints are not. [USA Today]

Law Enforcement

US – Judge Says Stingray Use Requires Warrant, But Warrantless Use Was Justified in Murder Case

A US federal judge in California has ruled that evidence gathered through the warrantless use of a cell-site simulator may not be suppressed in a murder case. The evidence was used to locate the defendant, Purvis Ellis. Judge Phyllis Hamilton did find that using the technology to locate Ellis constituted a search under the Fourth Amendment, which under normal circumstances would require a warrant. In this case, Hamilton agreed with the government that there were “exigent circumstances,” justifying the use of a cell-site simulator. [Arstechnica: Court: Locating suspect via stingray definitely requires a warrant | Document Cloud: Pretrial Order Denying Motions to Suppress]

US – EFF, ACLU Win Court Ruling: Police Can’t Keep License Plate Data Secret

In what the ACLU is calling “a big win for transparency in California,” the California Supreme Court ruled this week that bulk-collected and -stored license-plate data does not constitute “investigative records” and therefore cannot be kept secret. The Electronic Frontier Foundation (EFF) and the ACLU won a decision by the California Supreme Court that the license plate data of millions of law-abiding drivers, collected indiscriminately by police across the state, are not “investigative records” that law enforcement can keep secret. California’s highest court ruled that the collection of license plate data isn’t targeted at any particular crime, so the records couldn’t be considered part of a police investigation. The ruling sets a precedent that mass, indiscriminate data collection by the police can’t be withheld just because the information may contain some criminal data. This is important because police are increasingly using technology tools to surveil and collect data on citizens, whether it’s via body cameras, facial recognition cameras, or license plate readers. The panel sent the case back to the trial court to determine whether the data can be made public in a redacted or anonymized form so drivers’ privacy is protected. [EFF]

US – New Sensor Tracks Neighborhood Traffic

Flock’s sensor, unveiled at the Y Combinator’s Demo Day, allows users to log the license plate of a car that travels in and out of their neighborhood. While residents of the neighborhood can reportedly opt out of the monitoring, visitors or those traveling through cannot. Flock says that the data gathered is only available to “neighbourhood leaders” and could be used to combat crime. Albert Gidari, director of privacy at Stanford Law School’s Center for Internet and Society, said, “One of the great weaknesses in U.S. privacy law is that we only protect against intrusions into private areas, not public spaces.” Gidari added that as monitoring becomes more prevalent, this is an area that may warrant further discussion. [BBC.com]

NZ – Firearm License Verification Raises Privacy Concerns for Gun Owners

A new regulation requiring New Zealand’s largest online auction platform, TradeMe, to verify license details with police for each firearm transaction is raising privacy concerns for gun owners. Despite public concern, Privacy Commissioner John Edwards insists the requirement is not a violation of privacy, adding those who wish to obtain firearms are free to use other methods and that the platform is free to set their terms and conditions. To prevent the illegal sales of firearms, TradeMe has been seeking access to verify transactions with the national firearms license register since 2016. [Newshub]


WW – Weather App Sends Geolocation Data When Location Sharing Is Off

A security researcher discovered weather app AccuWeather has allegedly been sending geolocation data to a third-party monetization firm, even when a user has disabled location sharing. Will Strafach found the app would send Wi-Fi router data to Reveal Mobile every few hours, even if the app did not have access to a user’s exact location. An AccuWeather executive said Reveal Mobile technology “has not been in our application long enough to be usable yet.” “In the future, AccuWeather plans to use data through Reveal Mobile for audience segmentation and analysis, to build a greater audience understanding and create more contextually relevant and helpful experiences for users and for advertisers,” AccuWeather Executive Vice President of Emerging Platforms David Mitchell said. [ZDNet]

WW – AccuWeather Responds to Media Reports of Location Data Sharing

Representatives from AccuWeather have responded to reports that it shares users’ location data with third parties after users had opted out from such sharing. AccuWeather stated, “Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.” The company said it and the third party in question, Reveal Mobile, follow industry best practices and standards. “We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.” [TechCrunch]

WW – Uber to Remove Post-Trip Location Tracking Feature

Uber will be removing a feature within its app that allows the ride-hailing company to track users up to five minutes after a trip. The change will allow users to share their location only when using the app, moving away from an update made last November where Uber required users to either always allow the app to collect location data or never collect it at all. Uber initially made the decision to continuously collect user data to help ensure customers’ physical safety, but the decision was criticized by users and privacy advocates as a breach of user trust. Uber may consider bringing back the tracking feature but only after clearly explaining the value of the process and allowing users to opt in to the setting. [Reuters]

Online Privacy

US – Alt-Right Demonstrators Get Lesson in Public Anonymity

Lawrence Friedman and Joanna Grossman use the recent alt-right rally in Charlottesville to demonstrate how the personal anonymity once felt in a crowd is a lost concept in today’s society. The report shows how crowdsourcing efforts on Twitter to identify, expose and shame members of the rally reinforce the new reality of privacy in the public space. While some participants were correctly identified and have realized social repercussions, others were wrongly identified as participating in the rally and have suffered unnecessarily. The authors also wonder if some of the alt-right protesters ought to be allowed to learn and grow past their prejudices, but argue “the computer age is a deadly threat to any right to be forgotten,” adding, “American law ignores, on the whole, the right to forget, and to be forgotten.” [Full Story]

WW – Anonymous Messaging App Uploads Users’ Contacts When Launched

Bishop Fox Senior Security Analyst Zachary Julian discovered the anonymous messaging app Sarahah gathers and uploads all the phone numbers and email addresses from a user’s device the first time the app is launched. While the app will ask for permission to access contacts in some cases, Sarahah does not disclose it uploads the data. Julian used the monitoring software Burp Suite to see the app uploading his private data from his smartphone. Sarahah’s creator, Zain al-Abidin Tawfiq, tweeted the feature will be removed in a future release and was intended for a “find your friends” feature. Meanwhile, Major League Lacrosse suffered a data breach exposing the sensitive information of every single player after a spreadsheet was accidentally loaded onto the league’s website. [The Intercept]

Other Jurisdictions

WW – Event: Towards an International Metrics Agenda for Privacy-Policy Making

The International Conference of Data Protection and Privacy Commissioners, the Organization for Economic Co-operation and Development, and the Asia Pacific Privacy Authorities will be hosting a roundtable Sept. 27 to examine the scope and goals of a joint international privacy metrics agenda. The roundtable will be held alongside the 39th International Conference of Data Protection and Privacy Commissioners. “The meeting will report on current efforts to understand and improve the availability of internationally comparable metrics for privacy policy making and promote a discussion on options for advancing a joint privacy metrics agenda,” the announcement states. “The meeting will include presentations in relation to ongoing international projects.” [ICDPPC]

IS – ILITA Issues Draft Guidelines on Database Transfer

On Aug. 13, Israel’s DPA, the Israeli Law, Information and Technology Authority, published for public comment new draft guidelines setting extensive data protection standards for transferring ownership of a database. Gal Omer, senior associate in Amit, Pollak, Matalon & Co., writes that the guidelines articulate the ILITA’s position that, under certain circumstances, the transfer of ownership of a database “necessitates obtaining prior consent from the data subjects for the transfer of their personal data to the new entity.” Omer notes that the proposal is “notably different from current common practices in M&A transactions in Israel and will require … privacy considerations and data protection risk assessments in thus-far unfamiliar territories.” The comment period is open through Oct. 1. [Privacy Tracker]

Privacy (US)

US – Librarians to Become Privacy Resource in Communities

The Institute of Museum and Library Services announced that New York University, in partnership with the Library Freedom Project, received a grant to launch the Library Freedom Institute. The LFI will serve as a “privacy-focused train-the-trainer program” for 40 geographically dispersed librarians to become “Privacy Advocates,” serving as a privacy resource to their region. It is expected that, after a six-month course, the trained librarians will be able to conduct privacy training workshops for their own community, helping to develop a privacy-conscious public. [IMLS.gov]


UK – 10 Tips to Better Cyber Security

A Computerworld UK article lists the top 10 steps businesses can take to increase their security and combat the associated risk of cyberattacks, adding that the question is no longer if a business will suffer a cyberattack, but when it will happen. While recognizing the need to be aware of current and impending privacy legislation, the list also contains pre-emptive steps to help protect data. “The importance of an adequate cyber security strategy cannot be overstated,” the article states, adding, “With under a year until GDPR comes into effect, businesses need to follow these steps now to avoid facing severe fines, damaged reputations and a loss of customers in the event of a data breach.” [Computerworld UK]

AU – Victoria Releases Government Strategy for Cyber Resilience

Australia’s Victorian state government has unveiled a new holistic government strategy focused on building cyber resilience, emphasizing the ability to prepare for, respond to, and recover from cyber incidents and disruption rather than compliance. Special Minister of State Gavin Jennings said the new approach is designed to make cybersecurity part of the fabric of government data and information management. The strategy documents note that Victoria is responding to an unprecedented scale of incidents and disruption, adding, “The time for an agency-by-agency (only) approach has passed. We need to address these risks strategically, and where it makes sense, holistically.” [The Mandarin]

US – FTC Recommends Use of Industry-Tested and Accepted Security Methods

The FTC has issued security recommendations for companies. Using a tried-and-true security method accepted by industry experts is preferable to proprietary methods (a company can also truthfully state their use of the industry-accepted method in their ad campaign); secure sensitive data throughout its lifecycle (follow the principle of data minimization, store decryption keys separately from encrypted data, ensure proper configuration for encryption, and do not fail to validate TLS certificates or disable the default validation settings). [FTC – Stick with Security: Store sensitive personal information securely and protect it during transmission] See also: The National Institute of Standards and Technology has issued a draft revision of its Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations.

US – Awareness Gap in U.S. Business Owners

Nationwide issued a study on business owners’ attitudes and usage of cybersecurity in the United States: the survey consisted of a sample of 1,069 US business owners ages 18 or older with 1 to 299 employees. 45% of business owners have been a victim of a cyberattack without knowing it was an attack, and 74% think cyberattacks are unlikely to affect their business (41% believe only large businesses are vulnerable to attack); the most common types of attacks on companies are computer viruses, phishing and Trojan horses. [2017 Business Owners Attitudes and Usage Study]

WW – Cybersecurity: Biggest Risks to Security Are Human Errors

This academic article examines the problem of cybersecurity. Humans are also the best solution because employees are the “eyes and ears” of an organization, who are often best positioned to report suspicious incidents; best practices include organizing humans (have a well-prepared incident response team), creating and following policies (people will evade policies and procedures if they are too inconvenient), and educating humans (engage people in dynamic training, and promote a security culture on a day-to-day basis, including at the C-level). [Cybersecurity vs. Humans: The Human Problem Requires a Human Answer – Daniel Solove, TeachPrivacy]

Smart Cars / IoT

US – GAO Examines Connected Vehicle Manufacturers’ Data Privacy Efforts

The U.S. Government Accountability Office conducted a study to see the ways connected vehicles collect, use and share data, and how those data practices affect consumer privacy. The GAO analyzed 13 automakers that offer connected vehicles, finding all 13 had easily accessible privacy notices, but none was written clearly. Most of the automakers reported limiting data collection, use, and sharing, but their notices did not clearly identify their practices. All 13 automakers said they do not sell or share with unaffiliated third parties personal data which could later be linked to a consumer’s identity. The GAO report also found the National Highway Traffic Safety Administration needs to clearly define its roles and responsibilities related to vehicle data privacy. [GAO]


WW – Privacy International Publishes Law and Surveillance Guide

Privacy International has published a Guide to International Law and Surveillance. The guide is a “handy reference tool for anyone engaging in campaigning and advocacy on privacy in the sphere of surveillance, who is seeking legal backing for their work.” It includes recent reports, resolutions and court rulings by the United Nations, international and regional courts, multinational organizations and others. The guide covers topics such as the legality of mass surveillance, data retention, the extraterritorial application of human rights law and digital surveillance, and much more. Privacy International plans to expand the guide as new statements and developments arise. [Privacy International]

CA – Saskatoon Transit Had Right to View Surveillance Video of Fired Bus Driver

The Saskatchewan Information and Privacy Commissioner ruled Saskatoon Transit did not violate the privacy of a fired bus driver after reviewing surveillance video of his entire shift. Saskatoon Transit reviewed the video after the driver allegedly hit a cyclist with his side mirror. The driver believed his privacy was violated after his employers determined he did not hit the cyclist but reviewed the duration of his shift and shared still images of the video with his union after he filed a grievance. The privacy commissioner’s report states the city had the right to review both the incident with the cyclist and the driver’s conduct during his shift. [CBC News]

Telecom / TV

CA – Canada Considering Warrants for Cellphone Border Searches

Efforts are under way within Canada to require a warrant for searching a person’s cellphone at the border. Progress has been made in moving cellphones away from their current definition as goods, with proponents saying the devices contain too much important information to be subjected to the same searches as backpacks or suitcases. If Canada were to make it mandatory to obtain warrants for cellphone border searches, it could put the country ahead of the U.S. with regard to privacy protections, as U.S. courts have held national security is more important than Fourth Amendment rights at the border. [Full Story]

US Legislation

US – Texas Law Prescribes Conditions Under Which Providers May Process Student PII

Processing of student covered information, which is broadly defined, is permitted for profiling for a school purpose, for service improvements, mergers and acquisitions (subject to compliance with the law), pursuant to statutory or regulatory compliance, for protection against liability, for marketing purposes (if covered information is not associated with an identifiable student), for college or career counselling services (with student/parental informed consent), and for third party services (subject to compliance with a written contract). [House Bill 2087 – Student Information Protection – Texas]

US – Other Legislative News

  • The Colorado Open Records Act got an update over the summer allowing for records to be released digitally. [CU Boulder Today]
  • Illinois’ governor has signed legislation that puts restrictions on the collection and sharing of students’ data by apps and websites. [The Telegraph]
  • New rules governing how Michigan police use body cameras and what can be done with data collected by them will go into effect in January. [The Oakland Press]
  • New York Gov. Andrew Cuomo signed legislation prohibiting the unlawful alteration of official student records in any primary, intermediate, high school or college in the state — expanding on the types of information covered in the previous law. [Wyoming County Free Press]

Workplace Privacy

US – Class-Action Lawsuits Filed for Alleged Employee Biometric Data Violations

Lawyers with the Chicago law firm Edelson P.C. have filed three separate class-action lawsuits, citing a violation of the Illinois Biometric Privacy Act in each case. The firm reportedly alleges that all three companies failed to provide a written explanation to their workers of who was collecting and storing their biometric data, how long the data would be stored, and how it would be disposed of should an employee leave the company. It is reported that the companies required employee fingerprint data for company databases and for worker identification. [Cook County]


04-18 August 2017


US – FBI Can Keep Secret Who’s in its Biometrics ‘Mega Database’ –Justice Dept.

The FBI has obtained a legal exemption from federal privacy laws, allowing the agency to keep secret whose data it has stored in its vast biometrics database. A final rule published in the federal register by the Justice Dept. says that the Next Generation Identification (NGI) system will not be subject to several key protections and provisions covered under the Privacy Act, which allow for judicial redress and opting out of the database altogether. “The FBI’s massive biometric database includes the information of individuals who apply for citizenship or must get a background check as a condition of their job decision. The Bureau’s decision to exempt this database from basic privacy protections invites abuse,” said the ACLU. Described as a “mega-database” by the ACLU, the NGI system contains millions of fingerprints, photos for facial recognition, iris patterns, and a voice and gait recognition database from a variety of government and non-law enforcement sources — including those who apply for jobs, security clearance, and immigration purposes. A FOI request by the Electronic Privacy Information Center found that the database had a 20 percent search error rate on facial recognition matches, a rate that the FBI is “prepared to accept.” Security researcher Bruce Schneier said (via an EFF report) that even a 90% accurate system will “sound a million false alarms for every real terrorist.” The rule will go into effect on August 31. [ZDNet]

WW – Report: Biometrics Plays Increasing Data Security Role in Public Service

Accenture released a new report, Emerging Technologies Make Their Mark on Public Service, which found the use of biometrics and advanced analytics plays an increasingly critical role in data security and privacy across government and public service agencies. Based on a survey of nearly 800 public service technology professionals in nine countries, the report found that 73% of respondents cited “improved data security and privacy protection as the leading benefit of investing in emerging technologies.” The report also found that the public safety industry has the highest adoption rate of biometric technologies and that 69% of all respondents said they are deploying or considering deploying biometric technologies. [Source]

Big Data

US – CDT Launches Digital Decisions Tool

The Center for Democracy & Technology announced the launch of its first public version of the digital decisions tool aimed at enabling developers to understand and mitigate what the CDT sees as the unintended bias and ethical pitfalls associated with designing automated decision-making systems. The interactive digital decisions tool encourages developers to think critically and methodically by adding a series of questions to consider during the designing and deploying process of an algorithm in order to help shape a fair outcome for all. The CDT is currently seeking feedback. [CDT.org]

WW – AI Diagnoses Depression Through Photo Analysis

Researchers at Harvard University and the University of Vermont released a study suggesting that artificial intelligence can detect depression by analyzing the color, shading, and editing of Instagram photos. The study shows that their algorithm could correctly detect depression in 70% of the test subjects who had been diagnosed with depression within the past three years while general practitioners were able to identify 42% through in-person evaluations. While researchers believe this is not a direct comparison, they do identify it as a tool that could potentially help diagnosis delivery in the future by alerting a practitioner to signs of depression. [Seeker]


CA – Lawyers Try to End Warrantless Phone Searches at Border

As Supreme Court of Canada judges have found, a smartphone can contain “immense amounts of information” that touch a person’s “biographical core.” They’ve acknowledged that laptops create detailed logs and trails of data that can be used to retrace a person’s steps in ways that physical documents can’t. And lawyers have successfully argued that smartphones and laptops, far from being static stores of information, are in fact portals to the near-limitless volumes of data stored in the cloud — from social media profiles to email accounts and file-sharing apps. It was in this context that Manitoba provincial court judge Donovan Dvorak last year [see here] made a significant ruling: just as Section 8 of the Charter of Rights and Freedoms protects Canadians from unreasonable search and seizure, that right should also apply at the border when an officer asks to search your smartphone or laptop. The judge called into question the federal government’s long-held position that the Customs Act gives it the broad power to search personal electronic devices without a warrant or limitations, under its definition of importable goods. Judge Donovan Dvorak ruled that if border officers are to search phones, they have to abide by the limits defined in the 2014 Supreme Court case R. vs. Fearon, which dealt with cellphone searches incidental to arrest. It was decided that for a search to be lawful in such scenarios, there would have to be a relevant law enforcement purpose for the search, the search could not be indiscriminate, and officers would be required to take detailed notes on what was searched and how. Across Canada, an increasing number of lawyers are arguing more or less the same thing: that warrantless smartphone searches at the border are unconstitutional, and the practice should be stopped or at least limited. CBC News learned of four cases in which lawyers are arguing their clients’ electronic devices were unlawfully searched under the Customs Act. [These are: 1) R. vs. Sikailey (Ontario); 2) R. vs. Vaillancourt (Manitoba); 3) R. vs. Askari (Alberta); and 4) R. vs. Canfield (Alberta)] Each of these cases focuses on Section 99(1)(a) of the Customs Act, which gives border officers the power to, “at any time up to the time of release, examine any goods that have been imported and open or cause to be opened any package or container of imported goods and take samples of imported goods in reasonable amounts.” But it’s not yet clear if Judge Dvorak’s ruling will stick. Federal government lawyers argued in May they should have been notified before such questions were raised to give them the chance to respond. The Crown has since been granted the chance to submit arguments that the law is reasonable as is. [see here] [CBC News | See also: Canada’s privacy czar raises flag over planned U.S. border password searches | Privacy commissioner investigating Canada Border Services Agency over electronic media searches | Allan Richarz: What, if any, rights to privacy do you have when crossing the border?]

CA – CSE Commissioner Tables Annual Report in Parliament

The Annual Report of the Communications Security Establishment Commissioner, the Honourable Jean-Pierre Plouffe, CD, was tabled in Parliament. [see here] The Commissioner made five recommendations: 1) that CSE make clear in memoranda of understanding with foreign entities the limitations of CSE’s foreign SIGINT activities and that it cannot receive information that may have been acquired by directing activities at Canadians; 2) that CSE apply caveats consistently to all exchanges and that it use appropriate systems to record all information released; 3) that CSE issue over-arching guidance to establish baseline measures for information exchanges; 4) in the context of foreign signals intelligence ministerial authorizations, that CSE reporting to the Minister on private communications explain the extent of privacy invasion. There is a distorted view of the number of Canadians or persons in Canada involved in communications intercepted by CSE as a result of the technical characteristics of certain communications technology and the manner in which CSE counts private communications; and 5) that CSE always obtain written legal advice from Justice Canada concerning the retention or use of an intercepted solicitor-client privileged communication. [Office of the CSE Commissioner]

CA – NL OIPC Rules Sunshine List/RNC Blunder an Accident

The NL OIPC has concluded that a privacy breach that led to the salary and employee ID information of some Royal Newfoundland Constabulary officers being published online earlier this year was accidental. [See OIPC PR here & 17 pg pdf Report here] The information was published as part of the 2016 Sunshine list, which listed people who made more than $100,000 while working for the N.L. government or one of its boards or agencies. Government had agreed to a request from the RNC Association to leave the names of 167 police officers off the list for safety reasons, but their names were included in public spreadsheets released on June 30 anyway. [CBC News]

CA – Police Need Search Warrant to Get Hydro Records in Grow-Op Cases: Court

The Ontario Court of Appeal has ruled [see here] that police investigating a suspected marijuana grow-op in a Hamilton home needed a search warrant to obtain hydro records from a local utility company. The landmark decision sends a clear message to law enforcement agencies and hydro companies, says Toronto cannabis lawyer Paul Lewin. Despite the fact the court did not exclude the marijuana and cash seized — so the convictions for possession for the purpose of trafficking and possession of proceeds of crime were upheld — the case is nonetheless a positive development for cannabis growers and privacy advocates, Lewin said. The province’s high court rejected the Crown argument that the appellants did not have a reasonable expectation of privacy in the data. “The examination and use of the data by the police was not authorized by law, and therefore could not be reasonable within the meaning of s. 8 of the Charter,” Justice David Doherty, writing on behalf of the panel, wrote in a decision released Aug. 11. “The appellants’ right to be free from unreasonable search and seizure was breached.” [Toronto Star]

CA – BC OIPC Launches Probe into Translink Data-Sharing with Police

BC’s information and privacy office will investigate TransLink’s disclosure of rider data after a Tyee story revealed the transportation authority is increasingly sharing users’ personal information with law enforcement agencies. “In light of reports that TransLink shared its riders’ Compass fare card information with law enforcement agencies, I launched an investigation into the transportation authority’s collection, use, and disclosure of its ridership’s personal information,” said Acting Information and Privacy Commissioner Drew McArthur in a statement. Documents obtained through freedom of information by The Tyee’s Bryan Carney showed [see here] that the Metro Vancouver transportation authority is routinely providing police personal information of transit users — including where they travelled — without warrants or notification to individuals. The documents show TransLink has received 132 requests from law enforcement agencies for information on transit users so far in 2017, and granted 82 requests. If the rate continues for the full year, the number of requests granted will have jumped 30% over 2016. [The Tyee | See also: TransLink Should Review Policy on Info Sharing with Police, Says Privacy Advocate | TransLink Increasingly Sharing Riders’ Personal Information, Travel With Police | Metrolinx is reviewing its privacy policy, and you’ll have a chance to weigh in | Metrolinx to review Presto privacy policy | Metrolinx has been quietly sharing Presto users’ information with police | Presto tracking a privacy issue | Regina, Saskatoon Transit have provided police with transit card information in investigations | Winnipeg Transit gave Peggo card travel history to police without warrants | Vancouver transit’s Compass card system poses privacy concerns]

CA – Agreement Needed for RNC to Access MRD Database: Privacy Commissioner

NL Information and Privacy Commissioner Donovan Molloy is recommending that the Royal Newfoundland Constabulary (RNC) be barred from access to the Motor Vehicle Registration database if an Information Sharing Agreement is not put in place between the two parties. Service NL’s Motor Registration Division (MRD) handles a huge amount of information and the Privacy Commissioner conducted an audit to ensure that third parties with access to the database are protecting the privacy of those individuals. [See PR here & IPC Report here] [VOCM News]


US – Advice from DEF CON’s Voting Village

Def Con attendees were given the opportunity to hack decommissioned electronic voting machines. They found numerous security holes, particularly in systems that do not provide paper trails. Municipalities and states would be well-advised to start addressing voting security issues as soon as possible. Recommendations include retiring outdated machines; securing voter registration systems and databases; requiring the use of risk-limiting audits where electronic voting machines are used; changing rules for voting systems’ procurement and maintenance; and training election officials in the use of cryptographic keys. [Wired]

Electronic Records

WW – Can Ethereum Blockchain Solve the Social Media Privacy Problem?

Most would agree that the top drawbacks to social media are the loss of personal privacy, data protection and ownership of information. However, the ‘centralized’ control model of social media might be a thing of the past, thanks to the next-generation ‘decentralized’ models of social media, based on blockchain technology. One such project is ‘Indorse’—a reward-based decentralized professional network on the Ethereum blockchain. Indorse uses a LinkedIn-style professional networking model, wherein members retain the ownership of data while earning rewards for sharing their professional skills and using the platform. In its White Paper, Indorse highlights: “To be clear, we are not against advertising, and we are most certainly not against social media. However, we are against the centralization of social media. We believe the solution is a new model of social networks—a decentralized one that places ownership of information back in the hands of the members.” The project Indorse will create a parallel decentralized version of a professional networking platform. Like Indorse, other such projects are together building a decentralized world. Together, decentralized platforms and tokenization are emerging in a big way and, if the trend continues, a more regulatory and legal angle will get attached to it over time. [Investopedia | Also See: Will blockchain be the saviour of cybersecurity? | Block Chain Market: Demand for Improved Privacy of Patient Data to Steer Growth | The big business revolution: why the future is blockchain | US Government Funds Blockchain Key Management Tool With $794k Grant | How Blockchain Can Improve The Health Information Exchange | Encrypgen Uses Blockchain to Usher in New Era of Genetic Privacy | The Present Use and Promise of Blockchain in Insurance | Blockchain and healthcare privacy laws just don’t mix | Google’s DeepMind plots healthcare data auditing system secured by blockchain | Why Data Security is Critical with Healthcare Blockchain | A Complete Beginner’s Guide To Blockchain | Blockchain’s brilliant approach to cybersecurity | Legal implications of expanded use of blockchain technology | Blockchain Healthcare Conference Showcases Skepticism and Promise | IEEE Launches World’s First Virtual Blockchain Workshop Dedicated to Advancing HealthTech for Humanity | Hyperledger Plans Blockchain Healthcare Group | Healthcare blockchain ideas swirl at government conference]


US – How NIST Digital Authentication Guidelines Could Help Health Care

In June, the National Institute of Standards and Technology released a new version of its digital identity guidelines designed to help federal agencies seeking to create a secure authentication process, but it could help the health care industry as well. Phishing, social engineering, and lost or stolen items are among the risks organizations face when attempting to secure their authorization process. NIST suggests several ways to mitigate those threats, including extending training for subscribers, implementing system and network security controls, and installing multiple steps to access a system. [HealthITSecurity]

WW – Microsoft Unveils Blockchain-Enhancing Framework

Microsoft has released a technical whitepaper on a framework designed to improve the performance, and privacy, of blockchain. The Coco Framework is expected to be made available on GitHub in 2018 as an open-source project, where it will help strengthen several blockchain ledgers. Coco currently supports 10 different ledgers. “We think blockchain will transform pretty much every industry,” said Azure Chief Technology Officer Mark Russinovich. “We’re working with customers and partners to make it easier for them to play with.” [ZDNet]

EU Developments

EU – General News

  • European Data Protection Supervisor Giovanni Buttarelli said the EU-U.S. Privacy Shield agreement is “an interim instrument for the short term. Something more robust needs to be conceived.” [More]
  • A new U.K. Data Protection Bill would make it easier for people to access personal data held by an organization, withdraw consent for processing and request deletion of data, and would give regulators increased fining powers. [Sky News]
  • Ireland’s Data Protection Commissioner has released guidance on the appropriate qualifications for a data protection officer. [More]
  • Russian President Vladimir Putin has signed a pair of bills prohibiting the use of virtual private networks and eliminating the anonymous use of instant messaging services. [Radio Free Europe]


CA – Third Parties Cannot Determine If Request is Frivolous or Vexatious

The Ontario Information and Privacy Commissioner reviewed an appeal by General Motors Canada regarding the Ministry of Economic Development, Employment and Infrastructure’s decision to disclose public records, pursuant to the Freedom of Information and Protection of Privacy Act. Frivolous or vexatious discretion is not intended to be available to outside parties objecting to disclosure of records that would otherwise be subject to disclosure simply because of the requester’s motives or nature of the request; the identity of the requester is generally not relevant to the decision-making process of a public body. [IPC ON – Order PO-3738-I – Ministry of Economic Development Employment and Infrastructure]


US – Genetic Testing Back on Radar for Parents

After a federal bill protecting patients from genetic discrimination passed in the spring, familiar faces began to appear at Dr. Ronald Cohn’s door. Cohn is the pediatrician-in-chief for SickKids Hospital, and over the last few months, he’s been fielding new conversations with parents of young patients, who’ve previously sat down with him to discuss genetic testing. The tests could be recommended for any number of reasons, whether to find the most effective treatment for a known condition or to diagnose a mystery slate of symptoms their child was living through. But, prior to March this year, the results of that test weren’t legally protected from discrimination, discouraging some parents from giving their consent. After the Genetic Non-Discrimination Act, or Bill S-201 [see here], passed in March — ensuring no person can be required to undergo genetic testing or disclose previous results — many of those parents are re-appearing at Cohn’s door. [The Star | See also: New genetic non-discrimination law will promote privacy and human rights in Canada | Canada expands protection of individual rights with new legislation on genetic testing and privacy | Genetic privacy bill to go to Supreme Court | Canada Passes Legislation Protecting Genetic Information | Canada’s new genetic privacy law is causing huge headaches for Justin Trudeau | Genetic non-discrimination bill unconstitutional: Trudeau | Liberal backbenchers defy cabinet wishes and vote to enact genetic discrimination law | Does this genetic testing bill threaten the insurance industry? | Life insurers’ new genetic test policy called an 11th-hour stalling attempt | Canadian insurance industry pens rules on use of genetic test results | Genetic discrimination private member’s bill pits Grit backbenchers against cabinet | Canada: Genetic Discrimination And Canadian Law | Genetic testing bill perpetuates myths and fears]

US – Researchers Show How Encryption Could Protect DNA

Researchers at Stanford have published a study showing how to apply “genome cloaking” to DNA samples so that 97% of a participant’s unique genetic information remains hidden from anyone other than the DNA owner during analysis. The process reportedly includes using an algorithm to encrypt their DNA while uploading it to a cloud where researchers are then able to analyze the specific point they are examining. Researchers say that this will help address the 2008 Genetic Information and Nondiscrimination Act, which is reported to have significant loopholes and raises concerns over DNA discrimination. Gill Bejerano, one of the researchers, said, “Now we can perform powerful genetic analyses while also completely protecting our participants’ privacy.” [Gizmodo]

Health / Medical

US – Federal Court Says Your Prescription Records Aren’t Really Private

When you fill a prescription at your local drug store, you would surely bristle at someone behind you peeking over your shoulder — but in a [recent] decision [also see here], a federal court in Utah said that you have no Fourth Amendment right to object when the peeker is the U.S. government. In a case challenging the Drug Enforcement Administration’s warrantless access to patient prescription records stored in a secure state database, the court relied in part on an outdated legal doctrine to rule that a “patient in Utah decides to trust a prescribing physician with health information to facilitate a diagnosis,” and thereby “takes the risk that his or her information will be conveyed to the government.” That’s hard to swallow — and it helps make very clear the huge stakes of our upcoming Supreme Court argument in United States v. Carpenter, which concerns the role of the so-called “third-party doctrine” in opening up all kinds of sensitive records to warrantless searches by police. [ACLU | See also: Police are now tracking your prescription drugs | With executive order, Missouri becomes last state to start drug database | Federal judge orders Utah to turn over prescription drug database to DEA | Police access to prescription drug monitoring database draws privacy concern in opioid crisis | ACLU fights against warrantless searches of drug database | DEA Wants Inside Your Medical Records to Fight the War on Drugs | Feds accessing medical records without warrants]

US – Recording Medical Visits Could Be a Growing Trend

Recording medical visits is a growing practice and can be used as a tool to help patients remember important details. Describing the difficulty patients face when trying to remember details of the visit and interpret complex medical language, researchers point to how recording conversations is a practice they would like to see embraced. Only 11 states reportedly need both parties’ consent to record, and in 39 states, plus the District of Columbia, only one party’s consent is necessary under wiretapping or eavesdropping laws. Some physicians, however, have expressed concerns the recordings could find their way into malpractice cases. It also raises questions about who owns the data. [Hong Kong]

Horror Stories

US – Data Breach Exposes Sensitive Info of 1.8M Illinois Voters

A data breach has exposed the sensitive information of 1.8 million Illinois citizens. Cyber resilience firm UpGuard found an Amazon Web Services device controlled by leading voting machine supplier Election Systems & Software. The device was not protected by a password and compromised information included citizens’ names, addresses, dates of birth, partial Social Security numbers, party affiliations and, in some cases, driver’s license and state ID numbers. [Gizmodo]

US – Anonymous Affiliate Releases PII of 22 GOP Lawmakers

A group affiliated with online activist group Anonymous has published what it claims to be the private cellphone numbers and email addresses for 22 Republican members of Congress. In a move that marked the end of nearly two years of silence, the release is believed to be part of a bid to push for the impeachment of U.S. President Donald Trump. Rob Pfeiffer, chief editor of The Anon Journal, said the release was spurred by Trump’s reaction to the violent clashes in Charlottesville. [The Washington Post]

US – Vancouver Pot Dispensary Patient Data Breach Highlights Regulatory Haze

Sensitive patient data supplied to a Vancouver cannabis dispensary has been either mishandled or — according to the shop’s owner — stolen, a situation again highlighting the cloud of confusion over the regulation of retail pot. A tipster found a computer memory card in a Vancouver alley, containing more than 1,000 photos of people taken inside a west-side dispensary, as well as digital copies of private medical documents. Postmedia reviewed and confirmed the contents of the memory card, but is not identifying the dispensary, because it was not immediately possible to confirm how the disk was obtained. The tipster who provided the disk said he was unsure if it ended up in the alley due to negligence or “some criminal act that led to the memory card being stolen or otherwise taken from the dispensary.”  [Vancouver Sun]

Identity Issues

UK – New Law Could Criminalise Uncovering Personal Data Abuses, Advocate Warns

The new UK data protection bill [see here & here] will contain a clause making it a criminal offence to “intentionally or recklessly re-identify individuals from anonymised or pseudonymised data”. The maximum penalty under the new law would be an unlimited fine. Lukasz Olejnik [see here], a Princeton cybersecurity and privacy researcher, warns that the government’s proposed data protection bill may criminalise the research that highlights these problems, while doing nothing to stop the spread and release of poorly anonymised data. Olejnik said: “It’s a justified risk. Security and privacy research requires assessing system strength, including trying to break de-identification and anonymisation systems. This can be done by demonstrating re-identification. When faced with ‘unlimited fines’ and unspecified provisions, I cannot imagine anyone risking conducting research for public good.” A similar proposal in Australia also led to concerns from security researchers there. Melbourne University researchers argued that a ban on re-identification “could inhibit open investigation, which could mean that fewer Australian security researchers find problems and notify the government”. As a result, “criminals and foreign spy agencies will be more likely to find them first”, they wrote. The UK data protection bill will not be published in full until the end of the summer recess, and is expected to be voted on in the current parliamentary term. [The Guardian | Also See: The new UK Data Protection Bill will criminalise failures under GDPR | Re-identifying folks from anonymised data will be a crime in the UK | NZ privacy commissioner recommends Australia’s data re-identification criminalisation lead | Data re-identification criminalisation law should be passed: Senate committee | Brandis flags Privacy Act changes to protect anonymised data | Brandis to criminalise re-identifying anonymous data under Privacy Act | Research work could be criminalised under George Brandis data changes]

AU – Australia Adds Personal Identifiers on Postal Vote

The Australian Bureau of Statistics’ decision to include personal identifiers on ballot papers for a same-sex marriage postal vote next month has raised concerns over the separation of voter identity and vote cast. Monique Mann, co-chair of the surveillance committee of the Australian Privacy Foundation, warns, “There is a real potential for a chilling effect — if people believe that their vote in the survey is not secret, that may influence the way they choose to vote, or indeed if they vote at all.” The ABS maintains that survey responses would be “anonymous and protected under the secrecy provisions” of the Census and Statistics Act, and the measure is reported to help protect against fraud and multiple voting. [Guardian]

AU – Australian Government Reports on Metadata Requests and Use

The annual Attorney General’s Department report on the operation of the Telecommunications (Interception and Access) Act saw 325,807 requests made to access metadata in the 2015–16 period, a slight reduction in the number of requests compared to the previous year. A 2015 law required Australia’s telephone and internet service providers to maintain customer metadata, including a variety of customer details, which the Australian government can access without a warrant. Thanks to a mutual assistance treaty signed with China, it is also reported that Australia provided the Chinese government with “documents, records and articles of evidence” in relation to criminal activity. A spokesperson for Attorney General George Brandis assured that their cooperation with foreign governments is “subject to safeguards to ensure compliance with our international human rights obligations.” [BuzzFeed News]

WW – New Coalition Aims to Educate on Data Sanitization

A group of stakeholders has launched the International Data Sanitization Consortium to encourage IT professionals to follow best practices around destroying and deleting old data. “I am astounded by how little is known and understood about data sanitization,” Blancco Chief Strategy Officer Richard Stiennon said. “The vast majority of organizations today aren’t undertaking the necessary steps to implement a data sanitization process and are leaving themselves vulnerable to a potential data breach,” he said, adding, “This is both disappointing and alarming — and something we at the IDSC hope to change through ongoing education and guidance.” [Healthcare IT News]

Internet / WWW

UK – British Library’s Internet Archives Exempt from New UK Privacy Law

The internet archives maintained by the British Library will be exempt from recently introduced privacy legislation designed to expand the “right to be forgotten.” The law will align the U.K. with the EU GDPR, but the new rules offer exceptions for information, including the British Library’s archives and medical records collected by the National Health Service. While the British Library is “pleased” with the exemption, it said the government has not explained the way the exclusion will work in practice. “We are in ongoing dialogue with the Data Protection Bill team to ensure that possible risks to the activities of the British Library and similar institutions can be appropriately managed,” the library said in a statement. [Bloomberg Technology]

Law Enforcement

CA – New RCMP Dashcams Coming After Previous Ones Discontinued

The Saskatchewan RCMP said an in-car video system was discontinued in favor of a pilot project with new dashcam technology that began in May 2017. It expects to go provincewide with the in-car digital video systems once the pilot wraps at the end of August. Some citizens have expressed concerns about not knowing if they’re being recorded. Some research has suggested the cameras can create an over-reliance on video and a reduction in attention to detail. Recording can add up, and needs to be clarified in policy because of cost as well as transparency. People will question the circumstances in which a camera was turned on and off. There are also questions around privacy, regarding who has access to the video and when it can be used in the future. [CBC]

US – Police Body Camera Company Stoking Privacy Concerns

After high-profile police killings and clashes with protesters over the past several years, civil rights advocates have pressed law enforcement officers to wear body cameras, so that there would be an indisputable video record of any police confrontation. Some police departments have been reluctant to adopt the technology. But now, one of the major camera companies is offering police a free trial to use its technology in a move that raises both civil liberties and budgetary questions for communities across America. In April, Axon [formerly Taser International see here] unveiled an offer for police departments to try its body cameras for free for one year. That offer helps Axon get its cameras into more police departments, knowing that the company stands to make huge profits not from the sale of cameras but rather from its attendant cloud video storage platform, www.Evidence.com. The video footage collected by its cameras is helping Axon build out its artificial intelligence business, which requires massive amounts of data to train computers to operate autonomously and in unprecedented ways that could vastly expand police surveillance and targeting. By giving the cameras to police departments, Axon is able to collect even more of the data it needs, in effect using the enticement of a free trial offer to build out its video analytics and computer vision business — all on the backs (or rather, torsos) of local police departments. As part of its quarterly earnings report, Axon disclosed that it has received inquiries about its free trial from more than 1,500 law enforcement agencies. With computer vision capabilities, Axon body cameras could be used to identify persons of interest through recorded video — turning a tool for police accountability into a new surveillance mechanism. Machine learning could enable Axon’s software to train itself on patterns of movement it deems “suspicious” and generate new lists of suspects for police to investigate. 
To begin, however, Axon will most likely use its AI capabilities for the less-alarming tasks of redacting videos and generating reports. On last week’s earnings call, Smith said those features could roll out as soon as the end of this year. Axon’s willingness to take a loss on camera sales can be explained by its short-term profitability off of cloud storage and its long-term vision to turn itself into a software company specializing in computer vision for law enforcement. But that development raises significant privacy concerns for Axon’s technology to be used in surveillance and predictive policing. [International Business Times | TASER’s Free Body Cams Are Building a Massive Police A.I. | Real-Time Face Recognition Threatens to Turn Cops’ Body Cameras Into Surveillance Machines]


US – Absent Warrant, Police Could Monitor Anyone Via Location Data: ACLU

Lawyers have filed their opening brief at the Supreme Court in one of the most important digital privacy cases in recent years. Carpenter v. United States [also see here] asks a simple question: is it OK for police to seize and search 127 days of cell-site location information (CSLI) without a warrant? Previously, lower courts have said that such practices are compatible with current law. But the fact that the Supreme Court agreed to hear the case suggests that at least four justices feel that perhaps the law should be changed. Carpenter’s attorneys, many of whom are from the ACLU, argue in their filing [August 7; see here] that the current legal standard gives the government too much leeway. They write: “the government could use this tool to monitor the minute-by-minute whereabouts of anyone—from ordinary citizens to prominent businesspersons to leaders of social movements.” Previously, the Supreme Court found that there is no privacy interest in “business records” disclosed to a company—like location data, for instance—under the so-called “third-party doctrine.” [ArsTechnica | See also: Digital Privacy to Come Under Supreme Court’s Scrutiny | Third party rights and the Carpenter cell-site case | How should an originalist rule in the Fourth Amendment cell-site case? | Carpenters, Carriers, and Cell-Sites (Oh My!): SCOTUS to Hear Mobile Locational Privacy Case | ‘Carpenter v. United States,’ the Fourth Amendment historical cell-site case | Justices to tackle cellphone data case next term (more details) | U.S. Supreme Court to Consider Whether the Fourth Amendment Protects Cell-Location Data | U.S. Supreme Court to settle major cellphone privacy case]

Online Privacy

CA – Police Investigating Toronto “Snitches” Website

The man who set up a website that reveals the age, identity and home address of purported “snitches” or police informants across the GTA says he only targets non-violent “career” criminals and does not advocate violence or vigilantism against them. Adam Louie says he set up the website, “Golden Snitches,” [see here] in order to protect people from becoming ensnared by known police informants who he says are themselves involved in criminal activity. Louie says when someone submits a profile to be posted, he speaks to them, speaks to people possibly incarcerated as a result of the allegation, as well as their lawyers. He said some have threatened to commence legal action against him, but none have actually followed through to date. A Toronto police spokesperson said the service is aware of the website. “I can’t comment on its legitimacy but there is an ongoing investigation and we are aware of its existence.” Louie said the site represents a public service and is not meant to bring harm to anyone. [CP24]

WW – Can You Trust Cheap Chinese Phones with Your Privacy?

Should you trust a low-priced Android phone from a brand you’ve never heard of with your security and privacy? It might not be such a wise idea. Many low-priced Android smartphones have had security and privacy problems. In late July, Russian antivirus firm Dr.Web reported that models sold under the Leagoo and Nomu names had a malicious program built right into the firmware. Then, just last week, Amazon suspended sales of phones marketed by BLU after researchers reported that snooping adware was built into the devices. (By Friday, Amazon was selling the phones again.) The upshot is this: You should really think twice before buying an Android phone from an unfamiliar manufacturer. Be wary of any smartphone that costs less than $100 unlocked. If a smartphone doesn’t cost much, and doesn’t make you watch ads, then you have to wonder how else the company makes money. [Tom’s Guide]

US – Facebook to Protect the Privacy of Deceased Users

Although Facebook admits that it may not have all the answers when it comes to the death of a user, it is taking steps to ensure privacy and enhance empathy after a user passes away. By designating a “Legacy Contact,” Facebook allows a contact of the user’s choosing to have access to the periphery of the deceased’s account and grants them the ability to delete the account or designate it as a memorialized profile. The Legacy Contact, however, will not be able to change or delete old posts or remove friends. Facebook Director of Global Policy Management also stated that no one will have access to conversations. “In a private conversation between two people, we assume that both people intended the messages to remain private.” [TechCrunch]

Other Jurisdictions

AU – Australia’s Data Retention Scheme Detailed in Report

A recent report shows that Australian telecommunications companies are left with an AU$70 million gap to cover the cost of ensuring data-retention obligations. Under regulations passed in March 2015, telecommunications carriers “must store customer call records, location information, IP addresses, billing information, and other data for two years, accessible without a warrant by law-enforcement agencies.” From 2015 to 2016, the report states that 63 enforcement agencies made 333,980 authorizations for retained data, of which 326,373 were related to criminal law. Most requests reportedly stem from illicit drug offenses, followed by miscellaneous, homicide, robbery, fraud, theft and abduction. [ZDNet]

Privacy (US)

US – Google Must Turn Over Data Stored Abroad Sought Under U.S. Warrant

Alphabet Inc.’s Google has lost a bid to overturn a magistrate judge’s order forcing the company to turn over Gmail data stored abroad in response to a federal warrant (In re Google Inc., N.D. Cal., No. 16-mc-08263, review denied 8/14/17). [See Amicus Brief from Microsoft, Amazon, Apple & Cisco here] Judge Richard Seeborg of the U.S. District Court for the Northern District of California Aug. 14 upheld [also see here] a magistrate judge’s order denying Google’s motion to quash the warrant. Google must turn over all content that is “accessible, searchable, and retrievable from the” U.S. pursuant to the lawful warrant under the Stored Communications Act (SCA) [see here], Seeborg said. The SCA warrant, served on U.S.-based Google, was a “domestic application of the statute” because the data is “easily and lawfully” accessed and disclosed in the U.S., he said. Also, the “conduct relevant” to the warrant occurred in the U.S., he said. Google fought to quash the warrant and overturn the magistrate judge’s opinion because it believed that the SCA warrant was applied beyond U.S. borders in violation of the statute and turning over the data would flout user privacy interests. The U.S. Court of Appeals for the Second Circuit’s ruling in Microsoft v. United States that Microsoft need not turn over emails stored in Ireland to law enforcement because the SCA warrant didn’t reach data stored in overseas data centers isn’t being followed by district courts. The U.S. Department of Justice June 23 asked the U.S. Supreme Court to review the Microsoft decision. The justices haven’t issued a decision on the request. Seeborg reached this decision in part because Google moves data around from one location to another automatically for business optimization purposes. Google’s algorithmic-based storage may be the reason why the case differs from the Second Circuit’s Microsoft case. Timothy Newman, privacy and cybersecurity associate at Haynes & Boone LLP in Dallas, said that courts are having “an easier time enforcing these warrants when the location of the data is determined by an algorithm and not based on user-specified location.” [BNA.com | See also: Apple, Amazon, and Microsoft are helping Google fight an order to hand over foreign emails | SF Judge Hands Google Another Loss on Foreign-Stored Data | US judge orders Google to hand over data to the FBI from overseas emails | Judge Breaks Precedent, Orders Google to Give Foreign Emails to FBI | Google must turn over foreign-stored emails pursuant to a warrant, court rules | Microsoft’s cloud privacy battle may go to US Supreme Court | Court Declines to Reconsider Microsoft Email Seizure Ruling | Court Keeps Microsoft’s Irish Servers Safe From U.S. | US government wants Microsoft ‘Irish email’ case reopened | Lawmakers question DOJ’s appeal of Microsoft Irish data case | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Government Seeks Do-Over On Win For Microsoft And Its Overseas Data]

US – EFF’s Court Brief Urges Warrants for E-Device Searches at Borders

The EFF has filed a court brief [in the appeal of “United States v. Molina-Isidoro” – see here] pressing for warrants to be required for searches of mobile phones, laptops and other digital devices by federal agents at international airports and U.S. land borders — describing these as “highly intrusive forays into travelers’ private information”. [See EFF PR here] [Also see news coverage here & here & here] Such searches are currently allowed under an exception to the Fourth Amendment for routine immigration and customs enforcement. However, the EFF says digital device searches at the U.S. border have more than doubled since the inauguration of President Trump. In July, the U.S. Customs and Border Protection agency also clarified that its policy allowing warrantless border searches is restricted to locally stored data — meaning cloud services cannot be legally searched without a warrant. However, the average device owner still likely holds a lot of data on their devices, from documents, to offline email to smartphone photos and videos. The EFF notes that border agents opened the defendant’s Uber and WhatsApp apps when they searched her device — implying that cloud data may have been accessed as part of the search. “There is no indication that border agents put her phone in airplane mode or otherwise disconnected it from the Internet when they accessed these apps,” the filing states. The document also refers to the Supreme Court holding that police require a warrant to search the content of a phone seized during an arrest — with the EFF arguing the same principle should apply to the digital devices seized at the border. [TechCrunch | Also See: Cellphone Privacy: Homeland Security Chief Acknowledges Searches of U.S. Citizens’ | Lawyers demand answers after artist forced to unlock his phone | Lawmakers Move To Stop Warrantless Cellphone Searches at the U.S. Border | Lawsuit Seeks Transparency as Searches of Cellphones and Laptops Skyrocket at Borders | Digital Privacy at the U.S Border: A New How-To Guide from EFF | Border agents could be forced to get a warrant before searching devices | Wyden objects to DHS password collection plan | Sen. Wyden Calls for Warrants for Tech Searches on the Border | Wyden to Introduce Legislation Limiting Phone Searches at Border | A US-born NASA scientist was detained at the border until he unlocked his phone | Your Privacy Doesn’t Matter at the Border]

US – DoJ Warrant for Data on ALL Visitors to Anti-Trump Site Sparking Fight

The Justice Department is trying to force an internet hosting company to turn over information about everyone who visited a website used to organize protests during President Trump’s inauguration. [Also see here, here and here] Federal investigators last month persuaded a judge to issue a search warrant to the company, Dreamhost, demanding that it turn over data identifying all the computers that visited its customer’s website and what each visitor viewed or uploaded. Over 1.3 million requests were made to view pages on the website in the six days after inauguration alone. Dreamhost is fighting the warrant as unconstitutionally broad. “In essence, the search warrant not only aims to identify the political dissidents of the current administration, but attempts to identify and understand what content each of these dissidents viewed on the website,” two lawyers for Dreamhost wrote in a court motion opposing the demand. The government’s filing declared that Dreamhost “has no legal basis for failing to produce materials in response to the court’s search warrant.” The fight, which came to light on Monday when Dreamhost published a blog post entitled “We Fight For the Users,” centers on a search warrant for information about a website, disruptj20.org, which served as a clearinghouse for activists seeking to mobilize resistance to Mr. Trump’s inauguration on Jan. 20. Judge Leibovitz had set a hearing for Friday August 18. But late Tuesday, William Miller, a spokesman for the U.S. attorney’s office, said the court was rescheduling it to a later date, which was not yet set. [The New York Times | In J20 Investigation, DOJ Overreaches Again. And Gets Taken to Court Again. | A closer look at DOJ’s warrant to collect website records]

US – Lawsuit Over False Online Data Revived After U.S. Top Court Review

A federal appeals court revived a California man’s lawsuit accusing Spokeo Inc of publishing an online profile about him that was filled with mistakes. The 9th U.S. Circuit Court of Appeals ruled 3-0 [see here] in favor of Thomas Robins, 15 months after the U.S. Supreme Court asked [see here] it to more closely assess whether he suffered the “concrete and particularized” injury needed to justify a lawsuit. The SCOTUS case was significant because Robins tried to pursue a class action, which if successful could expose Facebook Inc, Alphabet Inc’s Google and other online data providers to mass claims in similar lawsuits. In the decision, Circuit Judge Diarmuid O’Scannlain said “it does not take much imagination” to surmise how Robins could have suffered real harm, given the importance of consumer reports to getting jobs, obtaining loans and buying homes. Spokeo said it will vigorously defend itself in court, and it believes the need to show individualized inaccuracies will make it “very difficult” to win class certification. [Reuters]

US – DreamHost to Fight US DoJ Over 1.3m IP Addresses of Anti-Trump Site Visitors

Efforts by US prosecutors to identify up to 1.3 million people who accessed an anti-Trump protest website are unconstitutional, a court will hear this week. Lawyers for DreamHost, which hosts disruptj20.org, will argue in a Washington DC courtroom that the demand for visitor records from the website breaks both the First and Fourth Amendments on free speech and unreasonable search. Last month, the US Department of Justice demanded DreamHost hand over 1.3 million IP addresses of visitors, as well as any contact information, submitted comments, emails and uploaded photos. It refused. In its legal filing to the court, DreamHost uses several touchstone cases to argue that the demand is counter to American laws and traditions. The warrant violates the Fourth Amendment, DreamHost argues, referencing several legal precedents about protected speech and the fact that “concerns about privacy are especially critical when people engage in aspects of speech and association during political campaigns.” It also points to cases involving Amazon and Microsoft in which the open-ended nature of the request for all information on all visitors without any date restriction was ruled unconstitutional. The broad nature lacks the “specificity” required. The company also argues that the warrant violates the Privacy Protection Act. It says it has reviewed much of the information requested and argues that it qualifies as either “work product” or “documentary material” and so benefits from additional legal protections. [The Register | Justice Dept. Demands Data on Visitors to Anti-Trump Website, Sparking Fight | In J20 Investigation, DOJ Overreaches Again. And Gets Taken to Court Again. | A closer look at DOJ’s warrant to collect website records]

US – CDT Urges FTC to Investigate VPN Provider Over Deceptive Practices

The Center for Democracy & Technology is urging the FTC to investigate claims made by virtual private network provider Hotspot Shield. In its 14-page filing, the CDT alleges the company violates its “anonymous browsing” claims by “intercepting and redirecting web traffic to partner websites, including advertising companies.” David Gorodyansky, head of the service’s parent company, AnchorFree, said the company does not profit from its customers’ data. CDT disagrees. “Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing,” the CDT stated. [ZDNet | arstechnica | zdnet | cdt.org]

US – Uber Agrees to 20 Years of Privacy Audits to Settle FTC Data Mishandling Probe

The legacy of Travis Kalanick’s fast and loose management style at Uber continues to serve up fresh embarrassments for the embattled, still CEO-less company. The ride-hailing giant has settled a FTC investigation into data mishandling, privacy and security complaints that date back to 2014 and 2015 – ostensibly agreeing with the FTC’s complaint that it misrepresented its practices to consumers. [Also see here] The FTC said Uber has agreed to put in place a comprehensive privacy program, including undergoing regular independent privacy audits. [See FTC PR here] The FTC’s order extends for a period as long as 20 years. In its complaint docket the FTC cites news reports in 2014 of Uber’s so-called ‘God view’ real-time interface that had apparently allowed its employees to spy on users’ rides, and Uber’s response at the time — when it claimed to have “a strict policy prohibiting all employees at every level from accessing a rider or driver’s data”, and to be “closely” monitoring and auditing this policy. In its decision and order docket, the FTC orders a prohibition against “misrepresentations” by Uber pertaining to how it monitors or audits internal access to consumers’ personal information; and to the extent to which it protects the privacy, confidentiality, security, or integrity of any personal information it handles and stores. In a statement responding to the FTC’s order, an Uber spokesperson told us: “We are pleased to bring the FTC’s investigation to a close. The complaint involved practices that date as far back as 2014. We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs. In 2015, we hired our first Chief Security Officer and now employ hundreds of trained professionals dedicated to protecting user information. This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information.” [Mobile Trend]

US – Judge Says LinkedIn Cannot Block Startup from Public Profile Data

U.S. District Judge Edward Chen in San Francisco ruled [see here] that Microsoft Corp’s LinkedIn unit cannot prevent a startup from accessing public profile data [see LinkedIn C&D letter here], in a test of how much control a social media site can wield over information its users have deemed to be public. Judge Chen granted a preliminary injunction request [see here] brought by hiQ Labs, and ordered LinkedIn to remove within 24 hours any technology preventing hiQ from accessing public profiles. [For all related court docs see here] The case is considered to have implications beyond LinkedIn and hiQ Labs and could dictate just how much control companies have over publicly available data that is hosted on their services. [For additional news see here, here & here & for background see here] HiQ Labs uses the LinkedIn data to build algorithms capable of predicting employee behaviors, such as when they might quit. LinkedIn plans to challenge the decision, a company spokeswoman said. [Reuters]

US – The FTC and FBI Are Shining the Spotlight on Your Kid’s Smart Toys

In June, the FTC announced that it had updated its COPPA compliance plan for businesses to make inescapably clear that internet-enabled toys and other “internet of things” (IoT) devices that collect personal information from children may be subject to COPPA. Shortly thereafter, the FBI issued a public service announcement warning parents that connected toys “could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.” The FTC’s formal pronouncement that COPPA applies to connected toys and other IoT devices may serve as a shot across the bow, and likely foreshadows enforcement activity with regard to connected toys. It is a safe bet that the FTC has been paying close attention to the privacy and security ramifications of smart toys and privacy issues with such devices. Whatever the FTC’s announcement may portend, it was moderate in tone by comparison to the FBI’s public service announcement. The FBI encouraged parents to “consider cybersecurity prior to introducing smart, interactive, internet-connected toys into their homes.” It alluded to the range of information that connected toys might collect, such as recordings of a child’s voice, physical location, internet use history, and IP addresses, and associate with account information, which could include the child’s name and address. The FBI urged parents to research connected toys before purchasing them to learn of any known security issues, to closely monitor children’s use of such toys, and to follow good security practices, such as ensuring that the toys are running updated firmware and that they are turned off when not in use. As for legal protections, the FBI noted that smart toys must comply with COPPA and Section 5 of the Federal Trade Commission Act. The FTC and FBI announcements reflect the growing attention of a variety of federal agencies to the security of consumer smart devices. [The Hill]

US – Disney Faces Children’s Privacy Class Claims Over Mobile App

The Walt Disney Co. allegedly allowed mobile gaming applications to collect and export children’s personal information to advertising partners without parental consent, according to a federal court complaint (Rushing v. Walt Disney, Co., N.D. Cal., 17-cv-4419, complaint filed 8/3/17). The case highlights legal questions surrounding the use of big data analytics to gain knowledge about app user activity. The practice leaves open the possibility that individual pieces of data can be aggregated with other information to identify individuals, exposing companies to potential liability for privacy violations. The plaintiffs, a parent and her child who used the Disney Princess Palace Pets mobile gaming app, alleged in an Aug. 3 complaint filed in the U.S. District Court for the Northern District of California that Disney’s user tracking system violates COPPA. [see here] The law requires websites and apps targeted at children to gain parental consent to collect and use the personal information of children under the age of 13. Stacey Gray, policy counsel at Future of Privacy Forum, said that the “lawsuit is very unusual because despite the way it is framed, in reality it is not a COPPA complaint.” COPPA doesn’t allow individuals to sue, leaving that power to the Federal Trade Commission and state attorneys general. The allegations in the complaint are based on multi-state common law intrusion upon seclusion and California constitutional right to privacy claims, Gray said. [BNA.com]

US – Tech Companies File Amici Brief in Support of Warrants for Cell Phone Data

More than a dozen US tech companies filed an amici brief with the US Supreme Court, voicing their support for strong privacy protections and requiring law enforcement to obtain warrants to access certain data from mobile phones. The brief says that law enforcement currently relies on outdated laws to obtain the warrants, which violate the Fourth Amendment. [wired | law.com | aclu.org]

Privacy Enhancing Technologies (PETs)

WW – New Apple Feature Will Disable Touch ID

Apple is expected to introduce a new feature in iOS 11 that will allow a user to disable the Touch ID by quickly pushing the power button five times. The move will signal an emergency SOS that can only be reversed after entering the passcode. The update comes as recent rulings have granted police the means to force users to unlock their phones using their fingerprints and follows a rise in controversies surrounding law enforcement requests for phone data. Passcodes are reportedly protected under the Fifth Amendment but fingerprints are not. [USA Today]


US – NIST Releases Revised Security and Privacy Controls

The National Institute of Standards and Technology has issued a draft revision of its Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. The revision was developed by a joint task force from the civil, defense and intelligence communities, the NIST news release states, and “represents an ongoing effort to produce a unified information security framework for the federal government.” NIST Fellow and Team Leader Ron Ross said the new revision “takes the guidance in new directions — we are crafting the next-generation catalog of controls that can also be applied to secure the internet of things.” It’s the first to really dive into the world of sensors and media collection devices like cameras, recorders and voice-activated controls that are embedded both in personal devices and smart systems like those used for traffic monitoring. This also marks the first time that privacy controls are embedded into the security section, rather than listed in an appendix. The structure of the outcome-based document is designed to guide users through the complex process of establishing controls governing the activity of systems and devices. NIST Senior Privacy Policy Advisor Naomi Lefkovitz said, “This revision covers the overlap in security and privacy for systems, as well as the ways in which they are distinct. It also enhances the ability for both professional teams to collaborate yet still maintain their respective authorities.” Comments are due on the draft Sept. 12, just 30 days after the initial release. NIST plans to do a final draft in October with another round of comments before the final version is released Dec. 29. [see NIST PR here | FCW.com | NIST | NextGov | NIST Releases Updated Cyber and Privacy Guidance Draft | Security and Privacy Controls for Information Systems and Organizations]

US – NIST Revamps Password Recommendations

The National Institute of Standards and Technology has revamped its advice for creating passwords. NIST released a new guideline for password creation, favoring long, easy-to-remember phrases over a mixture of capital letters, numbers and symbols. The original author of “NIST Special Publication 800-63. Appendix A,” Bill Burr, said he regrets advising internet patrons to create more complex passwords and telling users to change their passwords every 90 days. Burr said most people would only make minor changes to their passwords, while mixing different symbols and numbers made passwords difficult to use and remember. [The Wall Street Journal]

US – NIST Outlines Framework for Cybersecurity Training

In a statement [see here] Monday August 7, the National Institute of Standards and Technology [NIST] said it’s planning to upgrade a federal initiative on cybersecurity education and workforce training. NIST, which is responsible for developing a range of computer and network security specifications, said it wants to update the National Initiative for Cybersecurity Education [NICE], which is a government-industry created framework that aims to “promote a robust network and an ecosystem of cyber-security education, training, and workforce development.” [see 144 pg pdf NICE Framework here] The NICE framework addresses some of the most obvious but often overlooked steps involved in the creation of security teams, such as assessing workforce skills and identifying certification and training requirements. It also specifies tasks used in job descriptions, and ultimately seeks to match these tasks with people who possess the right knowledge, skills and abilities. One of the main aims of the NIST effort is to raise awareness of the need for a “ground-up” approach to cybersecurity strategies, in order to ward off evolving security threats such as ransomware. Another of NICE’s goals is to expand and institutionalize integrated and certified security teams that reflect recommended best practices. NIST added that it’s planning to host a conference to discuss its progress with NICE in Dayton, Ohio, this November. [Silicon Angle | Illinois mandates cybersecurity training for state employees]

US – EFF Claims Captive Portals Provide ‘Illusion of Security’

The Electronic Frontier Foundation explores the use of captive portals — a webpage users interact with before accessing public Wi-Fi — their associated security issues and best practices, in their latest Deeplinks blog post. The EFF argues that the process of signing in to a network, either by agreeing to the terms of service or by providing personal information to gain access, unnecessarily interferes with security rather than providing actual safeguards for the user. They claim, “The illusion of security that a login window may provide can lead users to inaccurately believe that wireless networks with captive portals are safer than those without.” The EFF goes on to say that moving away from the use of captive portals will help create more open and privacy-protective wireless access portals. [Deeplinks]

WW – Bad Android Messaging Apps

Some apps for sale in Android app stores have been found to contain malware known as SonicSpy, which can record calls, take pictures, make calls, send text messages, and monitor call logs and Wi-Fi access point information. SonicSpy is contained in messaging apps which do perform as advertised while surreptitiously stealing and monitoring users’ information. [Android app stores flooded with 1,000 spyware apps]

US – FTC Posts Fourth Blog in Its “Stick with Security” Series

On August 11, 2017, the FTC published the fourth blog post in its “Stick with Security” series. [See here] This week’s post, entitled Stick with Security: Require secure passwords and authentication, examines five effective security measures companies can take to safeguard their computer networks. The practical guidance aims to make it more difficult for hackers to gain unauthorized access to networks. These security measures include: 1) Insisting on long, complex and unique passwords; 2) Storing passwords securely; 3) Guarding against brute force attacks; 4) Protecting sensitive accounts with more than just a password; and 5) Protecting against authentication bypass. [Hunton & Williams]

US – FTC Posts Third Blog in Its “Stick with Security” Series

On August 4, 2017, the FTC published the third blog post in its “Stick with Security” series. [See here]. This post, entitled “Stick with security: Control access to data sensibly,” notes that just as business owners lock doors to prevent physical access to business premises and shield company proprietary secrets from unauthorized eyes, they should exercise equal care with respect to access to sensitive customer and employee data. The post outlines two key security steps companies should take: 1) Restrict Access to Sensitive Data; and 2) Limit Administrative Access. The FTC’s next blog post, to be published Friday, August 11, will focus on secure passwords and authentication. [H&W Blog]

CA – Surrey Renters Revolt Over ‘Heavy-Handed’ Strata Fines, Surveillance

Some renters at Surrey’s d’Corize high rise have received thousands of dollars of tickets in a day from building managers for minor infractions, such as not compacting garbage, and for wearing improper footwear in the gym, and believe they’re being watched by surveillance cameras. The fines began after tenants noticed that surveillance cameras were installed throughout the building in recent months. In July, he said the number of tickets issued dramatically increased. However, the strata said that the sudden spike in fines was in response to a constant reoccurrence in offences, which led to health and safety concerns. A written statement from the strata said that the security system is partly meant “to meet statutory and regulatory requirements, including the enforcement of the bylaws and rules.” Many residents believe the strata is using video surveillance to justify the levied fines — a practice that goes against guidelines authorized by B.C.’s Office of the Information and Privacy Commissioner. According to the OIPC’s Privacy Guidelines for Strata Corporations and Strata Agents, “personal information obtained from video surveillance or key fob systems should not be used to justify levying fines” for minor bylaw infractions. “It’s much easier and less privacy invasive to educate people about what’s appropriate,” said OIPC acting information commissioner Drew McArthur. “That’s the way to approach that — not to put in surveillance cameras.” The OIPC has the power to order strata to remove cameras if they are in violation of residents’ privacy. A strata is also obliged to provide residents access to tape that contains their information, according to the OIPC. [CBC News | See also Report landlords who break privacy rules, urges BC agency]

US – Defense Counsel Journal’s Free Issue Covers Privacy Law Topics

The International Association of Defense Counsel (IADC) journal, Defense Counsel Journal (DCJ) [see here] will release two issues of its “Privacy Project V,” with the first coming out this summer and the second being released in the fall. In the issues, IADC members discuss a variety of legal privacy topics that are growing more important to the public on a global scale each year. Topics found in the free summer issue [see here] are designed to keep attorneys abreast on the new information and changing trends regarding privacy and related areas of law. Subjects covered in the issue include product liability laws related to the internet, metadata in litigation, data breach class actions, email evidence in litigation, among other topics. [Madison County Record]

Smart Cars / Cities / IoT

UK – UK Publishes Laws of Robotics for Self-Driving Cars

The UK has published a set of “Key principles of vehicle cyber security for connected and automated vehicles” [see here] outlining how auto-makers need to behave if they want computerised cars to hit Blighty’s byways and highways. [Also see here & here] The principles suggest all participants in the auto industry’s long supply chains must work together on security both in the design process and for years after vehicles hit the roads. The eight principles include: 1) Organisational security is owned, governed and promoted at board level; 2) Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain; 3) Organisations need product aftercare and incident response to ensure systems are secure over their lifetime; 4) All organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system; 5) Systems are designed using a defence-in-depth approach; 6) The security of all software is managed throughout its lifetime; 7) The storage and transmission of data is secure and can be controlled; and 8) The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail. Each principle has sub-principles and that’s where the detail gets interesting. Transport minister Lord Callanan’s announcement suggests the Principles will be included in future legislation governing self-driving cars on British tarmac. [Register]

WW – Report: Smart City Market Expected to Hit $775B by 2021

A report from BCC Research finds the smart city market is expected to hit $775 billion by 2021. The number of cities to incorporate smart technology is expected to rise to more than 600 over the next couple of years. The report states North America will dominate the global smart city market, raising their investments from $118.5 billion in 2016 to $244.5 billion in 2021. “This is a large and growing market. There are currently around 100 smart city projects, and we think in a short period of time that will expand to roughly 10–13% of medium to large cities. We see about 5,000 cities of that size and 600 will go to smart city technology in the fairly near term,” BCC Analyst Michael Sullivan said. [TechRepublic]

US – FPF Seeks Feedback on Seattle’s Smart City Risk Assessment

The Future of Privacy Forum is seeking public feedback on the proposed City of Seattle Open Data Risk Assessment. In its Open Data Policy, Seattle said data would be “open by preference” unless individual privacy is affected. To ensure a balance between open data and privacy is met, the city announced last year that it will perform annual risk assessments and “tasked FPF with creating and deploying an initial privacy risk assessment methodology for open data,” according to an FPF release. The comment period will be open until Oct. 2. [FPF]

US – FPF Releases Infographic on Microphone Use in IoT Devices

The Future of Privacy Forum has released an infographic, Microphones & the Internet of Things: Understanding Uses of Audio Sensors in Connected Devices, to educate users on the range of uses microphones have in different connected devices. The infographic highlights how microphones are used by displaying when microphones are activated, what kinds of data can be transmitted, and the current U.S. legal protections for connected devices. FPF Policy Counsel Stacey Gray explained that “Information networks and devices that make up the ‘Internet of Things’ promise great benefits for individuals and society.” Gray added, “However, if we do not have the right guiding principles or necessary privacy safeguards, consumers will lose trust in the evolving technologies.” [FPF]

WW – Google Glass EE Evades Privacy Questions 

Just about two years after Google spiked the original Glass [see here & here], the company is back with Glass Enterprise Edition, targeted towards factory employees and blue-collar specialists building machines big and small, using a precise set of instructions pulled up on the inside of the Glass’s smart lens. Google’s resurrection of Glass, with a few new work-specific alterations and improvements, has so far been hailed as a smart pivot for a device with extraordinary potential, but a misguided initial message. The first Glass was plagued by concerns the device was an unwanted intrusion into other people’s privacy. Users could potentially record people without their consent, even if a light on the front made it clear the camera was on. The pushback against “Glassholes” smeared whatever big improvements Glass conferred on the user’s life. But what about the new Glass EE? As a device marketed toward the workplace, has Google successfully freed it from the besmirchment of privacy questions that helped doom the original device? For Woodrow Hartzog, a digital privacy expert and assistant professor at Samford University, the answer to that question is mixed. He says questions still remain about how employers might use the data they collect through Glass EE devices on the factory floor, what Glass EE might do to employee morale in terms of autonomy and power employees have in the first place, the potential to turn Glass EE devices into tools for surveillance, whether Google may reverse course with the new model and begin implementing facial recognition technologies on Glass devices — and what that will mean for privacy concerns moving forward — and many others. The original Google Glass’s failure may have had more to do with the fact that consumers didn’t feel the practical benefits outweighed privacy concerns, rather than with absolute objections over privacy and digital security. Google may have found a solution to that concern with Glass EE, not through a rapid transformation of features that mitigate privacy concerns (Glass EE is more-or-less just a technical improvement of its predecessor) but by simply changing its messaging and promoting Glass as a workplace device. [Inverse]


US – Stingray Detection Apps Can Be Circumvented: Study

Researchers from Oxford University and the Technical University of Berlin tested five Android mobile apps that claim to be able to detect when the device connects to a cell-site simulator, or Stingray. While the apps were able to detect when service had been forcibly downgraded and when they received silent messages that are used for geolocation, the researchers were able to use other methods to evade detection and trick the devices into providing their information. [Those Free Stingray-Detector Apps? Yeah, Spies Could Outsmart Them | Those ‘stingray’ detector apps are basically useless, say researchers | Evaluating IMSI Catchers Detection Applications]

Telecom / TV

US – Anti-Robocall Law Survives First Amendment Challenge by Time Warner

Under the Telephone Consumer Protection Act [see here, amended in 2015 see here], you’re not liable for using an automated system to place calls or send texts to cellphones if you’re engaged in government debt collection. But if you’re trying to collect non-governmental overdue bills via the same automated system, you could be on the hook for millions of dollars in a TCPA class action. That distinction, according to a ruling [August 1, 2017, see here] by U.S. District Judge Paul Oetken of Manhattan in a TCPA class action against Time Warner [also see here & here], means that the TCPA is subject to the most stringent form of review under the First Amendment as per the U.S. Supreme Court’s 2015 decision in Reed v. Town of Gilbert, which held that strict scrutiny applies to content-based regulations on speech. The TCPA’s carve-out for government debt collection, Judge Oetken held, is a regulation based on content. But the judge refused to take the next step and hold the TCPA to be unconstitutional under the First Amendment. Time Warner’s lawyers argued in a motion for judgment on the pleadings that TCPA fails the strict scrutiny review because the law, as amended, is not narrowly tailored to serve a compelling government interest. The exemption for government debt collectors “renders the speech restriction prototypically under-inclusive and results in an irrational, ineffective and patently unfair regime.” Judge Oetken disagreed. Privacy is a compelling interest, he held, whether it’s the traditional respect courts have accorded for privacy in the home or the modern extension to cellphone privacy. And the carve-out for government debt collectors, he held, is a narrow exemption that does not doom the entire law. [Reuters]

US Government Programs

US – General News

  • The U.S. Ninth Circuit Court’s ruling in Robins v. Spokeo found that a Fair Credit Reporting Act violation was sufficient to justify Article III standing. [Lexology]
  • Davis & Gilbert Partner Richard Eisert discusses U.S. District Judge Edward Davila’s ruling that the onus falls on the individual user to keep browsing history private rather than on a company to set privacy as a default. [AdExchanger]
  • The Ninth U.S. Circuit Court of Appeals recently ruled that concern about potential privacy intrusion does not qualify as an imminent injury that can be addressed in court. [AMA Wire]
  • The first challenge is underway to a new Tennessee law requiring public schools to share student information with charter schools within 30 days of a request. [The Tennessean]
  • A three-judge panel of the second most powerful court in the U.S., the D.C. Circuit Court of Appeals, has ruled customers can sue a health insurer for a 2014 breach in which personal data was compromised. [The Hill]
  • Chicago Mayor and City Clerk have put out a request for proposals for technology companies to build a platform for municipal ID cards despite threats of funding cuts from the Trump administration. [StateScoop]

US Legislation

US – General News

  • NY Gov. Andrew Cuomo signed legislation prohibiting the unlawful alteration of official student records in any primary, intermediate, high school or college in the state — expanding on the types of information covered in the previous law. [Wyoming FreePress]
  • NY Gov. Andrew Cuomo signed new legislation that will make it possible to sue a neighbor for the invasion of privacy if they videotape in an adjacent backyard without permission. [Times-Union]
  • Two Senate committees advanced bipartisan bills aimed at boosting cyber skills. [Morning Consult]
  • A bipartisan group of U.S. senators has released new legislation intended to confront internet-of-things security vulnerabilities. Sens. Cory Gardner, R-Colo., Steve Daines, R-Mont., Mark Warner, D-Va., and Ron Wyden, D-Ore., are co-sponsoring the bill. [Reuters]
  • Orrin Hatch, R-Utah, and Chris Coons, D-Del., have released new legislation that would create a legal framework for allowing law enforcement to access data of U.S. citizens stored overseas. The International Communications Privacy Act would also mandate that law enforcement notify other countries of the data collection in accordance with their laws, the report states. [The Hill]
  • The draft Senate Republican border security bill, Building America’s Trust Act, would increase the collection of biometric data, the use of drone monitoring and, in some cases, mandatory DNA collection. The author and co-sponsors of the bill have yet to officially introduce the bill. [Ars Technica]
  • Delaware has updated its data breach law to include the protection of additional types of information and increase notification requirements, among other changes. [JDSupra]
  • Nebraska Sen. Carol Blood has proposed a bill to create a drone policy in the state addressing privacy concerns, among others. [Omaha World-Herald]





21 July – 03 August 2017


US – FBI Biometric Database to Be Exempt from Parts of Privacy Act

The Federal Bureau of Investigation this week published a final rule that will exempt its Next Generation Identification biometrics database from certain portions of the Privacy Act. The massive database includes biometric records of individuals who have undergone background checks for jobs, military service or for those who have criminal records. Beginning Aug. 31, individuals will not be able to find out what types of data the FBI has about them. The agency has argued doing so could compromise investigations. The Electronic Privacy Information Center had tried to persuade the FBI to minimize its data collection and Privacy Act exemptions to no avail. Though it’s not currently known how many records are in the database, the Electronic Frontier Foundation estimated in 2014 that the FBI could have as many as 52 million facial images by 2015. [NextGov | New Rule Exempts FBI From Disclosing Its Biometric Database To Americans | If the FBI Has Your Biometrics, It Doesn’t Have to Tell You | Facial recognition database used by FBI is out of control, House committee hears]

US – Businesses Sued for Collection of Employee Biometric Data

A host of employee biometric privacy lawsuits are seeking class-action status in the Cook County Circuit Court this year. Grocery store Roundy’s, Intercontinental Hotels’ Kimpton chain and data center operator Zayo Group have all been accused of violating the Illinois Biometric Information Privacy Act. The suits alleged all three businesses did not obtain required written consent and provide disclosures about the collection, use and storage of employees’ fingerprints and handprints. Potential violations could result in high fines. Roundy’s, for example, estimated in a court filing from last May that damages could reach up to $10 million. Mercator Advisory Group Vice President of Payments Innovation Tim Sloane said, “This is likely to be a costly lesson to business leaders in Illinois.” [The Chicago Tribune]

Big Data

US – CDT Launches Digital Decisions Tool

The Center for Democracy & Technology announced the launch of its first public version of the digital decisions tool aimed at enabling developers to understand and mitigate what the CDT sees as the unintended bias and ethical pitfalls associated with designing automated decision-making systems. The interactive digital decisions tool encourages developers to think critically and methodically by adding a series of questions to consider during the designing and deploying process of an algorithm in order to help shape a fair outcome for all. The CDT is currently seeking feedback. [Full Story]


CA – EU’s Highest Court Axes Canuck Passenger Name Record Deal

Brussels has to go back to the drawing board on a key plank of its counterterrorism strategy. The European Court of Justice dealt a blow to the EU’s policy of sharing information about airline travellers, saying that a long-standing arrangement with Canada ran roughshod over people’s privacy. [See here] In its ruling, the ECJ said the Commission went too far when it gave Canada access to detailed information about airline passengers, including what meals a passenger ate, in what company he or she traveled and how he or she bought a ticket — and stored these data for up to five years. The idea is that law enforcement could use the information to map and monitor terrorists’ and criminals’ travels, and halt them before boarding flights. A PNR data-sharing agreement with Canada dates back to 2006, but when it was revised in 2014, the European Parliament asked the ECJ for its opinion on the update before giving the deal its seal of approval. Security Commissioner Julian King said that Commission officials are speaking to Canadian counterparts “about ways of addressing the concerns raised by the European Court of Justice on the envisaged EU-Canada PNR agreement.” [See here] But King said the opinion did not affect EU countries’ obligations to implement the EU’s own, internal PNR system. Privacy advocates called the opinion a win for privacy. “Reckless data retention and profiling have no place in a democratic, law-based society,” Joe McNamee, executive director at European Digital Rights, said in a statement. 
[POLITICO.eu | Deal to share passenger info between EU and Canada struck down on privacy concerns | When travel security makes things more dangerous | EU-Canada Airline Data Pact Violates Privacy: Adviser | EU-Canada passenger data deal infringes privacy: EU adviser | EU-Canada Air Data Deal Is Illegal, Warns Top Lawyer | EU-Canada Traveler Data-Sharing Deal May Go Too Far | EU Court of Justice Issues Ruling on Privacy Rights and International Agreements – Sam Trosow, Associate Professor, The University of Western Ontario]

WW – Canada Third in Reported Data Breaches So Far This Year

The number of publicly-reported data breaches in Canada in the first six months of the year hit 59 — two more than the same period a year ago — according to a compilation released this week by Risk Based Security (RBS), a Virginia provider of threat intelligence. [See here] By comparison there were 22 publicly-reported breaches in China and 19 in Russia. The United Kingdom was second on the list with 104 breaches. Canada was third. However, measured by the number of records exposed China was number one, with over 3.8 billion. The U.S. was second with just over 3.7 billion, India third with over 179 million records exposed. Canada was eighth with over 2.1 million records exposed. Overall there were 2,227 international breaches reported in the first half of 2017, exposing over 6 billion records. One Chinese company accounted for 2 billion exposed records alone. [IT World Canada]

CA – Nova Scotia Minister Used Private Email for Government Work: Documents

Documents obtained by Global News under an access to information request show cabinet minister Leo Glavine relied on a private email account when he was minister of health. Last year, the province’s privacy and information commissioner, Catherine Tully, warned against the use of private email by government entities. “The (Office of the Information and Privacy Commissioner) strongly recommends that public bodies and municipalities prohibit their staff from using instant messaging tools and personal email accounts for doing business, unless they can be set up to retain and store records automatically,” reads the report. Spokesperson Lisa Jarrett sent an emailed statement saying the Gmail account in question isn’t a personal email account but rather the email Glavine uses for constituency work. The legislature’s website lists a different email for Glavine’s MLA work than the Gmail account listed in the documents obtained by Global News. Jarrett said both of the private accounts are used for his work as an MLA. Other MLAs also use non-government email accounts. While Nova Scotia’s access laws don’t ban the use of personal email accounts, using them could put the user in conflict with the access and privacy law in several ways, Tully said in an interview. [Global News]

CA – NB OIPC Calls for Public Release of Cop-Cam Video of Shooting

New Brunswick’s access to information and privacy commissioner has called for the release of a body camera tape that shows a fatal police shooting in Rothesay. The decision comes after a 15-month access to information battle by CBC News. In her ruling [see 10 pg pdf here], Anne Bertrand had to determine who should be allowed to see footage collected from body cameras worn by police. She decided that public interest trumps privacy in this case. Releasing the videotape, Bertrand wrote, is the “right thing to do” for the public to understand the decision to use fatal force. “In special circumstances, there may be a public interest in the public knowing about what happened, despite there being personal information involved,” Bertrand said in an interview. The police force isn’t required to follow Bertrand’s decision and will be getting legal advice. Michael Boudreau, a criminology professor at St. Thomas University in Fredericton, said, “I think this is a very important decision on a go-forward basis for police forces across the country.” [CBC News | National civil liberties group backs call for release of police shooting tape]

CA – ‘Canadians are concerned’: Private Data On the Table in NAFTA Negotiations

The personal information of Canadians will be on the negotiating table when North American free trade talks begin this month. The United States has served notice it wants an end to measures that restrict cross-border data flows, or require the use or installation of local computing facilities. Privacy advocates say that means trouble for Canada’s ability to shield sensitive information such as health or financial data from the prying eyes of foreign agencies by storing it in computer servers on Canadian soil. The U.S. proposal runs counter to public-sector privacy laws in British Columbia and Nova Scotia that require domestic data storage. It also seems at odds with the federal government’s strategy on cloud computing — the purchase of digital storage from third parties — that says all “sensitive or protected data under government control will be stored on servers that reside in Canada.” The U.S. trade representative flagged the data storage issue in its 2017 report on foreign trade barriers, noting the B.C. and Nova Scotia laws prevent public bodies such as schools, universities, hospitals and government-owned utilities from using American services when there’s a possibility that personal information would be stored in, or accessed from, the United States. The report also highlighted the Canadian government’s major consolidation of federal email services, a procurement project that cited national security as a reason for requiring the contracted company to keep data in Canada. [See here at Pg 71/72] [National Post | Privacy rights on the NAFTA agenda | NAFTA talks: U.S. proposal for cross-border data storage at odds with B.C., N.S. law | NAFTA: data flows back on the trade agenda Renegotiations of the North American Free Trade Agreement could come in conflict with privacy laws in two Canadian provinces – CBC News]

CA – OIPC SK: Public Bodies Should Share Data Adhering to the Minimisation Principle

The Office of the Saskatchewan Information and Privacy Commissioner issued guidance on the collection and disclosure of personal information and personal health information. An authorized sharing occurs only when one public body has the authority to collect personal information and the other has the authority to disclose it; both public bodies should collect and disclose the least amount of data possible, and enter into a data sharing agreement when sharing will occur on an ongoing basis. [OIPC SK – Collection/Disclosure – A Two-Step Analysis]

CA – OIPC AB Provides Six Guiding Principles for Information Sharing

The OIPC AB has issued guidance on information sharing for both the private and public sector. Information sharing initiatives should consider transparency (outline the participants and what information will be collected, shared and disclosed for what purposes), legal authority (including ensuring participants are subject to access/privacy laws), privacy impact assessments (identify ways to mitigate risks of a breach), access and correction rights for individuals, accountability (share the least amount of data needed), and oversight (consult with the OIPC to address potential privacy implications). [OIPC AB – 6 Principles for Getting Information Sharing Right]

CA – Ontario Court Upholds IPC Ruling that Doctors’ Billing Information Is Not PI

The Court considered an application for judicial review of an OIPC ON order requiring the Ministry of Health and Long-Term Care to disclose physicians’ billing records under the Ontario Health Insurance Program. The IPC reasonably concluded that the information is not PI (it relates to professional information) and the secrecy obligation under the Health Insurance Act governing the physician payments is subject to FIPPA; the requester does not need a reason to request the billing records (FIPPA mandates disclosure if no privacy exemption is proven, and the public is entitled to information to hold the government accountable). [Ontario Medical Association, several physicians affected directly by the Order and affected Third Party Doctors v. IPC ON, Minister of Health and Long-Term Care, the Ministry of Health and Long-Term Care and Theresa Boyle – 2017 ONSC 4090 – Ontario Superior Court of Justice]

CA – Manitoba Ombudsman Issues Guidance on Privacy Programs

The Manitoba Ombudsman has issued guidelines for implementing a privacy management program. The program must be supported by senior management, delegated to a privacy officer that is provided with the necessary resources to develop and implement the program and must include controls that describe the types of personal information and the processing activities, mandatory employee training, and service provider oversight. [Manitoba Ombudsman – Guidelines for Implementing a Privacy Management Program for Privacy Accountability]

CA – BC Organization Must Remove and Destroy Personal Information

The Office of the Information and Privacy Commissioner in British Columbia investigated a complaint against the Surrey Creep Catcher, alleging improper handling of personal information, pursuant to the Personal Information Protection Act. The organization induced individuals to have online communications with fictitious underage girls, video-recorded encounters with these individuals, and posted the videos on social media; these activities were not for journalistic purposes (no effort was made to provide accurate, fair descriptions of the facts), and collection, use or disclosure of their information was done without consent and was not for any investigative purpose. [OIPC BC – Order P17-03 – Surrey Creep Catcher]

CA – OIPC BC Cautions Employers About Risks of Social Media Background Checks

The OIPC BC updated its guidance on conducting social media background checks: the original guidance was issued in 2011. Risks include inaccuracy, collecting irrelevant or excessive information, overreliance on consent (an employer cannot use the information if consent is subsequently withdrawn), and inadvertent collection of third party PI; conduct a PIA (find out what privacy law applies, identify the purposes for using social media, and identify the types and amounts of PI), and do not attempt to avoid privacy obligations by contracting a third party to perform the social media background checks. [OIPC BC – Conducting Social Media Background Checks]

CA – Barrie City Staff Looking into Potential Bylaw to Regulate Surveillance Systems and Drones

Barrie Council has asked staff to investigate a potential bylaw to regulate home security video surveillance systems, domestic closed-circuit television surveillance and drones with cameras. City clerk Dawn McAlpine says two Ontario municipalities have passed bylaws prohibiting cameras being focused on other private properties. But she expects enforcement would be a problem – specifically permission to go on private property to determine which way a camera is facing. Tobi Cohen, who’s with the Office of the Privacy Commissioner of Canada, said its regulations don’t apply to individuals who collect, use or disclose personal information strictly for personal and non-commercial purposes. “That being said, privacy protection and safeguards against unlawful surveillance are provided elsewhere through the Charter of Rights and Freedoms, the Criminal Code and through provincial laws,” he said in an e-mail. While Transport Canada has a number of regulations concerning drones – how high they can fly, how close they can be to buildings, etc. – that federal department does not regulate cameras on these flying machines. Brian Beamish, Ontario’s information and privacy commissioner, said in an e-mail he doesn’t have jurisdiction over homeowners who use security cameras or collect data for personal use. [Barrie Examiner]


US – Stanford Economist Examines a Paradox of the Digital Age

People say they want to protect their personal information, but new research shows privacy tends to take a backseat to convenience and can easily get tossed out the window for a reward as simple as free pizza. The working paper — co-authored by Susan Athey, a senior fellow at the Stanford Institute for Economic Policy Research – provides real-life evidence of a digital privacy paradox: a disconnect between stated privacy preferences and actual privacy choices. And it serves policymakers with some food for thought about how to regulate data sharing without creating more hassles for consumers. “Generally, people don’t seem to be willing to take expensive actions or even very small actions to preserve their privacy,” Athey said. “Even though, if you ask them, they express frustration, unhappiness or dislike of losing their privacy, they tend not to make choices that correspond to those preferences.” What’s more, students who had expressed stronger preferences for privacy — whether it was privacy from the government, the commercial provider or the public — essentially behaved no differently than those who said privacy was less of a concern, the study found. Altogether, the experiment results show that “consumers deviate from their own stated preferences regarding privacy in the presence of small incentives, frictions and irrelevant information,” the study stated. The findings, released in June by the National Bureau of Economic Research, provide a rare snapshot: The privacy paradox has been widely observed, but empirical evidence from a real-world setting – involving choices with real consequences — has been limited. The study raised two policy implications. Since the findings show consumers’ actions don’t align with what they say, and it’s difficult to gauge a consumer’s true privacy preference, policymakers might question the value of stated preferences. 
On the other hand, consumers might need more extensive privacy protections to protect them from themselves and their willingness to share data in exchange for relatively small monetary incentives. In any case, as people are quick to give up some privacy for less hassle, regulations should avoid inadvertently sticking consumers with additional effort or a less smooth experience as they make privacy-protective choices, the study stated. [Source]

US – Rewards Program Raises Privacy Concerns

A new rewards program provides opted-in users credit for every $300 they spend on their Verizon bill. Verizon Up features “Device Dollars toward your next device purchase, discounts on an accessory, or partner rewards,” as well as other ticket opportunities. The concern for some, however, is the trade-off. To use the program, a user must sign up for Verizon Selects, which allows the company to track browsing history, app usage, device location, service usage, demographic information, postal and email contact data, among others, the report states. The data is also shared with “vendors and partners,” and Verizon’s Oath, the combination of newly acquired AOL and Yahoo. [The Verge]

US – Filmmakers Create Short Movies on Online Privacy, Surveillance

Rooftop Films and Mozilla recently presented a screening of several short films regarding various internet-related topics. Film fans and web patrons visited Brooklyn, NY, for the Net Positive, Internet Health Film Shorts program, where filmmakers displayed what they felt was helping — and hurting — the internet. The topics of the films included online privacy, surveillance, virtual reality and internet fame. [Mozilla blog]


AU – Australian Government Issues Recommendations for Sharing of Public and Private Sector Data Sets

The Australian Federal Government released a final report on the costs and benefits of increasing the availability and use of data in the public and private sectors: the draft report was issued in November 2016. Accredited authorities would be established with the power to share or release data sets, and permit trusted users to access and use sensitive or identifiable data (based on risk classifications), and consumers would have access and control of their data; inclusion of private sector databases could lead to uncertainty over commercially sensitive information and intellectual property rights, and regulatory complexity will increase (new regulatory bodies will not sit under the Information Commissioner). [The Quest for Greater Data Availability and Use in Australia – Sylvia Ng et al. – PWC | Article | Government Report]


US – DEF CON Voting Village

People attending DEF CON last week were given the opportunity to try to hack voting machines and voter databases. DEF CON’s “hacker voting village” was created to let attendees discover vulnerabilities in a variety of decommissioned voting equipment that conference organizers bought on eBay. Read more in:

  • www.scmagazine.com: Election tech hacked within hours at DEF CON Voting Village
  • cnet.com: Defcon hackers find it’s very easy to break voting machines
  • darkreading.com: DEF CON Rocks the Vote with Live Machine Hacking
  • eweek.com: Hackers Demonstrate Voting Machine Vulnerabilities at DefCon
  • wsj.com: Hacker Cracks Voting Machine in Less Than 2 Hours
  • reuters.com: Hackers scour voting machines for election bugs

US – 33 States Accepted DHS Election Security Help

The US Department of Homeland Security (DHS) provided cyber security assistance to 33 state election offices and 36 local election offices prior to the November 2016 election. Election systems have been designated as critical infrastructure. DHS is offering cyber hygiene assessments and risk and vulnerability assessments. DHS also shares critical threat information with critical infrastructure operators and owners. [Read more in thehill.com: 33 states accepted DHS aid to secure elections]

EU – Estonia Implements Strong eVoting Security

Estonia is adopting stronger security measures for its elections. Estonia is the only country that allows citizens to vote through online balloting. The system was introduced in 2005. The upgrades include features known as end-to-end verifiability. Tarvi Martens, the Estonian National Electoral Committee’s head of evoting, notes that while US elections are dependent on a variety of electronic voting machines, “with Internet voting, there’s a single piece of software that can be controlled.” [www.irishexaminer.com: World’s most hi-tech voting system raises cyber defences]

US – Colorado Now Requires Regular Risk-Limiting eVoting Audits

Colorado has become the first US state to require risk-limiting audits to be conducted regularly. Risk-limiting audits compare a random sample of paper ballots with their corresponding digital ballots to see if votes were correctly tabulated. [Read more in: thehill.com: Colorado hires startup to help audit digital election results and www.politico.com: Colorado to require advanced post-election audits]

US – Open Source Software Can Help Secure Voting Process

In an effort to improve the security of electronic voting systems, the National Association of Voting Officials is encouraging election officials to use open source software. The author of this piece argues that open source software is more secure than proprietary software. [www.nytimes.com: To Protect Voting, Use Open-Source Software]


CA – Canadian Organizations Should Treat Scams as Data Security Matter

An examination of what Canadian companies should do as victims of a phishing scam. Where funds are transferred by wire, the organization should immediately contact the company’s financial institution, local law enforcement and/or the RCMP, the Canadian Anti-Fraud Centre and their cyber-insurance provider; where sensitive information is disclosed, the company should initiate its incident response plan and identify regulatory and contractual obligations. [Phishing Lures – What To Do If You’ve Taken the Bait – Justin L. Root, Counsel, Sarah H. Jodka, Counsel and Wendy G. Hutton, Partner, Dickinson-Wright]

WW – Google to Settle Class-Action Related to Email Scanning

After announcing it will no longer scan emails for ad personalization, Google has agreed to resolve a class-action privacy lawsuit related to the practice. The settlement agreement would place a three-year injunction affecting the tech company’s ability to send ads based on users’ emails. The settlement would also require Google “to cease all processing of email content that it applies prior to the point when the Gmail user can retrieve the email in his or her mailbox and that is used for advertising purposes,” according to court papers. Meanwhile, the European Union is putting pressure on Google and other tech companies, such as Twitter and Facebook, to update their terms to ensure they are in line with EU law. [MediaPost]

CA – Email Confidentiality Clauses Are Not Considered a Security Measure

The Quebec Order of Human Resources and Industrial Relations’ disciplinary complaint against Carole Milot for unauthorized disclosure. The email confidentiality clause is a standard clause that appears systematically in all emails transmitted without requiring an additional action of the email sender; employees cannot delegate to email recipients their professional responsibility to preserve the confidentiality of information that comes to their knowledge in the exercise of their profession. [Disciplinary Board Order of HR Advisors in Quebec Approved Industrial Relations Canada Province of Quebec NOT 13-16-00013]

US – White House Officials Spear-Phished in Email Prank

A number of White House officials, including Homeland Security Adviser Tom Bossert, were tricked by a series of spear-phishing emails. A U.K.-based, self-described “email prankster” convinced Bossert that he was U.S. President Donald Trump’s son-in-law Jared Kushner. In response, Bossert shared his personal email address with the adversary. White House Press Secretary Sarah Huckabee Sanders said, “We take all cyber-related issues very seriously and are looking into these incidents further.” Former FBI Special Agent Adam Malone said, “Spear-phishing is the most common technique used by hackers to gain access to their victims. This information shines a light on how easy it is for people to build trust with unverified individuals.” [CNN]

Electronic Records

US – Personal Info of 650,000 Voters Discovered on Poll Machine Sold on Ebay

When US government workers decommission old voting equipment and auction it off to the public, they’re supposed to wipe voter information from the device’s memory. There’s no formal auditing process for how many of the machines are properly wiped, and thus no way to estimate how many machines have been sold that inadvertently contain voter records. But hackers given access to an ExpressPoll-5000 electronic poll book—the kind of device used to check in voters on Election Day—have discovered the personal records of 654,517 people who voted in Shelby County, Tennessee. It’s unclear how much of the personal information wasn’t yet public. Some of the records, viewed by Gizmodo at the Voting Village [watch 3:19 video here], a collection of real, used voting machines that anyone could tinker with at the DEF CON hacker conference in Las Vegas [see here], include not just name, address, and birthday, but also political party, whether they voted absentee, and whether they were asked to provide identification. Anyone with access to such a device—whether on Election Day or while playing with an ExpressPoll-5000 at home—would need only moderate computer skills to check for those records. They’re stored on a removable memory card. Anyone who pulls out the drive and reads the memory card with their computer will see the drive’s contents, including the giant database of personal records, if it hasn’t been wiped. [Gizmodo]


WW – IARPA’s Homomorphic Encryption Computing Techniques with Overhead Reduction Program

In an audio interview, Dr. Mark Heiligman, program manager for the Homomorphic Encryption Computing Techniques with Overhead Reduction (HECTOR) program at the US Intelligence Advanced Research Projects Activity (IARPA), describes the goals of the program. IARPA is holding a Proposers’ Day Conference on Wednesday, July 26 to provide interested parties with information about the program. [Read more in: federalnewsradio.com: Dr. Mark Heiligman: Intelligence community pursues HECTOR and www.iarpa.gov: Homomorphic Encryption Computing Techniques with Overhead Reduction (HECTOR)]

EU Developments

EU – CJEU Hears Arguments in Potential Facebook Class-Action

In a parallel case to ongoing litigation in Ireland’s High Court, Austrian Privacy Lawyer Max Schrems and representatives from Facebook Ireland presented arguments Wednesday at the Court of Justice of the European Union in a potential privacy class-action against the social networking company. At issue is whether Schrems can bring a worldwide privacy class-action suit against the company in Austria on behalf of 25,000 users, even though many of those individuals are not Austrian. The CJEU’s advocate general will offer his opinion on the case November 7, though the opinion will not be binding. The court’s final judgment is expected by year’s end. [Irish Times]

EU – First look at LIBE’s 800 ePrivacy amendments

As the clock ticks on the ePrivacy Regulation — and the ambitious aim of having it ready for May 2018 — members of the European Parliament’s civil liberties committee have submitted more than 800 amendments. The big — though not surprising — news is the proposal to introduce “legitimate interest” as a justification for further processing of data. Polish MEP Michal Boni’s amendments in Recital 17 on metadata and Recital 21 on access to information stored on terminal equipment both propose “an exemption from obtaining end-users’ consent in cases where the processing is necessary for the purpose of legitimate interest, provided that the data protection impact assessment was carried out.” Jennifer Baker has the scoop on this and other controversial potential additions for The Privacy Advisor, including interviews with MEPs from Germany, the U.K., the Netherlands and more. [IAPP.org]

EU – CJEU Declares EU-Canada Agreement Incompatible with Fundamental Rights

The EU Court of Justice considered the compatibility of the draft EU-Canada passenger name record agreement. The transfer, processing and retention of sensitive data cannot be justified solely on the basis of protection against terrorism and transnational crime, and storage of PNR data for up to 5 years is not proportional; the Agreement must be based on judicial and police cooperation and protection of personal data, and passenger data should only be retained, after departure, if they present an identified risk. [CJEU – Opinion 1-15 – Draft Agreement Between Canada and the EU on PNR Data | Press Release | Opinion]

UK – ICO Issues Recommendations for Surveillance Camera Use

The UK Information Commissioner’s Office has updated its code of practice in relation to surveillance cameras and personal information, pursuant to the Data Protection Act of 1998: the Code was originally issued in 2014. Organisations should conduct data protection impact assessments to ensure surveillance systems are lawful, proportionate and necessary, define clear responsibilities, secure and encrypt images captured, restrict viewing of live images to authorised persons, and view recordings of sensitive areas after an incident; disclosures of recordings must be controlled and consistent, and recordings should be provided to law enforcement in a suitable format. [ICO UK – In the Picture: A Data Protection Code of Practice for Surveillance Cameras and Personal Information]

EU – French Court Refers Territorial Scope to CJEU

The Conseil d’Etat (“Conseil”) considers an appeal by Google Inc. regarding an order issued by the Commission Nationale de l’informatique et des Libertés requiring it to delink all search materials across extensions of a domain name for each complaint received. The extraterritoriality of the CNIL’s order for Google to delink material on all search engine extensions poses difficulties for interpreting EU law; a decision from the CJEU is required to determine whether the law allows a Member State decision to apply to the entirety of the search engine’s domain. [EC 19 July 2017 – No. 399922 – Google Inc | TechCrunch]

EU – Groups to European Commission: Privacy Shield Isn’t Adequate

In a letter written to European Commissioner for Justice, Consumers and Gender Equality Vera Jourová, Human Rights Watch and Amnesty International ask the European Commission to reevaluate its stance on Privacy Shield’s adequacy, specifically its “Implementing Decision 2016/1250.” The letter asks the commission to “encourage the U.S. legislative and executive branches to adopt the necessary binding reforms” so that transferring data to the U.S. complies with EU law, including the GDPR. The letter cites the U.S.’s foreign intelligence surveillance laws as evidence privacy protections “demonstrably fall far short of essential equivalence to the standards set out in EU law.” [HRW.org]

EU – German Court Rules Employee Keyboard Tracking Illegal

The Federal Labour Court has ruled that a company violated workers’ rights when it installed spy software on its computers. The company had informed employees that they would begin saving internet traffic on company computers and then installed keylogger software and routinely took screenshots. A case was filed against the company when an employee was fired based on evidence gathered during this surveillance. The German court ruled that such evidence was illegally obtained and that keylogger software was an unlawful way to control employees. The court concluded that, since the termination was based on illegal evidence, the employee’s termination should be void. [The Local]

EU – Other Developments

  • A group of researchers from the Institute for Information Law at the University of Amsterdam published a report on the state of the European Commission’s proposed ePrivacy Regulation. In it, they found the ePrivacy Regulation needs significant revisions in four major areas. [The Register]
  • Germany’s Federal Labour Court has ruled that a company violated workers’ rights when it installed spy software on its computers. [The Local]
  • After the U.K. House of Lords’ EU Home Affairs Sub-Committee released a report on the details of data transfers post-Brexit, the U.K. House of Commons Library published a briefing paper on the subject. [Reed Smith’s Technology Law Dispatch]
  • In what it says is an effort to block the spread of extremist material, Russia’s State Duma passed a bill outlawing the use of virtual private networks and other proxy services to access state-blocked websites. [VOA]
  • A new opinion from the advocate general of the Court of Justice of the European Union states that a student’s exam script should be considered personal data. [The Irish Times]

Facts & Stats

US – Report: Data Breaches Up 29% in the First Half of 2017

A report from the Identity Theft Resource Center and CyberScout found the number of data breaches in the U.S. increased 29% in the first half of 2017. The report found 791 breaches took place in the first six months of 2017, exposing about 12 million records, although 67% of the breaches did not indicate the number of compromised records. While the business sector suffered the highest percentage of reported breaches at 54.7%, the health care industry saw the biggest increase in incidents, suffering 30.7% of the attacks, up from 22.6% reported in the first half of 2016. [NBC News]

US – At Mid-Year, U.S. Data Breaches Increase at Record Pace

The number of U.S. data breaches tracked through June 30, 2017 hit a half-year record high of 791, according to recent numbers released [see here] by the Identity Theft Resource Center (ITRC) and CyberScout. This represents a significant jump of 29 percent over 2016 figures during the same time period. At this pace, ITRC anticipates that the number of breaches could reach 1,500 in 2017, a 37% annual increase over 2016, when breaches reached an all-time record high of 1,093. Sixty-seven percent of data breach notifications or public notices did not report on the number of records impacted, an all-time record high that represents an increase of 13% over the first half of 2016 and a major hike over the 10-year average of 43%. The Medical/Healthcare industry stands apart when it comes to reporting most fully on the number of records compromised, due in part to mandatory reporting for healthcare industry breaches that impact 500 or more individuals. For the first half of 2017, 81.5% of the breaches reported to Health & Human Services included the number of records, equal to the first half of 2016. Since 2005, the ITRC has identified data breaches in five industry sectors: financial (including banking and credit); health/medical; government/military; education; and business. [See here] So far in 2017, the business sector continues to top the list at 54.7% of the total breaches, followed by the healthcare/medical industry at 22.6%. The education sector ranks third at 11% of the total breaches, followed by the Banking/Credit/Financial industry at 5.8% and the government/military at 5.6 percent. [ID Theft Center]


CA – ON OIPC Rules Province Must Hand Over Info to Advocates

Ontario government must hand over information to accessibility advocates, commission rules. Ontario’s privacy commission says the provincial government significantly overcharged an advocacy group fighting for information on accessibility law compliance in the province and must now hand over the material. Privacy Commission Adjudicator Diane Smith’s July 27 decision says the government tried to charge the Access for Ontarians with Disabilities Alliance $4,200 for a sweeping access to information request seeking details on many issues, including plans to make sure private businesses are complying with accessibility laws. It ordered the government to provide much of the information in the request free of charge and knocked the fee for the rest down to $750. The government now has until Aug. 28 to release those documents. [CP via The Toronto Star]

CA – Echoes of Trump in Sask. Government’s Response to GTH Land Deal Access Requests: Expert

University of Ottawa professor Michel Drapeau, a leading expert in access to information law, says that when he read the latest report on the government’s handling of Global Transportation Hub land deal documents, his mind immediately went to U.S. President Donald Trump and the well-publicized allegations that he has a disregard for the rule of law. He said the outrageous behaviour of Saskatchewan’s Ministry of Highways, outlined in a new report [see here] by the Office of the Saskatchewan Information and Privacy Commissioner, “makes you wonder if it’s a spreading disease.” In his July 19 report, commissioner Ron Kruzeniski details a year and a half long litany of unjustified delays, excessive fees and unlawful behaviour by the ministry. After reading the report, Drapeau said the ministry’s response is “beyond negligent and it’s beyond the pale and they just couldn’t care less.” “I just find their reaction to what is a quasi-constitutional right, contemptuous,” said Drapeau, an author [see here] of textbooks and reference guides on access to government documents. [CBC: Echoes of Trump in Sask. government’s response to GTH land deal access requests: Expert]


WW – Helix Develops Marketplace Based On User DNA

Personal genomics company Helix has announced the launch of 18 apps designed to offer an enhanced marketplace built upon a user’s DNA. Each app will turn a one-time DNA donation into new insights on how to optimize your existence based on your genetic makeup. However, owning DNA is not without ethical issues: “While Helix wouldn’t comment on how the company plans to use its genetic information internally, it did say it doesn’t have any plans to share data with any third parties, to support external research efforts or otherwise.” The scope of the FDA’s authority to regulate genetic testing is in a legal dispute. [Wired]

Health / Medical

WW – Survey: Despite Support for IoT Medical Devices, Security Concerns Remain

A survey found most U.S. citizens support internet-of-things devices having the ability to send significant health changes to their doctor, but a majority is still concerned about the devices’ security. The 2017 Unisys Security Index saw 78% of respondents supporting the IoT device collecting and transmitting their medical information, but 51% said they were extremely or very concerned about someone gaining unauthorized access to their devices, such as an internet-connected defibrillator or pacemaker. Respondents were less likely to want health insurers to access their IoT data, with 41% stating they do not want those organizations to obtain their information. [Healthcare Informatics]

CA – Privacy Worries Over TELUS EHR Tool with Rx Drug Vouchers

A software tool that Telus has written into its electronic patient records system could prove to be a setback in the war to lower drug prices in Canada by favouring brand name drugs over cheaper generic ones. The tool, used the moment a prescription is being written by a doctor, also raises privacy concerns for patients, among other issues. As the Star’s Jesse McLean and David Bruser report, thousands of Canadian doctors use the software to take notes during patient visits and create a prescription to be filled by the patient’s pharmacy. There is a privacy concern. “There will certainly be a number of physicians who will be concerned they are inadvertently participating in contributing data to pharmaceutical companies,” Dr. Monica De Benedetti and colleagues at the Hamilton Family Health Team wrote to Telus in a complaint letter. For its part, Telus Health insists it only shares with drug companies the total number of vouchers that are printed off for their products. No patient or physician information is shared, the company says. Still, data systems have a way of being compromised and, regardless, doctors may not want to contribute any market information to pharmaceutical companies at all. The good news? The software, which allows physicians to opt in at any time, also allows them to opt out. [The Toronto Star | Doctors use this software during patient visits. Now Big Pharma is tapping it to sell their drugs]

US – HHS’ Website Highlights Breach Investigations and Resolutions

The U.S. Department of Health and Human Services, Office for Civil Rights launched a web tool that provides information on breaches affecting entities covered by the Health Insurance Portability and Accountability Act. The website makes available information that entities covered by HIPAA report to OCR when they are involved in breaches affecting 500 individuals or more; it displays the name of the entity, state where the entity is located, number of individuals affected, date and type of breach, and location of the breached information. [HHS Unveils Improved Web Tool to Highlight Recent Breaches of Health Information]

Identity Issues

CA – TransUnion Pushes Liberals to Grant Access to Newly Issued Social Insurance Numbers

TransUnion, an international credit reporting agency, is pushing the federal government to give it access to a monthly list of new social insurance numbers despite years of rejections over privacy concerns. Currently, only government officials are allowed access to the list. TransUnion argues that the information would help it better detect identity theft because social insurance numbers that have either not been issued, or those not issued at birth, are often used to fraudulently apply for credit cards and loans. The monthly list, known as the “Last SIN of the Month Report,” gives a breakdown by region of the latest regular and temporary social insurance numbers, including those given to new workers or newborns. Amid privacy and security concerns, the previous Conservative government used a 2012 budget bill to tighten the rules about what personal information ESDC [Employment and Social Development Canada] could share with non-government entities. The rules came into effect in December 2013, and ESDC stopped sharing the social insurance numbers list with TransUnion and others because it was no longer able to disclose the report outside the department. [Global News]

US – Identity of Users Defamatory Reviews Not Protected by Freedom of Speech

The District Court reviews an appeal by ZL Technologies, Inc. relating to anonymous posts published on Glassdoor, Inc.’s website. When vigorous criticism descends into defamation, constitutional protection under the First Amendment is no longer available; the posts conveyed factual assertions that could be proved true or false, providing support for a defamation cause of action (e.g., statements around staff turnover). [ZL Technologies Inc v Does 1-7 and Glassdoor Inc – Court of Appeal of California]

US – Chicago Looks to ID Program to Protect Immigrant Data

Chicago Mayor Rahm Emanuel and City Clerk Anna Valencia have put out a request for proposals for technology companies to build a platform for municipal ID cards despite threats of funding cuts from the Trump administration. The efforts are part of a national trend seeing so-called sanctuary cities designing ID systems that will protect the personal information of undocumented residents and help prevent deportation. “We are committed to creating a more inclusive and accessible city for all Chicagoans, and this RFP will help us achieve a technical solution that strikes the right balance between making the ID both secure and accessible,” Valencia said in a statement. In an April vote, the program passed 44 to 4, though the potential funding cuts remain a concern for some. [StateScoop]

Law Enforcement

US – New York Eyes Textalyzer to Bust Drivers Using Cellphones

Police in New York state may soon have a high-tech way of catching texting drivers: a device known as a textalyzer that allows an officer to quickly check if a cellphone has been in use before a crash. Democratic Gov. Andrew Cuomo on Wednesday directed the Governor’s Traffic Safety Committee to examine the technology and the questions about privacy and civil liberties its use would raise. The device is called the textalyzer because of its similarity to the Breathalyzer, which is used to identify drunken drivers. Once plugged into a person’s phone for about a minute, it will indicate whether a motorist was texting, emailing, surfing the web or otherwise using his or her cellphone before a serious crash. …The technology is still some months away from being ready, according to Cellebrite, the Israel-based tech company developing the device. Digital privacy and civil liberties groups already have questioned whether the technology’s use would violate personal privacy, noting that police can already obtain search warrants if they believe information on a private phone could be useful in a prosecution. Rainey Reitman, of the Electronic Frontier Foundation, said, “I am extremely nervous about handing a cellphone to a law enforcement officer and allowing them in any way to forensically analyze it. This is a technology that is incredibly problematic and at the same time is unnecessary. There are already legal avenues for a police officer.” [Source | New York ‘Textalyzer’ Bill Threatens Privacy Under the Guise of Safety | NY Lawmakers Consider Adding a ‘Textalyzer’ to Accident Investigations]

Online Privacy

WW – Google Implements Stronger Warnings for Unverified Apps

People using G-suite applications, including Gmail and Google Docs, will see bolder warnings each time they try to interact with new or unverified web apps. The warnings will appear before the permissions consent screen, and will include information about the risks to their personal data if they continue to use an unverified app. Read more in: www.eweek.com: Google Strengthens Protections Against Unverified Web Apps and developers.googleblog.com: New security protections to reduce risk from unverified apps.

WW – Study: More than 50% of Children’s Apps Fail to Protect Data

The Washington Post tested more than 5,000 popular apps aimed at children under 13 to see whether they are properly protecting user data. The testers found more than 50% of those apps fail to protect data, often sending sensitive information, such as device serial numbers, email addresses and other personally identifiable information, to third-party advertisers. More than 90% of the failing cases involve apps sending identifiers users cannot change or delete, such as hardware serial numbers. Despite the high numbers, the testers believe the failures are not malicious. “We suspect that most of the developers whose apps fail to protect data do not have nefarious intent, but rather fail to configure their software properly or neglect to scrutinize practices of the third-party advertisers they rely upon to generate revenue,” the report states. [Full Story]

WW – Adsquare Introduces New Cross-Device Matching Method

Adsquare is proposing a different approach to cross-device matching. The mobile device exchange is deviating from the traditional method of using cookies as core identifiers and is instead aiming to start with device IDs as the primary source of identification. Adsquare CEO Tom Laband said that, since cookies are not people-based, they are not a reliable foundation for building audiences in apps. Laband also said creating segments based on device ID will make opting out easier, especially as the EU General Data Protection Regulation comes into effect. [AdExchanger]

US – New Survey Examines Why We Share on Social Media

Visual content solutions provider Olapic conducted a survey of the motivational and emotional responses to social media postings and found that our desire to share stems from an emotional drive more than anything else. In a survey of more than 1,000 participants, Olapic and data analysis company Spectra Analytics measured the impact and longevity of online trends and found that 40% of Americans ages 16 to 44 post to interact with friends, for example, while women tend to be more likely than men to post supportive comments. The authors of the study point to the predictive nature of their findings as a powerful tool to control the next online phenomenon. [ZDNet]

CA – Google Files Injunction Against Canadian Search Results Ruling

In response to a ruling from Canada’s Supreme Court, Google is filing an injunction against the decision that states the tech company must remove search results for pirated products. Google filed the injunction with the U.S. District Court for Northern California, stating the ruling violates U.S. law and thus the company does not need to comply with the Canadian decision. “We’re taking this court action to defend the legal principle that one country shouldn’t be able to decide what information people in other countries can access online,” Google Senior Product Counsel David Price said. “Undermining this core principle inevitably leads to a world where internet users are subject to the most restrictive content limitations from every country.” The case parallels other conflicting jurisdictional takedown requests, including whether Google should apply the right to be forgotten globally. [Wired]

WW – Google’s plans to track you offline just hit their first hurdle

Google’s new ad programme lets the company track credit card information across online and brick-and-mortar shops. The Electronic Privacy Information Centre (EPIC) is calling on the US Federal Trade Commission (FTC) to investigate Google [see PR here & 25 pg pdf complaint here], alleging that the company is gaining access to credit card information in a bid to bind customer online behaviour to offline shopping habits. Google’s new advertising scheme, Store Sales Measurement, allows the tech giant to track customer credit-card transactions – both online and within brick-and-mortar shops. According to the Washington Post, a legal complaint filed by the privacy group claims Google is leveraging the credit and debit card information of the majority of US consumers, without providing a meaningful way for individuals to opt out. The group also alleges that Google is using this sensitive information in a method that is vulnerable to data breaches and that it should be audited by third parties. The company said that it has “invested in building a new, custom encryption technology that ensures users’ data remains private, secure and anonymous”. EPIC cite the database technology Google’s scheme is based on – CryptDB – as having known security flaws. In 2015, Microsoft researchers successfully hacked health records stored using CryptDB. [Source | Google Tracking In-Store Purchases? Privacy Group Asks FTC To Investigate Google]

CA – Ashley Madison Gets Privacy Re-Boot with Ann Cavoukian’s Help

Ashley Madison relaunches in Australia: ‘We’re just trying to help people have a better affair.’ Ashley Madison suffered a public relations disaster in July 2015, when hackers released the personal details of 35 million members online — almost all its users worldwide. The service marketed as the discreet way to cheat suddenly lost its trump card — privacy. A joint investigation by Canada and Australia’s Privacy Commissioners found Ashley Madison’s parent company Avid Life Media (ALM) “did not have appropriate safeguards in place considering the sensitivity of the personal information nor did it take reasonable steps in the circumstances to protect the personal information it held.” ALM, now rebranded as Ruby Corp, were given a deadline, which ends today [July 31, 2017 see here], to obtain independent third party assurance that it had adopted the report’s recommendations and secured its members’ data. Ruby Corp hired Ontario’s former Information and Privacy Commissioner Ann Cavoukian to overhaul its privacy and data policies. “We have received our Privacy by Design certification, which is an important certification,” Mr Keable told news.com.au by phone from Toronto, where Ashley Madison’s main office is based. “We have put privacy of our members’ data at the heart of our business and we now look at data as something that is sacred to us,” Mr Keable said. [News.com.au | Ashley Madison investigation finds security measures lacking; fictitious security trustmark was ‘deceptive’ | Watchdog slams Ashley Madison over privacy failures | Ashley Madison broke Canadian privacy laws with ‘deceptive’ security practices: Privacy czar | Ashley Madison not as discreet, a lot more deceptive than it said, probe finds]

Privacy (US)

EPIC Files Complaint with FTC Regarding Google’s Sales Measurement Program

The Electronic Privacy Information Center is planning to file a complaint with the Federal Trade Commission regarding Google’s Store Sales Measurement program. The program ties consumers’ online behavior to their purchases in brick-and-mortar stores. EPIC’s complaint states Google is gaining access to sensitive information, such as customers’ credit and debit card purchase records, without divulging the way the information was obtained. The complaint states Google does not give consumers a meaningful way to opt out of the program. The tech company says the approach is “common” and it had “invested in building a new, custom encryption technology that ensures users’ data remains private, secure and anonymous.” [The Washington Post]

WW – Future of Privacy Forum Announces Eighth Annual Call for Papers

The Future of Privacy Forum has announced its eighth annual Privacy Papers for Policymakers call for nominations. The aim is to highlight important work and leading privacy research that has a positive contribution in shaping future data policy solutions for the U.S. Congress, federal agencies and for data protection authorities around the world. Finished papers and/or nominations will be considered on or before Sept. 26, 2017. Winning authors are invited to present their work at an annual event in Washington, D.C., Feb. 27, 2018. [Full Story]

US – FTC and FBI Issue Compliance Reminder on Children’s Online Privacy Protection Act

Both the FTC and the FBI have made clear that they are focused on kids’ privacy, particularly as it relates to internet-connected or “smart” toys and other devices directed at children. The FTC recently updated its six-step compliance plan [see here] for businesses to comply with the Children’s Online Privacy Protection Act (COPPA). Similarly, the FBI released a Public Service Announcement [see here] about the dangers of internet-connected toys and other kids’ devices. COPPA prohibits unfair or deceptive acts and practices in connection with the collection, use, and/or disclosure of personal information on the internet from and/or about children. COPPA is one of the strictest privacy statutes in the world, and even has been touted as a model by European and other regulators in jurisdictions known for more rigid privacy laws than are typically found in the United States. COPPA applies to websites or other online services such as mobile apps that collect personal information from children under the age of 13. Companies that have a significant consumer base among kids under 13 and that offer internet-connected toys or devices should carefully review company operations and advertising programs in response to the updated Compliance Plan. COPPA is vigorously enforced by the FTC and state attorneys general, and the added attention in these areas will only increase the level of scrutiny for companies. The updates from the FTC and FBI—as well as the continued focus on these issues in the European market—highlight the risks and challenges around kids’ privacy, and can serve as an opportune reminder for companies to revisit policies, processes, and procedures to ensure full compliance in this area. [Morgan Lewis | FTC’s COPPA Guidance Update Part of a Larger Trend]

EU – German Researchers Obtain Web Browsing Histories of 3M Citizens

A pair of German researchers obtained the information of three million German citizens from companies gathering “clickstreams.” Among the information were the porn-browsing habits of a judge and the drug preferences of a politician. Speaking at the DEF CON cybersecurity conference in Las Vegas, Svea Eckert and Andreas Dewes said the data is supposed to be anonymized, but analysis shows it could easily be tied to individuals. [The Guardian]

US – Other Developments

  • Patrick Leahy, D-Vt., and Mike Lee, R-Utah, plan to reveal a bill designed to update the Email Communications Privacy Act of 1986. [The Hill]
  • In a continued reorganization of the White House, House Homeland Security Committee Chairman Michael McCaul, R-Texas, has introduced a bill to raise the priority of cybersecurity at the Department of Homeland Security. [The Hill]
  • U.S. District Court Judge Colleen Kollar-Kotelly ruled President Donald Trump’s voter fraud commission does not need to conduct a privacy impact assessment before gathering citizens’ data. [Politico]
  • A New York federal judge denied a motion to suppress data stemming from law enforcement access to cellphone records in a 2015 case, writing in his decision that “current Fourth Amendment jurisprudence affords no privacy interest in records created by a third party based on information voluntarily provided.” [Courthouse News]
  • The House Appropriations Committee unanimously agreed to add language to the 2018 appropriations bill that would require government agencies to obtain a warrant, rather than a subpoena, to access emails, texts and cloud-based data. [Broadcasting & Cable]
  • U.S. Secretary of State Rex Tillerson announced that the Office of the Coordinator for Cyber Issues will be shut down and reorganized to fall under the State Department’s Bureau of Economic and Business Affairs. [Bloomberg]
  • Missouri has announced a new prescription drug-monitoring program that could be up and operating within a month. The executive order signed by Governor Eric Greitens comes after previous attempts failed, due in part to privacy concerns. [The Associated Press]
  • Utah state law currently mandates a warrant for the Drug Enforcement Administration to view the state prescription-drug database, but that is being weighed by U.S. District Judge David Nuffer in a case that pits health care privacy against a need to combat the country’s opioid drug epidemic. [ABC News]
  • A recent investigation by the Vermont attorney general found a facial-recognition program in use at the Department of Motor Vehicles to be in violation of state law. [The Burlington Free Press]
  • A recently passed Nevada law requires ISPs and website operators to inform users of what data they collect and how it’s used. [Hunton & Williams’ Privacy & Information Security Law Blog]
  • New Jersey has a new law restricting the scanning and use of state-issued IDs by retailers. [Hunton & Williams’ Privacy & Information Security Law Blog]
  • The U.K. government has announced new drone laws requiring registration of certain drones, and safety, security and privacy training for owners. [Sunday Express]
  • U.S. Congressman Blake Farenthold, R-Texas, has introduced the Cell Location Privacy Act, which would require local, state and federal law enforcement agencies to obtain a warrant before using a cell site simulator device to locate a cellphone user. [Source]
  • The U.S. Federal Trade Commission is looking for public input on the CAN-SPAM Rules, among other things, as part of Chairman Maureen Ohlhausen’s regulatory reform initiative. [The National Law Review]
  • Arkansas’s new State Insurance Department General Omnibus Bill, which includes changes to breach notification rules, goes into effect August 1. [Radar]
  • California’s Supreme Court has ruled on the access of employer records under the California Private Attorneys General Act of 2004. [The National Law Review]
  • A Florida appeals court sided with a man who secretly recorded a meeting with a police officer, limiting the state’s laws against secret recordings. [Miami Herald]
  • Medical and civil rights groups are pushing for Rhode Island Governor Gina Raimondo to veto a bill that would allow police to access health information without a warrant. The bill is an effort to fight the opioid crisis in that state. [RI Future]
  • Chicago’s Finance Committee Chairman Edward Burke has introduced three ordinances for the aldermen’s consideration: the Chicago Internet Privacy Ordinance, the Chicago Location Information Protection Act and the Mobile Privacy Awareness Act. [Chicago Sun Times]

Privacy Enhancing Technologies (PETs)

WW – Apple’s New Patent Protects Device Screens from Prying Eyes

Apple has filed a patent for a screen allowing for increased privacy on portable devices. The application, entitled “Displays With Adjustable Angles-of-View,” would use an electrically adjustable lens array designed to modify a device’s backlight in order to narrow the angle of view. Instead of an attachment, the method would be integrated into the display through a series of substrate layers. “Displays are typically designed to display images over a relatively wide angle of view to accommodate movements in the position of a viewer relative to the display,” Apple said in its application. “In some situations, such as when a user of a laptop or other device with a display is using the device in public, the wide viewing angle is undesirable as it compromises privacy.” [CNET]

WW – Mozilla Introduces Self-Destructing File App

Mozilla is testing an app that lets users create files that self-destruct after one download or after 24 hours. Firefox Send can accommodate files up to 1GB. It can be used “in any modern browser,” although Firefox users may need to download Firefox 54. It works on Chrome; functionality in Edge is in development, and it works in Safari 11.0, which is currently available to developers. The app’s functionality requires that Web Crypto API be implemented in the browser. Read more in: www.zdnet.com: Firefox’s new tool lets you send self-destructing 1GB files from any browser


US – Legislation Aims to Improve IoT Security

US legislators have introduced the Internet of Things Cybersecurity Improvement Act of 2017, which would establish standards for companies that want to sell Internet of Things (IoT) devices to the federal government. Among the requirements: the devices must be capable of being patched; they must not have hard-coded passwords; and the vendors must ensure that the devices do not contain vulnerabilities when they are sold. Read more in:

  •  www.cnet.com: Congress to smart device makers: Your security sucks
  •  www.darkreading.com: Proposed IoT Security Bill Well-Intentioned But Likely Hard To Enforce
  •  www.eweek.com: How the Federal Government Wants to Improve IoT Security
  •  krebsonsecurity.com: New Bill Seeks Basic IoT Security Standards
  •  www.scribd.com: Text of the Internet of Things Cybersecurity Improvement Act of 2017

US – GAO Says US Defense Department Needs to Address IoT Security

According to a report from the Government Accountability Office (GAO), the US Department of Defense (DOD) lacks adequate rules to address the security threat posed by Internet of Things (IoT) devices. While DOD has established policies for certain IoT-related security risks, the policies are insufficient for certain devices. GAO recommends that DOD conduct appropriate operations security surveys; and assess current IoT-related policies and identify areas that need attention. [fcw.com: DOD risks ‘rogue’ apps under current IoT policy | www.gao.gov: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD]

EU – Bluetooth Sensors Track Cars, Traffic Patterns

The city of Aarhus, Denmark, has started using Bluetooth sensors to collect traffic pattern information from vehicles as a means to reveal irregularities that would have otherwise gone unnoticed. The sensors, made by Blip Systems, feed off a device’s Bluetooth capability and are being used in cities around the world. Aarhus Municipality ITS Project Manager Asbjørn Halskov-Sørensen argued, “Ultimately, the data contributes to an improved economy and a better environment through reduced driving times and fuel consumption, and thus reductions in greenhouse gas emissions from vehicles.” [Full Story]

US – The Privacy Issues with Employee-Embedded RFID chips

Wisconsin-based company Three Square Market made waves last week when it announced it will embed radio frequency identification chips in its employees. On August 1, the company is hosting a “Chip Party” for those employees opting in to the embedded tracking project. Yet, embedding tracking technology into the human body, or “cyborgification,” as the Center for Democracy & Technology’s Joseph Jerome points out, “raises a host of ethical questions” and “employer-driven ‘chipping’ poses at least three immediate challenges.” In this post for Privacy Perspectives, Jerome dives into those concerns, including questions about notice, consent, data security and the potential for mission creep. [IAPP.org]

EU – Samsung Launches Service to Monetize IoT Data Use

European Communications reports Samsung has created a service to assist in the monetization of data usage by internet-of-things devices. The Samsung Artik Cloud Monetization for IoT allows device manufacturers to measure the amount of data customers use on their devices so they can be charged accordingly. Device manufacturers will be able to define service plans according to need, then Samsung’s service will measure data usage against the plan and send payments to the manufacturers. “It’s an open data broker model that enables, for the first time, device manufacturers and service providers to tap into an open IoT ecosystem and create service plans that generate revenue directly from the interactions of devices and services,” a blog post from Samsung Artik said. [Eurocomms]

US – Carnegie Mellon University Study Finds Most Home Routers Are Lemons

A US Department of Defense (DoD) funded study from Carnegie Mellon University found that nearly all home routers are rife with security problems. They are “notorious for their web interface vulnerabilities” and other security issues, and they are not frequently updated. The study analyzed 13 routers from a variety of manufacturers. When the researchers found vulnerabilities, they contacted the manufacturers, giving them 45 days to release a patch, after which they would release vulnerability details. Most manufacturers responded slowly if at all. Among the suggestions for addressing the router security issue is to focus not on the number of flaws found in devices, but on the responsiveness of vendors in providing fixes. Read more in: www.govinfosecurity.com: Consumer Routers Report Concludes: It’s a Market of Lemons | resources.sei.cmu.edu: “Systemic Vulnerabilities in Customer Premises Equipment (CPE) Routers”


US – HHS Releases New Data Breach Education Web Tool

The U.S. Department of Health and Human Services, Office for Civil Rights has released an updated web tool designed to help health care entities better identify data breaches. The HIPAA Breach Reporting Tool also educates health care professionals on the ways data breaches that involve health information are investigated and resolved. The tool also includes a feature that allows health care organizations to see data breaches currently under investigation and reported within the last 24 months. “HHS heard from the public that we needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches,” HHS Secretary Tom Price said. “We have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.” [HHS.gov]

US – FTC Publishing Blog Posts on Data Security Best Practices

The Federal Trade Commission announced it will publish new blog posts on ways to educate businesses on the best practices to protect and secure consumer data. In the first blog post, the FTC looks back to past cases for emerging themes from closed data security investigations. The FTC found while news companies may report on data breaches, they may not cover whether the compromised data had been encrypted. The post also looks into the helpful work done by security researchers. The posts are designed to build upon the agency’s Start with Security guide for businesses. [Full Story]

FTC Posts Second Blog in Its “Stick with Security” Series

On July 28, 2017, the FTC published the second blog post in its “Stick with Security” series. [See here] The FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This latest post looks at key security principles that apply to all businesses regardless of their size or the types of data they handle. The practical guidance offers five steps companies can take to ensure the security of the data they hold and provides examples to illustrate each step. The steps are: 1) Don’t collect personal information you don’t need; 2) Hold onto information only as long as you have a legitimate business need; 3) Don’t use personal information when it is not necessary; 4) Train your staff on your standards; and 5) When feasible, offer consumers more secure choices. [H&W]

US – Ransomware growing but accidental breaches a major cause of loss

Ransomware attacks continued their rise in the first half of 2017, up by 50% over the first half of 2016, but accidental breaches continue to be a major problem and account for 30% of breaches overall, specialist insurer Beazley reported. Beazley, which offers cyber and data breach response insurance, released its latest Beazley Breach Insights report on Aug. 1 based on client data in the first six months of 2017. The report found that hacking and malware attacks – of which ransomware attacks form a growing part – continue to be the leading cause of breaches, accounting for 32% of the 1,330 incidents that Beazley Breach Response (BBR) Services helped clients handle in the first half of the year. However, accidental breaches caused by employee error or data breached while controlled by third party suppliers continue to be a major problem, accounting for 30% of breaches overall, only slightly behind the level of hacking and malware attacks. In the healthcare sector, these accidental breaches represent, by a significant margin, the most common cause of loss at 42% of incidents, Beazley noted in a statement. [See here] …“Unintended breaches account for one-third of all data breach incidents reported to Beazley and show no signs of abating,” Katherine Keefe, global head of BBR Services, said in the statement. “They are a persistent threat and expose organizations to greater risks of regulatory sanctions and financial penalties. Yet, they can be much more easily controlled and mitigated than external threats. We urge organizations not to ignore this significant risk and to put more robust systems and procedures in place.” [Canadian Underwriter]

Smart Cars

US – Connected Car Data in Demand

The New York Times reports that automakers, local government, retailers, insurers and tech companies are all eager to leverage the information collected by connected cars. While there is a limit on how event data recorders can be used, no law governs the data captured by the other devices in cars, leaving a long list of devices open for use. The line created between being a benefit to the consumer and the potential threat to personal privacy and security is murky, the report points out. [Full Story]


US – Newly Declassified Memos Detail Extent of Improper Obama-era NSA spying

The National Security Agency and FBI violated specific civil liberty protections during the Obama administration by improperly searching and disseminating raw intelligence on Americans or failing to promptly delete unauthorized intercepts, according to newly declassified memos that provide some of the richest detail to date on the spy agencies’ ability to obey their own rules. The memos reviewed by The Hill were publicly released on July 11 through Freedom of Information Act litigation by the American Civil Liberties Union. They detail specific violations that the NSA or FBI disclosed to the Foreign Intelligence Surveillance Court or the Justice Department’s national security division during President Obama’s tenure between 2009 and 2016. Critics say the memos undercut the intelligence community’s claim that it has robust protections for Americans incidentally intercepted under the program. “Americans should be alarmed that the NSA is vacuuming up their emails and phone calls without a warrant,” said Patrick Toomey, an ACLU staff attorney in New York who helped pursue the FOIA litigation. “The NSA claims it has rules to protect our privacy, but it turns out those rules are weak, full of loopholes, and violated again and again.” The Hill reviewed the new ACLU documents as well as compliance memos released by the NSA inspector general and identified more than 90 incidents where violations specifically cited an impact on Americans. Many incidents involved multiple persons, multiple violations or extended periods of time. There also were several instances in which Americans’ unmasked names were improperly shared inside the intelligence community without being redacted, a violation of the so-called minimization procedures that Obama loosened in 2011 that are supposed to protect Americans’ identity from disclosure when they are intercepted without a warrant. 
Numerous times improperly unmasked information about Americans had to be recalled and purged after the fact, the memos stated. …The NSA also admitted it was slow in some cases to notify fellow intelligence agencies when it wrongly disseminated information about Americans. The law requires a notification within five days, but some took as long as 131 business days and the average was 19 days, the memos show. The new documents show that the NSA has, on occasion, exempted itself from its legal obligation to destroy all domestic communications that were improperly intercepted. Under the law, the NSA is supposed to destroy any intercept if it determines the data was domestically gathered, meaning someone was intercepted on U.S. soil without a warrant when the agency thought they were still overseas. The NSA, however, has said previously it created “destruction waivers” to keep such intercepts in certain cases. [The Hill]

US – Intelligence chairman accuses Obama aides of hundreds of unmasking requests

Intelligence Chairman Devin Nunes (R-Calif.), in a letter to Director of National Intelligence Dan Coats, is accusing top political aides of President Obama of making hundreds of requests during the 2016 presidential race to unmask the names of Americans in intelligence reports, including Trump transition officials. …National Security Adviser Susan Rice and CIA Director John Brennan have acknowledged making such requests though they insisted the requests were for legitimate work reasons. His letter noted requests from senior government officials, unlike career intelligence analysts, “made remarkably few individualized justifications for access” to the U.S. names. “The committee has learned that one official, whose position had no apparent intelligence related function, made hundreds of unmasking requests during the final year of the Obama administration,” Nunes wrote. “Of those requests, only one offered a justification that was not boilerplate.” Sources familiar with the Nunes letter identified the official as then-U.N. Ambassador Samantha Power. Nunes said he intends to introduce legislation to address concerns about the unmasking process impacting Americans’ privacy. Beginning in 2011, Obama loosened the rules to make it easier for intelligence officials and his own political aides to request that the names be unmasked so they could better understand raw intelligence being gathered overseas. The change has been criticized by liberal groups like the ACLU and conservatives like Nunes because of the privacy implications. [The Hill See also: Schumer uses Senate rule to scuttle meeting on ‘unmasking’ by Obama officials | Schumer Blocks National Security Briefing For Senate Committee | Senate Judiciary Committee to push for facts on alleged ‘unmasking’ by Obama officials | Was Obama administration illegal spying worse than Watergate? 
Explosive Revelation of Obama Administration Illegal Surveillance of Americans | Top Obama Adviser Sought Names of Trump Associates in Intel | Rand Paul offers backup to Trump on monitoring claims | Obama’s rule changes opened door for NSA intercepts of Americans to reach political hands | Lawmaker says U.S. foreign surveillance ‘unmasked’ Trump associates | Trump camp could have fallen into ‘backdoor’ surveillance | Trump’s Wiretapping Accusations: Here’s What the Government Can Actually Do | National Security Agency Databases Open for Business | Obama Expands Surveillance Powers on His Way Out]

US – OTI Details Open-Sourced Surveillance Experiment

New America’s Open Technology Institute reveals a project it conducted this past April during the March for Science protests in Washington, D.C. The group made sensors designed to detect the presence of cell site simulators called Stingrays — technology that mimics cellphone towers in order to surveil smartphone metadata, content and location. “There is a nascent open source community coalescing around the idea of detecting cellular surveillance,” the report states. “Based on the available literature and documentation, the community has identified a number of possible identifiers that point to the presence of cell site simulators.” The project found, however, that available technology only allows for detection of 2G and 3G GSM networks. The group, together with other advocacy organizations, plans to create more advanced detection sensors and conduct further research on Stingray use. [Open Technology Institute]

Telecom / TV

CA – Rogers Transparency Report: Tower Dump Requests an Issue

Rogers has released its fourth transparency report, detailing the number of requests for customer information it received from government and law enforcement over 2016, and how many times it acquiesced to those requests. [See here] In its latest corporate responsibility report, competitor Bell refrained from citing specific numbers, while Telus’ transparency report for 2016 was included in its sustainability report, revealing a total of 65,183 requests. In its 2015 report, Rogers focused largely on the landmark R. v. Rogers Communications ‘Tower Dump’ case, which entailed a 2014 police request for all data from a single operating tower that would have led to Rogers disclosing information involving over 30,000 customers. …This year, chief privacy officer David Watt stated that ‘Tower Dump’ requests are still something the carrier is patrolling closely: “In 2016, we continued to be vigilant with these requests and pushed back against 60% of the ‘Tower Dump’ orders we received, narrowing the requests so that information was only disclosed for about 10% of the customers who were part of the original request.” In total, Rogers [says] that it received requests impacting 126,349 customers in 2016. [MobileSyrup]

US – Amazon pulls Blu smartphones following privacy concerns

After security firm Kryptowire discovered the smartphones created by Blu had software that collected users’ data and sent it to China without consent, Amazon has pulled the phones from its website. Blu said it has not committed any wrongdoing, while a company spokeswoman said Blu has “several policies in place [that] take customer privacy and security seriously.” Blu said it is in the process of review to resume sales of the phones on Amazon. “Because security and privacy of our customers [are] of the utmost importance, all Blu phone models have been made unavailable for purchase on Amazon.com until the issue is resolved,” Amazon said in a statement. [CNET]

US – Amazon to Suspend Sales of Android Blu Over Spyware Concerns

Amazon says it will suspend sales of Blu Android smartphones after a Black Hat presentation alleged that some Blu models send personal data to a company in China. Blu denies the allegations. The problem lies with a firmware updating utility called AdUps. AdUps was notified of the issue last fall, but has yet to make changes so that personal information is not sent. [Read more in threatpost.com: Amazon Halts Sale of Android Blu Phone Amid Spyware Concerns | www.scmagazine.com: Amazon suspends sales of Blu Android phones amid spyware allegations]

US Government Programs

US – DHS Partnership with Airlines for Traveler Verification Service Impacts Individual Privacy

The Department of Homeland Security provided the public with notice concerning U.S. Customs and Border Protection’s data processing activity plans in relation to the Traveler Verification Service. Privacy risks that cannot be fully mitigated include individual participation (the only way for a traveler not to be subject to biometric collection is to not travel, and U.S. federal privacy protections do not extend to non-U.S. citizens), purpose specification and use limitation (air carriers may use photos they collect consistent with their contractual relationship with travelers), and data minimization (DHS cannot limit the time that airlines retain the information collected for their own business purposes). [Department of Homeland Security – Privacy Impact Assessment Update for the Traveler Verification Services (TVS): Partner Process | Press Release | PIA update]

US – OPM CIO DeVries Criticizes GAO Cybersecurity Audit

The U.S. Office of Personnel Management Chief Information Officer David DeVries criticized an audit conducted by the Government Accountability Office. While the GAO praised the work the OPM has done following the massive data breach it suffered in 2015, it still found the agency to fall short in several areas, putting its IT assets at risk. DeVries sent a written statement to the GAO, saying the audit did not capture all the work the OPM has done since the incident. “GAO does not fully acknowledge OPM’s defense-in-depth strategy and compensation controls,” DeVries said. “OPM has applied a defense-in-depth strategy to efforts to enhance OPM’s cybersecurity posture, meaning there are many layers and aspects to OPM’s defensive strategy.” [BankInfoSecurity]

US Legislation

US – Bipartisan Lawmakers Introduce Trio of Email Privacy Overhaul Bills

The bills, introduced July 27, would take different approaches to update the decades-old Electronic Communications Privacy Act (ECPA). [See here] The 1986 law allows access to consumer emails stored more than 180 days with a subpoena or a court order. ECPA generally requires the government to obtain a warrant to access data stored for less time. Warrants must be supported by probable cause — a higher standard than needed for subpoenas or other court orders. The House passed its version of an ECPA update in February. [See H.R.387 here and here] The Senate bills are the first signs of life for the issue there this year. It’s unclear whether or when the Senate Judiciary Committee will consider any of the measures, which together signal that there isn’t agreement yet in the Senate about how to rewrite the law. The Senate measures take different approaches to updating ECPA. The Email Privacy Act (S. 1654), introduced by Sen. Mike Lee and co-sponsored by Sens. Patrick J. Leahy (D-Vt.) and six other Republican and Democratic senators, is companion legislation to the Email Privacy Act [see H.R.387 here], which passed the House in February. The Senate bill would update ECPA to require law enforcement agencies to obtain a search warrant before accessing consumer communications no matter how long they are stored. The ECPA Modernization Act (S. 1657) [see here], also introduced by Lee and co-sponsored by Leahy, includes a warrant requirement for access to consumer communications, but would also require a warrant for access to historical and real-time geolocation information, prohibit the use of communications and geolocation data obtained in violation of ECPA, and require notice within 10 days to individuals whose electronic communications were sought under a warrant. The International Communications Privacy Act (S. 1671) [see here], introduced by Sen. Orrin Hatch (R-Utah) and co-sponsored by Sens. Dean Heller (R-Nev.) and Christopher Coons (D-Del.), also contains search warrant requirement provisions for stored consumer communications. [BNA]

US – ECPA Reform Legislation Introduced

US legislators are working on a bill that would update the Electronic Communications Privacy Act of 1986 (ECPA). The new bill would require law enforcement to obtain a warrant prior to accessing stored electronic communications. The Senate’s version of the bill would also require a warrant for obtaining location data. Read more in: www.eweek.com: New U.S. Cyber-Security Legislation May Help Reassert Fourth Amendment and www.lee.senate.gov: Sens. Lee and Leahy Introduce ECPA Modernization Act

US – Revocation of Consent Under the TCPA

The basic principle of the Telephone Consumer Protection Act (TCPA) is that it seeks to prohibit a company from making “any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party.” What happens if an individual gives a company “express written consent” and later seeks to revoke that consent? Prior case law, and a 2015 Federal Communications Commission (FCC) ruling [see here], had stated that a consumer who freely gives informed consent may revoke it by “any reasonable means.” There have been various cases where the plaintiffs have successfully claimed that they revoked their initial consent and were therefore entitled to damages under the TCPA. The Second Circuit, in “Reyes v. Lincoln Automotive Financial Services, No. 16-2104-cv” [see here], however, draws a clear distinction with those rulings and comes out stating that express consent can, in certain cases, be irrevocable. The Second Circuit found that while there was sufficient evidence to support that Reyes had revoked consent, the TCPA does not allow for a party to revoke his express written consent to be contacted if that express written consent was given as part of a “bargained-for exchange” in a bilateral agreement. This is in stark contrast to prior cases in the Third [see here] and Eleventh [see here] circuits that stated that consent could in fact be revoked. [Source]

Workplace Privacy

US – Company Offering Microchip Implants for Employees

Employees of Wisconsin-based Three Square Market will have the option to have a radio-frequency identification biochip implanted into their hands for work purposes. Employees who agree to the program can use the chip to make purchases in their offices, open doors or log in to their computers. “We foresee the use of RFID technology to drive everything from making purchases in our office micro markets, opening doors, use of copy machines, logging in to our office computers, unlocking phones, sharing business cards, storing medical/health information, and used as payment at other RFID terminals,” 32M CEO Todd Westby said. “Eventually, this technology will become standardized, allowing you to use this as your passport, public transit, all purchasing opportunities.” The company is expecting more than 50 employees to undergo the procedure. [ZDNet]




08-20 July 2017


US – DHS: Don’t Want Your Face Scanned? Don’t Travel!

Last month, the Department of Homeland Security (DHS) released a privacy impact assessment for its Traveler Verification Service (TVS), a program designed to develop and expand DHS’s biometric entry-exit system for international flights. There are already pilot face scanning schemes in place at airports in six American cities: Boston, Chicago, Houston, Atlanta, New York City, and Washington, D.C. These pilot programs allow passengers and pilots to opt out. The DHS assessment explains that while you may be able to opt out of TVS scanning, government collection of your biometrics is unavoidable if you want to travel: “the only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling.” [See pg 9 here] Sadly, millions of Americans consider passing through a body scanner to be an ordinary part of air travel. It would be a shame if facial scans became as widely accepted. [CATO at Liberty Blog | U.S. plan to have citizens flying abroad submit face scans stirs privacy concerns]


CA – Significant Privacy Issues in New Child Welfare Laws: OIPC ON

Ontario’s privacy watchdog is calling for greater privacy protections in new child welfare laws which will give the Ministry of Children and Youth Services broad powers to collect, use and disclose personal information. The new privacy section of Bill 89, the Child, Youth and Family Services Act (CYFSA) [see here], will be the first time that many service providers like children’s aid societies are backed by personal privacy laws. When the new rules come into effect, they will require service providers like children’s aid societies to get consent when collecting information, and to report serious privacy breaches to the privacy commissioner’s office. However, because the Ministry is subject to the Freedom of Information and Protection of Privacy Act (FIPPA) and not these new laws, it is not under the same privacy obligations. …While there are improvements to be made, Beamish said the privacy protections in Bill 89 are a “really big step forward” for youth and families in the system. One area that the commissioner’s office is satisfied with is the right for youth to access their own files, which will come with very limited exceptions. [The Toronto Star | Ontario’s children’s aid societies grappling with how to monitor privacy breaches ]

CA – Ontario’s Children’s Aid Societies Grappling with How to Monitor Privacy Breaches

As children’s aid societies move toward a new centralized database, access to most records from across the province — and not just from within an agency — will soon become searchable to workers. While the Ontario Child Protection Information Network (CPIN) database streamlines information collecting and sharing, it can also bring the “possibility for seemingly unfettered access” to sensitive files of youth in care, said Yuan Stevens. Youth should be told in a “no-nonsense way” how their files are protected by legislation, and who has seen their file over time, she said. She said privacy risks that existed in previous systems can increase in a centralized database. [The Star]

CA – Alberta Homicide-Victim Naming Policy Could Be Ready in August

The Alberta Association of Chiefs of Police (AACP) plans to discuss their new draft policy at an executive meeting Aug. 1. By then, the province’s privacy commissioner, Jill Clayton, will have weighed in with her opinion, according to a representative from her office. Medicine Hat police Chief Andy McGrogan — head of the AACP, which represents all police services in Alberta including the RCMP and the Alberta Sheriffs — doesn’t expect much debate from the chiefs. The policy, submitted to the Office of the Privacy Commissioner at the end of June, was devised by a team that included legal representatives from the Calgary, Edmonton and Medicine Hat forces, a high-ranking member of the Royal Canadian Mounted Police and two representatives from the Solicitor General’s office, McGrogan said. Justice Minister Kathleen Ganley indicated the need for a uniform policy for naming homicide victims last spring. Currently, each police force has its own policy. [Edmonton Journal | Police policy draft on naming homicide victims now with Alberta privacy commissioner | To name or not to name? Alberta police inch closer to policy on identifying homicide victims | Alberta police chiefs try for common ground on naming homicide victims | Alberta chiefs of police to discuss homicide victim naming policies | Edmonton police chief defends policy of not releasing names of homicide victims | Edmonton police policy of not naming murder victims stands alone in Alberta | Bureaucratic secrecy erodes democratic rights | RCMP silent on Alberta murder victims citing Privacy Act]

CA – Manitoba Ombudsman Recommendations for Changes to FIPPA and PHIA

The Manitoba Ombudsman (MO) issued recommendations in response to the government’s legislative reviews of the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Act (PHIA). There should be specified circumstances for abandoning and disregarding requests for information (e.g. non-payment of fees, frivolous or vexatious, abuse of process); adverse action should not be taken against employees who complain about their employer; individuals and the Ombudsman should be notified of privacy breaches with a risk of significant harm; higher fines should be set for corporations; and willful use or access of personal information should be an offence. [Manitoba Ombudsman Releases Comments and Recommendations in Response to FIPPA and PHIA Reviews: Press Release | Review of PHIA | Review of FIPPA]

CA – Sask OIPC Report Finds Ministry of Highways Still Breaking Law

Saskatchewan’s information and privacy commissioner says over the past year-and-a-half the Ministry of Highways has violated Saskatchewan’s freedom of information law through a series of delays and unacceptable excuses. “I have no choice but to conclude that Highways is not able to manage its freedom of information process properly,” said Ron Kruzeniski, in a 22 page report released July 19. …Kruzeniski said that is unacceptable from a ministry that manages a $1.1 billion budget. “I will not accept that a ministry controlling that amount of the public purse is not properly equipped to handle its legal obligations under FOIP,” he wrote. This is the fourth critical report Kruzeniski has issued related to the ministry’s handling of CBC’s access requests. [Press Release See also: Sask. government withholds GTH info at CP’s request; privacy commissioner says release it | 3 strikes: Sask. government chastised again for handling of GTH document requests | $180K for GTH documents ‘excessive’ and ‘unreasonable,’ says commissioner | GTH should not have had $129K appraisal says Sask. information and privacy commissioner | Privacy commissioner calls for GTH land deal documents to be released; province not compelled to do so | Is the Sask. government hiding stuff behind huge info fees? | GTH won’t release land deal appraisal because it could ‘harm the reputation’ of preparer Province worried disclosure of appraisal could affect government negotiations]

CA – ‘Don’t Reuse Passwords,’ Fed Privacy Commissioner Warns

The Office of the Privacy Commissioner of Canada (OPC) is urging individuals to stop reusing passwords, and businesses to require employees reset their passwords, in order to curb a recent trend involving similar breaches. Besides not using the same password for different websites, accounts and devices, individuals and employees are also reminded to consider several best practices when selecting passwords: 1) Avoid obvious choices such as mother’s maiden name, child’s name, pet’s name or any reference someone may be able to guess through information you have posted elsewhere; 2) Make them eight or more characters; 3) Use a combination of letters, numbers and symbols; and 4) If you need to write them down to remember them, keep them offline in a secret, secure, locked place. The OPC has also prepared a new tip sheet for businesses to help them mitigate the risk of password reuse. [Office of the Privacy Commissioner of Canada]

CA – Is Big Brother Lurking Behind Ottawa’s Carrot Rewards?

Canadian citizens can get Carrot Rewards [see here & here], a government sponsored app that rewards them with points for making healthy choices. Among privacy experts, the app is coming under fire for the same reasons that China’s Sesame Points [see here] was criticized. Namely, that Carrot Rewards is just another step down the road to a gamified society where behavioral science is carefully used to manipulate the masses. The app emerged two years ago, when the federal government first funded Carrot Rewards with $5 million. Since then, the local governments of Ontario, British Columbia, and Newfoundland and Labrador have all provided further funding for the social engineering app. Ontario, the most recent government to provide funding, handed over a whopping $1.5 million. The Canadian heart and stroke foundation, Diabetes Canada, BC Healthy Living Alliance, and Sun Life (a Canadian life insurance company) are all behind the project. With local governments’ and the public health agency’s support, this certainly helps to lend the app legitimacy. For privacy experts, the problem is twofold. Firstly, the app’s ‘nanny state’ mentality – which most consider to be creepy, at best, and an outright intrusion into people’s lives, at worst – could be a slippery slope to even more invasive government controls in the future. …So, where does information gathered by the Carrot Rewards app end up? This is an important question. Unfortunately, the privacy policy leaves users in something of a gray area. [BestVPN.com | Big Brother collecting big data — and in China, it’s all for sale | What’s Your ‘Public Credit Score’? The Shanghai Government Can Tell You | China’s dystopian ‘social credit’ surveillance system could move to Canada | China’s New Tool for Social Control: A Credit Rating for Everything ]

CA – OIPC BC Issues Procedures for Resolving Access Complaints and Reviews

The BC OIPC provides guidance on its complaints processing procedures under the Freedom of Information and Protection of Privacy Act (FIPPA). The OIPC may investigate and resolve complaints of unlawful time extensions, inappropriate fees, refusal of requests without justification, or unlawful use of personal information; to determine whether an inquiry will proceed, the OIPC will consider whether a review would reasonably succeed, would be an abuse of process, is trivial, or if the matter would be better dealt with in another process. [OIPC BC – Guide to OIPC Process (FIPPA) ]

CA – Yukon Government Considers New Missing Persons Legislation

The territorial government is considering a new law that would help police find missing people more quickly. If passed, the legislation would allow investigators to apply for a court order to access someone’s personal information like their health, banking or telephone records, even if there’s no evidence of a crime. Currently, police can request a court order for someone’s private information only if there’s evidence that a crime has been committed. Not all reports of missing people come with clear evidence of a crime. In those cases police have to try other methods to get the information they need. Missing persons legislation already exists in many other Canadian jurisdictions including B.C. and Alberta. If Yukon passes its own law it would be the first of its kind in the North. Advocates in other jurisdictions have raised concerns about laws like this being misused to help find people who might not want to be found, such as someone fleeing an abusive relationship. For now the Yukon government is just consulting on the possibility of creating the law. A survey is available on the Department of Justice website and will be open until Sept. 11. [See here] [Yukon News | Yukon missing persons legislation could give police access to personal info]


CA – OPC Report Public Perception of Companies’ Privacy Practices

The Office of the Privacy Commissioner of Canada recently released a preliminary report outlining the results of a series of focus groups conducted with Canadians about privacy and the protection of personal information. [See here] According to OPC Canada – Qualitative Public Opinion Research with Canadians on Consent, Canadians are primarily concerned with identity theft, fraud/financial loss, and spam; they do not like companies selling or passing their PI to third parties without their consent, or being asked to provide a SIN or financial/banking information when not required. Canadians would like greater transparency from companies with regards to processing practices, enhanced government enforcement powers (including the power to impose financial penalties), and greater public education by the government in relation to privacy-related issues. See also review by CyberLex Blog (McCarthy Tétrault)

Data Analytics

WW – Apple Expands Bet on Cutting Edge Privacy Technology

Last year, Apple kicked off a massive experiment with new privacy technology aimed at solving an increasingly thorny problem: how to build products that understand users without snooping on their activities. Its answer is differential privacy. The problem differential privacy tries to tackle stems from the fact that modern data-analysis tools are capable of finding links between large databases. Privacy experts worry these tools could be used to identify people in otherwise anonymous data sets. Differentially private algorithms blur the data being analysed by adding a measurable amount of statistical noise. Apple is now expanding its use of differential privacy to cover its collection and analysis of web browsing and health-related data. [The Wall Street Journal] [See also: Facial Recognition, Differential Privacy, and Trade-Offs in Apple’s Latest OS Releases | Comment: Differential privacy and data collection is still not clearly defined as opt-in on iOS 10 | Apple’s New Privacy Technology May Pressure Competitors to Better Protect Our Data The technology is almost a decade-old idea that’s finally coming to fruition | Apple pollutes data about you to protect your privacy. But it might not be enough | Apple: how data harvesting is core to it addressing privacy | How Apple plans on making features smarter while balancing privacy | This is what Apple’s differential privacy means for iOS 10 | What Apple’s differential privacy means for your data and the future of machine learning | Apple promises “differential privacy” at Worldwide Developers Conference | With Apple’s Differential Privacy, Is Your Data Still Safe? | Apple’s use of ‘differential privacy’ is necessary but not new | Is Apple’s New Privacy Feature Safe? | Apple’s ‘Differential Privacy’ Is About Collecting Your Data—But Not Your Data | Apple promises to deliver AI smarts without sacrificing your privacy]


US – Privacy Group Sues White House to Stop Voter Data Collection

The Electronic Privacy Information Center (EPIC) challenged the White House July 7 in Federal court on President Donald Trump’s voting commission’s request for voter data from 50 states and the District of Columbia. U.S. District Judge Colleen Kollar-Kotelly [see here] said she would rule as quickly as possible on the request for a temporary restraining order to halt the data collection. EPIC asked the court to bar the creation of “a secret database stored in the White House” of national voter registration information, saying the move posed “staggering” privacy implications. The organization contends the electronic data collection lacked legal authorization and is the type of government system that should be subject upfront to a full privacy impact review. Washington Post. [MeriTalk] Background: Trump signed an executive order in May that established the Commission on Election Integrity, which investigates instances of potential voter fraud. The commission asked the states to turn over all publicly available voter data. The panel also requested voters’ “dates of birth, political party (if recorded in your state), last four digits of Social Security number if available, voter history (elections voted in) from 2006 onward, active/inactive status, canceled status, information regarding any felony convictions, information regarding voter registration in another state, information regarding military status, and overseas citizen information.” The commission, led by Vice President Mike Pence, gave states two weeks to comply as of June 30 and said it would share the data with the public. Arkansas is the only state so far to turn over the requested data. “There are obvious data privacy concerns. Digital security experts have called the plan a gold mine for hackers,” said Dale Ho, director of the Voting Rights Project at the American Civil Liberties Union. 
“More important, it’s obvious that the commission collecting this information is intended to sell President Trump’s lie that he ‘won’ the popular vote.” [Many States Praised For Defying Voter Data Request Aren’t Doing That At All | Did Trump’s Voting Commission Break Privacy Laws? We’ll Find Out Soon | Now 44 States Have Refused Trump Commission’s Demand For Personal Info On Voters | Privacy Rights Group Sues Trump’s Election Integrity Panel | Trump’s Voter Fraud Commission Temporarily Halts Call for Voter Rolls | More Challenges Launched Against Trump Voting Commission]

US – Two Years After Massive Breach, Audit Shows OPM Still Vulnerable

Over two years after the Office of Personnel Management (OPM) suffered a massive data breach compromising the data of over 20 million current and former federal employees and their families, there are still notable deficiencies in the way the agency handles its information systems, according to a recent audit. Though there have been improvements to OPM’s IT security programs, the report notes there were “significant problems with the authorization packages prepared during the sprint” conducted in 2016 to bring the agency’s IT systems up-to-date and that “there is still significant effort needed to stabilize the authorization program.” OPM does not fully comply with the cyber-security protocol issued by the National Institute of Standards and Technology, which all federal agencies will be required to adhere to. The audit, dated June 20, was made publicly available on July 7. [GovConWire | A new approach to federal cybersecurity, 2 years after the OPM breach | Erosion of public trust biggest long-term impact of OPM breaches, experts say | OPM looking to rebuild trust | US Government Re-Hires Firm Linked to OPM Breach | Congressional Report Slams OPM on Data Breach | U.S. personnel management hack preventable, congressional probe finds | Report details missed opportunities to stop OPM cyber breach | Lamar Smith Seeks OPM Response on Cyber Posture, Data Breaches | Lawmakers Press Agencies on Potential Foreign Nationals’ Access to OPM Data]

Electronic Records

CA – eHealth Card Numbers Shared Without ‘Legislative Authority’

In a 14-month period, eHealth sent the names, addresses, dates of birth, residency status and health card numbers of all Saskatchewan residents older than the age of 16 and inadvertently sent similar data belonging to tens of thousands of people younger than that to Elections Saskatchewan, to help the latter keep election rolls up to date. Saskatchewan’s privacy commissioner, Ron Kruzeniski, issued a report late last month [pdf here], finding that eHealth did not have legislative authority — permission in law — to release the information. The report calls on eHealth and the ministries of Health and Justice to work together on an amendment to the Health Information Protection Act to allow for information sharing. But Kruzeniski recommends a discussion of whether health card numbers need to be shared. Elections Saskatchewan and eHealth reached an agreement in August 2015 to share information about residents 16 and older. [Star Phoenix]

EU Developments

WW – Organisations and DPAs Need to Collaborate to Achieve Success: CIPL

The Centre for Information Policy Leadership (CIPL) issued a summary of a working session on the latest draft of its Smart Data Protection Discussion Paper: Feedback was provided from 60 stakeholders including senior representatives from Data Protection Authorities (DPAs); businesses; national governments; and academics. DPAs are concerned about an uncontrollable tsunami of complaints which will require immediate regulatory attention, and are starting to leverage and look for assistance from other regulatory authorities; data protection is better achieved through co-regulation and promotion of self-compliance through greater reliance on DPOs, privacy management programs, codes of conduct and certifications. [Senior Leaders Working Session on Smart Data Protection – Dublin 14th June 2017 – CIPL]

Facts & Stats

WW – Cyber Insurance Covers Less than 15% of Damages: Lloyds of London Emerging Risk Report on Cyber Insurance

A report from Lloyds of London, using two realistic examples, shows that “Only around 15% of damages would be covered in the cloud example and 7% in the vulnerability example.” Lloyds says that companies offering cybersecurity insurance should treat worldwide cyber attacks like natural disasters rather than as traditional crimes. [Lloyds of London: Insure cyberattacks like natural disasters | Counting the cost: A Lloyd’s emerging risk report]


CA – Federal Bill Amends Access to Information, Privacy Act and PIPEDA

Bill C-58 has been introduced in the House of Commons, amending the: Access to Information Act (“AIA”); Privacy Act (“PA”); and Personal Information Protection and Electronic Documents Act (“PIPEDA”). Amendments to the Access to Information Act would allow public bodies to decline requests that would unreasonably interfere with operations, are vexatious or in bad faith, or do not meet requirements. Government institutions covered under all Acts can refuse disclosure of records subject to litigation or solicitor-client privilege, or professional secrecy; the Information Commissioner can compel disclosure of government records and examine the validity of privilege claimed. [Bill C-58]

CA – Manitoba WRHA Withholds Info on Assisted Dying FoI Requests

The Winnipeg Regional Health Authority is deliberately trying to keep its assisted-dying policies out of the public eye. The province’s largest regional health authority admits the decision is motivated by a bid to shield staff and facilities from controversy surrounding the legal changes that now allow patients to seek the assistance of physicians to end their lives. In large part, the WRHA relied on section 24(a) of the Freedom of Information and Protection of Privacy Act, which allows it to withhold any information that “could reasonably be expected to threaten or harm the mental or physical health or the safety of another person.” A WRHA spokeswoman said “There are reasonable grounds for vigilance in protecting individuals and sites associated with the provision of a health service that remains highly contentious. If a site is identified as a (site for medical assistance in dying), it may reasonably be expected that this would threaten public safety or other individuals at that site.” Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association, said that defence doesn’t hold up. There are a number of legitimate reasons public information can be redacted, Gogolek said, but if the WRHA is going to cite harm to individuals or public safety, then it needs to share the reasons why. The FIPPA wording “could reasonably be expected” means their concerns can’t be hypothetical, he said, and have to actually include “some sort of credible threat.” [ Winnipeg Free Press | Ontario’s privacy commissioner calls for transparency in assisted dying | Ontario privacy watchdog criticizes secrecy about facilities that provide assisted dying ]

US – Public Access to Cop Videos Gets Support in California & New Jersey

A bill moving through the California legislature shows the right way to handle privacy concerns about police body camera footage: Require law enforcement agencies to make the case why recordings should be withheld from the public. California’s AB 748 approaches any police video or audio recording with the presumption that it is a public record, but it creates a system by which law enforcement may request to withhold access in limited situations. Here are the bill’s most important provisions: 1) Police can request a recording be exempt from release for 90 days if disclosing it would impede an active investigation; 2) Police can redact parts of a recording in cases where they might otherwise violate somebody’s privacy; 3) In a broader situation where they can’t adequately redact a private person’s identity from a recording but want to withhold it, they still have to release the recording to the person him or herself or the person’s parents (in the case of children) or other family members; and 4) Recordings involving a police officer using force or that show a violation of law or government policy will be assumed to be “a matter of public concern.” The bill also prohibits the use of biometric programs and facial recognition software to process police recordings. The bill has already passed California’s Assembly (77-0) and has moved into the Senate. It was approved by the Senate’s Public Safety Committee on Tuesday. It looks like New Jersey’s Supreme Court agrees. The court ruled unanimously Tuesday that dashboard camera recordings that document deadly use of force by police officers should be made available to the public. [See 51 pg ruling here & news here] [Hit & Run Blog (Reason)]

Health / Medical

US – ONC Plans to Lean on OCR for Privacy Support

Facing a $22 million budget cut in 2018, the Office of the National Coordinator for Health IT (ONC) is planning to defund the office that oversees privacy and instead tap a federal enforcement agency as its primary resource for privacy and security issues. During a media briefing, ONC National Coordinator Don Rucker, M.D., acknowledged that privacy and security are “at the heart of interoperability,” which senior administrators highlighted as a key focal point for the agency in the coming years. Rucker told reporters that the ONC will be working jointly with Office for Civil Rights to provide support for privacy functions. A primary focus will be helping providers get a better grasp on HIPAA regulations. On a broader level, eliminating a dedicated staff of privacy professionals could impact the agency’s ability to maintain outreach efforts. In the past, ONC’s chief privacy officer has made appearances at various national conferences as a resource for providers. As the agency shifts gears to tackle complex issues like information blocking and governance, it will have to do so without a dedicated privacy office. [FierceHealthCare]

US – Pacemaker Data is Admissible Evidence

A judge in Ohio has ruled that data obtained from a suspect’s pacemaker in an arson case is admissible as evidence in court. The suspect was charged with aggravated arson and insurance fraud. Information obtained from his pacemaker showed cardiac rhythms and heart rates inconsistent with the story he told in court. The defense attorney was disappointed with the judge’s ruling, saying that it “further expands the government’s ability to access some of our most fundamental private information.” [Court records | Judge rules pacemaker data admissible in court | Judge rules pacemaker data can be used against defendant]

UK – Health Trust Unlawfully Disclosed 1.6 Million Patients’ Medical Data

The Information Commissioner’s Office in the UK (ICO) issued an undertaking to Royal Free London NHS Foundation Trust, following allegations of disclosure and use of personal data in violation of the Data Protection Act 1998. Patient details were provided to a third-party processor by a company for clinical safety testing of a new application and platform without the following – completing a PIA, ensuring only minimal data would be processed, or informing patients that their records would be processed for the testing; the company must complete a PIA, establish a proper legal basis for disclosing the data, and hire a third party to conduct an audit of its processing arrangements. [ICO UK – Royal Free London NHS Foundation Trust – Undertaking]

US – Technologies Used to Transmit PHI Must Provide Sufficient Security

Recommendations to minimize risks under the HIPAA Privacy and Security Rule (“Rule”), when using different technologies to collect, use or disclose personal health information (PHI). Recent technologies (i.e. patient portals, email, text messaging, IoT and mobile apps) have made it easier to communicate and engage patients, however, they can increase risks of improper disclosure of PHI; evaluate technology environments before implementation and document all risks and benefits, provide clear terms of service and privacy notices, obtain patient consent for communications, and create specific policies detailing protocols for communicating PHI, incorporating the employer’s right to access, monitor and audit devices, and prohibiting texting of medical orders. [HIPAA and Emerging Technologies – Jill DeGraff, Helen R. Pfister and Randi Seigel – Manatt Phelps & Phillips LLP]

Horror Stories

US – Verizon Customer Data Exposed

Fourteen million Verizon customer records were exposed when a third-party vendor stored the information on a misconfigured Amazon S3 server. The data include names, addresses, account PINs, and other account details. Read more in:

  • theregister.co.uk: 14 MEEELLION Verizon subscribers’ details leak from crappily configured AWS S3 data store
  • scmagazine.com: 14M Verizon customer records exposed on Amazon server
  • zdnet.com: Security experts warn of account risks after Verizon customer data leak
  • cnet.com: Verizon customer data exposed in security lapse
  • darkreading.com: Verizon Suffers Cloud Data Leak Exposing Data on Millions of Customers
  • cyberscoop.com: Report: personal data of more than 14M Verizon customers is exposed in server breach

CA – NS Health Breach Affecting 337 Patients Dating Back to 2006

The Nova Scotia health authority says two separate investigations have resulted in the identification of 337 breaches of patient confidentiality. The authority said it’s in the process of contacting all 337 people. It said everyone will be contacted directly, and officials will be available to discuss the details of the breaches. The investigation found 244 breaches by three staff members. The incidents range from unauthorized access of personal medical information to poor handling of files, such as sending them to the wrong location by fax or leaving them unattended or open where they could be seen by others. The second investigation was started after a manager voiced concern about an apparent breach this past January, and resulted in the identification of 93 breaches by three individuals. The earliest unauthorized access of information found dated back to 2006. Colin Stevenson, the authority’s vice-president of quality and system performance said he doesn’t know whether there was any connection among the patients whose files were being accessed, or whether there was any particular reason. But, he said “nothing has been identified that would indicate that any information was shared. It was just accessed inappropriately.” Stevenson wouldn’t say what action is being taken against the individuals involved but that privacy breaches can result in penalties as severe as firing. [Local Xpress]

CA – Ottawa Victims of Ashley Madison Data Breach Not Eligible for U.S. Settlement

A tentative court settlement [see here] agreed to by Ashley Madison’s parent company, Toronto-based Ruby Life Inc., limits individual payouts to $3,500 US for documented, valid claims. The $11.2-million settlement deal must still be approved by the U.S. District Court in Missouri, where the class-action lawsuit was filed on behalf of 37 million (mostly male) Ashley Madison account holders. It will not affect thousands of Canadian victims, including Ottawa’s Eliot Shore, the representative plaintiff in a national class proceeding against Ruby Life Inc. Last year, Canada’s privacy commissioner investigated the data breach and issued a report that found the Ashley Madison website had “inadequate security safeguards and policies.” [See here, here, here, here & here ] It ordered Ruby Life Inc. to take measures to prevent data theft and to remove phony security awards from its website. [Ottawa Sun]

Law Enforcement

US – New York ‘Textalyzer’ Bill Threatens Privacy Under the Guise of Safety

In an effort to crack down on distracted driving, lawmakers in several states are looking to pass legislation that would allow police to use a new device that can determine if a driver was using their cell phone behind the wheel. While the intentions are benevolent, the potential for abuse with the “Textalyzer” is startling. The device has not been approved for use by law enforcement yet. But it would involve police plugging the device into a driver’s cell phone at an accident scene to scan phone data, which would give police exact times of phone use. It can tell police if a motorist opened any apps, sent any texts, and received or made phone calls. If police determine that the driver was doing any of these things, they would be able to go after them for distracted driving. Those who support the Textalyzer, such as New Yorker Ben Lieberman who has advocated for policies to prevent texting and driving since his son was killed by a distracted driver, argue the device is essential in the fight against dangerous behavior behind the wheel. They counter privacy claims from opponents by saying the device can simply detect “swiping and typing,” not the content of a person’s conversations. The ACLU and EFF have rightfully pointed out that the Textalyzer might be yet another way for government agents to spy on their citizens. …The New York bill would treat Textalyzers much in the same way as breathalyzers. Failure to submit to one would carry stiff punishments, including the revocation of a motorist’s license or learner’s permit and substantial fines. These punishments can stick whether the driver is found guilty or not. [Observer | NY Lawmakers Consider Adding a ‘Textalyzer’ to Accident Investigations ]

US – ACLU Seeks Information About Albuquerque Police Stingray Use

The American Civil Liberties Union (ACLU) is suing the city of Albuquerque, New Mexico, seeking information about the Albuquerque Police Department’s use of cell site simulators, also known as Stingrays. The ACLU of New Mexico executive director says that Stingrays “are incredibly invasive and the government isn’t being transparent about how they’re being used.” Read more in: www.scmagazine.com: ACLU New Mexico sues Albuquerque PD for info on StingRay use | arstechnica.com: Albuquerque police refuse to say if they have stingrays, so ACLU sues

Privacy (US)

US – Judge Denies DOJ Effort to Halt Twitter Lawsuit over National Security Orders

Twitter argued that, just as it has been precise in other areas of its transparency report, so too should it be allowed to say precisely how many national security orders it has received from American authorities. For now, under federal law, it is only allowed to describe those numbers in vague ranges, such as “0 to 499,” and “500 to 999,” and so forth. Lawyers for Twitter say that this law constitutes a violation of the company’s First Amendment rights and is “prior restraint,” a concept of blocking legitimate speech before it is uttered. Attorneys from the Department of Justice claimed in a hearing in federal court in Oakland, California, earlier this year that if Twitter is allowed to specifically say how many national security orders it has received, potential adversaries could somehow use that number to inflict harm. But the judge didn’t buy it. [see here] “The Government has not presented evidence, beyond a generalized explanation, to demonstrate that disclosure of the information in the Draft Transparency Report would present such a grave and serious threat of damage to national security as to meet the applicable strict scrutiny standard,” US District Judge Yvonne Gonzalez Rogers wrote in a 21-page order. She continued: “The Government has not sufficiently explained how a restriction on reporting, beyond the bands in section 1874, could be characterized as narrowly tailored to prevent a national security risk of sufficient gravity to justify the restraint, either in general or with respect to Twitter specifically.” [Ars Technica | See also: Facebook fights gag prohibiting it from alerting users to search warrants | Requests for data rise sharply under secretive U.S. surveillance orders | Twitter reveals FBI national security requests that may have infringed on legal guidelines | Did FBI overstep its bounds in requesting information from Twitter? | FBI request for Twitter account data may have overstepped legal guidelines | US fights Microsoft’s bid to tell users when feds take data | Microsoft, feds face off in court over customer privacy | Cloudflare’s In-House Lawyers Open Up About Privacy Fight With FBI | Progressive Phone Company Discloses Legal Battle Over FBI’s National Security Letters | Google Publishes Eight Secret FBI Requests | What Happens When My Company Receives a National Security Letter? A Primer | Freed From Gag Order, Google Reveals It Received Secret FBI Subpoena | Senate Intelligence Committee Expands FBI NSL Powers With Secret Amendment To Secret Intelligence Bill]

US – Appeals Court: Gag Orders Do Not Violate First Amendment

A US federal appeals court has ruled that the gag orders accompanying national security letters (NSLs) do not violate the First Amendment. The ruling comes in a case brought by Cloudflare and Credo Mobile, which between the two companies received five NSLs between 2011 and 2013. Their lawsuit maintained that they had a First Amendment right to notify their customers. In 2013, a district judge initially ruled that the letters were unconstitutional, but later stayed and then reversed her decision after legislators added civil liberties protections. [thehill.com: Federal court rejects challenge to national security data requests]

US – Customs and Border Protection Cannot Search Travelers’ Cloud Data

While US Customs and Border Protection (CBP) does have the authority to search travelers’ mobile devices without their consent and often without a warrant, that authority does not extend to travelers’ data stored in the cloud. The CBP acknowledged the limitation in response to a letter from Senator Ron Wyden (D-Oregon). Their authority is limited to “information that is physically resident on an electronic device transported by an international traveler.” [US Border Patrol says it won’t search travelers’ cloud data | Border Patrol Says It’s Barred From Searching Cloud Data on Phones | Wyden Letter (PDF)]

US – Adoptees’ Bid for Birth Records Access Stirs Debate Across Country

Today, just nine states give adoptees unrestricted access to birth records. Others provide limited access. And there’s no systematic access at all in about 20 states, including the four most populous — California, Texas, Florida and New York. The issue remains highly contentious. Some opponents of full access argue that making birth certificates available on demand would violate birth mothers’ privacy and induce some pregnant women to opt for abortion rather than adoption. Adoptee-rights activists, while calling those arguments groundless, have divisions in their own ranks. Some are willing to consider compromise bills that provide limited access; others say it’s wrong to accept anything other than unrestricted access equal to what’s available for non-adopted people. One striking aspect of the debate is how it doesn’t reflect the Republican-Democrat, liberal-conservative divide that pervades U.S. politics. Here’s a look at those struggles. [AP via U.S. News & World Report]

Privacy Enhancing Technologies (PETs)

WW – Free “Somewhat-Homomorphic Encryption” to Help Limit Data Sharing

A new approach to limit how much of your data you need to share is being offered to companies for free. It’s stunning how much data is unnecessarily shared with cloud providers and others. There are two reasons for this. First, the time and effort needed to remove data that the third party doesn’t truly need from the data that is needed can make the ROI seem unattractive …The second reason is more practical: technological limitations. Researchers at the Swiss Federal Institute of Technology (EPFL) in Lausanne may have come up with a way to deal with both issues. Their approach limits what data is shared and uses an encryption approach that allows data to be crunched while still encrypted. The approach they are proposing is designed to deal with a very limited issue: privacy and security issues involving ride-sharing services …But its creators see the approach applying to a wide range of cloud, big data and other third-party services that enterprises deal with every day — when they are typically sharing far more information than they need and want to. The approach, detailed in this paper, involves Somewhat-Homomorphic Encryption (SHE). (Note: Stanford University has published a short description of SHE.) Still, even for its intended ride-hailing approach, their system has its drawbacks, the paper said. Those drawbacks, though, seem limited to a car-sharing service. It wouldn’t likely have much of an impact on typical big data outsourced enterprise efforts. [Computerworld | The Trend Towards Blockchain Privacy: Zero Knowledge Proofs | Researchers crack homomorphic encryption | Homomorphic Encryption and Smart Contracts for Privacy and Transparency | Banks looking at Enigma to bring perfect secrecy to blockchains | The Man Who Wants To Encrypt Everything]


WW – Data Breaches and Cybersecurity Now Top C-Suite Concerns

The 2017 Views from the C-Suite survey of global executives finds that, of all the myriad challenges facing businesses worldwide, executives are most concerned about cybersecurity. An overwhelming 85% said they believe that cyberattacks will become more frequent and costly over the next 12 months. Almost half (up from 40% last year) of the executives surveyed cite cybersecurity as one of the top challenges to their business operations in the next 12 months. Their biggest focus is on weak cyber defenses, both in terms of hardware and software, and they have good reason to be concerned. Executives are also focused on the people who manage technology, in addition to the technology itself. Specifically, global executives point to recruiting and retaining qualified IT talent as a major problem. [Information Management | Cybersecurity spending outlook: $1 trillion from 2017 to 2021]

US – NIST Issues Verification and Test Methods for Access Control Policies and Models

The National Institute of Standards and Technology (“NIST”) provides draft guidance on verification and test methods for access control (“AC”) policies and models. The report reviews methods for the verification of access control models and the testing of model implementations, defines standardized structures for access control models, and discusses an efficient way of generating test cases for the implementation of a model and detecting rule faults in access controls. [NIST – Special Publication 800-192 – Verification and Test Methods for Access Control Policies/Models]

WW – Google Android Panic Button Feature

Google appears to be testing a panic button option in Android 7.1 that will let users shut down apps they believe to be malicious. If a user quickly pushes the back button four times in a row, all open apps will close and the home screen will be displayed. The option is currently disabled. [www.bleepingcomputer.com]


WW – China and Russia Ban VPNs

Legislators in Russia and China are banning the use of virtual private networks (VPNs) in their countries. Russia’s State Duma also adopted the first reading of legislation that would ban the use of anonymizing networks like Tor if they do not block access to a list of websites determined by the government. [Russia, China vow to kill off VPNs, Tor browser]

US – Amazon, WhatsApp & US Telcos Failing on Privacy: EFF Report

Amazon and WhatsApp, along with the big four US telcos, have ranked as the worst tech companies for protecting user privacy. That’s according to a new report from the Electronic Frontier Foundation (EFF), entitled ‘Who Has Your Back?’ The report evaluated 26 tech companies on how well they protected their users from government surveillance. The EFF used five main criteria in reaching its conclusions, awarding a star for each. Those criteria were: if they followed industry best practices for privacy; if they informed users when the government requested their data; if they promised not to sell users’ data; if they stood up to gag orders; and if they supported reform of the National Security Agency’s Section 702 surveillance program. For users of Amazon and WhatsApp, the report is clearly hugely worrying and many will inevitably be considering taking additional steps to protect their online privacy when using those services in future. And as the report highlights, pretty much every internet user in the USA connects through one of the big-four telcos and none of those can be trusted to protect you from online government surveillance even slightly. This is one of many reasons why it is highly advisable for all US internet users to take additional steps to protect themselves online. [VPNCompare | This scorecard shows which tech companies protect user data from the government (and which don’t)]

Telecom / TV

US – Single Robocall at No Charge to Recipient Is Injury: 3d Cir.

A single robocall that resulted in no fee to the recipient is sufficient injury to support a Telephone Consumer Protection Act lawsuit, a federal appeals court held July 10 (Susinno v. Work Out World, Inc., 2017 BL 236450, 3d Cir., No. 16-3277, 7/10/17). If phone calls not charged to the recipient weren’t covered by the TCPA’s general prohibition against unwanted telemarketing, “there would have been no need for Congress to grant the FCC discretion to exempt some of those calls,” the U.S. Court of Appeals for the Third Circuit ruled. The appeals court also rejected defendant membership gym Work Out World Inc.’s argument that plaintiff Noreen Susinno didn’t suffer a sufficiently concrete injury to file a class action suit. Under the U.S. Supreme Court’s 2016 decision in Spokeo Inc. v. Robins, Susinno has “alleged a concrete, albeit intangible, harm,” Judge Thomas Hardiman said. [Bloomberg BNA | FTC Throws Support Behind FCC’s Proposed Anti-Robocall Rule | Scammer who made 96 million robocalls should pay $120M fine, FCC says | FCC imposes largest-ever fine to robocall network | FCC is voting to end robocalls, the ‘scourge of civilization’ | Robocall crackdown tops agenda for FCC March meeting | FCC Confirms: Entire U.S. Government Allowed To Place Annoying Robocalls | Entire federal government exempt from robocall laws, FCC rules | Why companies can’t spam you with robo-calls, but the government can | FCC: Government Exempt From Robocall Consent ]

US Legislation

US – Lawmakers to Spar Over Sunsetting Section 702

Surveillance programs deemed by supporters as the “crown jewels” of the intelligence community rely on a U.S. law that expires in December. Section 702 of the Foreign Intelligence Surveillance Act authorizes the National Security Agency to run warrantless foreign-surveillance programs like Prism and Upstream. Defenders of Section 702 surveillance have called the law essential to keeping the United States safe from terrorist attacks. But privacy advocates in Congress are threatening to oppose reauthorization without major reform. The debate about Section 702 is “far from over,” says a legislative counsel with the American Civil Liberties Union. “An effort to sort of ram through some sort of straight reauthorization that doesn’t address some of the core concerns about the program, I suspect, is going to face a lot of resistance.” Critics see several problems with the existing Section 702 programs: 1) No court warrant; 2) Incidental collection; 3) Searches of U.S. communications; 4) Number of U.S. residents affected is unknown; 5) “About” collection; and 6) Widespread foreign surveillance. [The Parallax | No Surveillance Reform in Defense Policy Bill | Trump backs permanent snooping powers he once criticized as abusive | White House, intel chiefs want to make digital spying law permanent | Tech companies urge Congress to amend NSA spying laws | Fight Brews Over Push to Shield Americans in Warrantless Surveillance | The Real Surveillance Problem | Companies Can’t Hide From U.S. Surveillance Renewal Debate ]

US – Connecticut Bill Prohibits Searches of Students’ Personal Devices

Raised Bill No. 77154, An Act Concerning Students’ Right to Privacy in their Personal Mobile Electronics Devices, has passed the Connecticut House and been introduced in the Senate. If passed, the Act would be effective July 1, 2017. School employees cannot take custody of, or compel students to provide access to, their devices unless the device is on school property, and there is a reasonable suspicion it contains evidence of a policy violation, or there is risk of injury to students; students, parents and/or guardians must be notified of searches within 24 hours (including what data was accessed). [Raised Bill No. 7154 – An Act Concerning Students Right to Privacy in Their Personal Mobile Electronics Devices – State of Connecticut]

US – Pennsylvania Bill Provides Student Data Privacy and Protection

House Bill 1345, An Act Providing for Student Data Privacy and Protection (Act), was introduced in the Pennsylvania Legislature:  The bill was referred to the Committee on Education. If passed, the Secretary of Education must designate an individual to serve as the Chief Data Privacy Officer with primary responsibility for student data privacy and security policies; educational entities may not disclose student data unless authorized in writing by the student or parent, authorized by law, or as determined necessary in an imminent health or safety emergency. [House Bill 1345 – An Act Providing For Student Data Privacy and Protection – Legislature of Pennsylvania] See also: Who is Considered A Parent For Purposes of Accessing School Records – Melinda Kaufmann, Pullman and Comley LLC. A Court Order May Revoke Parents’ Right to Access Records – a review of the definition of “parent” under the Family Educational Rights and Privacy Act (FERPA).

US – New Hampshire Bill Restricts Sharing of Student Data

House Bill 396, An Act Relative to Student Assessment Data Privacy, has been introduced and referred to the Committee on Education: If passed, the Act would take effect 60 days after passage. Student and family PII cannot be provided to the federal government or for-profit corporations, including religion, psychometric data, criminal records, social security numbers, health data, and voting history; aggregated student performance data can be shared outside the district only if privacy can be guaranteed. [HB0396 – An Act Relative to Student Assessment Data Privacy – State of New Hampshire]

US – Wisconsin Bill Permits Use of Body-Worn Cameras by Law Enforcement

Senate Bill 279, An Act Relating to Body Cameras on Law Enforcement Officers (“Act”), was introduced in the Legislature of Wisconsin:  The bill has been referred to the Senate Judiciary and Public Safety Committee; and similarly, Assembly Bill 351 was introduced in the House of Representatives and referred to the Committee on Criminal Justice and Public Safety. If passed, law enforcement agencies must establish policies regarding the use, maintenance and storage of the camera and data recorded by the camera, and limitations the agency imposes on which officers may wear a camera and situations that may be recorded; data obtained from the camera should be retained for a minimum of 120 days after the date of recording. [Senate Bill 279 – An Act Relating to Body Cameras on Law Enforcement Officers – Legislature of Wisconsin]

Workplace Privacy

EU – 29WP to Bosses, No Looking at Workers’ Facebook Profiles

Bosses should not snoop on employees’ Facebook and Twitter profiles even if their accounts are publicly available, regulators have said. The heads of Europe’s top data protection authorities said that “in-employment screening of employees’ social media profiles should not take place on a generalised basis”. Employees and applicants should also not be forced into accepting friend requests from their bosses or handing over their passwords. The declaration was made in updated guidance from the Article 29 Working Party [also see here]. Since social media has become widely-used, concerns have grown that posts about employees’ personal lives are influencing their job prospects. Workers have been fired for posting inappropriate Facebook status updates, and job applications have been rejected. Last year, the European Court of Human Rights said that bosses are allowed to monitor employees’ emails. It adds that job applicants should not have their profiles summarily checked as part of the screening process, saying “employers should not assume that merely because an individual’s social media profile is publicly available they are then allowed to process the data.” The guidelines add that employers should not track their workers’ devices or the internet traffic from them, even if they have consent from the employee. [The Telegraph | A29 Working Party Opinion on Data Processing at Work | EU Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work]


10 June – 07 July 2017


CA – Spies, Cops & Border Agents Coordinating on Biometrics

For over a year, Canadian military, intelligence, police, and border agencies have been meeting to develop and coordinate their biometric capabilities, which use biological markers like facial recognition and iris scanning to identify individuals. This initiative—details of which were revealed in documents obtained through an access to information request—shows that the Canadian government is reigniting its focus on biometrics after a similar attempt a decade ago fizzled out. According to these documents, which include emails, meeting agendas, and briefing reports, the meetings are an effort to coordinate the critical mass of biometrics programs that exist across many government agencies, particularly those relating to national security. The Canadian effort is “informal,” spokespeople emphasized, and it hasn’t been promoted by the government except for four tweets from Defence Research and Development Canada (DRDC), the department that spearheaded the initiative. The Canadian Security Intelligence Service, the Royal Canadian Mounted Police, the Canadian Armed Forces, as well as the country’s border and immigration agencies are all participants in the “Government of Canada Biometrics Community of Practice” (CoP), which had its first meeting in March of 2016. RCMP documents showed the force was seeking to upgrade its fingerprint database with biometric facial recognition technology in order to keep pace with US law enforcement. Police documents stated that the force had “no authority” in Canada to use biometrics like facial and iris recognition, however, and the police have no specific plans to implement the technology. [Motherboard]

WW – UN Pushing Biometric-Based Digital ID for Every Person on Earth

At the summit [see here], tech companies like Microsoft and Accenture and humanitarian groups including the World Food Programme and the UN Refugee Agency want to create a digital identification for every person on the planet, one that’s tied to their fingerprints, birth date, medical records, education, travel, bank accounts and more. Accenture demonstrated a working prototype that would provide a person’s information through an app. In the absence of a personal device, that person could still be recognized through fingerprints or iris scans, as long as that information was in the database. It’s a scary thought to put all your personal information — including your medical records and banking information — in a single app, but experts at the summit believe that blockchain technology, a way of using databases to encrypt data that’s also used for bitcoin, can protect users. In 2009, India launched Aadhaar, a digital ID program in which citizens voluntarily enroll name, birth date, gender, address, phone number, email, 10 fingerprints, two eye scans and photo. In exchange, they can use the digital ID to sign documents online, apply for credit and jobs, go to hospitals and exchange money, among other features. While a government official told the Supreme Court in India that Aadhaar was “the most foolproof method that has evolved,” the Centre for Internet and Society discovered that 130 million people had their information leaked from four government websites. [CNET]

WW – Using Mouse Movements, AI Software Accurately Spots Online Lying

A surprising new method for catching out online fraudsters has been uncovered by researchers studying computer mouse movements. Cognitive scientists from Italy have created AI software that can spot when a person is lying thanks to changes in the way they move their onscreen pointer, with 95% accuracy. [See here] The researchers found that fake answers produced a different style of movement to people who were answering truthfully, particularly in these unexpected questions. The researchers said: “While truth-tellers respond automatically to unexpected questions, liars have to ‘build’ and verify their responses. This lack of automaticity is reflected in the mouse movements used to record the responses as well as in the number of errors.” [Daily Mail]

Big Data / Analytics

WW – Data Quality, Staffing Issues Still Plague Data Analytics Efforts

A new study [see here and here] by Forbes and Dun & Bradstreet says that the majority of organizations lack tools and investment necessary for analytics usage in business. Indeed, 59% of organizations surveyed for the study reveal they are not using predictive models or advanced analytics. The study surveyed more than 300 senior executives in North America, Britain, and Ireland for the report. Its findings reveal that if analytics efforts are to provide the expected return on investment, corporate leadership needs to invest in the people, processes and technologies that empower decision support and automation. A general lack of skills is also hampering the success of many firms when dealing with analytics, as 27% cited skills gaps as a road block to their data and analytics efforts. Illustrating this lack of skills in-house, 55% of those surveyed reported that third-party analytics partners produced better work than analytics work done internally. [Information Management]


CA – OPC Recommends Amending Bill C-23 to Ensure Border Privacy Rights

The Office of the Privacy Commissioner of Canada sent letters to the Standing Committee on Public Safety and National Security regarding Bill C-23, An Act respecting the preclearance of persons and goods in Canada and the United States. The Bill should place border searches of electronic devices on the same footing as searches of persons (e.g., pat-down, strip and body cavity searches) which require reasonable grounds to search; electronic devices should not be considered as mere goods subject to border searches without legal grounds. [OPC Canada – Follow-up Letter to the Standing Committee on Public Safety and National Security Regarding Bill C-23, An Act respecting the preclearance of persons and goods in Canada and the United States | First Letter | CP via National News Watch: National Security Bill Aims at Some Border Agency Oversight]

CA – OPCC Investigation & Clarifying Border Search Rights for Lawyers

The recent launch of an investigation by the Office of the Privacy Commissioner of Canada into the Canadian Border Services Agency’s practices [see here and here and here] will help clarify how far mobile device inspections can go at the border, says Shaun Brown, a partner at nNovation LLP. He hopes the investigation will provide guidance to Canadians, including lawyers, about what their rights are during searches. Lawyers who practise in the area expect the matter to end up before a judge in the near future. Regardless of the country in which he’s pulled over, David Fraser, the Halifax-based privacy lawyer, says he will explain to the authorities that he simply can’t unlock his devices or provide any passwords because of the possibility that they contain solicitor-client privileged information. “Solicitor-client privilege has been held sacrosanct, with only a couple of exceptions. Those are extremely narrow, and none of them are impacted at the border,” Fraser says. In any case, “it’s not the lawyer’s privilege to waive; it’s the client’s. In my view, that trumps virtually any other right of access to that sort of information,” he adds. BC Law Society president Herman Van Ommen remains concerned by the situation. In a letter [see here and here] to the federal ministers of justice and public safety, he claimed demands for passwords to devices that could be expected to contain privileged information would violate Canada’s Customs Act. Arguing that a lawyer’s electronic device constitutes a “law office” for the purposes of a search, Van Ommen suggested a simple solution: “We therefore seek your assurance that border service agents will not seek to obtain passwords from lawyers to their electronic devices when crossing the border into Canada. If such a request is made and a lawyer refuses it, we seek your assurance that border agents will not confiscate the electronic device or otherwise detain the lawyer. By refusing access to the password, the lawyer is only discharging his or her professional obligations as required by the various codes of professional conduct across the country.” [Law Times] See also: The BC Civil Liberties Association issued a report outlining its proposals for civilian oversight and review of the agency. [See BCCLA PR here & 56 pg PDF here]

CA – Trudeau Government Peels Back Bill C-51 — Mostly

Bill C-59 [see here] was tabled by Public Safety Minister Ralph Goodale, and makes wide-ranging changes to Canada’s national security framework — adding significant and expansive new oversight for intelligence collection and surveillance; putting new limits on government surveillance; and codifying the powers of Canada’s signals intelligence service. The most significant change to the bill will create new powers that will allow the Canadian Security Intelligence Service (CSIS) to analyze and exploit datasets with information obtained on Canadians and foreign citizens. The new law will give clear directions for how CSIS can use advanced technology to analyze data, without worrying so much about the courts. Under this law CSIS has the authority to analyze and decrypt intelligence they’ve obtained through a warrant or collected from open sources — which could include “phonebook” information, but also social media profiles and information available online. This regime is subject to approval from within CSIS, by an independent intelligence commissioner, and by the courts. This new power is likely a boon for the Operational Data Analysis Centre [see here], which can pore through huge sums of intelligence to try and establish links or connections. While CSIS will have some updated powers to process its raw intelligence, much of C-59 will actually walk back powers given to it under C-51, introduced by the previous Harper government — which has become a scourge amongst privacy advocates and lawyers. Here’s what the bill does to the powers laid out in C-51. [vice.com]

CA – A Report Card on the National Security Bill

Bill C-59 [see companion Charter Statement here] is the government’s massive reform of Canada’s national security law. It is the biggest reform in this area since 1984, and the creation of the Canadian Security Intelligence Service (CSIS). It is a big deal: 150 pages. We have been poring through it, contrasting its features against the views we expressed in our 2015 book, False Security, which addressed the Stephen Harper government’s controversial Bill C-51 [see here & here]. We have not finished reviewing it yet, but we want to make observations and raise questions and issues in the hope of galvanizing discussion and commentary. Where we misstate, overstate or err, we appreciate feedback. So, this is a mid-term assessment, not the final grade. Our key takeaway based on close second and third readings of C-59 is there is much to like. There are, however, a few bugs in C-59, but they appear to be bugs, not features. Hopefully they can be corrected. There are also some omissions – new roles for special advocates, for instance, and intelligence to evidence. And the information-sharing law will rightly remain controversial. Not everyone will agree with the tradeoffs and compromises in the Bill. [Policy Options | VICE News: Everything We Could Find Out About CSIS’s Secret Spy Database]

CA – Supreme Court of Canada Clears Way for Facebook Class Action to Be Heard in B.C.

Facebook Inc. must defend against a class action lawsuit that it violated user privacy in B.C. court, not California, despite laying the groundwork for handling litigation in its home state in its user agreement. That’s effectively what the Supreme Court of Canada ruled on Friday in a 4-3 decision in favour of Deborah Douez in her legal fight against the social network. [See here & here] Douez originally took action against Facebook regarding a breach of the B.C. Privacy Act, saying that Facebook’s use of her name and likeness in a “Sponsored Story” ad was done without her consent. Whether there was a violation of privacy or not hasn’t been considered by a court yet. Facebook’s Terms of Use includes a forum selection clause (also called a “choice of law” clause) that requires all disputes against it be filed in California courts only. Douez and her lawyers argued against that, saying the Privacy Act requires that the B.C. Supreme Court must hear court cases related to the provincial Privacy Act. [IT World Canada]

CA – Importing EU-Style RTBF Criteria into Canada Would Likely Prove Unconstitutional: Opinion

An analysis of whether the right to be forgotten (RTBF) would be legal in Canada. Canadian courts would likely find that the RTBF infringes on the right to freedom of expression; private corporations should not have to enforce the RTBF (they have an incentive to grant requests to reduce costs and avoid fines), the right would extend to personal information that is not intrinsically private (e.g. public activities), and authors, webmasters and members of the public would have no way to intervene to show that information requested for delisting is adequate and relevant. [Droit à l’oubli: Canadian Perspective on the Global ‘Right to be Forgotten’ Debate – Eloise Gratton and Jules Polonetsky]

CA – Landmark Legal Case: Canadian Precedent has International Implications

The case against Facebook was brought by Deborah Douez of British Columbia. She had clicked “like” on Facebook to a particular service, and then found that without her knowledge or permission, Facebook was distributing her “like” to all her Facebook friends implying that she endorses that company. She later tried to sue Facebook in British Columbia for violating her privacy. Facebook challenged and the case made it to the provincial Supreme Court where it was accepted as a “class action” lawsuit. Douez won initially; Facebook appealed and won its argument on the basis of its “forum selection/choice of law” clause stated in its terms of use policy. Facebook head office is in California, and the “forum” clause says any lawsuits against it would have to be filed in the jurisdiction of California under California law (its “forum”) and so the suit could not be heard in British Columbia. This “forum selection clause” was then appealed to the Supreme Court of Canada which ruled [see here] in a split decision that in fact Facebook’s “forum selection clause” in its terms of use was unenforceable and that the case against Facebook could indeed proceed in Canada, in this case British Columbia. Professor Jeremy De Beer, a professor of law at the Centre for Law Technology and Society (CLTS) at the University of Ottawa and a member of the team which appeared as intervenors in the case at the Supreme Court of Canada, says this is a landmark and major judgement which could affect all multi-nationals, in that the same reasoning in this case could apply to all manner of other companies selling or providing services to Canadians. Professor De Beer notes that there may well be implications not just for online sites, but that this ruling potentially also may be used for international offline companies. Additionally, the SCC ruling may be studied and used by other international jurisdictions in decisions in those countries. [RCI.net]

CA – Manitoba Ombudsman’s Comments for FIPPA and PHIA Review

Manitoba’s ombudsman is recommending improved public access to government information, including provincial cabinet documents. [see here] Charlene Paquin said consideration should be given to whether it is in the public’s interest for some government information now routinely kept under wraps to be disclosed. Earlier this year, the Manitoba government led by Premier Brian Pallister launched a formal review of both the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Act (PHIA). Neither has been reviewed since 2004. Paquin further recommended any cabinet document be released within a period of 15 years, as opposed to the current 20 years. She also proposed, under FIPPA and PHIA, the ombudsman be called the “information and privacy commissioner,” as it is in other provinces, to better reflect the office’s role in these areas. (The job would retain the ombudsman title in its oversight role in the delivery of other public services.) PHIA should be amended to make it mandatory for health bodies to notify individuals of a privacy breach that may result “in a real risk of significant harm,” Paquin said. Paquin said her office is not so concerned about minor breaches, such as a fax or email being sent to the wrong person. “We don’t feel that we need those to always be reported to us unless they have significant risk of harm.” [Winnipeg Free Press]

CA – NS OIPC Report, Access & Privacy Law ‘No Longer Up to Task’

Commissioner Catherine Tully released her annual report. [See 2 pg pdf PR here, 40 pg pdf Report here & 90 pg pdf Companion Report here] It shows the result of a failure by successive governments to follow recommendations from Tully and her predecessors: A system no longer in step with modern society and not doing enough to work in the interest of the public. Tully notes the Freedom of Information and Protection of Privacy Act has not been significantly updated since it was introduced in 1993. Given the advancements in the way personal information is collected, stored and used, Tully says that’s a problem. “Nova Scotia’s privacy laws lack virtually all of the essential modern privacy protections found in other Canadian jurisdictions,” she writes. “Without fundamental privacy protections, databases of citizen information are not adequately protected for the 21st century.” [CBC News]

CA – NS OIPC Calls for Mandatory Breach Notification

Nova Scotia privacy czar calls for mandatory breach notification. It was one of 34 recommendations Catherine Tully made in her annual report to update the provincial Freedom of Information and Protection of Privacy Act (FOIPOP). The breach notification requirements would essentially mirror the upcoming changes to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) covering federally regulated organizations. [See here] Nova Scotia organizations would be required to keep a record of all data breaches with specified details available to the provincial commissioner upon request, Tully said. She also recommended the breach notification to potential victims should include details about the cause of the breach, a list of the type of data lost or stolen, an explanation of the risks of harm affected individuals may experience as a result of the breach, and information about the right to complain to the provincial commissioner. Finally, she said the province should authorize the commissioner to order notification to an individual affected by a breach. [See also: Gowlings: Overview of Data Breach Reporting Obligations, Class Actions and Breach Management in Canada]

CA – SK OIPC Tables Annual Report

In his annual report [see here], commissioner Ron Kruzeniski outlines nine areas of concern, including security breaches from inside workplaces, hacking from outside, as well as how government employees store emails and use smartphones. Kruzeniski said one worrisome type of employee conduct is when a worker clicks on an attachment or a link in an email that could let in a hacker. “I have no doubt that we will have to spend a lot more time and energy collectively as a society protecting ourselves against this,” he said. Kruzeniski said he doesn’t think the risk can be eliminated, but it must be reduced. Kruzeniski also raised concerns about privacy breaches on mobile devices. [CP via Metro Toronto]

CA – SK OIPC Report Critical of Premier Wall’s Private Email Server

Saskatchewan’s opposition NDP is renewing calls for an investigation into Premier Brad Wall’s use of a private email server. A new report [see here] from Saskatchewan’s Information and Privacy Commissioner Ron Kruzeniski encourages government leaders to use government email systems provided by the Ministry of Central Services. Wall’s use of private emails came to the fore in May, when the NDP requested documents relating to a 2016 trip he had taken to Texas. The premier’s office responded to the access to information request by releasing a portion, but not all, of the documentation requested. The IPC wrote, “Questions about security and records management arise if and when government leaders or employees use non-government email accounts to do government-related activities.” The Interim NDP leader says the report “really exposes the premier for hiding this from Saskatchewan people, and of course it also exposes the fact they were hiding the domain name, hiding the fact they were using this private political server housed at their party office. The question is why are they hiding that? Why are they housing this information inappropriately over at their party office?” He is renewing calls he made in May to have the matter of Wall’s private email use fully investigated by Kruzeniski’s office. [LeaderPost]

CA – OIPC SK May Compel Production of Privileged Documents in Certain Circumstances: Court

The Court considered an application by the OIPC SK to compel the University of Saskatchewan to disclose records sought by the OIPC SK pursuant to The Local Authority Freedom of Information and Protection of Privacy Act. The OIPC is not required under the municipal FOI law to demand such production, but if a detailed affidavit is insufficient to determine whether the statutory privilege exemption from disclosure applies, the OIPC may demand the actual document for examination (but it cannot release it to an applicant seeking review); the Court rejected the argument that an applicant should be required to appeal to a Court to review the documents. [OIPC SK v. The University of Saskatchewan – 2017 SKQB 140 – Queen’s Bench for Saskatchewan]

CA – Manitoba Whistleblower Sues Health Authority and Lawyers

A whistleblower who sounded the alarm about financial mismanagement, nepotism and fraud at a West St. Paul personal care home is suing the Winnipeg Regional Health Authority and three lawyers after the person’s identity was allegedly revealed in court documents. The whistleblower, known as “Jean Doe” in a statement of claim filed in Manitoba’s Court of Queen’s Bench, is suing for an undisclosed amount of money for mental distress, psychiatric illness, depression, embarrassment and fear for their safety. Doe is a former employee of the Middlechurch Home of Winnipeg, located just north of Winnipeg in West St. Paul. The lawsuit alleges the WRHA’s lawyers failed to expunge information from documents that identified the whistleblower and that Rod Roy, a lawyer for Laurie Kuivenhoven, the home’s then executive director, didn’t take measures to protect Doe’s privacy. It also alleges Roy intentionally intruded on the whistleblower’s privacy in a way that would be “highly offensive to a reasonable person,” by reading the 2015 affidavit documents. [CBC]

CA – PEI Health Information Act Goes Live July 1

The P.E.I. government is hoping to strengthen protection from unauthorized “snooping” into private healthcare information records with new legislation coming into effect on July 1. Karen Rose, P.E.I.’s Information and Privacy Commissioner, said on CBC News: Compass that the “Health Information Act” will encourage people to provide all of their relevant personal health information on the grounds that it remains private. Otherwise, the concern is that people may be reluctant to provide full health information. Rose said the legislation helps protect private healthcare information by giving organizations and providers a unified set of rules to follow to help prevent breaches. She added that the legislation requires that breaches must be reported to the individual whose record was breached as well as the Office of the Information and Privacy Commissioner. [See HIA guide here] [CBC News]

CA – Health PEI Denies Privacy Commissioner Access to Report, Heads to Court

Health PEI wants to take the Island’s information and privacy commissioner to court to settle a dispute over an internal report which the government agency is refusing to let the commissioner see. Commissioner Karen Rose issued an order in April, insisting Health PEI hand her the report on the basis that she “has the power to compel the public body to produce the record at issue.” In response, Health PEI filed an application for a judicial review in P.E.I. Supreme Court, arguing the commissioner “does not have the jurisdiction or authority to inspect or review” the specific information she’s ordered the agency produce. [CBC]

CA – YK Missing Persons Law to Give Cops Access to Personal Info

The Yukon government is proposing new legislation that would allow police to access the personal information of missing persons. That could include things such as cell phone records, text messages, and health information. Right now, police in Yukon are limited in what they can do in a search for a missing person, unless there is evidence of criminal activity. The new legislation would allow police access to personal information “while still protecting a person’s right to privacy,” the release [see here] states. Several provinces already have similar missing persons legislation, including B.C., Alberta, Saskatchewan, Manitoba, Newfoundland and Labrador, and Nova Scotia. The legislation would also provide safeguards for organizations and businesses that may be required to release clients’ records or information to police. The government is accepting comments and completed surveys [see here] on the proposed legislation until September 11. [CBC News]

CA – BC IPC Updates Guidance on Social Media Background Checks

To assist employers, the Office of the Information & Privacy Commissioner for British Columbia recently published an updated guideline, Conducting Social Media Background Checks (“Updated Guideline”). When a private sector company conducts social media background checks, the use, disclosure, and collection of personal information is governed by the Personal Information Protection Act; whereas, public bodies are governed by the Freedom of Information and Protection of Privacy Act. This article focuses on the requirements for private sector companies. The Updated Guideline outlines the risks employers need to consider when conducting social media background checks, including: 1) Inaccuracy; 2) Collecting irrelevant and/or too much information; and 3) Over-reliance on consent. To minimize the risk of breaching an individual’s privacy when conducting social media background checks, the Updated Guideline reminds employers that any information collected about individuals is personal information and is subject to privacy laws. The Updated Guideline also recommends that companies conduct a privacy impact assessment of the risks associated with using social media in background checks. [Borden Ladner Gervais News & Publications]

CA – Saskatoon Gets 2 More ALPRs, Cops Promise No Info Sharing

The number of automatic licence plate readers being used to scan vehicles in Saskatoon will double when the Saskatoon Police Service buys two new devices in August. Police say no personal information collected by the readers will be shared with other police services. The devices have been controversial in other parts of North America due to privacy concerns. The readers, known as ALPRs, use infra-red technology to scan plates as police travel around the city. Officers are alerted if a plate is linked to a person wanted by police, a stolen or unregistered vehicle, or a suspended driver. The storage of information collected by ALPRs has raised privacy concerns that the devices could be used for other purposes, such as tracking a person’s location over time. In B.C., police changed their procedures after the province’s privacy commissioner raised concerns about how long “non-hit” data was being stored on RCMP computers. [see here] Saskatoon police said information collected by its scanners is kept for 40 days, and plates that register as a hit would be kept for 90 days. Sharon Polsky, the president of the Privacy and Access Council of Canada, raised concerns that information collected by police could be shared with other organizations and kept indefinitely. The police service said the same standards apply to an ALPR hit as any other standard traffic stop, adding that the Supreme Court of Canada allows officers to stop drivers to check for vehicle registration, driver impairment and vehicle safety equipment. [CBC News]

CA – NL Investigation Launched After Government Posts Employee IDs, RNC Officers in Sunshine List Screw-Up

Newfoundland and Labrador’s justice minister says an investigation is underway, after the release of the province’s first Sunshine List, when the government posted information officials had warned could put Royal Newfoundland Constabulary officers in danger. The so-called Sunshine List includes the names, job titles and pay information of public servants making more than $100,000. Government had agreed to a request from the Royal Newfoundland Constabulary Association (RNCA) to leave the names of officers off the list, but those names were included in public spreadsheets Friday. The information also included some employees whose salaries aren’t covered under the disclosure rules. For example, employees of the legislature aren’t supposed to be part of the Sunshine List, but their full information was also included. “It certainly has the appearance of a breach,” said Donovan Molloy, the province’s information and privacy commissioner. Molloy said the department had an obligation to review data before it’s sent out to ensure personal information like employee ID numbers aren’t included. He said an investigation would need to look at what the potential misuse of this information could mean. However, he said it’s much less serious than if the file had contained social insurance numbers. [CBC] [CBC: NL Sunshine List of Civil Service Salaries Goes Live Friday News | Telegram: Province releases sunshine list]

CA – Canada’s Political Parties, Media Vulnerable to Foreign Hacks: Spy Agency

The Communications Security Establishment said it expects multiple groups will “deploy cyber capabilities” in order to influence the outcome of the next federal election. CSE’s assessment is largely an outline of the different types of “cyber threats” to Canada’s electoral process. The good news is Canada’s low-tech, largely paper-based electoral system appears to be largely safe from the kind of hacks seen in other countries. Ballots are paper, voter lists at polling stations are paper-based, and CSE officials say the elections agency has strong cyber defences in place. The bad news is that politicians, political parties, and traditional and social media are much more vulnerable to hacking and influence operations. And it will be up to politicians and media — not CSE — to guard against them. According to the agency’s report, malicious actors can use “bots” to hijack political discussions online — basically millions of fake Twitter or Facebook accounts broadcasting “false or defamatory information” against a candidate or party. Canadian parties’ voter databases — huge stores of information on individual Canadian voters, not subject to federal privacy or information security rules — are also vulnerable to theft or manipulation, according to the report. [The Star]

CA – Conservative MP Says Constituency Office Computers Were Hacked

Conservative MP and former party leadership candidate Deepak Obhrai says the computers at his constituency office in Calgary fell victim to a virus. The apparent hack comes just two days after worldwide ransomware attacks disabled government, airline and banking networks, with Ukraine hit especially hard earlier in the week. There is no evidence that the virus affecting Obhrai’s office is part of that wider series of attacks, however. The incident in Calgary also comes about a week after Canada’s Communications Security Establishment (CSE), which monitors online threats against the government, launched a series of training sessions for all federal parties to help them better defend against cyberattacks. [GlobalNews]

CA – PMO Says It Can’t Reveal Staff Salaries Due to Privacy Issues

The Liberal government says it would violate privacy law to reveal the salary details of top aides to Prime Minister Justin Trudeau who are earning at least $150,000 annually. A spokesman for the Privy Council Office said that fewer than 10 PMO staff earn more than $150,000 but refused to name them or even provide an exact number. “We are unable to provide additional information due to privacy considerations,” said PCO spokesman Paul Duchesne. CTV News obtained a list of exempt staff working in Trudeau’s office and their salary ranges, in a heavily-redacted document that excludes all the names and also blanks out the salary ranges for those in the $150,000 to $350,000 ranges. The salary ranges for Trudeau’s top aides — Chief of Staff Katie Telford and Principal Secretary Gerald Butts — are not provided. The lack of disclosure from the country’s top elected office contrasts with other jurisdictions, where salary information about senior officials is automatically disclosed. [CTV News]

CA – AB OIPC Says Thousands in Province Targeted by Hackers Annually

The growing number of breach notification decisions released by Alberta’s Office of the Information and Privacy Commissioner (OIPC) has shown an increasing trend of online hacks, phishing and so-called social engineering ploys that compromise the personal data of hundreds of thousands of Albertans every year. Jill Clayton, Alberta’s privacy commissioner, says online data breaches are becoming a major focus of her office. Clayton said there’s been solid buy-in from the private sector on self-reporting breaches, with about 30% reporting them even if there doesn’t appear to be any real risk of harm based on stolen data. The rise in online breaches has meant a reciprocal increase in the number of files handled by OIPC, Clayton said. In 2016-17, her office saw a 70% increase in files compared to just five years ago. And those trends aren’t likely to reverse, Clayton added. [Calgary Herald]

CA – Alberta Police Draft Policy on Naming Victims Now with OIPC

A draft report from the Alberta Association of Chiefs of Police on standardizing the policy on naming homicide victims is now with the Office of the Privacy Commissioner. It’s the result of work done by the police chiefs and the lawyers from their organizations over the last couple of months after some inconsistencies were discovered around the province. EPS Chief Rod Knecht said in an interview, “There clearly was differences in the way we were applying the release of homicide victims’ names across the province. We landed on some consensus. We developed a policy around that consensus. That has now gone to the privacy commissioner which is probably the best place for it to go. They’ll come back and say, ‘this is a policy, this is a good policy, this is how the policy should be interpreted and this is how all police across Alberta should be doing this.’ If you back up the bus a little bit I think our interpretation was a good interpretation, but let’s see what the privacy commissioner comes back with.” [Global News]

CA – Regina, Saskatoon Transit Have Provided Police with Transit Card Information in Investigations

Transit systems in Regina and Saskatoon say they have shared transit card information with police to help with an investigation. Saskatoon Transit said it hands over generic card information to police about five times a year, often to confirm whether or not a person was using the bus at a specific time. In Regina, spokesperson Nathan Luhning said police have asked for information once, in relation to a missing persons case. Luhning said police are often more interested in video recorded from the bus, which also requires a Freedom of Information request. [CBC]

CA – ON OIPC 2016 Annual Report Pushes Public-Sector Big Data Law

In his 2016 Annual Report, Facing Challenges Together, Ontario’s Information and Privacy Commissioner, Brian Beamish, is calling for a number of legislative changes to enhance both access to information and protection of privacy in Ontario. One proposal is for the government to enact legislation that would allow public institutions to share personal information for policy and research purposes while protecting individual privacy by establishing a strong, government-wide framework for big data programs. Ontario IPC Brian Beamish said “We now live in the era of big data, where information technology holds the promise of creating a more efficient and responsive public service. However, we must not overlook the risks to privacy in pursuit of the benefits. It is possible to use big data in a privacy-protective manner but it will require fundamental changes to privacy legislation, involving government, citizens, and regulators.” This recommendation is one of several tabled by the Commissioner in his 2016 annual report. Further recommendations include: 1) Clarify Solicitor-Client Privilege Exemption; 2) Framework for Electronic Health Records; 3) Increased Transparency of Ontario’s Medical System; 4) Ensure the Security of Abandoned Health Records; 5) Public Disclosure of Health Privacy Breach Prosecutions; and 6) Routine Audits of Freedom of Information Practices. [Information and Privacy Commissioner of Ontario]

CA – ON OIPC Calls for Transparency in Assisted Dying

In his annual report [see here] last week, privacy commissioner Brian Beamish took aim at the Medical Assistance in Dying Statute Law Amendment Act, or Bill 84, which became law in Ontario last month. The act, in part, is a green light for secrecy. Any information that could identify hospitals, long-term care homes or hospices that offer medically assisted death is now exempt from freedom of information laws. Before the bill became law, [Beamish] recommended amendments that kept the names of physicians anonymous but the names of facilities public. “Information should be public unless there’s a really good reason why it shouldn’t be,” Beamish told the Star. In this case, he said, there was no evidence presented by legislators to suggest any reason why hospitals and care facilities should be exempt from disclosing their practices. The same concern was presented by Hamilton Health Sciences ethicist Andrea Frolic at a committee meeting about the bill in March. Frolic praised the protection of physicians, but questioned why publicly funded facilities could draw a dark curtain over their practices. “Information-sharing with the public is essential to patients’ informed decision-making,” she told the room, recommending that facilities disclose whether they grant assisted-death requests. [The Star]

CA – Ontario Doctors Go to Court to Keep Billing Information Secret

The information and privacy commissioner last year ordered the public disclosure of the top billers’ identities, along with amounts each receives in payments from the taxpayer-funded insurance plan. The information is business-related, not personal, and should be public because of the importance of transparency of government expenditures, the ruling said. A judicial review of that decision is being sought by the OMA and two groups of doctors — known in court submissions only as “several physicians affected directly by the order” and “affected third-party doctors.” They are asking a three-judge panel in Divisional Court to quash the information and privacy commissioner tribunal’s order. [The Star]

CA – BC Court Finds Email Communications Mistakenly Disclosed Are Privileged

The BC Court of Appeal has considered whether communications between government lawyers and employees were protected by solicitor-client privilege. Email communications between a government employer and employees of the agency were inadvertently included in a package of documents disclosed in response to an access request; disclosure of communications where the lawyer recommended a particular decision be made, or involving employee discussions of the lawyer’s advice would reveal previous legal advice given, and inadvertent disclosure of a privileged document does not result in an implied waiver of privilege. [AG of BC v. Kyla Lee et al. – 2017 BCCA 219 CanLII – Court of Appeal for British Columbia]


US – Survey Shows Consumers Need More Education on Identity Theft

In 2016, over 15 million Americans were victims of identity theft, up 16% from the previous year. News of data breaches and the risks of identity theft and fraud persist, but consumers’ vigilance and awareness haven’t kept pace. A national survey by Experian revealed that not only is America’s collective guard down, but people feel they are at a disadvantage when it comes to identity theft. While 84% of respondents acknowledge being concerned about the security of personal information online, almost two-thirds (64%) agree it’s too much of a hassle to constantly worry about securing personal information online. The majority say staying on top of financial transactions is a challenge (53%), and nearly half (48%) don’t check their credit reports regularly for errors or suspicious activity. [Inside Counsel]

US – Privacy Paradox: People Like the Idea but Not the Effort Study Shows

In “Digital Privacy Paradox: Small Money, Small Costs, Small Talk,” a new paper published through the National Bureau of Economic Research, the authors explore a phenomenon that has been widely observed: the disconnect between what people say about privacy and what they do. It’s a discrepancy that calls into question the validity of notice and consent, the foundation of privacy rules. Susan Athey, professor of economics at Stanford, said the paper does not address how legislation should be calibrated. “It suggests that users’ preferences for privacy may not be particularly strong, which has the implication that if privacy regulation imposes costs, it can be important to carefully consider whether preferences are strong enough to outweigh the costs in the particular context.” [The Register]

WW – Global Survey Finds Most Consumers Read App Privacy Policies

More than half of consumers, 53%, say it is “extremely important” that they know an app or service is using their personal data, a new survey has found. [Mobile Ecosystem Forum’s Consumer Trust Report see here] The survey of 6,500 people in Belgium, China, France, Germany, Poland, Romania, South Africa, Spain, UK and the US, conducted in the second quarter of this year, revealed 75% of respondents always or sometimes read privacy policies and terms and conditions before signing up to a mobile app or service. A total of 86% of them say they will go on to take some kind of action if their trust is challenged. Almost half will stop using a service (a year-on-year increase from 38% to 44%) and nearly one in three (30%) will warn friends and family. [Irish Times]


WW – Too Smart to Fall for A Spear-Phishing Message? Think Again

Researchers believe that under the right conditions anyone can be fooled by a spear-phishing message. Experts at GreatHorn, a cloud-security company with a vested interest in spear phishing, write in the company’s 2017 Spear Phishing Report that more than 90% of phishing emails captured from March to November 2016 contain spear-phishing components designed to impersonate a person familiar to a business user in order to fool the recipient into thinking the message came from a trusted source. For several years, security researchers from Friedrich-Alexander-Universität [see here], and from Universität des Saarlandes [see here], have been interested in what they consider unexplored territory related to spear phishing. In their paper Unpacking Spear Phishing Susceptibility, the researchers explore the decision-making process of users when they are enticed by an advertised link in a variety of spear-phishing messages. The selected participants were sent either an email or a personal Facebook message with a link from a non-existing person, claiming the link led to pictures from a party. Out of 720 participants, 117 clicked on the link, 502 did not, and the remaining 101 participants could not remember if they clicked or not. The proverb “curiosity killed the cat” seems applicable, as the number-one reason for clicking on the link was curiosity. “The participants explained that they knew the pictures could not be for them, but were interested in the supposedly funny or private content.” [TechRepublic]

US – CERT Issues Security Warning About Email Attachments

The U.S. Computer Emergency Readiness Team (“US-CERT”) has issued a security warning concerning email attachments. Recommended steps for protection include being wary of unsolicited attachments even from known senders (confirming the legitimacy of the email with the supposed sender), keeping software up to date (installing patches), trusting one’s instincts (not opening a suspicious attachment even if anti-virus software says it is ok), saving and scanning any attachment prior to opening it, turning off the automatic download attachment option, considering creating a separate restricted account on the computer, and applying other security practices (e.g. a firewall). [Security Tip (ST04-10) – Using Caution with Email Attachments – US-CERT]

WW – Google Will Stop Scanning eMail for Targeted Ads

By the end of this year, Google will stop scanning Gmail messages to serve personalized advertisements to users. Google has already stopped the practice in its G Suite Gmail. Ads will instead be served based on users’ settings.

CA – CASL Survey Report Clarifies Anti-Spam Compliance Strategies

Fasken Martineau, in collaboration with the Direct Marketing Association of Canada (DMAC), has released the results of the first-ever CASL (Canada’s anti-spam legislation) Survey Report. The report gives a clear picture of how organizations comprehend CASL and comply with its terms and conditions when it comes to implementing effective strategies and programs. The report aims to help businesses understand the common barriers to acknowledging and accepting CASL compliance. The report also reflects the gap between how organizations understand CASL and what measures they have adopted to comply with the regulations. Additionally, it shows that even after being in force for three years, the key elements of CASL are still not fully understood or implemented. The survey output clearly indicates that most companies who assume that they are compliant. [MarTech Series Blog]

US – FTC Launches Review of Its Email Marketing Rule

The FTC announced that it is undertaking a review of its CAN-SPAM Rule, which sets out the requirements for sending commercial e-mail messages. Among other things, the CAN-SPAM Rule requires that senders of commercial e-mails provide recipients a mechanism to opt out of receiving commercial e-mails, honor opt-out requests within 10 business days, and include specific disclosures in the body of the commercial messages. The FTC specifically is asking for comments from the public on the following topics: a) The economic impact and benefits of the CAN-SPAM Rule; b) Possible conflict between the CAN-SPAM Rule and state, local, or other federal laws or regulations (note that the CAN-SPAM statute preempts state commercial e-mail laws, except to the extent they prohibit “falsity or deception”); and c) The effect any technological, economic, or other industry changes have had on the CAN-SPAM Rule. [Inside Privacy]

US – House Judiciary Continues Email Privacy Law Overhaul Debate

At a June 15 hearing of the House Judiciary Committee, the U.S. tech sector and bipartisan lawmakers pushed for updates to the nearly 30-year-old Email Communications Privacy Act (ECPA) [see here] and its related Stored Communications Act (SCA) [see here]. ECPA bans unauthorized interception of electronic communications. The SCA, which is part of ECPA, prohibits unauthorized access of electronic communications in a storage facility. Tech giants such as Alphabet Inc.’s Google, Apple Inc., Amazon.com Inc., and Microsoft Corp. have supported updates to ECPA and the SCA. Updating the law would lift legal uncertainty that U.S. technology companies and email service providers say they face. They often have overseas data centers and get requests from law enforcement agencies for data related to investigations. However, ECPA remains unclear as to how much and which data stored abroad is available under such requests, they say. The House passed a measure to update ECPA on Feb. 6. The Email Privacy Act (H.R. 387) [see here], introduced by Rep. Kevin Yoder (R-Kan.), would require law enforcement to obtain a warrant before obtaining data “that is in electronic storage with or otherwise stored, held or maintained by that service,” regardless of the age of the communications. On the Senate side, Sen. Orrin Hatch (R-Utah) recently introduced the International Communications Privacy Act [see here], which would establish a legal framework for law enforcement bodies to use warrants to obtain emails sent to or from any U.S. citizen, even if that person, or the server being used to send and store emails, is overseas. The Senate has yet to take up the measure. [BNA.com]


WW – Five Eyes Alliance Stress ‘More Timely and Detailed’ Information Sharing to Detect Terrorists

Public security ministers and attorneys general from Canada, the U.S., Britain, Australia and New Zealand gathered in Ottawa for two days of closed-door talks. A joint communique [see here & PR here] indicated security officials are worried about the widespread availability of encryption tools and applications that can allow extremists to more easily communicate without their phone calls and texts being intercepted. Civil libertarians argue the right of law-abiding people to converse in private should not be compromised in the name of fighting terrorism by giving authorities the means to crack encryption or build back doors into security programs. The alliance said the ability of terrorists and other criminals to shield their electronic activities through encryption can “severely undermine public safety efforts by impeding lawful access to the content of communications.” They agreed to a common approach to engaging with communication service providers to deal with online terrorist activities and propaganda, while “upholding cybersecurity and individual rights and freedoms.” [The Star] See also: [Globe & Mail: The battle over encryption and what it means for our privacy | Australia Advocates Weakening Strong Crypto at Upcoming “Five Eyes” meeting | Five Eyes intelligence alliance meeting in Ottawa to tackle digital terror tactics | ‘Five Eyes’ talks in Canada to focus on encryption: Australian PM]

UK – PM Pushes Demand for Gov’t Access to Encrypted Messages

Britain is once again focusing on a controversial plan: to regulate the internet. On one side are British policy makers and law enforcement officials, who want to crack down on how extremist messaging and communication are spread across the internet. On the other are privacy and freedom of speech groups — alongside the tech giants themselves — who say that the government’s proposals go too far. Recent legislation already gives Britain’s law enforcement officials some of the world’s strongest powers to read and monitor online chatter from potential extremists. Now the country’s politicians want to go further. Earlier this month, prime minister Theresa May told the British public, “We need to do everything we can at home to reduce the risks of extremism online,” echoing a similar message by her government after a previous attack in Manchester. Part of that plan is to demand that companies such as Apple and Facebook allow Britain’s national security agencies access to people’s encrypted messages on services like FaceTime and WhatsApp. [The New York Times]

EU – End-to-End Crypto Plan Puts Europe On Collision Course With UK

Proposed draft legislation [see here] by the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs [LIBE] potentially puts the EU at loggerheads with the UK over the encryption debate. The proposals, which could enforce the use of end-to-end encryption as an extension of individual privacy, look to enshrine “a high level of protection of individuals with regard to their fundamental rights of private life and data protection” into European law. As such, Theresa May’s government, which has expressed concerns about the use of encryption, may find itself on a collision course with European legislators over internet privacy rights. The recommendation by European Parliament MEPs comes as the UK government – in addition to beginning Brexit negotiations – has called for more power over the internet, including the possibilities of weakening encryption and being able to place backdoors into devices. [ZDNet]

EU Developments

EU – WP29 Fire Warning Shots Ahead of First Privacy Shield Review

Europe’s data protection chiefs have fired a warning shot across the bows of the executive body of the Union ahead of the first annual review of the EU-US Privacy Shield. The Article 29 Working Party set out a series of concerns about Privacy Shield as far back as April 2016. They’re now gearing up for the annual review, due to take place in the US in September, and today say they’ve sent the EC a letter setting out their views and recommendations, and reserving the right to publish their own report “subject to the outcome of the Joint Review and the report of the Commission”. The WP29 describes the forthcoming review as “a fact-finding mission in order to collect the relevant information and necessary evidence to assess the robustness of the Privacy Shield”. [see 2 pg PDF here] [TechCrunch]

EU – EU Deals Theresa May Encryption Setback as MEPs Propose Ban on Government Backdoors

EU MEPs have tabled laws that would forbid countries in the EU from breaking the electronic protection that prevents security services from reading messages sent via WhatsApp. The plans would also impose obligations on tech companies that do not currently apply encryption to messages to do so. The proposals would be a major setback to Theresa May’s election pledge that terrorists should have no “safe space” to conspire online, and threaten existing security legislation that requires companies to remove encryption where possible. The proposals, from MEPs on the European Parliament’s Civil Liberties, Justice and Home Affairs Committee [LIBE], have been tabled as amendments to draft EU privacy legislation. The proposals will first have to be approved by MEPs and scrutinised by the EU Council. As well as hampering any attempts to access encrypted messages, the rules could also imperil the Investigatory Powers Act [see here and here]. [Telegraph.co] See also: [Highlights of the draft LIBE report on the ePrivacy Reg | EU Parliament Wants Stronger Privacy in e-Communications Proposal]

EU – Parliamentary Committee is Concerned About Technical Neutrality, Cookie and Tracking Provisions

An EU parliamentary committee has issued its rapporteur’s opinion and recommendations on the proposed ePrivacy Regulation. The Regulation is narrowly focused on browsers, making a strict distinction between first and third party cookies that is not future proof; the impact on privacy of a cookie should be based on its purpose, the types of data it collects and how the collected data is shared. Collection of data emitted by terminal equipment to enable it to connect to another device should not occur, even if there is a sign informing users of the tracking area; this creates a risk of fears and anxiety among end-users without providing them with the ability to opt out of being tracked. [European Parliament Committee on Industry, Research and Energy – Draft Opinion for the Committee on Civil Liberties, Justice and Home Affairs on the ePrivacy Regulation]

EU – Proposed Regulation Does Not Protect Communications Content and Metadata

The Directorate General for Internal Policies, on request from the EU Parliament, has assessed the standards of privacy protections in the proposed ePrivacy Regulation. Analysis of communications content and metadata should only be permitted in strictly necessary, limited circumstances, or if end users provide meaningful consent, and individuals should not be required to allow analysis for marketing purposes; storage of anonymised communications content should be permitted only in specific circumstances (given that it is difficult to anonymise email messages or phone conversations). [An Assessment of the Commission’s Proposal on Privacy and Electronic Communications – Directorate General for Internal Policies]

EU – EBA Issues Draft Guidance for Outsourcing Cloud Services

The European Banking Authority has issued a consultation paper on proposed recommendations on outsourcing to cloud service providers. Organisations should conduct assessments on the materiality of business activities proposed for outsourcing (impact of outages, disruptions), maintain a register of all information related to outsourced activities, and consider the potential risks and oversight limitations of outsourcing outside of the EEA; written agreements with providers should provide full access and audit rights, require that sufficient security protections are put in place, specify activities excluded from potential subcontracting, and include an obligation for the provider to transfer activities in an orderly manner in case of termination. Comments can be submitted until August 18, 2017. [EBA – Consultation Paper – Draft Recommendations on Outsourcing to Cloud Service Providers under Article 16 of Regulation No. 1093/2010]

UK – NHS DeepMind Deal Broke Data Protection Law, Regulator Rules

A London hospital trust was wrong to share details of 1.6 million patients with Google’s artificial intelligence company DeepMind, the UK’s data protection regulator has said. [See PR here & blog post here] Following a year-long investigation, the Information Commissioner’s Office (ICO) has ordered the Royal Free NHS Foundation Trust to set out a proper legal basis for processing the patient data. The data watchdog said the Trust didn’t properly tell patients that their information would be used as part of the work with DeepMind. The ICO said the NHS Trust is the controller of personal data and as a result is responsible for how patient information is used. The regulator said patient information wasn’t processed fairly and lawfully, was excessive, wasn’t used within the rights of the subjects and contractual controls weren’t in place. Overall, four of the Data Protection Act 1998’s principles were broken. [Wired]

UK – ICO’s Strategic Plan for the ‘New Frontier’ of Data Protection

The ICO recently published its Information Rights Strategic Plan for 2017 – 2021. Within it, the ICO Commissioner, Elizabeth Denham, asserts that we are on the “edge of a new frontier,” and that the data protection landscape is about to be reshaped by the “game changing” General Data Protection Regulation (the ‘GDPR’). The Plan also emphasises the ICO’s commitment to achieving the aforementioned goals by: (i) exploring innovative and technologically agile ways to protect privacy; (ii) leading the implementation of the GDPR and other data protection reforms; (iii) strengthening transparency and accountability by promoting good information governance; and (iv) protecting the public in a digital world. The highest priorities for the ICO for the first two years of this five-year plan will be preparing business processes and guidance for the GDPR, the Law Enforcement Directive and the ePrivacy Regulation, in order to avoid the ICO’s biggest risk: not being prepared in time. [Technology Law Dispatch]

UK – ICO Announces Grants Programme for Independent Research

The ICO have launched their first ever Grants Programme for new, independent research into data protection and privacy enhancing solutions, and we believe it is a genuinely exciting development. The programme will also help us achieve many of the key goals set out in the ICO’s new Information Rights Strategic Plan – for example, staying relevant and keeping abreast of evolving technology, improving standards, increasing public trust and maintaining and developing international leadership and influence. For many years the ICO has run research tenders to support specific policy projects and we have very much valued our interactions with the academic community, NGOs and innovators and the input they’ve had into our work. This new programme will take a broader ‘horizon-scanning’ approach, encouraging them to develop new insight and solutions into key data protection and privacy challenges posed by new technologies such as artificial intelligence and machine learning. [Information Commissioner’s Office Blog]

EU – Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work

The EU’s Article 29 Working Party has issued new guidance on data processing in the employment context (available here). Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive, but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation. The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace. The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts). The WP29 also intends to release guidance in the coming months on other GDPR topics such as transparency, certification, breach notification and data transfers, to add to recent guidance on data portability, Data Protection Officers and the “One Stop Shop.” [Inside Privacy]

EU – Germany Merkel’s CDU Party Criticizes Data Minimization Principle

Proposals that German firms could start scooping up more than just essential personal data have been met with anger by privacy advocates. “Der Spiegel” reported on a strategy paper from Angela Merkel’s CDU party that criticizes the principle of data minimization, or “Datensparsamkeit”. The term refers to collecting only the data you really need through sensors and online platforms, rather than scooping up as much as you can. According to the CDU document, data minimization should no longer be a general guideline as it “reduces opportunities for new products and services and potential progress”. Rights activists see things quite differently. Joe McNamee, the executive director of the Brussels-based European Digital Rights (EDRi), said a shift towards recording and exploiting more data would reduce people’s trust in European digital services. “The CDU’s political spin is horrifyingly ill-informed, ill-conceived and naïve,” McNamee said. [ZDNet]

EU – Germany Probes Facebook Over Claims It ‘Extorts’ Data from Users

Germany’s Federal Cartel Office is examining whether Facebook essentially takes advantage of its popularity to bully users into agreeing to terms and conditions they might not understand. The details that users provide help generate the targeted ads that make the company so rich. In the eyes of the Cartel Office, Facebook is “extorting” information from its users, said Frederik Wiemer, a lawyer in Hamburg. “Whoever doesn’t agree to the data use, gets locked out of the social network community,” he said. “The fear of social isolation is exploited to get access to the complete surfing activities of users.” It’s “more radical” than the EU’s Google case [see here] “because it asserts that privacy concerns can be antitrust concerns” and that consumers have a broader role than buyers of services in an economy, said Alec Burnside, an attorney at Dechert in Brussels. Some lawyers say the Facebook case is so novel in its approach to antitrust that the Cartel Office should have left the question of whether the company abuses users’ data to privacy regulators. Those watchdogs, once relatively toothless, will be empowered next year when tougher EU data privacy rules take effect, allowing them to levy fines of as much as 4% of global annual sales. Ironically, Facebook may have less to fear financially from a Cartel Office probe as, unlike Google, it may not be fined. The current terms of the investigation rule out a financial penalty even if it’s found to breach antitrust rules. At worst, Facebook faces an order to change how it operates. [Bloomberg via The Independent]

UK – Privacy International Sends Brexit Teams Anti-Surveillance Package

Rights group Privacy International (PI) has sent Brexit negotiators advice and technology designed to mitigate the risk of surveillance by intelligence agencies on the opposite side. [See PR here] With the long-awaited EU divorce negotiations starting today, the privacy NGO claimed that there’s a heightened risk of sophisticated tools and tactics being used to enable one side or the other to gain the upper hand. The PI package contains a short briefing warning the recipient against the surveillance powers available to the UK and some European agencies, as well as a Faraday Cage to protect their mobile devices. The gesture is mainly symbolic given the range of powers at the disposal of the British and European intelligence agencies, Privacy International admitted. PI warned the Brexit negotiators that government agencies can remotely activate mobile device mics, webcams and GPS systems; force service providers to decrypt comms; intercept internet traffic travelling on undersea cables; and access intelligence collected by their spy agencies. [InfoSecurity]

Facts & Stats

US – Cost of Breaches in the US Hit Record High

Breaches cost companies an average of $225 per compromised record ($221 in 2016), and the average total cost was $7.35 million ($7.01 in 2016); heavily regulated industries have higher breach costs, e.g., healthcare ($380) and finance ($336), and malicious or criminal attacks continue to be the primary cause of breaches (52%) as well as the costliest ($244). [2017 Ponemon Cost of Data Breach – US]

CA – Breach Costs Down but Canada’s Are Second Highest in World

The average cost of a data breach suffered last year by 27 Canadian companies was $5.78 million, or $255 per lost or stolen record, according to a new study. It was the third annual report, paid for by IBM and conducted by the Ponemon Institute, part of a survey of 419 breached organizations in 11 countries and two regions. [See here] The good news is that the Canadian numbers represent a 4% decrease in the total cost of a data breach among the group studied, and a 9% decrease in the cost per lost or stolen record, compared to the 2015/2016 study period. The bad news is it’s still a lot of money. Of all nations studied, the Canadian group had the second highest costs. One important take-away from the report is how being proactive can reduce the cost of a breach per record. [IT World Canada]

CA – Cost of Breaches to Canadian Companies Decreased

The average cost per compromised record decreased from $278 to $255, and the root causes of data breaches were malicious or criminal attacks ($269 per capita cost), system glitches ($243 per capita cost), and human error ($241 per capita cost); preventative measures taken after a data breach include training and awareness programs (65%), additional manual procedures and controls (50%), identity and access management solutions (41%), and expanded use of encryption (40%). [2017 Ponemon Cost of Data Breach – Canada]


CA – Supreme Court Rules Search Engine Must De-Index Websites Worldwide

The Supreme Court has heard an appeal of a decision of the BC Supreme Court, requiring Google Inc. to de-index specific search results. The US search engine must stop indexing or referencing websites selling infringed products from locations outside Canada; the search engine was crucial to the website owners being able to sell counterfeit goods (which they were ordered not to sell by a BC court), the only way to ensure the injunction’s effectiveness is to apply it worldwide, and any negative impact on freedom of expression is outweighed by the need to prevent harm from facilitating the sale of the counterfeit goods. [Google Inc. v. Equustek Solutions Inc. – 2017 SCC 34 – Supreme Court of Canada | Related Article]

CA – Supreme Court Rules 7-2 to Facilitate Worldwide Internet Censorship

In a 7-2 majority decision written by Justice Rosalie Abella that has “troubling” implications for free expression online, the Supreme Court of Canada upheld a company’s effort to force Google to de-list entire domains and websites from its search index, effectively making them invisible to everyone using Google’s search engine. [See Google v. Equustek] EFF intervened in the case, explaining [.pdf] that such an injunction ran directly contrary to both the U.S. Constitution and statutory speech protections. Issuing an order that would cut off access to information for U.S. users would set a dangerous precedent for online speech. In essence, it would expand the power of any court in the world to edit the entire Internet, whether or not the targeted material or site is lawful in another country. That, we warned, is likely to result in a race to the bottom, as well-resourced individuals engage in international forum-shopping to impose one country’s restrictive laws regarding free expression on the rest of the world. Beyond the flaws of the ruling itself, the court’s decision will likely embolden other countries to try to enforce their own speech-restricting laws on the Internet, to the detriment of all users. As others have pointed out, it’s not difficult to see repressive regimes such as China or Iran use the ruling to order Google to de-index sites they object to, creating a worldwide heckler’s veto. The Equustek decision is part of a troubling trend around the world of courts and other governmental bodies ordering that content be removed from the entirety of the Internet, not just in that country’s locale. On the same day the Supreme Court of Canada’s decision issued, a court in Europe heard arguments as to whether to expand the right-to-be-forgotten worldwide.
[Electronic Frontier Foundation] See also: Open Media: Disappointing Supreme Court ruling has worrying implications for online free expression and access to information in Canada and across the globe | Canada Claims Authority to Censor Your Internet Searches


US – Financial Institutions Cautioned that Communications Using Emerging Technologies May Fall Under FINRA Rules

The Financial Industry Regulatory Authority (“FINRA”) has provided guidance regarding the application of FINRA rules governing communications with the public to digital communications, in light of emerging technologies and communications innovations. Registered entities are required to retain interactions with investors conducted using text messaging apps and chat services if the communication is about business; entities must not establish links to any third party site that the entity knows contains false or misleading content, and “likes” or sharing of social media comments by a representative. Comments that were posted by a third party about an entity representative will be subject to FINRA’s communications rules. [Financial Industry Regulatory Authority – Regulatory Notice 17-18 – Social Media and Digital Communications]

US – Study: Why Are So Many Customers Still Afraid of Mobile Banking?

In a new study [see here], J.D. Power asked 5,364 adults in the U.S. what they thought of the mobile offerings of the 10 largest banks and the 10 biggest credit card issuers and USAA. Overall mobile adoption among Americans remains relatively low — 31% for banking and 17% for credit cards, according to J.D. Power. It’s not surprising that card apps are used less, because they’re typically limited to providing balances, payment due dates and loyalty points. Online banking adoption, by contrast, is 80%. A major barrier — and perhaps one of the easiest to address — is that many are unsure how to use mobile banking: 39% of users say they don’t fully understand their mobile banking and credit card apps. At least that’s down from 61% in 2012, when mobile banking was still in its early days. Only 32% of consumers trust mobile banking, the study found. Only 42% of consumers feel their personal data is adequately protected by their bank when they use mobile apps. [American Banker]


CA – NL Privacy Commissioner to Investigate Sunshine List Screw-Up

Their names were supposed to be kept off a published list of Newfoundland and Labrador public servants who earned $100,000 or more in 2016, and now the province’s Information and Privacy Commissioner is launching a formal investigation into why police officers didn’t get the protection they were promised. Donovan Molloy announced Thursday that his office is acting on its own, without a complaint. [See here] The investigation will look into why employees who were granted an exemption from the so-called Sunshine List disclosure had their privacy breached, and why information not authorized for disclosure was published. [CBC]

CA – OIPC BC: Landlords May Process Tenants’ Information to the Extent Necessary

The Office of the Information and Privacy Commissioner for British Columbia has issued guidance to assist landlords and property managers in meeting their obligations under the Personal Information Protection Act. Landlords may collect tenants’ information to make a decision about whether or not to rent the property (e.g., pay-slip, T4, other landlords’ references, credit reports, etc.), but to use it for another purpose the tenant’s consent is required; landlords should examine their tenancy application forms to ensure that there is a business need for collecting the information and include statements about why it is collected. [OIPC BC – Privacy Guidance for Landlords and Tenants]

CA – OIPC AB May Authorize Entities to Disregard Access and Information Requests

The Office of the Information and Privacy Commissioner of Alberta has issued a practice note about the authorization to disregard requests under the Freedom of Information and Protection of Privacy Act (“FOIP Act”), the Health Information Act (“HIA”), and the Personal Information Protection Act (“PIPA”). The authorization is given under the criteria set out in the FOIP Act, HIA and the PIPA when the request would unreasonably interfere with the entity’s operation because of its repetitious or systematic nature, or is frivolous or vexatious. [OIPC AB – Practice Note Authorization to Disregard Requests]

CA – OIPC BC Provides Guidance on Preparing for a Written Inquiry

The BC Office of the Information and Privacy Commissioner has issued guidance for organizations participating in an OIPC inquiry. When public bodies are participating in an OIPC review of an FOI or access decision, submissions should include arguments about how relevant legislation applies, copies of letters, meeting minutes, transcripts, affidavits, expert reports, or in camera material; information or records related to the mediation process and attempts to settle issues should not be included (to preserve the ‘without prejudice’ nature of the process), and new issues or exceptions not listed in the notice of inquiry should not be included. [OIPC BC – Instructions for Written Inquiries]

CA – Supreme Court Rules User May Sue U.S. Social Network in B.C. Courts

The Supreme Court of Canada has considered whether a U.S. social network may impose a forum selection clause on users. The Court ruled that while the social network’s terms of use forum selection clause is enforceable, there is strong cause not to do so; there is gross inequality of bargaining power between the parties (i.e. individual consumers have no choice but to agree to the terms of use), the B.C. Privacy Act cause of action implicates quasi-constitutional privacy rights of British Columbians, B.C. courts are in better position to adjudicate regarding local legislation, and B.C. citizens would face the expense and inconvenience of litigating in California. [Deborah Louise Douez v. Facebook, Inc. – 2017 SCC 33 – Supreme Court of Canada | CBC]

CA – OIPC AB: Information that Merely Relates to a Legal Service is not Privileged

The Office of the Information and Privacy Commissioner in Alberta has reviewed an inquiry into the Alberta Justice and Solicitor General’s response for records under the Freedom of Information and Protection of Privacy Act. The client-solicitor privilege does not apply to information that does not reveal the substance of the legal service such as date of emails, date of the proposed events, the subject lines of the emails, the participants in the emails or in the proposed events. [OIPC AB – Order F2017-44 April 28 2017 Alberta Justice and Solicitor General]

CA – OIPC AB Finds Public Body Was Authorized to Contact Petitioners

The Office of the Information and Privacy Commissioner of Alberta has reviewed a complaint regarding the unauthorised use of personal information by the Summer Village of West Cove, pursuant to the Freedom of Information and Protection of Privacy Act. An individual complained when the public body sent a letter asking questions about the petition she submitted (her name and address were documented next to her signature); however, the individual signed and submitted a written statement with the petition indicating that she could be reached if they had questions about the petition, and the public body used the information only to the extent required to obtain more information about why the petition was submitted. [OIPC AB – Order F2017-48 – Summer Village of West Cove]

CA – OIPC NL Issues Recommendations for Ensuring Proper PHI Handling

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has provided guidance on compliance with the Personal Health Information Act. Healthcare custodians must ensure information policies and procedures include appropriate measures for processing, storage and disposition of PHI; all individuals handling PHI must sign confidentiality agreements and be made aware of obligations relating to consent for collection, use and disclosure of PHI. Outsourcing agreements must include prescribed uses and disclosures of PHI and security arrangements, and material breaches of PHI must be reported to the OIPC and affected patients. [OIPC NL – Safeguard Newsletter – Volume 01 Issue 01]

CA – PEI Muni’s Working to Avoid Inclusion in Access to Info Law

The Federation of P.E.I. Municipalities is taking steps to help towns and communities become more proactively transparent in an effort to keep municipalities from being brought under access to information law. The federation has issued a request for proposals [see here] for an open municipal government toolkit, which would be an online resource for municipalities to use to develop more open government practices. In 2015, Premier Wade MacLauchlan gave municipalities and post-secondary institutions a two-year window to develop more transparent policies prior to a review of the Freedom of Information and Protection of Privacy (FOIPP) Act, which is to be conducted later this year. Prince Edward Island is the only province in Canada where municipalities are not subject to freedom of information law. The province’s publicly funded university and colleges are also not covered. But that’s something municipalities would rather not see changed. P.E.I.’s privacy commissioner Karen Rose told a provincial standing committee in March she will likely make a formal recommendation to bring municipalities and post-secondary institutions under FOIPP legislation as part of a number of recommended changes and updates to the act that she is set to deliver to government. [The Guardian (Charlottetown, PEI)]

Health / Medical

UK – Google DeepMind Report Fails to Justify Use by the NHS, Claim Privacy Campaigners

A report [see here] that claims Google DeepMind did not break the law in its use of NHS patient data has failed to address the company’s breach of UK privacy laws, campaigners have warned. The independent review panel released its findings this week after the Information Commissioner’s Office (ICO) ruled the Royal Free NHS Foundation Trust breached the Data Protection Act when it provided DeepMind with the personal data of around 1.6 million patients. “Our legal advice found that DMH [DeepMind] had acted only as a data processor on behalf of the Royal Free, which has remained the data controller,” the report states. “It found no evidence that DMH had violated the data sharing agreement or any other contractual arrangements with the Royal Free. It found no evidence to suggest that DMH has breached confidence.” This classification makes the Royal Free liable for the breach, as the collection of information falls under the responsibilities of the data controller. DeepMind may, however, have been liable under the terms of the GDPR, which comes into effect across the EU in May 2018. The limited criticisms of DeepMind have raised the ire of privacy campaigners. The report failed to hold DeepMind accountable for its unlawful data processing or to fully investigate the company’s more questionable actions, campaign group medConfidential warned. The independent review panel’s principal concerns around DeepMind Health were an inadequate public engagement and a lack of clarity in the original information sharing agreement with the Royal Free Hospital. A total of 11 vulnerabilities were identified, none of which were deemed critical or high-level. A single medium level issue was revealed, that the report states “should be addressed but is not thought to present an immediate threat to the environment or data handled by it”. In a written response to the report, DeepMind Health acknowledged that it should have done more to engage with patients at an earlier stage, and that its initial legal agreement with the Royal Free should have been more detailed. It pledged to continue to publish all its NHS contracts, and to support other groups developing healthcare technology. [Techworld]

Horror Stories

US – Voting Record Database Configuration Error Exposes Nearly 200 Million Records

Databases containing information about 198 million US voters were found to be stored in an Amazon cloud account with no access protection. The databases belong to Deep Root Analytics, a contractor employed by the US Republican National Committee (RNC). While the information contained in the databases is by and large a matter of public record, having all those data aggregated could prove valuable to data thieves.

US – Lawsuit Targets Firm that Failed to Secure 198 million Americans’ Data

Two Floridians, James and Linda McAleer, filed a lawsuit last week against Deep Root Analytics, the campaign consultancy that accidentally left information on 198 million Americans accessible online without protecting it with a password. They want to turn [it] into a class action suit. Deep Root specializes in using data analytics to determine how to target specific voters. The exposed data included contact information and estimates of political preferences for around 80% of voting-age Americans. On June 19, researcher Chris Vickery of the security firm UpGuard announced that he had found Deep Root had configured that data to be available to anyone who visited Deep Root’s Amazon cloud storage account without needing to log in. According to a statement from Deep Root, the data was only exposed for two weeks. The lawsuit claims that Deep Root was negligent in the way it protected data and seeks to cover two classes of victims — the general public and Florida residents in particular. [The Lawsuit is Dr. James A. McAleer, et al. v. Deep Root Analytics LLC, Case No. 6:17-cv-01142, in the U.S. District Court for the Middle District of Florida. See here | The Hill | Dr. James Albert McAleer and Linda McAleer v. Deep Root Analytics, LLC – Middle District of Florida Orlando Division]

US – Anthem to Pay 115 Million USD in Breach Settlement

US healthcare company Anthem will pay 115 million USD to settle several lawsuits related to a 2015 breach of customer data. Most of the money will be used to pay for victims’ credit monitoring. [Anthem will pay $115 million in largest data breach settlement in history | Anthem Agrees to Settle 2015 Data Breach for $115 Million]

US – WSU Safe Heist Included Hard Drive with PII on 1 Million

WSU learned on April 21, 2017 that a “locked safe containing a hard drive had been stolen.” The hard drive contained the backup files from WSU’s Social & Economic Science Research Center (SESRC). On April 26, WSU confirmed PII was compromised. On June 9, they began informing those affected and sending breach notification notices to various states’ Attorney General Offices. In WSU’s public statement, they noted, “The drive contained documents that included personal information from survey participants, such as names, Social Security numbers and, in some cases, personal health information. Entities that provided data to the SESRC include school districts, community colleges, and other customers.” Normally when we associate a breach of this size, we ascribe it to a hacking incident or other technological magic. In this case it was a physical theft, of the safe, which was serving to protect the data stored within. The university in its letter to the New Hampshire Attorney General’s Office (NHAGO) noted that not all (though apparently some) of the files on the hard drive were encrypted. [CSO Online]

CA – Hackers Dump Data from Calgary’s Cowboys Casino Breach

Personal information along with the gambling habits and payouts of hundreds of patrons of Calgary’s Cowboys Casino have been dumped online by hackers, a year after a massive cyber attack. Thousands of files purportedly containing the personal information of patrons, customer payouts, tracking of gambling habits and Calgary’s Cowboys Casino’s “elite members list,” were leaked to the data-sharing website Pastebin, along with a dire warning that even more information could be made public in the coming weeks. The post warns the data dump is the first, and the smallest, of four planned for release. Last June, the casino announced it had been the victim of a cyber attack on its computer system, warning that information from patrons and employees, along with corporate data, had been compromised. [See here] [Calgary Herald]

Identity Issues

WW – At least 44 States Refuse Trump Commission’s Demand for Voter Info

CNN reported that 44 states have now refused a request by the Trump administration to provide certain information about registered voters, ranging from their criminal records to time spent abroad. A CNN inquiry into all 50 U.S. states found that state leaders and voting officials across the country have been fairly quick to respond to the request for voter data, sent by the Presidential Advisory Commission on Election Integrity [see here], and in most cases to reject it. The requested information includes registered voters’ full names, addresses, birth dates, political parties, a list of the elections they’ve voted in since 2006, whether they’ve registered to vote in other states, their military status, info on any felony convictions, whether they’ve lived overseas, and the last four digits of their social security numbers. Kansas Secretary of State Kris Kobach, vice chairman of the commission, stated twice in the letter [see here] that only “public” information was being requested, and reiterated that “Every state receives the same letter, but we’re not asking for it if it’s not publicly available.” Numerous states have already responded that they can’t provide the social security numbers, at the very least, while others objected to the commission’s request that states surrender this information through an online portal. [Forbes]


US – SCOTUS to Hear Mobile Locational Privacy Case

On June 5, 2017, the US Supreme Court granted cert in “Carpenter v. United States” [see here], a case in the hotly contested area of mobile cellular location data privacy. The question before the Court is whether law enforcement must obtain a warrant for historical cell-site location information. On appeal, a panel of the Sixth Circuit upheld Carpenter’s conviction. [See here] In the majority opinion, Judge Kethledge concluded that the Fourth Amendment does not require a warrant for law enforcement officers to request historical cell-site location information. In reaching this conclusion, Judge Kethledge relied on the third-party doctrine, which stands for the proposition that individuals do not have a reasonable expectation of privacy in information that they voluntarily disclose to third parties such as mobile carriers. Notably, in a concurring opinion [see here at P.14], Judge Stranch expressed concern about applying the third-party doctrine to records which reveal personal location information, noted that “[d]etermining the parameters of the Fourth Amendment is the task of the judiciary”, and stated that the courts “have more work to do to determine the best methods for assessing the application of the Fourth Amendment in the context of new technology.” Judge Stranch is far from the first to invite reexamination of the third-party doctrine. To give but one example, in a concurring opinion in the 2012 GPS-tracking case “United States v. Jones” [see here], Justice Sotomayor wrote, “I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.” Regardless of whether the Supreme Court accepts Judge Stranch’s invitation, “Carpenter v. United States” may hold important compliance implications for carriers. [Comm Law Monitor]


WW – Due Diligence: Vendor Management is Crucial for Data Protection

This article provides an overview of data privacy and security obligations in vendor management in the United States. Organizations should maintain a vendor data protection program by using the RFP process to establish minimum data protection qualifications for the contract, conducting privacy and security due diligence when selecting vendors, and being clear about the extent to which vendors can use data for their own purposes; when negotiating a contract, organizations should define personal information broadly to include any and all identifiable information, impose requirements for retention, transition and destruction or return of data at termination of the agreement, and require mandatory breach notification to the organization. [Deeper Dive – Vendor Management Crucial for Data Protection – Alan L. Friel, Partner, BakerHostetler]

Online Privacy

US – Facebook Can Track Your Browsing Even After You’ve Logged Out: Judge

Plaintiffs alleged that Facebook used the “like” buttons found on other websites to track which sites they visited, meaning that the Menlo Park, California-headquartered company could build up detailed records of their browsing history. The plaintiffs argued that this violated federal and state privacy and wiretapping laws. US district judge Edward Davila in San Jose, California, dismissed the case because he said that the plaintiffs failed to show that they had a reasonable expectation of privacy or suffered any realistic economic harm or loss. [see 14 pg PDF here] Davila said that plaintiffs could have taken steps to keep their browsing histories private, for example by using the Digital Advertising Alliance’s opt-out tool or using “incognito mode”, and failed to show that Facebook illegally “intercepted” or eavesdropped on their communications. The plaintiffs cannot bring privacy and wiretapping claims, Davila said, but can pursue a breach of contract claim. To address privacy concerns, Facebook introduced a way for users to opt out of this type of advertising targeting from within user settings. [The Guardian]

WW – Google Takes 2 Steps to Protect User Privacy

Google announced two new steps to protect user privacy — moving to scrub personal medical records from search results and halting its long-standing policy of scanning emails to deliver targeted ads. Previously, Google surveyed the contents of emails to provide personalized ads to users of its free Gmail service. Although paying Gmail customers were never subject to such scanning, Diane Greene, a senior vice president at Google, told Bloomberg that there was confusion about the policy among businesses that pay for its service. The shift comes as Google tweaked its search engine to help hide results that include “confidential, personal medical records of private people.” The change was also first reported by Bloomberg. Google has previously taken steps to mask search results that included individuals’ financial information and revenge porn — explicit photos uploaded without a person’s consent. [LA Times]

Other Jurisdictions

AU – OAIC Publishes Draft Guidance on Breach Notification

The Office of the Australian Information Commissioner has issued draft guidance about data breach notification. Comments from interested parties can be submitted until July 14, 2017. If practicable, entities can notify each of the individuals to whom the relevant information relates or only those at risk of serious harm; where notification is not practicable, entities should publish a copy of the statement sent to the commissioner on their website. [OAIC Australia – Notifying Individuals About an Eligible Data Breach]

Privacy (US)

US – Google Urges Congress to Revise Outdated Overseas Data Laws

Access to data stored overseas has become a contentious issue with tech companies and the US government. Today, in a speech given to the Heritage Foundation [watch here], a conservative think tank, Google’s senior vice president and general counsel, Kent Walker, urged Congress to update the laws concerning this topic. On this front, Microsoft scored a major victory last year. Other courts reached opposing rulings in similar trials. In February, a US District Court in Pennsylvania ruled that Google had to comply with an FBI warrant to hand over data stored on an overseas server. And additional cases involving Google and Yahoo came to similar conclusions in Wisconsin, Florida and California. Walker today urged Congress to change relevant laws, making it clear what tech companies are to do when faced with government requests for data. He also proposed that the US should allow countries that commit to privacy and human rights to directly request data from US companies without having to first consult with the US government. [Engadget]

US – FTC Issues Recommendations for Complying With COPPA

The FTC has provided guidance for operators of websites and online services on protection of children’s safety and privacy online to ensure compliance with the Children’s Online Privacy Protection Act. Organisations should determine if children’s personal information is collected by their sites or services (including allowing another company to collect PI through the site or service, or passive online tracking), notify parents of the specific information being collected, and post a privacy policy that describes all operators collecting information; verify consent by having parents sign a consent form, call a toll-free number, connect via video conference, or verify an identity document. [FTC – Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business]

US – Senate Considers Changes to ECPA to Ease Foreign Data Access

Members of the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism addressed practical issues regarding warrants for overseas data in a hearing titled “Law Enforcement Access to Data Stored Across Borders.” It featured representatives from the Attorney General’s office, the U.K. government, the private sector (Microsoft), as well as from academia. Senators and panelists raised a host of issues, but chief among them was the perceived absurdity that a U.S.-issued warrant, obtained by a U.S. enforcement agency on probable cause for the data of a U.S. citizen who is suspected of committing a crime in the U.S. against a U.S. victim, will not be honored by a U.S. ISP if that individual’s data happens to be stored on a server in Ireland (or anywhere other than the U.S.). Senators participating in the hearing readily welcomed arguments that Congress should change the ECPA in a way that would (a) overturn Microsoft and return to the prior status quo, where warrants served on U.S. ISPs are honored even if the data is stored on a server located abroad, and (b) lift the restrictions in the ECPA that prevent U.S. ISPs from turning over data pursuant to foreign warrants (like those issued in the U.K.). The panel focused on the differences and similarities between data security laws in the U.S. and U.K., and in particular, discussed a proposed bilateral agreement between the countries that would essentially allow each country to honor the other’s search warrants. [Corporate Defense and Disputes Blog (Proskauer Rose)]

US – FTC Said to be Probing Uber Over Privacy Practices

The FTC’s investigative staff is focusing its attention on potential data-handling problems at Uber, Recode reported Wednesday, citing four unnamed sources familiar with the matter. That might include an internal Uber feature known as “God View” that lets employees see logs of customer activity. Recode said its sources cautioned that FTC staff members regularly question companies on consumer protection issues and then quietly close their inquiries without pursuing penalties. Uber was recently caught using an internal tool called Greyball to thwart efforts by local authorities to catch the ride-hailing company violating local regulations. Uber has since said it would stop using the tool for that purpose. The company was also caught using a program called Hell to spy on its rival Lyft. And Apple reportedly threatened to boot Uber from the App Store for violating privacy rules. (A consumer watchdog group later asked the FTC to investigate related matters.) [CNET]

US – Post-Snowden Efforts to Secure NSA Data Fell Short: Report

The government’s efforts to tighten access to its most sensitive surveillance and hacking data after the leaks of National Security Agency files by Edward J. Snowden fell short, according to a newly declassified report. The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department’s inspector general completed in 2016. The report was classified at the time and made public in redacted form this week in response to a Freedom of Information Act lawsuit by The New York Times. The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of “privileged” users, who have greater power to access the N.S.A.’s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing. The report said the chief information officer of the N.S.A., Gregory L. Smithberger, had cautioned the inspector general that “eliminating all risk of insider threats is not feasible.” [NYTimes]

US – FTC Recommends Tweaks to IoT Transparency Guidelines

The FTC has some suggested changes for a draft proposal on making the Internet of Things more secure and informing consumers about that level of security. Those came in comments on the National Telecommunications & Information Administration’s effort—through a multistakeholder working group—to draft guidelines for upgrading and improving security for the devices, which include everything from smart TVs, lightbulbs and fridges to fitness trackers, wine cellars and self-driving cars. [Broadcasting Cable]

US – Underwriters Laboratory Issuing Software Security Certifications

Underwriters Laboratory is now issuing security certifications for networked software. UL launched its Cybersecurity Assurance Program in April 2016. So far, just a few products have received certification.

US – Girl Scouts to Offer Cyber Security Badges

The Girl Scouts of the USA (GSUSA) will start offering badges in cyber security in 2018. In all, there will be 18 cyber security badges. GSUSA is partnering with Palo Alto Networks to develop the curriculum.


EU – ENISA Recommends Addressing Challenges of Emerging Disruptive Technologies

ENISA has issued a paper identifying principles and opportunities that should be addressed in the renewed EU cybersecurity strategy. New technologies such as robotics, IoT, artificial intelligence, and internet of people will have significant effects on the EU digital single market; the EU should assess risks over the entire lifecycle of products, ensure access to trustworthy products and services that do not depend on a single service provider, and examine software ownership and control issues (liability for compromised software or mistakes by autonomous devices, imposition of manufacturers’ terms and conditions on end users, and possible mandatory disclosure of security vulnerabilities). [ENISA – Principles and Opportunities for a Renewed EU Cyber Security Strategy]


US – FBI Issues 2016 Internet Crime Report

The 2016 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3) provides information about trends in online crime. In 2016, more than 10,000 incidents of tech support fraud were reported to IC3, with losses totaling nearly 8 million USD. Other trends noted in the report are email compromise, ransomware, and extortion. Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year. [See here] The IC3 report [see 28 pg pdf here] correctly identifies some of the most prevalent and insidious forms of cybercrimes today, but the total financial losses tied to each crime type also underscore how infrequently victims actually report such crimes to law enforcement. One expert observed that the FBI’s ransomware numbers “are ridiculously small compared to what happens in the real world, where ransomware is one of today’s most prevalent cyber-threats. The only explanation is that people are paying ransoms, restoring from backups, or reinstalling PCs without filing a complaint with authorities.” [See here] The IC3 report notes that only an estimated 15% of the nation’s fraud victims report their crimes to law enforcement. For 2016, 298,728 complaints were received, with a total victim loss of $1.33 billion. If that 15% estimate is close to accurate, that means the real cost of cyber fraud for Americans last year was probably closer to $9 billion, and the losses from ransomware attacks upwards of $16 million. The IC3 said losses from CEO fraud (also known as the “business email compromise” or BEC scam) [see here] totaled more than $360 million. Applying that same 15% rule, that brings the likely actual losses from CEO fraud schemes to around $2.4 billion last year. [Krebs on Security | https://www.fbi.gov: IC3 Releases Annual Report Highlighting Trends in Internet Crime | https://pdf.ic3.gov: 2016 Internet Crime Report]

US – Companies Create Principles for Cybersecurity Risk Ratings

The U.S. Chamber of Commerce has announced that a consortium of more than two dozen chamber member companies, including prominent big banks, big-box retailers, and technology giants, released a set of principles designed to promote fair and accurate cybersecurity ratings. The creation of the “Principles for Fair and Accurate Security Ratings” comes in response to the recent emergence of several companies that collect and analyze publicly accessible data to develop a rating of a company’s cybersecurity risk posture. Importantly, however, cybersecurity ratings have the potential for being inaccurate, incomplete, unverifiable and unreliable if, for example, the source data is inaccurate or the methodology doesn’t account for risk mitigations in place at a company. The principles developed by the consortium were designed to increase confidence in and the usability of fair and accurate cybersecurity ratings by addressing the potential problems. The principles were modeled after the Fair Credit Reporting Act, which helped increase confidence in the credit process by ensuring the usability of ratings for legitimate purposes while recognizing the interests of consumers to ensure that the data underlying the scores was accurate and complete. The principles are as follows: 1) Transparency; 2) Dispute, correct and appeal; 3) Accuracy and validation; 4) Model governance; 5) Independence; and 6) Confidentiality. Becoming adept at understanding and effectively utilizing cybersecurity ratings will be an important strategic advantage for companies in the future. [Data Privacy Monitor (Baker Hostetler)]

US – NIST Issues Risk Management Implementation Guidance

The National Institute of Standards and Technology (NIST) issued a draft Cybersecurity Framework to be used by federal agencies in conjunction with the current and planned suite of NIST security and privacy risk management publications. The guidance, which includes 8 use cases in which agencies can leverage the cybersecurity framework to address common vulnerabilities, is designed to elicit feedback to determine which cybersecurity framework concepts are incorporated into future versions of the suite of NIST security and privacy risk management publications. Comments are due by June 30, 2017. [NIST – The Cybersecurity Framework – Draft NISTIR 8170]

US – Senators Weigh Conflicting Privacy, Security Concerns on FISA Rule

The delicate balance between national security and individual privacy came into stark relief as senators debated whether to extend a soon-to-expire intelligence-gathering tool for foreign suspects, which critics say has massive potential for abuse. [See here] At issue for Senate Judiciary Committee members is reauthorization of Section 702 of the Foreign Intelligence Surveillance Act [see here, here & here] beyond Dec. 31, 2017. That provision allows the federal government to acquire intelligence by targeting foreigners “reasonably believed” to be outside U.S. borders. The panel is divided over a permanent extension of Section 702, as advocated by Sen. Tom Cotton (R-Ark.) and others. Sen. Dianne Feinstein (D-Calif.), otherwise a supporter of the provision, said it should sunset every five years, with reauthorization needed from Congress. [Morning Consult]

EU – Mainframes Especially Vulnerable to Insider Threats: Study

While most chief information officers at large companies say their mainframes are more secure than other systems, a majority say their organizations are still exposed to a significant risk of insider threats due to blind-spots in internal data access and controls. That is the finding of a new report by research firm Vanson Bourne. [See here] For the study, sponsored by mainframe software company Compuware, the firm surveyed 400 CIOs in the U.S., France, Germany, Italy, Spain, and the U.K. in April 2017. Many of the CIOs (84%) say they find it difficult to track who has accessed data stored on the mainframe, exposing them to an increased risk of insider threats. [Information Management]

WW – 43% of Security Incidents Caused by Phishing, Hacking and Malware

Employee actions or mistakes caused 32% of breaches, 18% were caused by lost or stolen devices and records, and 3% were due to internal theft; organisations should identify and implement safeguards (authentication, segregation, intrusion detection/prevention systems, log retention), create a forensic plan, build business continuity into incident response planning, prepare for breach containment and management, and ensure breach notifications are clear and consistent. [2017 Baker Hostetler – Be Compromise Ready – Go Back to Basics – 2017 Data Security Incident Response Report]

Smart Cars

US – Regulators, Carmakers Plot Road to Connected Car Privacy, Security

Regulators should exercise “humility” when considering government oversight of privacy and data security issues for vehicles connected to the internet, FTC Acting Chairman Maureen Ohlhausen said. Predicting the future of how connected cars will develop is very difficult, Ohlhausen said in remarks at a connected cars workshop [see here] sponsored by the FTC and the National Highway Traffic Safety Administration. [Read her opening remarks here] The FTC should address actual or likely injury to consumer privacy and data security while fostering development of connected cars, Ohlhausen said. The FTC will use its enforcement powers under the FTC Act but also wants to avoid overlap or conflict with NHTSA oversight efforts, she said. Terry T. Shelton, acting executive director of NHTSA, agreed, saying that her agency will work with the FTC on those goals. Lauren Smith, policy counsel at the Future of Privacy Forum, pointed to the self-regulatory efforts of the Alliance of Automobile Manufacturers, the Association of Global Automakers and their members. The groups established the Privacy Principles for Vehicle Technologies and Services, voluntary industry standards which went into effect in January 2016. [BNA.com] [Broadcasting Cable | Wilmerhale]

US Government Programs

US – DHS Updates Policy Guidance to Accommodate Changes in Privacy Protection for Non-US Citizens

The Department of Homeland Security issued an updated memorandum providing privacy policy guidance. For US citizens, lawfully permitted residents, and individuals protected by the Judicial Redress Act, disclosures to law enforcement agencies will continue to be made pursuant to System of Records Notices (SORNs) and authorized disclosures under the Privacy Act; however, for all other persons, employees must determine whether the proposed use of the records is consistent with the purpose for which DHS collected them, and routine or regular sharing must be described in applicable privacy notices and PIAs (however, DHS does not plan on collecting additional data targeting citizenship status when not otherwise required). [DHS – Privacy Policy Guidance and Memorandum | Q&A]

US – New TSA Policy May Lead to Increased Scrutiny of Reading Material

The TSA is testing new requirements that passengers remove books and other paper goods from their carry-on baggage when going through airline security. Given the sensitivity of our reading choices, this raises privacy concerns. DHS Secretary John Kelly recently said that “we might, and likely will” apply the policy nationwide. Books raise very special privacy issues. As has been discussed, there is a long history of special legal protection for the privacy of one’s reading habits in the United States, not only through numerous Supreme Court and other court decisions, but also through state laws that criminalize the violation of public library reading privacy or require a warrant to obtain book sales, rental, or lending records. There have been multiple cases where passengers have been singled out because of their First Amendment-protected expressions. For example, in 2010 the ACLU sued on behalf of a man who was abusively interrogated, handcuffed, and detained for nearly five hours because he was carrying a set of Arabic-language flash cards and a book critical of U.S. foreign policy. We also know that the DHS database known as the “Automated Targeting System,” which tracks information on international travelers, has included notations in travelers’ permanent files about controversial books in their possession. If the TSA is to begin implementing this practice, I would make two recommendations for them. First, the agency and its screeners need to be sensitive to the potential privacy concerns at work here. Second, given any rule or practice requiring the unpacking and separation of books and other papers, the TSA should allow those materials to be contained by themselves within another package. [ACLU]

US Legislation

US – Bill Limits Collection and Use of Information from Vehicle Data Recorders

Senate Bill 196, amending the Wisconsin Statutes relating to motor vehicle data recorders, has been introduced in the Senate, and referred to the Committee on Government Operations, Technology and Consumer Protection. If passed, the amendments would take effect on the first day of the 7th month after publication. Express consent of owners is required for access, collection, or transfer of information stored on vehicle recorders; exceptions to the consent requirement include court orders, production requests, compliance with a service contract, law enforcement transfers for insurance purposes, for vehicle maintenance and repair, emergency medical responses, or insurance claim investigations. [SB 196 – An Act to Amend the Wisconsin Statutes Relating to Motor Vehicle Data Recorders – State of Wisconsin]

Workplace Privacy

EU – Article 29 WP Updates Opinion on Processing Employee Data

The Article 29 Working Party updated its Opinion 8/2001 on processing of personal data in the employment context. When implementing technologies that enable more systematic processing of employees’ personal data (e.g. BYOD, CCTV, and mobile device management), principles of proportionality and minimisation must be followed; employees should receive effective notice about any monitoring that takes place and consent should not be used as a legal basis for processing. [Article 29 WP – Opinion 2-2017 – Data Processing At Work]

CA – Overview of Provincial Privacy Statutes on Background Checks

This article provides an overview of what employers need to know about background checks in each Canadian province. Ontario, Alberta, Saskatchewan, Manitoba, New Brunswick, Nova Scotia, and Newfoundland and Labrador all permit employers to refuse to hire a candidate convicted of a criminal offence (Ontario employers may not refuse a candidate who has received a pardon); however, human rights legislation in British Columbia, Quebec and Prince Edward Island prohibits an employer from discriminating against a candidate for having a conviction of an offence unrelated to the intended employment. [Background Checks by Province – What Employers Need to Know – Michael Howcroft, Partner, and Noemi Blasutta, Associate, Blake Cassels and Graydon LLP]



20 May – 09 June 2017


US – Washington Becomes the Third State with a Biometric Law

On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute. The law prohibits any “person” from “enrolling a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers. With the new law, Washington has become only the third state after Illinois and Texas to enact legislation that regulates business activities related to biometric information. Legislatures in other states around the country are considering similar bills including Alaska, California, Massachusetts, and New Hampshire. The Washington law defines the content and activity it regulates in different terms, and, similar to Texas, but unlike Illinois, the Washington law does not provide a private right of action. On the same day that Governor Inslee signed H.B. 1493, he also signed H.B. 1717, which covers government agencies. Both laws go into effect on July 23, 2017. [Washington Becomes the Third State with a Biometric Law]

US – JetBlue Will Test Facial Recognition for Boarding

The airline will test facial-recognition check-in next month for flights from Boston to Aruba, the latest attempt by the industry to streamline boarding. Passengers will step up to a camera, and the kiosk will compare the facial scan to passport photos in the U.S. customs database to confirm the match. (You still have to bring your passport.) A screen above the camera will let passengers know when they’re cleared to board. JetBlue is collaborating on the technology with SITA, a tech company that specializes in air travel, including products like robotic check-in kiosks that autonomously rove around airports, sensing where they are needed. JetBlue says it will be the first airline to use facial recognition for boarding. The airline says it won’t have access to the photos – only SITA will. SITA said it will not store the photos. Delta Air Lines plans to test face-scanning technology with four kiosks at Minneapolis-St. Paul this summer for passengers to check their own luggage. [CNN Tech] See also: [Face it, this new Blippar mobile app may creepily destroy your privacy] and [UK police arrest man via automatic face recognition tech]


CA – Canada’s Privacy Czar Raises Flag Over Planned U.S. Border Password Searches

Canadian privacy could be imperilled by apparent U.S. plans to demand cellphone and social media passwords from foreign visitors, a federal watchdog says. In a letter [see here] to the House of Commons public safety committee, privacy commissioner Daniel Therrien warns the recent pronouncements from the Trump administration could mean intrusive searches — even at preclearance facilities in Canada. The Commons public safety committee is studying legislation [Bill C-23 see here] that would expand preclearance operations. Under the bill, U.S. searches at preclearance facilities would be governed by Canadian law, including the Charter of Rights and Freedoms. But Therrien says those protections appear to be hollow because they could not be enforced in court due to immunity provisions that significantly limit access to civil remedies for the actions of U.S. border officers carrying out preclearance duties. The Liberal government says the preclearance arrangements would strengthen security and prosperity while ensuring respect for the sovereignty of both countries. [Globe & Mail]

CA – CSIS Kept ‘All’ Metadata on Third Parties for a Decade: Top Secret Memo

When CSIS intercepted the communications of innocent people between 2006 and 2016, “all” the metadata related to those communications was retained in a controversial database, a top secret memo obtained by the Star suggests. The document relates to CSIS’s Operational Data Analysis Centre (ODAC) and a now-discontinued program that stored data intercepted from the service’s targets — and people who were in contact with them at the time. The Federal Court ruled in 2016 it was illegal for the service to indefinitely keep data on people who posed no threat to Canada’s national security for future analysis. While the basics of the program were revealed in heavily censored court documents, the scale of the program is not widely understood. CSIS told parliamentarians earlier this year that it didn’t know how many Canadians were caught up in the ODAC. But in an October 2016 memo to Public Safety Minister Ralph Goodale, outgoing Canadian Security Intelligence Service director Michel Coulombe suggested the court’s ruling would have a significant impact. In a statement Thursday evening, CSIS spokesperson Tahera Mufti reiterated that all the ODAC data was collected legally via court warrants over the years. The Federal Court did not rule the collection of third-party metadata was illegal — just the indefinite retention. Mufti also confirmed the new six-month period to assess whether metadata is relevant to a CSIS investigation. “CSIS has implemented new retention practices for information, including associated data (metadata), collected via warrant that are in compliance with (Noël’s) decision, which will allow ODAC to recommence its analysis of newly acquired associated data,” Mufti wrote. “ODAC historical metadata holdings remain fenced off, and unavailable for use, until a final decision regarding their disposition is made.” [Toronto Star: Top secret memo suggests large scale for CSIS metadata program, Federal Court ruled keeping the data was illegal in 2016]

CA – Report on C-51 Public Consultations, Most Disapprove

Last fall, the government asked Canadians to weigh in on the future of the country’s national security legislation. The government received 58,933 responses through an online questionnaire, and another 17,862 via email — in addition to feedback from cross-country meetings with constituents, academics and expert groups. On May 19, a report summarizing the results of the consultation was released, with one topic in particular drawing considerable attention: what sort of powers should law enforcement and intelligence agencies have when investigating crimes in the digital world? “Most participants in these Consultations have opted to err on the side of protecting individual rights and freedoms rather than granting additional powers to national security agencies and law enforcement, even with enhanced transparency and independent oversight,” the report reads. “The thrust of the report suggests that there’s significant appetite for reform,” said Craig Forcese, a law professor at the University of Ottawa who has written extensively on Bill C-51 — in particular, “a significant appetite for limiting state power in terms of the sorts of powers that security services have.” [CBC News: Canadians ‘reluctant’ to accept new police powers, prefer privacy online, government finds]

CA – Goodale Calls C-22 ‘Major Piece’ of National Security Agenda

Canada’s Public Safety Minister Ralph Goodale signalled that he’s hoping to bring in further national security legislation as he looks to the Senate to pass the Liberals’ first “major piece” of the government public safety and security agenda, Bill C-22 [see here]. The legislation would establish the new joint National Security and Intelligence Committee of Parliamentarians, the first of its kind in Canada. It will set up its scope, mandate, and outline its legal rights and restrictions. It would also establish a secretariat for the committee. The mandate of the committee is to review, monitor, and scrutinize the work of the country’s most secret intelligence agencies, including CSIS, the RCMP, the CSE, and the CBSA. As it’s drafted, the committee would be under the purview of the Government House Leader’s Office, but the secretariat will be established through the Privy Council Office and the committee will report to Prime Minister Justin Trudeau (Papineau, Que.). Mr. Trudeau appointed five-term Liberal MP David McGuinty (Ottawa South, Ont.) last January to chair the committee. Other members of the committee have not been chosen yet. [The Hill Times: Goodale calls C-22 ‘major piece’ of feds’ national security agenda, says amendments to Conservatives’ Anti-Terrorism Bill C-51 coming soon]

CA – Journalist Shield Law Could Soon Become Reality in Canada

The federal Liberal government is prepared to throw its support behind proposed legislation to protect the identity of journalists’ confidential sources. The government is expected to announce it will back a Conservative senator’s privately sponsored bill that would, for the first time in Canada, provide statutory protection for the identity of journalists’ sources. The bill would make it harder for police and other law enforcement or security agencies to spy on journalists’ communications or to seize documents that could reveal their sources. It would also make it harder for the cops to use whatever information is seized or captured by warranted surveillance. The Journalistic Sources Protection Act, S-231, was introduced by Sen. Claude Carignan in November after revelations that Montreal police spied on the communications of 10 journalists in Quebec in recent years — a scandal that has prompted a public inquiry in the province. In a major move that could see a new law adopted within a few months, the Liberals will propose a handful of technical amendments to address “legal and policy concerns” with the bill as drafted — changes that a senior government official characterized as “reasonable” and that Carignan said he supports. [The Star]

CA – Federal Housing Agency Boosting Its Ability to Detect Mortgage Fraud

The head of Canada Mortgage and Housing Corp. says it is beefing up its ability to detect mortgage fraud after being directed to do so by the federal government. CMHC president and CEO Evan Siddall says there is no evidence of a widespread mortgage fraud problem. But Siddall says there are incentives to commit fraud in the system and therefore the agency needs to be vigilant. Siddall says CMHC is looking at ways it can use data analytics to spot patterns that could be indicative of fraud networks or fraud rings. [Toronto Star]

CA – OIPC QC Rules Individuals Cannot Be Barred from Requesting Access to Information by Telephone

The Commission d’Accès à l’Information du Québec investigated a complaint against Surete du Quebec, alleging non-compliance with the Act on Access to Documents of Public Bodies and Protection of Information. The Quebec Commissioner received a complaint that the police headquarters’ telephone system barred callers from requesting access to information held; the institution does respond to written requests received from individuals within the legislated timeframe; however, modifications had to be made to its telephone message to ensure individuals could also request access orally, through speaking with an employee, or leaving a message after hours. [CAI QC – Decision 1011205 – Surete du Quebec]

CA – OIPC ON Issues Compliance Guidelines for Security, Breach Protocols, and Electronic Health Records

The Information and Privacy Commissioner in Ontario provided an update on the latest developments in healthcare and guidance on protection of personal health information, pursuant to the Personal Health Information Protection Act. Healthcare custodians should ensure the following – a written policy for sending and receiving emails, encryption of emails containing PHI (unless it is an urgent situation), restrictions on access to servers and portable devices, appropriate access controls (including staff training on access to PHI), and appropriate discipline for unauthorized access. PHI can be collected from the provincial EHR only to assist in healthcare provision, or eliminate significant risk of serious harm, and the IPC and affected individuals must be notified of theft, loss or unauthorised access to PHI. [IPC ON – Latest Developments in Protecting Personal Health Information]

CA – OIPC ON Issues Best Practices on Adequate Search

This IPC guidance examines the components of a reasonable search. Document the details of the search; ensure a full understanding of the request (contact the requester if necessary), consider the search methods (e.g. who conducted the search, who was consulted, what types of files were considered, and were any areas left out), consider destruction of records (if possible, provide details of record retention policies and schedules), and consider records outside the organization’s custody (who has them and why). [IPC ON – Reasonable Search Press Release | Guidance]

CA – OIPC AB ‘Fearful’ NDP Won’t Fix Flawed Freedom of Information Law

More than a month after the release of a report [see 55 Pg pdf here] raising alarm over government secrecy, information and privacy commissioner Jill Clayton is disappointed and frustrated with the lack of action by the NDP to ensure Albertans have proper access to government information. In a separate report [see 11 Pg pdf here], Clayton has called on the NDP government to amend the legislation to give her office that capacity — a power that had long been recognized by the province until recent years — but the province has given no signal on how it will proceed. “I am fearful that nothing’s going to happen,” Clayton said in a recent interview. “It’s impossible to imagine how citizens can hold a government to account, how they can engage fully in a democracy, if they’re not able to get information, and a big piece of that is to have independent, objective and effective oversight.” The most recent issues raised by Clayton follow reports [see here] she issued in February warning of “unacceptable” delays in processing information requests and a “lack of respect” for access to information among some senior officials within the civil service. [Calgary Herald]

CA – CRA Employee Fired After Agency’s Biggest Privacy Breach

Eight CRA staffers were fired during the fiscal year that ended March 31 for improperly accessing taxpayer data. Now comes news that another person was fired just before that for committing the biggest privacy breach in the department’s history. Sometime before March 23, 2016, the unnamed employee improperly accessed the accounts of 38 taxpayers in detail, and briefly accessed another 1,264 accounts using a search function to find surnames and postal codes. A CRA spokesman said no taxpayer data was changed and stressed that, of the 1,264 accounts briefly accessed, files were viewed for approximately two seconds per account. So this is time for another reminder that the federal privacy commissioner’s office has issued guidance on ways to cut down on employee snooping. Suggestion number one is to foster a culture of privacy. [IT World Canada | Tax worker fired after biggest privacy breach at Revenue Canada]

CA – SCoC Hears Fed’s Appeal on Residential School Records

Lawyers for the federal government and the National Centre for Truth and Reconciliation took turns Thursday trying to convince the Supreme Court how to handle the personal records of those who endured life inside Canada’s infamous residential schools. The Liberal government is appealing a lower court decision that allows the records to be destroyed after 15 years unless the individual in question directs otherwise. Justice Department lawyers say the documents are subject to federal laws governing access to information, privacy and the national archives, and should be preserved to ensure the residential school legacy is never forgotten. A lower court judge ruled the material should be destroyed after 15 years, but individuals could consent to have their stories preserved at the National Centre for Truth and Reconciliation in Winnipeg. In a split decision in April 2016, the Ontario Court of Appeal agreed, noting the documents were not government records subject to archiving laws. The court also rejected the idea the documents were “government records” but fell under judicial control. A dissenting justice maintained, however, that the documents should be turned over to Library and Archives Canada, subject to normal privacy safeguards and rules. The Assembly of First Nations argues the Ontario Court of Appeal upheld the promises of confidentiality made to former students of residential schools by ordering the destruction of records and ensuring former students maintain control over the accounts of their residential school experiences. [The Canadian Press via The Chronicle Herald]

CA – OIPC ON Recommendations for Creation and Analysis of Data Sets

The Information and Privacy Commissioner of Ontario has issued guidance on the use of big data by government institutions. Institutions should ensure they have the legal authority to collect personal information for big data projects, publish a description of the project on their website, de-identify linked data sets (to ensure adequate separation between policy analysis and administrative functions), ensure information analyzed is accurate, complete, and up-to-date, be aware of misleading correlations, and ensure profiling decisions that significantly affect individuals are verified. [IPC ON – Big Data Guidelines]

CA – OIPC SK Finds Health Authority Failed to Properly Respond to Privacy Breach

This OIPC report investigates the handling of a privacy breach by the Keewatin Yatthè Regional Health Authority (“Keewatin”) pursuant to Saskatchewan’s The Health Information Protection Act. The authority did not contain the breach (it did not recognize a suspended nurse’s 3 hours of unsupervised access to patient records as a breach), conduct an adequate investigation (it does not interview employees on unpaid leave), or notify affected individuals (it should provide written notification, post a public notice regarding the breach, and provide patients with the opportunity to view their chart free of charge); the provincial nurses’ association and union should support the authority’s request for an interview with the employee. [OIPC SK – Investigation Report 230-2016 – Keewatin Yatthè Regional Health Authority]

CA – OIPC SK Issues Guidelines for Conducting Audits of Users’ Access to Medical Records

The Office of the Saskatchewan Information and Privacy Commissioner issued guidance about auditing users accessing personal health information in accordance with the Health Information Protection Act. A proactive audit and monitoring program includes random audits of user activity, focused audits as a result of a complaint made by a staff member or the general public, and monitoring procedures; a user viewing their own record, a record of an individual with the same last name or another employee’s record are some of the events that should trigger an audit. [OIPC SK – Audit and Monitoring Guidelines for Trustees eHealth Saskatchewan]

CA – OIPC SK Finds Doctor’s Access to PHI for Training Purposes is Unlawful

The Office of the Information and Privacy Commissioner in Saskatchewan investigates a complaint against a doctor’s access to personal health information in contravention of the Health Information Protection Act. The doctor accessed personal health information of a non-patient without a legitimate need-to-know basis (i.e., to train his wife to assist with various aspects of his medical practice); if the doctor’s wife had a legitimate need to access the information to complete her job duties, the doctor should have registered her with her own user account. [OIPC SK – Investigation Report 282-2016 Eastside Medical Clinic Dr Serhii Haidash]

CA – OIPC SK Recommends GTH Board Quit Private Email

The provincial privacy commissioner says members of the Global Transportation Hub’s board of directors received “sensitive” information at private email addresses — and says board members should conduct government business with government email rather than their personal email accounts. The suggestion was contained in a report [see here] related to a Freedom of Information request filed by CBC Saskatchewan in April 2016. “It is clear from the record in this case that sensitive GTH information was sent to board members at their personal email addresses. I strongly sent to board members at their personal to reconsider this practice,” the report said. [see line 17 here] The report comes a month after Saskatchewan Premier Brad Wall was criticized by the Opposition New Democrats for conducting government business using his own personal email server. “We appreciate the advice of the Information and Privacy Commissioner and will consider all the recommendations,” a GTH spokesperson said through an email Tuesday afternoon. [GTH board shouldn’t use personal email to send ‘sensitive’ info: privacy report]

CA – Saskatoon Health Region Sees Increase in Privacy Breaches and Complaints

The Saskatoon Health Region’s latest data shows that there has been a 50% increase in the total number of privacy breaches and complaints. The data was compiled between April 1 and March 31 in each fiscal year [from 2012 to 2016]. According to the region’s enterprise risk management director Lori Frank, the increase can be attributed to awareness. Social media has also played a role in the increase of violations and subsequent complaints. [GlobalNews]

CA – OIPC NFLD Guidance on Disclosure of Records Containing Policy Advice or Recommendations

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has issued recommendations on determining whether records requested, pursuant to the Access to Information and Protection of Privacy Act, are exempted from disclosure. Public bodies can refuse disclosure of records that contain advice (identifying options for a decision without making specific recommendations), proposals, and recommendations (suggested course of action); however, since this is a discretionary exemption, institutions should consider whether disclosure would subject their decisions and policy-making to excessive scrutiny, or whether there is a public interest in the information that overrides their interests in refusing disclosure. [OIPC NFLD – Policy Advice or Recommendations]

CA – Alberta Gov’t Says Shredded Documents an Isolated Incident

Alberta legislature visitor logs shredded in the months following the 2015 election have the Opposition demanding an investigation by the privacy commissioner. Justice Minister Kathleen Ganley said Wednesday it seems the missing documents were due to what she labelled “inappropriate” actions of a single person employed with the legislature’s sheriff’s office at the time. Wildrose democracy and accountability critic Nathan Cooper said shredding documents is a clear violation of the transparency the NDP pledged to Albertans. [Shredded documents an isolated incident: justice minister]

CA – Ottawa Police Back External Case Reviews Modelled After Philadelphia Approach

The Ottawa Police Service will adopt an external review of sexual assault cases modelled after an oversight program in Philadelphia that has been shown to improve the quality of sex-assault investigations dramatically and reduce the number of complaints dismissed as unfounded. The move is a significant reversal for the Ottawa service, which in December, 2015, after nearly two years of negotiations, rejected a proposal from local advocacy groups to adopt the oversight model. At the time, the service said it was advised that privacy laws prohibited sharing case files with civilians. Brian Beamish, the Information and Privacy Commissioner of Ontario, told The Globe in a statement that his office has been working with police services about how to implement the Philadelphia model in a way that complies with privacy legislation. “It is my view that external review of sexual-assault case files can make an important contribution to improving the investigation of sexual assault complaints while complying with privacy requirements, including through the use of agreements, oaths of confidentiality and privacy and confidentiality training,” Mr. Beamish said in the statement. [Source]

CA – Ontario Court Considers Harm as Factor for Merging Class Action Suits

The Court considers a carriage motion to join two separate class action complaints regarding a data security breach at Casino Rama Services Inc. Two similar class action suits were brought forward in Ontario regarding a data breach of confidential personal and financial information where the hacker dumped data on the Internet; the firm that is in a better position to provide class members with a speedy resolution is considered, as with each passing month it becomes easier for the defendant to say that no harm has been done. [Kaplan v Casino Rama Services Inc. et al – 2017 ONSC 2671 CANLII – Superior Court of Justice Ontario]

CA – Winnipeg Transit Gave Rider Location Data to Cops, No Warrants

City officials confirmed that on four occasions since March of 2017, Winnipeg police have requested the data generated through the use of Peggo cards for a specific passenger to assist with an investigation. On each occasion, the transit service provided police with the desired records. In July of 2016, Winnipeg Transit launched its new Peggo card system, which allows users to pay their fare using an electronic card. It also allows Transit officials to track the exact travel habits of the 130,000 daily Transit passengers. Every time a passenger uses their Peggo card, data is generated on the date, time, bus number, boarding and transfer locations. If the user has registered their card online, the passenger’s name becomes linked to the data. Other government bodies also forward personal information to law enforcement without requiring a warrant or court orders. Bruce Owen, spokesperson for Manitoba Hydro, said requests from police for account information must be made in writing. “We provide police information on a customer’s account, including confirmation there has been a higher than normal kilowatt-hour consumption,” he said. Tom Keenan, a professor at the University of Calgary who specializes in information security, says “I see a growing sensitivity to this kind of information and it is quite appropriate to question it.” The privacy and information watchdog for the province says that under the Freedom of Information and Protection of Privacy Act, or FIPPA, any public body can release personal information to law enforcement without the need for a warrant or the consent of the individual being targeted under certain conditions. Specifically, Section 44(1) of the act outlines conditions under which a public body may disclose personal information to law enforcement. Winnipeg Mayor Brian Bowman said while he has been assured transit complied with privacy legislation, he wants to know more about what councillors were told about Peggo privacy before the cards went online last year. [Winnipeg Transit gave Peggo card travel history to police without warrants]

CA – Toronto Committee Scraps Proposal for In-Cab Cameras Due to Privacy Concerns

At a May 29 city meeting, Toronto’s Government Management Committee voted to scrap a proposal that would place cameras in the cabs of the city’s garbage truck fleet. The intention of the proposal was to increase internal surveillance in order to improve safety management and determine causes of accidents when they happen. However most city officials predicted this proposal would have a negative effect on morale. Beaches-East York Councillor Janet Davis said at the meeting, “This is about invasion of personal privacy and the extent that management can do that,” InsideToronto.com reported. Some other committee members said the suggestion to monitor garbage truck drivers on their routes should be part of a bigger discussion about management. [wastedive.com]

CA – Court-Ordered Reconsideration by OIPC BC Upholds Government Corporation’s FOI Disclosure of Email Correspondence

This OIPC order is a court-ordered reconsideration of Order F13-23 and redetermination of an unpublished investigation report by the OIPC concerning a request from a journalist for correspondence pursuant to British Columbia’s Freedom of Information and Protection of Privacy Act. Emails that reflect 2 employees’ intertwined business and personal relationships must be disclosed (with portions severed); the emails were largely created in the course of professional duties, and are under the corporation’s control (e.g. they were sent/received by the corporation’s email system and are stored on its servers). The corporation was not required to notify one of the employees that it was “collecting” his PI as it was not doing so; the employee voluntarily provided his PI in the emails and his PI was not solicited by his colleague. [OIPC BC – Order F17-20 – British Columbia Lottery Corporation]

CA – MB Freedom of Information Review Gives PCs Opportunity to Close Legislative Loopholes

The Manitoba Legislative Assembly Press Gallery is asking for clarity around exemptions, reports to cabinet. Manitoba is reviewing the Freedom of Information and Protection of Privacy Act (FIPPA), but balancing a transparent government with a right to privacy is a tricky act. The act came into force in 1998 and provides right of access to records held by public bodies while protecting privacy by setting rules for information collection, use and disclosure. Provincial legislation calls for it to undergo regular reviews and the last was in 2004, before it was significantly amended again in 2011. Reviewing the legislation is a good opportunity for the province to catch up to freedom of information laws in other provinces, said Steve Lambert, past-president of the Manitoba Legislative Assembly Press Gallery. The Manitoba Legislative Assembly Press gallery, which has 46 members and represents 11 media outlets, contributed a submission to the review calling for clarity and more reasonable time frames for access to information. “Our biggest concern is that background information, data reports, things that the public pays for on matters of public interest are currently kept hidden,” Lambert said. “Basically right now anything that is submitted to a cabinet minister or produced by a cabinet minister cannot be released to the public for 20 years and that is such a wide all-encompassing exception that if you are in government and wanted to hide something you could just give it to a cabinet minister and claim that exemption.” Manitobans are being asked to take part in the review and submissions will be collected until the end of the month. [CBC News]

CA – Proposed Amendments to PIPEDA Will Make It Mandatory to Notify a Breach

There is currently no mandatory requirement in Canadian legislation for organizations to notify of a breach, except in certain circumstances (e.g., private sector organizations in Alberta, and health information in Ontario, New Brunswick and Newfoundland and Labrador); organizations should make it a best practice to voluntarily notify affected individuals of privacy breaches, as once it is made mandatory under PIPEDA, organizations that fail to notify may be subject to a fine of up to $100,000, and may be publicly named by the Privacy Commissioner. [Privacy Breaches in Manitoba – A Mitigation and Prevention Primer – Andrew Buck, Lawyer, Pitblado Law | Manitoba: Whistleblower sues health authority and lawyers, alleging identity revealed]


CA – Canadians Want More Regulatory Review of Emerging Technologies: Accenture

Canadians prioritize regulatory reviews of drones, autonomous vehicles and online user agreements above those of other emerging technologies, according to new research from global professional services company Accenture on Canadian attitudes on government regulation of emergent technology-enabled products and services. The survey found that four in 10 (40%) of those polled said that “drones equipped with video cameras” should be a key area for government regulatory review. Nearly as many Canadians said that key areas for government regulatory review should include autonomous (driverless) vehicles and online user agreements for new products or services (each cited by 38% of respondents). Other areas in which Canadians want to prioritize a regulatory review include connected homes and products, such as technology that controls a home’s lights, alarms, temperatures, or baby monitors from a mobile phone or other device (cited by 30% of respondents); social media, including privacy rights and/or guidelines around advertising (26%); ridesharing services like Uber and Lyft (26%); and sharing economy accommodations like Airbnb and HomeAway (23%). However, many Canadians believe that the government should step away from regulating certain technologies “because they are evolving well without the need for additional regulation.” For example, half (51%) of Canadians want government to step away from further regulating video/music streaming, and almost as many want government to stop regulating connected homes/products (48%), social media (46%) and artificial intelligence (43%). [Canadian Underwriter]

WW – Google Starts Tracking Offline Shopping — What You Buy at Stores in Person

Google already monitors online shopping — but now it’s also keeping an eye on what people buy in physical stores as it tries to sell more digital advertising. The Internet giant said that a new tool will track how much money people spend in merchants’ bricks-and-mortar stores after clicking on their digital ads. The analysis will be done by matching the combined ad clicks of people who are logged into Google services with their collective purchases on credit and debit cards. Google says it won’t be able to examine the specific items bought or how much a specific individual spent. But even aggregated data can sometimes be converted back to data that can identify individuals, said Larry Ponemon, chairman of the Ponemon Institute privacy research firm. Google’s tool doesn’t work for cash payments or the 30% of U.S. card transactions that Google can’t currently access. Google gives its users the option to limit the company’s tracking and control what types of ads they are shown — although in practice, relatively few users tweak such settings. [Associated Press | How the latest Google data mine digs into credit-card privacy] and also Be careful celebrating Google’s new Ad Blocker. Here’s what’s really going on


NZ – Govt Backtracks On Data-for-Funding Proposal

Social service providers will no longer need to hand over the private details of their clients to the government until a new data protection policy is in place. The government had said it would only give funding to providers if they handed over client names, birth dates, ethnicity and the personal details of any dependants. Last month the Privacy Commissioner found handing over the details was “excessive”, disproportionate to the government’s need, and the Ministry of Social Development acted “prematurely” without considering privacy risks. Minister for Children Anne Tolley has temporarily suspended the process. She said an advisory group would be set up to consider the best way to increase the level of data being collected, while maintaining privacy and trust with providers. [Radio New Zealand]

US – DEFCON to Plumb Electronic Voting Machines’ Security

The DEFCON conference in July will include a “village” of electronic voting machines for attendees to try to crack. DEFCON founder Jeff Moss said that the voting machine companies are welcome to be involved in the process, but expects that they will not take him up on his offer. [Top hacker conference to target voting machines]


CA – Feds Suspend Implementation of CASL Private Right of Action

The federal government has issued an Order in Council today delaying the coming into force date of the private right of action under Canada’s Anti-Spam Legislation until completion of a parliamentary review “in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.” “If they are delaying it, that’s definitely good news for businesses. A lot of them have been struggling in the past few months to make sure they are complying with CASL in light of the two changes that will be coming into force — the private right of action as well as the end of the transition period,” says Eloïse Gratton of Borden Ladner Gervais LLP. Inga Andriessen says the big message that will need to get out is that CASL hasn’t been repealed. CASL is still going to be in place. The government can still fine you the same way as they could before, but the good news is nobody is going to be suing you in court for any violation of CASL. If anything, it’s a time to really take a look at your CASL policies and make sure you’re still compliant or get compliant if you weren’t before.” [Last minute reprieve as feds suspend controversial private right of action provision in CASL] Canada: CASL – Government Suspends Private Right of Action

Electronic Records

CA – Conservative Party Takes Disciplinary Action After Membership List Shared

The Conservative party is demanding that the National Firearms Association destroy a party membership list that it appears to have illicitly obtained from one of the camps in the recent leadership contest. “We are aware that our members are being contacted by an outside organization,” the party said. “We will be issuing a cease-and-desist letter to the organization in question, demanding that they destroy the list.” The party did not identify the outside organization but the post came after numerous Conservatives complained through social media that they’d received a letter this week from the National Firearms Association, seeking a donation. They suspected that the association had obtained their names and addresses from the party membership list, distributed to each of the 14 candidates during the leadership race, which concluded last weekend with the election of Andrew Scheer. CBC News contacted spokespeople for all 14 campaigns, all of whom denied sharing the list with the National Firearms Association. The party did not name the culprit but said it has “identified the parties responsible for sharing the information, and will be taking disciplinary action against them.” [The Canadian Press]

EU Developments

EU – Cybersecurity Skills Gap of 350,000 Workers by 2022

This month sees the third release of data from the “Global Information Security Workforce Study 2017: Benchmarking Workforce Capacity and Response to Cyber Risk” [see here & here], which was conducted by Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)2, Booz Allen Hamilton and Alta Associates, and offers up a deeper exploration of the growing cybersecurity skills gap. It predicts a cybersecurity skills gap for Europe of 350,000 (globally 1.8 million) by 2022, resulting in European organisations planning their fastest rate of cybersecurity hiring in the world, with 38% of surveyed hiring managers in the region admitting they intend to grow their workforce by at least 15% in the coming year. This is despite the fact that two-thirds of organisations have also stated that they currently have too few cybersecurity workers. The lack of professionals entering the industry has a two-fold impact on the profile of the workforce. Not only is it not increasing at a rate fast enough to fill the necessary roles, it has also led to a greying workforce, with just 12% of workers under 35, and 53% over 45. The profession faces a looming skills cliff edge, with the majority of workers getting closer to retirement and companies failing to recruit long-term replacements. Recommendations by this release suggest that organisations need to adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that show that workers with non-computing related backgrounds account for nearly a fifth of the current workforce in Europe, and that they hold positions at every level of practice, with 63% at manager level or above. [What we learned from this month’s European GISWS report]

UK – ICO Promotes Funding for Data Protection and Privacy Research

The Information Commissioner’s Office (ICO) has announced that it will provide between £20,000 and £100,000 to organisations that meet its criteria for funding under the new grants programme. The ICO said its grants programme has five objectives, which include supporting and encouraging research and “privacy enhancing solutions in significant areas of data protection risk”, in projects “that will make a real difference to the UK public”, as well as raising data controllers’ awareness of “privacy enhancing solutions”. The watchdog said data protection and privacy research projects must meet at least one of the five strategic goals it set out in its recently published information rights strategic plan (14-page / 209KB PDF) to be eligible for funding. [Organisations given chance to win funding for data protection research by UK watchdog]

EU – EU Adopts Regulation for Wearable Technology

The European Union has adopted Regulation 2017/745 on Medical Devices and issued a press release and fact sheet. The Regulation, which applies to devices and related software, requires EU registration of each device, designation of an EU authorised representative for the manufacturer, and informed consent from the subjects of any clinical investigations concerning the device; a manufacturer must have a risk management plan for the lifecycle of each device, and keep technical documentation available to EU authorities for 10 years. [Regulation 2017/745 on Medical Devices – European Union | Press Release | Fact Sheet | DLA Piper | Emergo]

UK – ICO Outlines 4-Year Plan to Strengthen Transparency and Accountability

The UK Information Commissioner’s Office released a 4 year plan outlining its mission, vision and strategic goals. The ICO will increase public trust and confidence in how their data is used and made available by creating a culture of accountability, improve standards of information rights practice through clear, targeted engagement and influence, and maintain and develop influence within the global regulatory community (despite Brexit); a technology strategy will be developed to assist organisations, and there will be continued focus on lead generation and data broking organisations to ensure compliance with the law. [ICO UK – Information Rights Strategic Plan 2017-2021]

Facts & Stats

US – FTC Finds Thieves Attempt to Use Stolen Data Within 9 Min of Breach

In an effort to see what happens after a data breach, the Federal Trade Commission leaked a database of 100 fake customers and found it only took 9 minutes for crooks to attempt to access the information. The FTC’s Office of Technology made the information realistic by using popular names based on Census data, addresses from across the country, email addresses that used common email address naming conventions, phone numbers that corresponded to the addresses, and one of three types of payment information (an online payment service, a bitcoin wallet or a credit card), according to a May 24 blog post. Researchers then twice posted the information to a popular hacker forum where stolen credentials are shared; within 9 minutes of the second post, hackers were attempting to use the stolen data to pay for all sorts of things, including clothing, games, online dating memberships and pizza. More than 1,200 attempts were made to exploit the stolen information. [scmagazine.com]


CA – Information Commissioner Tables 2016/17 Annual Report

Information Commissioner Suzanne Legault tabled her 2016–2017 Annual Report in Parliament today. [See here] The year began on a positive note for access to information and transparency with many constructive advancements and a promise by the government to reform the “Access to Information Act.” [See here] As the year drew to a close, Commissioner Legault says there is “a shadow of disinterest on behalf of the government.” Several investigations illustrate longstanding deficiencies with the Act, which include the deletion of emails subject to a request, difficulties accessing documents in a minister’s office, failure to document decisions, and lengthy delays to obtain information. Institutional performance in relation to compliance with the Act is showing signs of decline. Much-needed reform is necessary to solve ongoing problems across the access system. Commissioner Legault says “our investigations highlight that the Act continues to be used as a shield against transparency and is failing to meet its policy objective to foster accountability and trust in our government. The Act urgently needs to be updated to ensure that Canadians’ access rights are respected. A lot of work needs to be done before this government delivers on its transparency promises.” [The Information Commissioner’s 2016−2017 annual report] Canada: The Information Commissioner’s 2016−2017 annual report

CA – Government Accused of Hoarding Canadian History in ‘Secret’ Archives

Some of Canada’s leading historians say the federal government is putting the country’s historical record at risk by hoarding piles of documents inside secret archives that together would make a stack taller than the CN Tower. Historian Dennis Molinaro of Trent University discovered ministries and agencies are stockpiling millions of decades-old papers rather than handing them over to Library and Archives Canada for safekeeping and public access. He’s launched a petition to try to convince the government to set them free. The Canadian Historical Association (CHA) has joined his campaign and is calling on the government to mark Canada’s 150th anniversary by overhauling the laws on access to government records. As part of his research, Molinaro has been asking government departments to hand over information about Canada’s Cold War domestic spy and surveillance programs run by the RCMP. Last fall, the federal government initially refused his access-to-information request for the papers (which were never transferred to the national archives) concerning a 65-year-old top secret RCMP wiretapping program dubbed Project Picnic. One day after CBC News reported on Molinaro’s battle with the bureaucracy, officials notified him they would release the 1951 “secret order” that authorized the wiretapping program targeting suspected Soviet spies and other subversives, signed by Prime Minister Louis St-Laurent. Access-to-information officials have told Molinaro the Privy Council Office holds at least 1.6 million more pages from the era, many of which could concern Cold War counter-espionage programs. He’s also learned many more intelligence-related records dating back four, five and six decades are being held by the Communications Security Establishment (CSE) and the departments of Justice and Foreign Affairs. 
He’s been told in email exchanges that there’s currently no public list to help him — or any other researcher — understand, let alone access, these mountains of papers kept inside closed government storerooms. “The government seems to be, in essence, running some kind of secret or shadow archive,” Molinaro told CBC News. Keeping millions of records from the national archives is “appalling,” he said. “You’re hiding the historical record from the Canadian people.” [CBC News]

WW – Apple Transparency Report

Apple’s transparency report for the second half of 2016 shows that the company received between 5,750 and 5,999 FISA orders and National Security Letters regarding between 4,750 and 4,999 accounts. [Apple transparency report shows increased U.S. national security requests | Apple Receives First National Security Letter, Reports Spike in Requests for Data | Report on Government and Private Party Requests for Customer Information: July 1 – December 31, 2016]

Health / Medical

WW – Medical Device Security ‘Is A Life or Death Issue’, Warns Researcher

There are more than 8,000 vulnerabilities in the code that runs in seven analyzed pacemakers from four manufacturers, according to a new [WhiteScope] study. And that’s just a subset of the overall medical device scene, in which devices have scarcely any security at all. A second, separate, study [Ponemon/Synopsys] that looked at the broader market of medical devices found that only 17% of manufacturers have taken serious steps to secure their devices, and only 15% of healthcare delivery organizations (HDOs) have taken significant steps to thwart attacks. Patients have already suffered adverse events and attacks. The Ponemon study’s findings: a) 31% of device makers and 40% of HDOs surveyed by Ponemon Institute said that they’re aware of patients suffering from such incidents; b) Of those respondents, 38% of HDOs said they were aware of inappropriate therapy/treatment delivered to patients because of an insecure medical device; and c) Another 39% of device makers confirm that attackers have taken control of medical devices. As far as the pacemaker-specific vulnerabilities go, researcher Billy Rios and Dr Jonathan Butts from security company WhiteScope found that few manufacturers encrypt or otherwise protect data on a device or when that data is being transferred to monitoring systems. Neither were any of the devices they looked at protected with the most basic authentication: login name and password. Nor did the devices authenticate the devices or systems to which they connect. [Naked Security (Sophos)]

UK – Health Sector Accounts for ‘43% of All Data Breach Incidents’

The UK health sector suffered a disproportionate number of data breach incidents between January 2014 and December 2016. In total, healthcare organisations suffered 2,447 incidents and accounted for 43% of all reported incidents in the time period. According to a data analysis by Egress, the data, received from the Information Commissioner’s Office, also shows that human error accounts for almost half of these incidents across every sector. Furthermore, the number of incidents rose year on year, with a 20% increase, from 184 incidents in the last quarter of 2014, to 221 in the last quarter of 2016. Taking the 221 incidents occurring between October and December 2016, the top-ranking incident types were: 1) Theft or loss of paperwork – 24%; 2) [Other principle 7 failure] – 22%; 3) Data faxed/posted to incorrect recipient – 19%; 4) Data sent by email to incorrect recipient – 9%; and 5) Failure to redact data – 5%. [Source]

WW – Study: Most Dementia Apps Lack a Privacy Policy

Mobile health apps targeting dementia patients lack appropriate privacy policies, according to researchers, highlighting concerns about the possibility of privacy breaches within a particularly vulnerable population. Researchers with Harvard Medical School reviewed 125 iPhone apps built for dementia patients and found that 72 collected user data. Of those apps that collected data, just 33 had an available privacy policy, according to results published in the American Journal of Geriatric Psychiatry. Many of those mobile apps that had an accessible privacy policy lacked clarity, often failing to address the specific functions of the app, describe safeguards or differentiate between individual protections versus aggregate data protection. The authors said the findings of the study highlighted a significant concern for patients with cognitive impairment and their caregivers, eroding trust among users. [fiercehealthcare.com]

US – Healthcare Industry in Critical Condition, Says Cybersecurity Task Force

In a recent report, the U.S. Department of Health and Human Services has flagged the country’s healthcare industry as highly vulnerable to cyber-attacks and ransomware. The DHHS’ Health Care Industry Cybersecurity Task Force’s report [96 pg PDF see here, PR see here] has revealed damning details on the healthcare industry’s cyber-security standards and how well the industry is prepared to safeguard private information from hackers. “Healthcare cybersecurity is in critical condition,” said Josh Corman, a member of the task force and Atlantic Council Director of the Cyber Statecraft Initiative. The report revealed a lack of designated cyber-security officials in most hospitals and also that smaller hospitals did not invest in cyber-security as they [erroneously] believed only larger institutions were targeted by hackers. The task force has recommended that the Health and Human Services Secretary must publish standards and guidance consistent with the NIST Cybersecurity Framework, must establish a Task Force to explore options to incentivize risk-based cybersecurity, and should make recommendations to Congress about required statutory changes. [Source]

Horror Stories

EU – Commission Fines Facebook €110 Million for Providing Inaccurate Information about WhatsApp Takeover

The European Commission has imposed a fine on Facebook for provision of misleading information during its investigation of Facebook’s acquisition of WhatsApp. In its notification to the Commission about its acquisition of WhatsApp, Facebook stated it would not be able to automatically match its users’ IDs with WhatsApp users’ IDs; however, the technical possibility for automated matching existed, Facebook staff were aware of the possibility, and the omission prevented the Commission from having all relevant information for assessing the transaction (regardless of whether there would have been an impact on the outcome). [EC – Mergers: Commission Fines Facebook 110 Million Euros for Providing Misleading Information about WhatsApp Takeover]

CA – Massive Breach at PSPC Reveals Workers’ Salaries & More

The personal information of almost 13,000 public servants was exposed in one of the largest ever privacy breaches at a federal government department. The July 11, 2016, breach at Public Services and Procurement Canada (PSPC) included the salary, age, reading-and-writing test results and other private information of 12,901 employees — nearly everyone working in the department, which employed 13,300 people at the time. Also included was confidential employment-equity data of about 2,590 employees, such as whether they self-identified as a visible minority, disabled or Indigenous. The department reported the breach to Canada’s privacy commissioner, Daniel Therrien, more than a month later, on Aug. 19, 2016. Employees themselves were notified even later, by email, on Aug. 26 — six weeks after the fact. The July 2016 privacy breach was at least the third at PSPC in the space of about a year. The first two breaches — which occurred between March and July 2015, and February and April of 2016 — were the result of the wonky Phoenix payroll system which has been underpaying, overpaying or not paying federal workers. The earlier breaches affected more workers — 300,000 — but the kind of personal information exposed was relatively minor compared with the depth of private information revealed in the latest incident, which included the size of workers’ paycheques. Other federal government departments have a far worse record of privacy breaches than PSPC, as detailed in last fall’s annual report from Therrien, which covered the period between April 1, 2015, and March 31, 2016. The worst offenders were Veterans Affairs (84), Corrections Canada (50), Immigration (47), the Canada Revenue Agency (21) and Employment and Social Development (17). [Massive privacy breach at Public Services reveals workers’ salaries]

CA – OHIP Card Renewal Notices Breach Caused by ‘Anomaly’

Ontario plans to resume mailing health card renewal notices more than a month after a printing “anomaly” caused a privacy breach. Incorrectly printed forms resulted in the personal information for thousands of children being mailed to strangers in April. All health card renewal notices were suspended while the province tried to find the cause of the problem, brought to its attention late in the last week of April by parents who received incorrect forms. A printing mistake on the double-sided form resulted in a mismatch between the mailing address on the front and the information on the back, including a full name, home address, birth date and health number. All the incorrectly printed health card renewal notices belonged to children with a birth date in early July. Kitchener-Waterloo MPP Catherine Fife called the explanation of an anomaly “thin” and said residents “deserve real answers” about the privacy breach. “It doesn’t leave people with a lot of confidence. How do you control against an anomaly? There’s still some outstanding questions,” Fife said. [Waterloo Record | Ontario considering offering system to renew health cards online]

Identity Issues

US – Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach

OneLogin—a company that allows users to manage logins to multiple sites and apps all at once—announced [see here] it had suffered some form of breach. OneLogin says that all customers served by the company’s US data centre are impacted, and has quietly issued a set of serious steps for affected customers to take. Notably, the public blog post omitted certain details that OneLogin mentioned to customers in an email; namely that hackers have stolen customer information. “Customer data was compromised, including the ability to decrypt encrypted data,” according to a message OneLogin sent to customers. Multiple OneLogin customers provided Motherboard with a copy of the message. The message also directed customers to a list of required steps to minimize any damage from the breach, which in turn gave an indication of just how serious this episode might be. It’s always worth remembering that when a service aggregates the ability to log into multiple apps or sites at once, it is creating a very juicy target for hackers. [Motherboard | OneLogin admits recent breach is pretty dang serious | OneLogin: Breach Exposed Ability to Decrypt Data | Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach | Password manager OneLogin hacked, exposing sensitive customer data: Password manager OneLogin hacked, attackers could ‘decrypt encrypted data’ | http://www.onelogin.com/blog/may-31-2017-security-incident]

AU – Australia Post to Create Federal Government Identity Concept

Australia Post has announced a partnership with the Digital Transformation Agency to create a proof-of-concept identity platform that integrates its digital ID system with the Commonwealth’s Digital Identity Framework. “Our research shows these processes cost the Australian economy up to AU$11 billion a year in proving identity alone, and can be unlocked by making it easy, safe and secure to prove that you are who you say you are when interacting online,” said Australia Post managing director and group CEO Ahmed Fahour, who resigned from his position in February and is set to leave the role in July. “We envisage an identity solution, like Digital iD, could unlock significant benefits for everyday Australians doing business with government.” [ZDNet]

Law Enforcement

CA – Worries over Ottawa Police Nerve Centre & “Predictive Policing”

The $2-million Ottawa Police Service’s Strategic Operations Centre (OPSOC) began operating last October at the Greenbank police station. Located in a room now ringed by big-screen TVs tuned to cable news, the OPSOC is staffed from 6 a.m. to 2 a.m. by five employees drawn from a pool of 16 sworn officers and eight civilians. They sit in front of banks of computer screens, keeping an eye on traffic cameras, social media and other sources of information. OPSOC has an annual budget of $1,982,600, and is only in the first of a three-phase rollout. Civil liberties groups are concerned over OPSOC’s apparent reliance on what’s known as “predictive policing,” which involves the use of various analytical techniques to identify potential criminal activity before it occurs. Brenda McPhail, privacy director for the Canadian Civil Liberties Association (CCLA), said Canadians aren’t being given the opportunity to have a conversation about this level of surveillance by police. In particular, McPhail said it could have a chilling effect on protesters. “We’ve been talking to activists who’ve experienced surveillance and [they say] it makes them think twice about protesting.” [Doubts swirl around new Ottawa police nerve centre]

CA – Cobourg Police Add ALPR Technology to Cruiser

Cobourg Police Service has launched an ALPR-equipped cruiser, and law enforcement has just gotten what Acting Sergeant Marc Bellemare considers a significant boost. “You go out on patrol. It scans license plates and, any license plates where there’s an issue, it creates a positive hit and alerts us to stop that vehicle,” Bellemare said. Issues that might cause a stop include everything from driving while suspended and expired validation stickers to Amber Alerts and involvement in a crime. [Northumberland Today]

CA – Doubts Swirl Around New Ottawa Police Nerve Centre

A $2-million police initiative billed as a sort of “virtual backup” for front-line officers is drawing criticism from both their union and civil liberties advocates. The Ottawa Police Service’s Strategic Operations Centre (OPSOC) began operating last October at the Greenbank police station. Located in a room now ringed by big-screen TVs tuned to cable news, the OPSOC is staffed from 6 a.m. to 2 a.m. by five employees drawn from a pool of 16 sworn officers and eight civilians. They sit in front of banks of computer screens, keeping an eye on traffic cameras, social media and other sources of information. Their task, according to the Ottawa Police Service, is “supporting front-line officers, particularly during high-risk and/or complex calls.” OPSOC staff use all the resources at their disposal to gather information for their colleagues as they rush to the scene of a crime or collision. Since it opened in October, the operations centre has assisted with more than 2,000 calls for service. OPSOC has an annual budget of $1,982,600, and is only in the first of a three-phase rollout. Civil liberties groups are concerned over OPSOC’s apparent reliance on what’s known as “predictive policing,” which involves the use of various analytical techniques to identify potential criminal activity before it occurs. Brenda McPhail, privacy director for the Canadian Civil Liberties Association (CCLA), said Canadians aren’t being given the opportunity to have a conversation about this level of surveillance by police. In particular, McPhail said it could have a chilling effect on protesters. “We’ve been talking to activists who’ve experienced surveillance and [they say] it makes them think twice about protesting.” Cartright dismissed those privacy concerns. “We are only accessing things that are available to the public,” he said. 
“That’s the balance.” The unit is still operating like a pilot project, he said, and a report assessing its usefulness is expected by the end of its first year of operation. Other police services have launched similar units with success, Cartright noted. “We’re not recreating any wheel,” he said. [CBC]


US – Supreme Court Will Hear Mobile Phone Location Data Case

The US Supreme Court will hear arguments in a case regarding the need for a warrant to use cell-site data to track a suspect’s location. The case, Carpenter v. United States, No. 16-402, involves data held by a mobile phone company. The question is whether police are required to obtain a warrant to access mobile phone location histories. Police currently have access to the information without the need for a warrant through the third-party doctrine, which allows police to demand information from companies if the information is considered a normal business record. [Supreme Court Agrees to Hear Cellphone Tracking Case | Supreme Court agrees to rule if cops need warrant for cell-site data | Supreme Court to hear case on tracking phone location data]

Online Privacy

WW – 7 in 10 Smartphone Apps Share Your Data With Third-Party Services

More than 1,600 people who have used Lumen [see here] since October 2015 allowed us to analyze more than 5,000 apps. We discovered 598 internet sites likely to be tracking users for advertising purposes, including social media services like Facebook, large internet companies like Google and Yahoo, and online marketing companies under the umbrella of internet service providers like Verizon Wireless. We found that more than 70 percent of the apps we studied connected to at least one tracker, and 15% of them connected to five or more trackers. One in every four trackers harvested at least one unique device identifier, such as the phone number or its device-specific unique 15-digit IMEI number. Unique identifiers are crucial for online tracking services because they can connect different types of personal data provided by different apps to a single person or device. Most users, even privacy-savvy ones, are unaware of those hidden practices. Tracking users on their mobile devices is just part of a larger problem. More than half of the app-trackers we identified also track users through websites. Thanks to this technique, called “cross-device” tracking, these services can build a much more complete profile of your online persona. [Source]

WW – Synaptics Warns That Fingerprint Spoofing Makes Laptops Vulnerable

According to Godfrey Cheng, vice president of product at Synaptics, earlier this month [the company] issued a warning that some computer makers have chosen to use insecure smartphone fingerprint sensors instead of more secure laptop sensors. The smartphone fingerprint sensors typically use unencrypted methods to store and send the fingerprint to a central processing unit (CPU) for processing. That makes the data vulnerable to snooping software and other hacks. Synaptics sensors, by contrast, use encryption and a secondary host processor to do the recognition work. That encryption makes it a lot harder for hackers to copy the fingerprint and use it to unlock a computer remotely, Cheng said. The insecure fingerprint sensors are disturbing because modern laptop users are conditioned to believe that fingerprints are unique and are much safer than passwords. This is largely true, but a laptop manufacturer’s choice in sensors can potentially lead to the theft of your fingerprint image. That makes a user’s laptop secrets vulnerable, as well as those of an entire enterprise, if it’s a work computer. “There are two types of fingerprint sensors in the notebook market today,” Cheng said. “Those that are encrypted and safe, and those that are unencrypted and unsafe.” [Source]

WW – Distributed Ledger Technology May Not Be Compliant with the GDPR

A review of the applicability of the General Data Protection Regulation in the blockchain context. It is virtually impossible to identify the entity responsible for the blockchain process (e.g., data controller, data processor) and to change or delete information contained on a blockchain (making the right to be forgotten impossible). [Blockchains and Personal Data Protection Regulations Explained] See also [Toyota pushes into blockchain tech to enable the next generation of cars]

CA – Ontario Owner of Website That Names and Shames Debtors Told to Shut Down

The Ministry of Government and Consumer Services has ordered the owner of a website that publishes public information about people who’ve been successfully sued but won’t pay up to “cease and desist”. “I will not be bullied by some officious twit at the Ministry of Government and Consumer Services, whose mandate is the protection of consumers and they seem to be hell bent to do exactly the opposite,” said Dougall Grange, the owner of the website publicexecutions.ca. “What I’m doing is allowing judgement creditors, i.e. those are people who are owed money certified by the courts, to publish that information online in an accessible way, to motivate the person who owes them money to pay.” But the ministry sees it differently. It said in a letter to Grange that he’s providing a consumer report without registering as a Consumer Reporting Agency, a violation of the Consumer Reporting Act. If Grange is convicted of violating the Consumer Reporting Act, he could face a fine of up to $100,000. Grange said the website doesn’t break even and he was considering shutting it down until he got the ministry’s letter. [CBC News]

NZ – Privacy Call to Limit Power Usage Monitoring

Smart meters that relay half-hourly power usage are a potential risk to people’s personal security and privacy, and standards should be set to curb data collection, NZ Privacy Commissioner John Edwards says. The commissioner said about 70% of households in New Zealand have smart meters. The devices automatically record and transmit power usage data in half hourly intervals, but that information can also reveal much about the comings and goings of people in a household at a given time. The information is collected by electricity retailers like Meridian or Mercury, who use it to prepare their bills. It is then passed on to lines companies under information-sharing pacts. Mr Edwards said it could indicate when people were out, at home or in the shower – and this could put their security at risk if abused. The trend all over the world was to require that collection of data about people’s private lives be kept to a minimum, he said. In an open letter to the industry, Mr Edwards recommended electricity companies ensure that personal information was not collected unnecessarily or held for longer than it had to be. He also suggested aggregating data into clusters to cover an entire community, or all the people in a street, rather than recording data on individual homes. [radionz.co.nz]

Other Jurisdictions

WW – How to Keep Track of Cloud Providers and Products for Security Compliance

Tracking to ensure cloud providers and their products are compliant with corporate security controls and with compliance demands of business partners isn’t easy, security consultant James Arlen told a recent meeting of the Toronto Area Security Klatch (TASK), a community of infosec pros and students, because few organizations have the leverage to get providers to divulge the secrets of their security processes. However, he said, by gathering information and asking incisive questions infosec pros may be able to create a risk model that will meet the needs of management. Ironically, in this digital age, security compliance with a cloud provider comes down to paper. “The contract with the provider is the whole damn thing,” Arlen told the meeting. However, unless the customer is a government or a global corporation, the provider usually holds the whip hand. On top of that, CISOs may have a raft of security standards to comply with, including the federal PIPEDA, the EU privacy directive, PCI for credit cards, NIST and various ISO/IEC rules. How does that relate to what a provider follows? One answer is using the Cloud Security Alliance’s free cloud controls matrix, which cross-indexes major compliance regimes and shows how they map to one another. But, Arlen said, the real work of tracking compliance is creating a tracking list for every cloud provider and service staff are entitled to use – or, if the CISO decides, services staff are known to use even without permission. Arlen admits to frustration with third party security attestations in contracts (“We attest to following ISO 27001”), which say nothing about the provider’s actual security capability.
As for documenting the provider’s security compliance, Arlen urges CISOs to follow these seven steps: 1) Review contract documents/exhibits; 2) Request vendor compliance documentation; 3) Review the Cloud Security Alliance Star registry for vendor compliance statements; 4) If neither exist, submit your own vendor security risk assessment; 5) Consider the provider and product stance relative to your requirements using the CSA cloud controls matrix; 6) Document deviations and your recommendations to the business/technology owner; and 7) Revise this regularly. [IT World]

Privacy (US)

US – FTC Issues Recommendations to Small Businesses for Protecting Personal Information

The FTC issues recommendations for small businesses trying to protect personal information. Strong, complex passwords should be used that mix numbers, symbols and capital letters into the middle of the password (rather than at the beginning or end) and do not use repeating patterns to lengthen the password; organizations should also stick to websites that use encryption to protect the information as it travels from the computer to their server (check for https in the URL of all pages, not just the login page) and avoid using mobile apps that require sharing personal or financial information over public Wi-Fi. [FTC – Small Business Security Basics]

CA – California Class Action Filed over “BART Watch APP”

A class action complaint was filed against BART [see here], the San Francisco Bay Area Rapid Transit District, on May 22, 2017 in the District Court for the Northern District of California alleging BART created a “clandestine collection of private cell phone identifiers.” In particular, the plaintiffs claim the “BART Watch APP” [see here] —a mobile application that provided users with transit information and the ability to contact the police—collected private data in violation of California’s privacy laws. Elerts Corporation, the software developer, was also named as a defendant for its development of the App. The Plaintiffs claim that “a detailed review of the BART Watch App reveals that Defendants have been using it to secretly collect Californians’ unique mobile device identification numbers and periodically track their location.” The Plaintiffs further allege that “by collecting the device identification numbers, locations, and other personal information…Defendants have amassed a trove of data through the App.” And, Plaintiffs claim that these actions by BART and BART Police are prohibited under California law. [App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data]

US – Supreme Court to Settle Major Cellphone Privacy Case

Police officers for the first time could be required to obtain warrants to get data on the past locations of criminal suspects based on cellphone use under a major case on privacy rights in the digital age taken up by the U.S. Supreme Court on Monday. The justices agreed to hear an appeal by a man [Timothy Carpenter] convicted in a series of armed robberies in Ohio and Michigan with the help of past cellphone location data who contends that without a warrant from a court such data amounts to an unreasonable search and seizure under the U.S. Constitution’s Fourth Amendment. The case reaches the high court amid growing scrutiny of the surveillance practices of U.S. law enforcement and intelligence agencies amid concern among lawmakers across the political spectrum about civil liberties and police evading warrant requirements. “Because cellphone location records can reveal countless private details of our lives, police should only be able to access them by getting a warrant based on probable cause,” said Nathan Freed Wessler, a staff attorney with the American Civil Liberties Union’s Speech, Privacy and Technology Project who represents Carpenter. The case will be heard and decided in the court’s next term, which starts in October and ends in June 2018. [Reuters]

US – Trump Backs Permanent FISA Sec. 702 Powers He Once Criticized

Just months after President Trump complained about being spied on by the Obama administration, his administration is embracing a full permanent extension of the secret snooping powers the government used to track conversations between his campaign aides and Russian operatives. Mr. Trump’s intelligence and counterterrorism team said Section 702 of the Foreign Intelligence Surveillance Act has saved hundreds of lives by preventing terrorist attacks and insisted — despite Mr. Trump’s claimed experiences — that the law is not being abused. Without congressional action, Section 702 is set to expire on Dec. 31. That part of the law allows federal intelligence agencies to scoop up the communications of foreigners outside the U.S. It does not allow Americans to be targets of snooping, but if foreigners who are targeted are communicating with Americans, then those exchanges can be tracked in what is dubbed “incidental collection.” About 10% of conversations monitored end up with incidental collection, National Security Agency Director Michael Rogers testified to Congress on Wednesday. [watch here starting at 22:37 min] Civil liberties advocates accused Mr. Trump of hypocrisy for complaining about snooping during the campaign and now supporting the very tools he was worried about. [Trump backs permanent snooping powers he once criticized as abusive]

US – Obligation to Notify is Triggered by Unauthorized Access and the Likelihood of Harm to Consumers

A review of the breach notification in the wake of a ransomware attack in accordance with the US Department of Health and Human Services and State law. HIPAA provides that if there is a low probability that the PHI affected by the breach has been compromised, then the notification requirement does not apply; the attorneys general and other authorities have not issued specific guidance, however, the majority of state breach notification obligations are triggered when an unauthorized actor accesses and acquires personal information stored on a company’s network, and the breach poses a reasonable likelihood of harm to the customer. [Ransomware Attacks When is Notification Required – Latham and Watkins]

US – $11.7 Million Class Action Suit Dismissed for Failure to Establish Real-World Harm

The Court considers Experian Information Solutions, Inc.’s appeal of a judgement awarded in a class action suit for violations of the Fair Credit Reporting Act. An individual alleged he suffered an injury when a consumer reporting agency identified a defunct credit card company, rather than the name of the current servicer, as the source of a trade-line on his consumer report; however, no real-world harm was caused by the error since the error did not hinder the accuracy of the report or efficiency of the credit report resolution process (the individual was still able to obtain the necessary information and resolve his credit issues). [Michael T. Dreher v. Experian Information Solutions, Inc. – No. 15-2119 – United States Court of Appeals for the Fourth Circuit]


US – GAO Issues Report on Security, Privacy & Governance Challenges of IoT

In May 2017, the Government Accountability Office (GAO) released a technology assessment of the Internet of Things (IoT) for Congressional members of the IoT Caucus. The GAO report offers an introduction to IoT; reviews the many uses and their associated benefits that connected devices may bring to consumers, industry, and the public sector; and highlights the potential implications of the use of IoT, including information security challenges, privacy challenges, and government oversight. The report also identifies areas of apparent consensus among experts regarding the challenges posed by IoT, though the appropriate responses are disputed. Accordingly, the report may act as a foundation for future policymaker discussions about regulating IoT. The GAO’s report provides an introduction to IoT and answers three overarching questions: (i) what is known about current and emerging IoT technologies, (ii) how and for what purpose IoT technologies are being applied, and (iii) the potential implications of the use of IoT technologies. [GAO Report Highlights Security, Privacy, and Governance Challenges of the Internet of Things]

WW – 94% Believe Unsecured IoT Devices Could Lead to ‘Catastrophic’ Cybersecurity Attack

A new research report on third-party IoT integrations shows a strong concern over IoT security, but not many actions taken to mitigate it. 94% of risk management professionals believe that a security incident resulting from unsecured IoT devices “could be catastrophic.” The report, jointly released by the Ponemon Institute and the Shared Assessments Program, was built on the responses of 553 individuals from various industries. The Internet of Things (IoT): A New Era of Third Party Risk takes a look at the concerns around third-party risks in IoT security, and what business leaders are doing to address them. …One of the most surprising points was how many survey respondents expected to be the victim of an attack. Some 76% of those surveyed said that a DDoS attack resulting from an unsecured IoT device would be “likely to occur within the next two years.” Despite this belief, only 44% said their organization would be able to protect either their network or other systems from “risky” IoT devices. [Technical Republic]


US – Healthcare Cyber Security Task Force Issues Report

The US Department of Health and Human Services Health Care Industry Cybersecurity Task Force has released its first report to US legislators. The report underscores the point that digital vulnerabilities are threats not only to information but also to patients’ safety. It calls for the government and private sector healthcare entities to work together on six imperatives that include defining leadership, governance, and expectations for healthcare cybersecurity; increasing the resilience and security of medical devices and IT; and identifying ways to protect research and development and intellectual property from theft. [Federal task force: Here’s how to fix healthcare cybersecurity | HHS Cyber Task Force wants better partnerships, stronger federal leadership | Health Care Industry Cybersecurity Task Force ]

US – Department of Health and Human Services OIG Report

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has submitted its semi-annual report to Congress. Among OIG’s findings: HHS “faces challenges to protect the privacy and security of the data it collects and maintains.” [Health Data Security Tops HHS’ List of Challenges | Semiannual Report to Congress: October 1, 2016 to March 31, 2017]

UK – ICO Data on Reported Breaches

According to data obtained from the UK’s Information Commissioner’s Office (ICO), 43 percent of breaches reported between January 2014 and December 2016 affected the healthcare sector. While healthcare had the highest percentage of reported breaches, other sectors are seeing greater increases in the number of breaches reported. Across all sectors, more breaches were caused by human error than by external cyber threats. [Healthcare tops UK data breach chart – but it’s not what you’re thinking]

US – Classified Defense Data Found in Unprotected Cloud Storage

A US defense contractor appears to have stored top secret US intelligence data on a publicly-accessible Amazon cloud storage server. The account has been linked to contractors Booz Allen Hamilton. The data are related to the US National Geospatial-Intelligence Agency, which provides battlefield satellite and drone surveillance imagery. [Defense contractor stored intelligence data in Amazon cloud unprotected | US military data reportedly left on unsecured Amazon server | Intelligence contractor credentials left unsecured on Amazon server: report | Security company finds unsecured bucket of US military images on AWS]

US – Insider Threat Training Requirement for US Gov’t Contractors

US federal contractors wishing to maintain their clearances must have completed an insider threat training course by June 1, 2017. The requirement is described in the National Industrial Security Program Operating Manual (NISPOM) Change 2. The course is the second step of a new compliance requirement. The first part took effect late last year and required contractors implementing changes to protect their systems from insider threats. [Insider threat training deadline here for federal contractors | NISPOM Change 2 (May 18, 2016)]

US – Medical Device Vulnerabilities Reports Issued

Two separate studies have found that numerous medical devices contain software vulnerabilities. One study that focused on implantable cardiac devices and their associated equipment found more than 8,000 vulnerabilities. That study found that in most cases, data were not protected either on the devices or while being transferred to monitoring equipment. In addition, the study found that there was no authentication for connecting devices. The second study examined a broader spectrum of devices, polling manufacturers, hospitals, and health organizations about the equipment; the majority said the devices are difficult to secure. [‘Thousands’ of known bugs found in pacemaker code]

WW – Cybersecurity: Third Parties are the Weakest Link

63% of all data breaches are linked in some way to third-parties such as contractors, suppliers and vendors that have access to a business’ system; organizations should utilize a service-level agreement with specific details of the types of security measures the vendor must use when handling data for the business, have the vendor perform periodic security assessments on its systems, and limit the third party’s access to the business network. [Third-Party Data Breaches: Weakest Link in Cybersecurity – John DiGiacomo, Lawyer, Revision Legal]

WW – Increase in Ransomware Attacks and Cyberespionage in 2016

Verizon has released the results of its 2017 data breach investigation, based on analysis of: 1,935 confirmed data breaches; and 42,068 incidents. 62% of breaches featured hacking (most of these breaches leveraged stolen and/or weak passwords), 51% of breaches included malware (66% of malware was installed via malicious email attachments), and 43% were social attacks; organizations should train staff to spot warning signs, only provide data access to employees that require it to perform their duties, promptly apply patches and updates, encrypt sensitive data, and use 2-factor authentication. [2017 Data Breach Investigations Report – Verizon]

AU – Ransomware Attack Will Count as Data Breach Under NDB

Leonard Kleinman [chief cyber security adviser at RSA] gave a rundown of what one could expect when the Privacy Amendment (Notifiable Data Breaches) Act 2017 [see here] takes effect [February 22, 2018], focusing on the security side of things, at a seminar in Melbourne on Tuesday. Given the cyber security environment at the moment, Kleinman said it was necessary to understand the legislation and its obligations, even if a company was not planning to take the necessary steps to plan for it. Indeed, this was a common theme which was advanced by the other two speakers at the seminar: Helaine Leggat, the director of Information Legal, and Mani Amini, GRC group manager at Content Security, the other firm that was involved in organising the seminar. (The Office of the Australian Information Commissioner has a rundown of the data breach act here.) The Office of the Australian Information Commissioner is currently seeking public comment on entities covered by the NDB scheme; notifying individuals about an eligible data breach; identifying eligible data breaches; and the Australian Information Commissioner’s role in the scheme. The last date for submitting comments is 14 July. [Ransomware attack will count as data breach: security pro]

WW – InfoSec 2017: A Look at the Family Album of Ransomware

Ransomware is among the topics at this week’s InfoSec Europe 2017 gathering in London. It’s been with us for some time and is considered old news by many security practitioners. But it remains a vexing problem for companies and continues to dominate many a conference agenda. SophosLabs recently looked at the most prolific ransomware families and attack vectors over a six-month period and boiled it down to the graphic below. In this article we break down the statistics, review some of the ransomware-themed events on the InfoSec agenda and offer up some defensive measures. [InfoSec 2017: a look at the family album of ransomware]


US – Nest Security Camera Knows Who’s Home With Google Face Tech

Nest Labs, owned by Alphabet Inc., is adding Google’s facial recognition technology to a high-resolution home-security camera, offering a glimpse of a future in which increasingly intelligent, internet-connected computers can see and understand what’s going on in people’s homes. Facebook deploys similar technology to automatically recognize and recommend tags of people in photos posted on its social network. The camera will only identify people you select through Nest’s app for iPhones and Android devices. It won’t try to recognize anyone that an owner hasn’t tagged. Even if a Nest Cam IQ video spies a burglar in a home, law enforcement officials will have to identify the suspect through their own investigation and analysis, according to Nest. Netatmo, for instance, introduced a security camera touting a similar facial recognition system in 2015. The way that the Nest and Netatmo cameras are being used doesn’t raise serious privacy concerns because they are only verifying familiar faces, not those of complete strangers, said Jennifer Lynch, who specializes in biometrics as a senior staff attorney for the Electronic Frontier Foundation, a digital advocacy group. [Source]

US – Explosive Revelation of Obama Administration Illegal Surveillance of Americans

During the Obama years, the National Security Agency intentionally and routinely intercepted and reviewed communications of American citizens in violation of the Constitution and of court-ordered guidelines implemented pursuant to federal law. The unlawful surveillance appears to have been a massive abuse of the government’s foreign-intelligence-collection authority, carried out for the purpose of monitoring the communications of Americans in the United States. While aware that it was going on for an extensive period of time, the administration failed to disclose its unlawful surveillance of Americans until late October 2016, when the administration was winding down and the NSA needed to meet a court deadline in order to renew various surveillance authorities under the Foreign Intelligence Surveillance Act (FISA). The administration’s stonewalling about the scope of the violation induced an exasperated Foreign Intelligence Surveillance Court to accuse the NSA of “an institutional lack of candor” in connection with what the court described as “a very serious Fourth Amendment issue.” The FISA-court opinion is now public, available here. The unlawful surveillance was first exposed in a report at Circa by John Solomon and Sara Carter here, who have also gotten access to internal, classified reports. The story was also covered extensively Wednesday evening by James Rosen and Bret Baier on Fox News’s Special Report. [See here] According to the internal reports reviewed by Solomon and Carter, the illegal surveillance may involve more than 5 percent of NSA searches of databases derived from what is called “upstream” collection of Internet communications. To summarize, we have the communications of Americans inside the United States being incidentally intercepted, stored, sifted through, and in some instances analyzed, even though those Americans are not targets of foreign-intelligence collection. 
The minimization procedures are supposed to prevent the worst potential abuses, particularly, the pretextual use of foreign-intelligence-collection authority in order to conduct domestic spying. But even when complied with, there is a colorable argument that the minimization procedures do not eliminate the Fourth Amendment problem — i.e., they permit seizure and search without adequate cause. Clearly, this new scandal must be considered in context. The NSA says it does not share raw upstream collection data with any other intelligence agency. But that data is refined into reports. To the extent the data collected has increased the number of Americans whose activities make it into reports, it has simultaneously increased the opportunities for unmasking American identities. Other reporting indicates that there was a significant uptick in unmasking incidents in the latter years of the Obama administration. More officials were given unmasking authority. At the same time, President Obama loosened restrictions to allow wider access to raw intelligence collection and wider dissemination of intelligence reports. [National Review]

US Government Programs

US – U.S. Now Can Ask Travelers for Facebook, Twitter Handles

Travelers wishing to visit the United States can now be asked for their social media handles and email addresses going back five years, a new U.S. government request that’s alarmed privacy advocates but which the Trump Administration says could help weed out travelers who intend harm. Citizens of most countries must apply for visas to travel to the United States, which are granted by the State Department. This generally involves a visit to a local U.S. embassy or consulate and an in-person interview with a consular official. The supplemental questionnaire will only be given to “a fraction of 1% of the 13 or so million people who apply for a visa to visit the United States each year and is meant for applications for which consular officials feel more information is necessary,” said Will Cox, a spokesman for the State Department’s Bureau of Consular Affairs. About 85% of those who apply for visas are granted them, he said. Applicants are not being asked for the passwords to these accounts and consular officers will not be going into social media and friending people, Cox said. The questionnaire also asked about employment history, siblings, children and spouses, “current or previous” and “living or deceased.” The State Department asked for the right to collect the information under an emergency request on May 3 which was granted on May 23 by the Office of Budget and Management. It was implemented with no fanfare on May 23 and it wasn’t until Thursday, when Reuters first reported on it, that the existence of the new form became widely known. [USA TODAY | If you have a Twitter account, change these privacy settings now]

US – DHS Sec. Kelly Affirms US Citizens’ Phones Searched at Border

American citizens coming to the United States from overseas risk having their cellphones confiscated and searched at airports or other border crossings, Homeland Security Secretary John Kelly confirmed on Capitol Hill, walking back previous statements. Pressed by Republican Senator Rand Paul about the searches and threats to detain or turn back travelers if they did not comply, including citizens and U.S. green card holders, Kelly affirmed [at 51.55 – 57.40 min] to the Senate Homeland Security and Governmental Affairs Committee: “We do it whether they’re citizens or noncitizens coming in.” The retired general acknowledged his statement was “a change” from his comments during an April 5 hearing, in which he told senators, “I don’t believe we ever turn back citizens or legal residents.” At that April hearing, Kelly had emphasized that the targets of the searches were foreigners, but Paul pointed out there had been news reports of Americans also being caught up in the dragnet. And on Tuesday, the Kentucky libertarian read from several public reports of Americans being detained by Customs and Border Patrol agents until they divulged the contents of their phones, including a NASA engineer and a couple returning from Canada. Paul and Democratic Senator Ron Wyden have introduced legislation that would require border agents to obtain warrants before searching Americans’ electronic devices. A bipartisan companion bill is also pending in the House. [Cellphone Privacy: Homeland Security Chief Acknowledges Searches of U.S. Citizens’ ] See also: [1Password’s new ‘travel mode’ keeps your data safe from border agents]

Workplace Privacy

CA – Federal Benefits Workers Told to Stay Off Social Media When Vetting Applications

Federal workers whose job it is to determine whether someone is eligible for employment, disability or seniors’ benefits have been told to stop being amateur sleuths by searching the Facebook profiles of applicants. The order came after senior officials learned that staff were logging on to social media websites to check on any suspicions they had with someone’s application for Canada Pension Plan disability benefits. And now other benefit programs — employment insurance, seniors’ benefits like old age security and the guaranteed income supplement — have been subjected to the same reminder. The only personal information the department is allowed to collect has to come from the applicant or from a third party like a doctor, employer, or family member, provided the applicant consents. The briefing note says that using publicly available information like social media posts and even address listings could be considered “an invasion of privacy” and a violation of the Privacy Act and the Charter of Rights and Freedoms. Staff were reminded that if they came across something odd in a file, including anything that could be easily found online, they were to send it to the wing of the department that investigates and roots out fraud in the federal benefits system. [The Star | See also: Get Ready for the Next Big Privacy Backlash Against Facebook]


24 April – 19 May 2017


US – Airport Facial Recognition Scans to be Mandatory for All Passengers

All US airports may soon have facial recognition software activated to scan each passenger regardless of their citizenship. The plan was first proposed for select airports and international passengers only, but the Customs and Border Protection (CBP) department has suggested it be made mandatory for all passengers, even if they are holding US passports. The initial plan was to register visitors leaving the country using facial recognition. But now it is proposed that facial scans be made mandatory for any passenger when they leave, re-enter the country or pass through TSA checkpoints. The agency aims to create an airport-wide system, dubbed the Biometric Pathway, in which facial scans become mandatory along with regular passenger details. At present, the Exit program is being tested on a flight from Atlanta to Tokyo, and will soon roll out in seven new airports. The mechanism is limited to the airport departure gates for now, and expanding it to all checkpoints will depend on cooperation from partner agencies like the TSA. [IB Times]

AU – Australia Adds Millions of Citizen Photos to Govpass Face Rec System

The Australian government intends to add citizens’ passport photos to a national facial recognition database to be used for its Govpass digital identity system and criminal justice purposes. These 12 million records will bolster the system launched in 2016, which previously held only images of foreigners seeking Australian citizenship. But it has privacy advocates pushing for creation of a new national commissioner with biometrics oversight. In addition to the passport photos, InnovationAus.com reported that negotiations are underway that could result in the inclusion of millions of driver license images as well. A privacy impact assessment was conducted in 2015 but it focused on the design and governance rather than privacy protection. Recent academic research has led to the call for creation of a biometrics commissioner to address the governance gap. [Secure-IDNews]

US – NYPD Refuses to Disclose Information About Its Face Recognition Program, So Privacy Researchers Are Suing

Researchers at Georgetown University law school’s Center on Privacy and Technology [see here] filed a Freedom of Information lawsuit against the New York City Police Department today for the agency’s refusal to disclose documents about its longstanding use of face recognition technology. The researchers requested records pertaining to the NYPD’s program in January 2016 as part of The Perpetual Line-Up, a year-long study on law enforcement uses of facial recognition technology. The Center received public records from more than 90 agencies across the country, but the NYPD determined in January 2017 that it was unable to find any records responsive to the Center’s detailed records requests. Clare Garvie, one of the co-authors of Georgetown’s report and an expert on face recognition technology, described the NYPD’s lack of transparency as a “very worrying prospect” given the technology’s potential for invasive surveillance, including in real time. Because the NYPD’s own policies, manuals, and documents are “the only controls” on its own system, their disclosure is in the public interest, Garvie explained. “If no records exist, that means that there are no controls on the use of face recognition technology and we ought to worry about that. If there are records, then why did the Police Department say that it couldn’t find them?” said David Vladeck, a member of Georgetown’s law faculty, in a press release. [The Intercept]

US – Illinois Biometrics Privacy Law Could Be Adopted by Other States

Illinois’ Biometric Information Privacy Act [see here], which came into effect in 2008, established protocols which require organizations collecting biometric data to notify people about the practice before they begin to gather data, as well as provide an exact timeline for deleting the data. Five states are currently evaluating amendments to their biometric laws. Alaska, Montana and New Hampshire take a similar approach to BIPA and allow private causes of action. Connecticut’s bill takes a very different approach and aims to prohibit retailers from using facial recognition technology for marketing purposes. Washington has some similarities to BIPA and is also like Texas’ current biometric law, in that it can be enforced solely by the attorney general. The lack of federal laws has cleared the path for state-driven initiatives to take charge, with Illinois introducing three other privacy bills since January. BIPA allows for a private cause of action. “It is unclear whether other states (will) adopt similar legislation, but we are seeing an uptick in states that care about biometric information,” Kadish said. [Biometric Update]


CA – MPs Calling on Government to Boost Protection of Canadian Civil Liberties

An influential group of Liberal MPs on the Commons standing committee on public safety released a report [see here] containing 41 recommendations [see here]. They urged Prime Minister Justin Trudeau to increase parliamentary, civilian and judicial oversight of national security agencies, to create a new watchdog agency for Canada’s border agency, and to dial back extraordinary threat reduction powers given to CSIS by the Conservatives in controversial changes to Canada’s anti-terror law under Bill C51. They want the law to require ministerial approval and prior judicial warrants for any measures that could be perceived as potential violations of the Charter of Rights and Freedoms. But the Liberals would not move to repeal that CSIS power altogether. Other recommendations say vague definitions in the Criminal Code, such as “terrorist propaganda,” must be clarified, and there must be an obligatory review of all appeals from persons who feel they are wrongly listed on the so-called “no fly” list for air travel. The Liberals recommended the government not legislate greater “lawful access” for police and intelligence agencies who want to acquire telecom companies’ customers’ subscriber information, online activities, telephone conversations, and encrypted communications, without further study. But the Liberals would make it easier to prosecute terror cases by allowing criminal trial judges to review secret information and decide on matters of confidentiality in national security cases, without requiring those questions be put before a separate Federal Court judge. The Conservatives issued a dissenting report that supported the previous government’s approach to Bill C51. 
Public safety critic Tony Clement said he supported the Liberal majority report on matters such as increased oversight for the Canada Border Services Agency, and the creation of an office with responsibility to oversee the information-sharing and national security activities of the roughly 17 departments and agencies that have some role in national security. [See here] The NDP issued a separate report that supported the majority of the Liberal report but said the government should go further and completely repeal Bill C51. [See here] Elizabeth May, Green Party leader, agreed. “I urge the Government to take this report as a floor, not a ceiling, of what is possible in undoing the harms of C-51.” Josh Paterson, head of the BC Civil Liberties Association, supported the call for a dedicated, integrated agency to provide review of national security operations across the whole of the government. [See here] [Toronto Star]

CA – Oversight of National Security in Canada Still Needs A Lot of Work, New Reports Show

Given the use of Stingrays, along with CSIS’s recently exposed (and illegal) practice of retaining large amounts of Canadian metadata, it should be clear that Canada’s capacity for holding our intelligence agencies accountable should be increased. And two recent reports show that there’s still a lot of work to be done on oversight of national security in Canada. One report is much more technical. It came from an assessment by the Commons Standing Committee on Access to Information, Privacy and Ethics of the Security of Canada Information Sharing Act (http://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-5/), which is contained in the controversial Bill C-51, also known as the Anti-terrorism Act. The other is much broader in its scope and recommendations, and is the product of cross-country hearings on Canadian national security conducted last year by the Commons Standing Committee on Public Safety and National Security. While both reports reinforce, in spirit and content, that Canadian national security oversight needs to be bolstered, they don’t really get at the details of how to do so on a practical level. This is especially true of the report from SECU, the public safety and national security committee, given its broad range. [CBC] See also: [Globe editorial: Ottawa should stop delaying and start fixing Bill C-51 | Time to rein in security overreach: Editorial | Don’t change lawful access rules, Parliamentary committee recommends | Restrict spy powers and increase oversight, Liberal and NDP MPs recommend]

CA – Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the 2017-18 Main Estimates

Privacy Commissioner of Canada, Daniel Therrien, appeared before the Standing Committee on Access to Information, Privacy and Ethics to discuss the 2017 Main Estimates. In his remarks, he noted that to face the sustained volume but increased complexity of the work, the OPC will continue to make the most efficient use of its resources. Amidst competing demands, the OPC will not lose sight of its mandate: Ensuring that the privacy rights of Canadians are respected and that their personal information is protected. [Source]

CA – Federal Privacy Commissioner to Initiate Investigations, Not Just Wait for Complaints

The federal privacy commissioner says he’s temporarily no longer going to wait until people file complaints about alleged privacy issues before acting. [see here] Instead, Daniel Therrien will be more proactive, including launching investigations into questionable privacy practices or “chronic problems” on his own when necessary. It’s what Therrien called the commission’s new policy of “proactive compliance.” His office will draw on complaints and trends to determine if there are issues or sectors that would benefit from a special investigation. In an interview he said investigations would be on “issues of broad concern.” This “proactive enforcement” will last at least until September, when Therrien files his annual report to Parliament, where he may call for changes to federal legislation to update his office’s mandate. As part of being proactive, to help the private sector Therrien is considering offering to audit companies – perhaps for a fee – to see if they comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). [ITWorld] [Course correction for improved outcomes for Canadians]

US – To Fight ‘Surveillance Culture,’ Activists Release Kid-Focused Privacy Toolkit

“You shouldn’t need a PhD or law degree to ensure that your child’s sensitive student data isn’t shared with commercial entities.” The Parent Toolkit for Student Privacy: A Practical Guide for Protecting Your Child’s Sensitive School Data from Snoops, Hackers, and Marketers, released by the Parent Coalition for Student Privacy (PCSP) and the Campaign for a Commercial-Free Childhood (CCFC), teaches families about federal laws safeguarding their information, how to ask about schools’ data policies, and how to advocate for stronger protections in an age when records are increasingly stored digitally. The toolkit was released after the Electronic Frontier Foundation (EFF) published a report in April which found that “surveillance culture begins in grade school,” with tech companies spying on students through devices and software used in classrooms to collect kids’ names, birth dates, browsing histories, grades, disciplinary records, and other information. [Common Dreams]

CA – Canada’s Spies Examining ‘Vulnerabilities’ in Election System

CSE, Canada’s signals intelligence and cyberdefence agency, is conducting a “risk assessment” into how vulnerable Canadian elections are to foreign hacking and information operations. The review was ordered by the Liberal government in February, as the scope of Russian meddling in the 2016 U.S. presidential election was being made public by American intelligence agencies. The review is unlikely to focus on the security of the actual vote, which still relies on pens and paper rather than electronic voting. The greater risk is likely the kind of information – and disinformation – campaigns seen in the U.S. and the recent French presidential election. [The Star]

CA – RCMP Created, Then Abandoned Metadata-Crunching Tool to Extract Criminal Intelligence

The RCMP created, then suddenly abandoned, a tool to crunch electronic message trails gathered during criminal investigations — a previously unknown foray into the controversial realm of big-data analysis. Telecommunications Analytical Platform was operating as recently as mid-November, say internal RCMP notes obtained by The Canadian Press through the Access to Information Act. “The TAP is a platform that regroups copies of certain telecommunications metadata from concluded investigations only, such as phone numbers, associated crime types, source links to police records management systems and the geographical region where the metadata was recorded which are lawfully collected by the RCMP and other Canadian police services in the course of criminal investigations,” the RCMP notes say. The tool was a “proof of concept” that turned out to be unsuccessful and “therefore the project was ended,” said Cpl. Annie Delisle, an RCMP spokeswoman. “No data was retained.” The Mounties would not say why the tool was ineffective, nor exactly how long it existed. [The Star]

CA – Queries for B.C. Liberal government Text Messages, Skype Calls, And Slack Logs All Turn Up Empty

In order to analyze government record-keeping, the Straight filed dozens of FoI requests for communication logs created via text message, Blackberry BBM, Skype, and Slack. Five ministries were targeted as a sample of the government. Within each ministry, records were requested for the minister, deputy ministers, and chiefs of staff for those offices. Those requests pertained to more than 20 public servants. Only three resulted in government records. Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association, noted that these communication tools are primarily used on mobile devices and are examples of tools that have become crucial for modern business. “It’s concerning that something that is this common a means of communication has no records,” he told the Straight. “That’s clear. There should be something there. How can you have a very common means of communication where there is nothing?” The B.C. Ministry of Information and Technology—the agency responsible for government computer systems—declined to grant an interview, on account of the ongoing provincial election. “It’s hard not to come to the obvious conclusion that there are missing records. I simply find it not credible, the suggestion that there is a group of people that does not use text messages,” said David Eby, the NDP incumbent candidate for Vancouver-Point Grey. [Source]

CA – Lawful Access: The Privacy Commissioner Reiterates its Position

On April 5, 2017, Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis for the Office of the Privacy Commissioner of Canada (the “OPC”), gave testimony [read here] before the Quebec Commission of Inquiry on protection of confidential media sources. Ms. Kosseim took the opportunity to present a clear view of the OPC’s position on how lawful access, as articulated in section 7(3) of PIPEDA, should be addressed. Of particular interest is how this position differs from the position taken by the federal government in recent years. Ms. Kosseim went on to reiterate the position that the Privacy Commissioner of Canada, Daniel Therrien, has taken on the subject. The OPC would like to see the lawful access rights of government institutions, including police, be limited, clearly articulated, and supervised by the judiciary. Canadians have the right to be secure against unreasonable search and seizure under the Charter and have the right to have their personal information protected under PIPEDA. These rights must be balanced with the reality that circumstances will arise when personal information will need to be disclosed for purposes such as public safety. [Canadian Cyber Security Law]

CA – Implied Consent: Creditors Can Directly Obtain Mortgage Discharge Statements

A review of a recent Supreme Court of Canada decision about whether the Personal Information Protection and Electronic Documents Act (PIPEDA) precludes disclosure of mortgage statements. The Supreme Court of Canada ruled that, if a judgment has been obtained, creditors are entitled to a court order requiring disclosure of a mortgage discharge statement from mortgagees without express consent of the debtor; however, lenders should still try to obtain borrower’s express consent to disclose certain financial information in the terms of the agreement to avoid legal proceedings, or having to file motions to compel disclosure. [Privacy and Property – The Supreme Court Clarifies The Limits of PIPEDA – Scott R. Venton and Kyle Kuepfer – Fogler Rubinoff LLP]

CA – Some Canadian Bank Record Information Being Sent Directly to IRS

Thousands of reports containing confidential Canadian banking information records have been sent directly to the U.S Internal Revenue Service, without the Canadian government’s knowledge. According to information obtained under a U.S. Freedom of Information Act request, 31,574 such reports have been sent directly to IRS over the past two years under the U.S. Foreign Account Tax Compliance Act (FATCA). Under U.S. law, anyone who is a U.S. citizen or considered a U.S. person for tax purposes has to file an income tax return to the IRS, regardless of whether they are living in the States. Some estimate as many as a million Canadian residents could be affected by FATCA — from Americans and dual citizens who are living in Canada to someone born in a U.S. border hospital who has lived their entire lives in Canada. This week, the impact of the reporting regime on Americans living outside the United States will be front and centre when a House of Representatives subcommittee holds hearings on the issue in Washington. Stephen Kish, a member of the group fighting in Canada’s Federal Court to have the banking record sharing deal struck down, said one of the key concerns of those affected by FATCA is the confidentiality of their banking information. [CBC]

CA – OIPC SK Believes Stand-Alone Legislation Required for Data Matching

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance for organizations on use of data matching. Data matching is a highly invasive activity that can lead to inaccurate information about individuals due to the incorporation of implicit and explicit biases, use of poorly selected data sets, and lack of knowledge about the logic used; legislation should include principles of data minimization, openness, accuracy, de-identification, and establishing purpose and safeguards, projects should be limited to government and health institutions, and require prior completion of PIAs and notification to the OIPC. [OIPC SK – Data Matching]

CA – Privacy and Property: The Supreme Court Clarifies Limits of PIPEDA

In Royal Bank of Canada v Trang (Trang) [see here], the Supreme Court removed a number of hurdles that judgment creditors often face when attempting to execute against a judgment debtor’s real property. Whereas a judgment creditor was previously required to obtain a debtor’s consent or a court order before obtaining a mortgage discharge statement (a prerequisite to a sheriff’s sale), the “Trang” decision allows the same creditor to obtain the debtor’s implied consent simply by filing a writ of seizure and sale with the sheriff. At a broader level, Trang makes clear that individuals cannot hide behind the “Personal Information Protection and Electronic Documents Act” (PIPEDA) to escape their legal obligations. While “Trang” provides a principled justification for the disclosure of a mortgagor’s personal information, a prudent lender might nonetheless wish to obtain a borrower’s express consent to the disclosure of certain financial information as a term of the standard mortgage agreement. This preventive step may assist in avoiding the expense and trouble associated with legal proceedings commenced under PIPEDA or, as was the case in “Trang”, motions to compel the disclosure of private financial information. [Mondaq]

CA – Ontario Bill Outlines Obligations for Handling Personal Information of Children Under Government or Foster Care

Bill 89, the Supporting Children, Youth and Families Act, 2017, has been introduced in the Ontario Legislative Assembly. The Act amends and repeals the Child and Family Services Act; the Bill has passed second reading and been referred to the Standing Committee on Justice Policy, and if passed, will come into force on a day to be named by proclamation of the Lieutenant Governor. Service providers (e.g., Minister, licensee or society) and other ministries may disclose personal information (PI) and collect PI from each other for the purpose of planning, managing or delivering a service that the ministry provides, and must comply with a court order requiring the disclosure of PI for the purposes of inspection; notification must be provided to affected individuals, the Privacy Commissioner and Minister of Child and Youth Services in the event of a data breach. [Bill 89 – Supporting Children, Youth and Families Act, 2017 – Ministry of Children and Youth Services – Legislative Assembly of the Province of Ontario]

CA – IPC Ontario Recommends Bill 89 Amendments Regarding Handling PI Under Government or Foster Care

The Information and Privacy Commissioner of Ontario presented his comments on Bill 89, the Supporting Children, Youth and Families Act. The bill provides too much authority to the Minister of Children and Youth Services by conflating the authorities to collect and use PI, and the purposes for which indirect collection of PI is allowed (service delivery versus planning and managing the delivery of services); amendments include using a privacy framework that incorporates data minimization, oversight and transparency, and provisions prohibiting the Minister from disclosing any PI if other information will serve the purpose. [IPC ON – Comments of the Information and Privacy Commissioner of Ontario on Bill 89]

CA – PEI Privacy Commissioner Upholds Public Body’s Decision to Withhold Records Covered by Solicitor-Client Privilege

The Information and Privacy Commissioner reviewed a request denied by the Public School Branch pursuant to the Freedom of Information and Protection of Privacy Act. [IPC PEI – Order No FI17004 Public Schools Branch]

CA – Ontario Court Orders Insurance Company to Collaborate With Insured on Reasonableness of Consent Form

The Court considered Intact Insurance Company’s application for a determination of rights based on the Court’s interpretation of the Statutory Accident Benefits Schedule (SABS). The SABS is silent on the issue of the form of any consent that may be required by an examiner related to evaluations for insurance claims, and health professionals could experience negative consequences if they perform medical-legal examinations without having obtained consent in advance; since the essence of SABS is to have relevant, reasonable and necessary measures in place, collaborative efforts to develop a consent form that is reasonable would be beneficial to both parties. [Intact Insurance Company v Beaudry – 2016 ONSC 6127 CANLII – Ontario Supreme Court of Justice]

CA – Privacy Concerns Raised as Calgary Considers Electronic Parking Permit Proposal

Some Calgarians are up in arms over a proposed change to residential parking zone enforcement that would do away with physical parking permits and introduce an electronic registry of licence plates. Some residents fear the registry will provide the City with the ability to track and analyze their movements and potentially share this information with third parties. The system would be similar to the Calgary Parking Authority’s ParkPlus scheme where patrol cars scan licence plates and issue tickets to the owners of vehicles found to be in violation of the posted rules. Under the proposal, the practice of providing residents with plastic permits to place on the rearview mirrors of their vehicles or the vehicles of their visitors would be eliminated. Residents in Calgary’s 77 residential parking zones would be required to register their licence plates, and the licence plates of their visitors, online. Enforcement of residential parking zones would be patrolled by vehicles equipped with cameras as opposed to having officers on foot checking for the placards. Lee Tasker, a resident of Hillhurst, believes the proposed system is an invasion of privacy and suggests the City is prioritizing monetary gains over the security of its citizens. A report projects the introduction of the proposed system would result in $200,000 in additional revenue in 2018 and $400,000 the following year. The estimated cost of implementing the program is $400,000. Tasker and representatives of the Privacy and Access Council of Canada, who refer to the program as Orwellian and Kafkaesque, say the storing of personal information for an extended time is completely unreasonable. [CiviNews]

CA – Let Territorial Job Applicants See Their References, Says Nunavut MLA

MLA Pat Angnakak says, “As soon as somebody makes a reference about you that’s your information, it belongs to you, so you should be able to say, ‘I want my information about myself.’” She says unsuccessful candidates should have the opportunity to defend claims made by their referees. Nunavut’s Privacy Commissioner, Elaine Keenan Bengts, addressed the MLA’s concerns at a standing committee meeting last week. “A policy which says we are simply not going to disclose any of the information we get from references, is clearly, in my opinion, contrary to the act,” Keenan Bengts said. She said access to personal information, such as references, was of the “highest level of entitlement.” [CBC]

CA – Nunavut Privacy Boss Says Privacy Not a Priority for GN Health

Nunavut’s IPC, Elaine Keenan Bengts, says the health department’s lack of communication on the privacy shortfalls at the Qikiqtani General Hospital in Iqaluit proved privacy was not its top priority. Keenan Bengts told a standing committee of Nunavut MLAs May 10 that she has heard nothing from the Department of Health since her report was tabled last fall. Fax machines printing off sensitive medical data in public hallways, computers left idle, lackluster security for medical records and even employees unofficially accessing their own medical data were some of the more egregious violations noted by Keenan Bengts during her two days of testimony. The commissioner submitted 31 recommendations following her audit, calling for MLAs to enshrine patients’ privacy rights in standalone health information legislation, shifting fully to electronic records, and creating a dedicated privacy officer position at the hospital. [Source] [Nunavut’s health records ‘ripe for privacy breach’, says territory’s information commissioner]

CA – Security Camera Makers Urged to Beef Up Privacy After School Streaming Incident

Canada’s privacy commissioner will once again press companies that make security cameras to strengthen privacy on their devices so users don’t unwittingly stream personal images on the internet. Jennifer Rees-Jones, a senior advisor at the Office of the Privacy Commissioner of Canada, said the action was inspired by a CBC News story last week about Rankin School of the Narrows in Iona, Cape Breton, where a surveillance camera was streaming images of students outside a bathroom live to the internet. She said the privacy commissioner sent similar letters in early 2015, but the threat to Canadians’ privacy is still acute. Robert Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University, said there are between 100 million and 200 million digital security cameras in Canada with varying levels of security. He thinks renewed action by the privacy commissioner will work. Currie said manufacturers “don’t want the government passing laws to fix this problem if they can fix it internally in the industry.” [CBC | N.S. privacy commissioner investigates after school webcam broadcasts images | Russian website broadcast live pictures of Cape Breton schoolchildren | Unsecured Webcams Are Broadcasting Canadian Daycares, Schools Online]


US – Over 80% of Americans Are More Worried About Privacy, Security Than a Year Ago

More than 80% of Americans are more concerned about their online privacy and security today than they were a year ago, a recent Anchor Free survey [PDF] of more than 2,000 Americans found. The survey found that over 95% of respondents are concerned about companies collecting and selling their personal information without their consent, and more than 50% are looking for new ways to safeguard their personal data. The survey also found that while 70% of respondents are doing more today to protect their online privacy than they were a year ago, just one in four believe they’re ultimately responsible for ensuring safe and secure Internet access. A separate TeleSign survey [PDF] of 1,300 U.S. adults found that 31% of consumers said their online life is worth $100,000 or more — and 55% said businesses are primarily responsible for account security. An EyeVerify survey of 1,002 U.S. adults recently found that 79% of respondents want the ability to use more biometric authentication methods beyond the fingerprint to access mobile banking or payment apps, and 42 percent said they wouldn’t use a banking or payment app that doesn’t offer biometric authentication. [eSecurity Planet]


CA – Sask Issue of MLAs Using Private Email May Go to OIPC

A senior provincial cabinet minister says every MLA uses private email for government business, a statement seemingly at odds with the government’s position one week ago. “All the members have used their private email for business related to government to respond to constituents and, you know, myself included, as has every other member,” Crown Investments Corporation Minister Joe Hargrave told reporters in Regina, following the end of the legislative session. Saskatoon man Marcus Grundahl said he was “surprised and alarmed” when Hargrave replied via private email to his concerns over the Saskatchewan Transportation Company. Hargrave has since admitted to the mistake and says it won’t happen again. Grundahl, though, said that isn’t the end of things. He’s taken the matter to Saskatchewan’s information and privacy commissioner for review. [CBC]

Electronic Records

UK – Hospitals Rapped for Sharing 1.6m Patient Records With Google

When the tie-up between Google’s DeepMind and London’s Royal Free NHS Trust was announced in 2016, it was praised as the sort of forward-looking innovation the NHS badly needed. But within weeks a wrinkle emerged – DeepMind had been given access to 1.6m patient records stretching back up to five years. This week a leaked letter from the National Data Guardian (NDG) health watchdog described this transfer of data as having been carried out on an “inappropriate legal basis” – a formal way of saying it shouldn’t have happened in the way it did. The letter lays bare thorny issues, starting with the basis on which an NHS Trust can transfer data. Britain’s Information Commissioner’s Office (ICO) will soon publish its report on whether the data transfer to DeepMind was legal under the Data Protection Act (DPA). When it does, people on all sides of this tangled story will be paying close attention. [Naked Security]

EU Developments

EU – The State of Privacy 2017: EDPS Provides Mid-Mandate Report

As we approach the mid-point of the current EDPS mandate and continue the countdown to the General Data Protection Regulation (GDPR), the EU must build on current momentum to reinforce its position as the leading force in the global dialogue on data protection and privacy in the digital age, the European Data Protection Supervisor (EDPS) said to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), as he presented his 2016 Annual Report [see 75 pg pdf here]. [EDPS]

EU – European Data Protection Supervisor Calls for Additional Changes to Proposed ePrivacy Regulation

The European Data Protection Supervisor (EDPS) has recommended further changes to the proposed ePrivacy Regulation that would have significant impacts on the electronic communication sector and other online companies. In a 40-page opinion issued on April 24, 2017, the EDPS praises certain aspects of the current proposal as positive, voices key concerns about other aspects of the proposal, and makes several recommendations to change the proposed draft. The EDPS’s opinion follows another recent opinion by the Article 29 Working Party that recommended also changing the current proposal. The European Parliament and European Council are set to review and negotiate the final text over the coming months, with the ambitious goal of concluding negotiations by the end of 2017. The EDPS’s opinion focuses on the following key concerns and recommendations: 1) Privacy-focused definitions; 2) Strengthened consent requirements; 3) Limitations on legal grounds for processing electronic communications data and information related to terminal equipment of users; 4) Prohibition on “tracking walls” and other practices that exclude users with ad-blocking or similar applications installed; 5) Privacy-friendly default settings; 6) Mandatory adherence to accepted technical and policy compliance standards, which could include “Do Not Track”; 7) Restrictions on mobile location tracking; and 8) Safeguards against Member State restrictions on privacy rights and mandatory disclosures about government access requests. [WilmerHale]

EU – Article 29 Working Party Issues Guidance on Data Protection Impact Assessments

The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments (DPIA), the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised. DPIAs are a key part of the GDPR accountability principle, and have to be carried out if a processing activity is “likely to result in a high risk” to data subjects. The Working Party’s guidance clarifies this phrase, and provides a series of concrete criteria which might trigger a DPIA. There is a useful diagram in the guidance which sets out a seven-step generic process for DPIAs. There are also helpful Annexes to the guidance, including examples of existing national and Europe-wide DPIA frameworks and a checklist of items to be included in DPIAs. These are likely to be useful resources when preparing DPIA templates, as the regulators may well want to see clear evidence of each of these steps being followed and each element in the checklist covered. [HLDA]

UK – State of the Cyber Nation: Gov’t Report on Cybersecurity Breaches

On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cybersecurity breaches and how they affected UK companies in the last year. Headline statistics from the report include:

  • 61% of businesses hold personal data electronically;
  • 46% of all UK businesses identified at least one cybersecurity breach in the past year, rising to 51% of those that hold personal data on customers, 66% amongst medium-sized firms and 68% amongst large firms;
  • The most common breaches involved members of staff receiving fraudulent emails. This demonstrates that technical measures can only take an organisation so far, and that strong procedures and training are vital;
  • External reporting of breaches is still not common – only 26% of companies reported their most serious breach to someone other than a cybersecurity company who could assist with solving the problem. This will have to change where personal data is lost under the GDPR;
  • Only 37% of businesses have any rules around encryption of personal data, and 37% of businesses have segregated wireless networks; and
  • Only 13% of businesses require their suppliers to adhere to specific cyber security standards.

The report indicates that many UK companies have not implemented comprehensive cybersecurity policies or implemented strong safeguards to protect against cyber attacks. [HLDA]

EU – Article 29 Working Party Issues Recommendations on Draft Code of Conduct for Mobile Health Applications

The Article 29 Working Party issued recommendations on the draft code of conduct on privacy for mobile health (mhealth) applications. The definition of health data needs to be re-evaluated to ensure it is consistent with the definition provided in the General Data Protection Regulation (GDPR), and not all of the data protection principles are mentioned (the missing principles should be added, or it should be noted why they are absent); the Code should make clear that consent should fulfil all requirements of the GDPR, acknowledge the other conditions that render data processing fair and lawful, and ensure that wording does not imply that a controller may make a service conditional on consent for marketing. [Article 29 Working Party – Letter to the Project Editor of the Draft Code of Conduct on Privacy for Mobile Health Applications]

UK – ICO Recommendations on Prevention of Ransomware Attacks

The Information Commissioner’s Office in the UK has provided guidance on preventing ransomware attacks. Organizations should remove unnecessary user accounts, restrict user privileges to only what is necessary, ensure online and offline backups are encrypted, ensure remote access or control applications have strong credentials (2-factor authentication, and timely patch updates), and segment networks to limit any damage from successful attacks; if there is a successful attack, organisations should conduct a full security scan and penetration test of all systems and networks (attacks may have gained other undetectable access). [ICO UK – Statement on Recent Cyber Attacks at NHS]

UK – UK Information Commissioner Issues Guidelines for Organisations Using Big Data Analytics

The UK Information Commissioner’s Office issued guidance about big data, artificial intelligence, machine learning and data protection. Organizations should consider whether the analytics actually requires the processing of personal data (anonymized data is not considered personal data and does not fall under data protection laws); conduct privacy impact assessments to help identify privacy risks and assess the necessity and proportionality of the processing, and adopt a privacy by design approach (data minimization, purpose limitation and respecting individuals’ preferences in the metadata). [ICO UK – Big Data, Artificial Intelligence, Machine Learning and Data Protection]

EU – Facebook Fined $122 Million for Misleading EU Over WhatsApp

Facebook Inc. was fined 110 million euros by the E.U. for misleading regulators during a 2014 review of the WhatsApp messaging-service takeover. The European Commission won’t overturn approval for the $22 billion WhatsApp purchase as “the incorrect or misleading information provided by Facebook did not have an impact on the outcome of the clearance decision,” the regulator said. Vestager targeted Facebook after it announced privacy policy changes in August that would allow the advertising platforms on Facebook and Instagram to draw upon data from WhatsApp. The company informed the EU in 2014 it couldn’t combine WhatsApp data with its other services but moved to do that last year. Facebook said the firm “acted in good faith” in its interactions with the commission. “The errors we made in our 2014 filings were not intentional and the commission has confirmed that they did not impact the outcome of the merger review,” a Facebook spokesman said. “Today’s announcement brings this matter to a close.” The social networking company said it wouldn’t appeal the EU decision. [Bloomberg]

UK – Record Fine for Company Behind Nearly 100 Million Nuisance Calls

The UK’s Information Commissioner’s Office (ICO) has issued a record £400,000 fine to a business responsible for nearly 100 million nuisance calls over an 18-month period. [See ICO PR here] Keurboom Communications did not have the necessary prior consent to engage in the marketing activity from the people it targeted with the 99,535,654 calls, and was in “serious contravention” of the UK’s Privacy and Electronic Communications Regulations (PECR), the ICO said. The fine issued by the ICO to Keurboom Communications is the highest it has ever issued for a breach of PECR. It previously fined TalkTalk £400,000 for a serious breach of the Data Protection Act after the company suffered a data breach affecting approximately 157,000 customers. [Out-Law]

Facts & Stats

WW – New Symantec Report: 1.1 Billion Identities Exposed In 2016 Breaches

1.1 billion identities exposed in data breaches in 2016, says Symantec report. In the last eight years, more than 7.1 billion identities have been exposed in data breaches globally, which is almost the equivalent of one for every person on the planet, according to the findings of Symantec’s Internet Security Threat Report [see here]. In 2016 alone, almost 1.1 billion identities were stolen globally, a big jump from the 563.8 million stolen in 2015. This is despite the fact that the number of data breaches actually fell between 2015 and 2016—dropping from 1,211 to 1,209, said the report. In 2016, there were 15 mega breaches—breaches in which more than 10 million identities were stolen—an increase from 11 in 2014 and 13 in 2015. [LiveMint]


CA – Survey: Half of Us Are Ready for Cashless Canada

Forget about the end of the Canadian penny or even the possible impending demise of the nickel — half of Canadians are ready to abandon cash altogether. A new survey from Payments Canada finds 50 per cent of Canadians are ready to get rid of banknotes and coins. Two-thirds of respondents said they are ready to say goodbye to personal cheques. Some observers have raised privacy concerns about digital payments, noting that in a cashless society, every purchase can be tracked. But the Payments Canada survey suggests a large share of the population is willing to accept lesser privacy for greater convenience: 48% of respondents said they would trade away some of their privacy when paying digitally. [HuffPost]


WW – Facebook Transparency Report Signals Need for Privacy Guidelines

Facebook’s latest Global Government Requests Report [see PR here, see Report here] covers the second half of 2016. It showed that requests for account data increased by nine percent – from 59,229 to 64,279 requests, globally – over first half 2016. Half of the data requests the firm received from law enforcement in the U.S. contained a non-disclosure order that prohibited Facebook from notifying the user. Facebook used the report to reiterate that it does not provide governments with backdoors or direct access points to users’ information. The company continues to seek ways to work with industry partners and civil society to push governments around the world to reform surveillance in a way that protects their citizens’ safety and security while respecting their rights and freedoms, the report said. The report is also a reminder of how governments around the world are regularly prying open the digital lives of subscribers. Facebook said that reform is needed in the legal process for handling data requests. “The current process for handling cross border requests for data is slow and cumbersome, and legitimate requests are often subject to months and months of delays,” the report said. “We believe that companies, governments, civil society organizations, and academics should work together to improve this process and to raise human rights standards throughout the world.” [SC Magazine]


CA – New Genetic Non-Discrimination Law to Promote Privacy and Human Rights

The Privacy Commissioner of Canada and the Chief Commissioner of the Canadian Human Rights Commission are welcoming the coming into force of the “Genetic Non-Discrimination Act” [see here], as an important step for privacy and human rights in Canada. The Act, which received Royal Assent on May 4th, now prohibits genetic discrimination across Canada. It bars any person from requiring individuals to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services, or entering into a contract. Both Commissioners acknowledge that the Government has stated it may refer the law to the Supreme Court of Canada for its opinion on the law’s constitutionality. In the meantime, the “Genetic Non-Discrimination Act” remains in place and represents the current law on this important public policy issue. Commissioner Therrien says he expects organizations subject to Canada’s federal private sector privacy law to re-examine their practices related to genetic tests and bring them in line with the new law. In light of Parliament’s passage of S-201, organizations that require genetic test results as a condition of providing a good or service will also generally be considered in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA). [Source]

Health / Medical

US – Health Care Industry Task Force Issues Recommendations to Protect Patient Information

The Health Care Industry Cybersecurity Task Force, established pursuant to the Cybersecurity Act of 2015, issued a report outlining recommendations to address challenges in protection of patient information. The health care industry faces cybersecurity risks from severe lack of security talent, use of unsupported legacy systems, significant resource constraints, and lack of threat identification infrastructure; organizations should cooperate with vendors and providers to inventory and secure legacy systems, adopt strong authentication, ensure strategic, architectural approaches to reduce attack surfaces, and establish cybersecurity leadership positions. [Health Care Industry Cybersecurity Task Force – Report on Improving Cybersecurity in the Health Care Industry]

US – Five HHS Settlements Imposed for Lack of Safeguards, Risk Analysis and Management Plans

This article reviews the U.S. Department of Health and Human Services, Office for Civil Rights’ (OCR) 2017 settlements under the Health Insurance Portability and Accountability Act. Electronic personal health information was exposed due to hackers, inappropriate employee access and lost or stolen unencrypted devices; companies were asked to conduct a risk analysis and implement risk management plans to fix vulnerabilities, and to monitor their information systems’ activity (e.g., review audit logs, access reports and security incident tracking reports). [2017 OCR HIPAA Settlements Focus on Risk Analyses Safeguards – Elizabeth Snell – HealthIT and Security]

US – HHS Issues Guidance on How to Detect, Deter and Recover from Ransomware Attacks

A new HHS fact sheet reviews the U.S. Department of Health and Human Services’ guidance about ransomware and requirements under the Health Insurance Portability and Accountability Act and the HIPAA Rules. Entities may prevent malware intrusion by implementing security management processes to identify threats and vulnerabilities, to mitigate or remediate identified risks and to guard against and detect malicious software; ransomware attack recovery activities include conducting an initial analysis to determine the scope and origination of the incident, whether it is finished, how it occurred and the vulnerabilities involved, and restoring data lost during the incident. [HHS Fact Sheet: Ransomware and HIPAA]

Horror Stories

CA – 1.9 Million Bell Customer Email Addresses Stolen by ‘Anonymous Hacker’

Bell is apologizing to its customers after 1.9 million email addresses and approximately 1,700 names and phone numbers were stolen from a company database. The information appears to have been posted online, but the company could not confirm the leaked data was one and the same. Bell, the country’s largest telecommunications company, attributed the incident to “an anonymous hacker,” and says it is working with the RCMP to investigate the breach. Bell said the incident was unrelated to the massive spike in ransomware infections that affected an estimated 200,000 computers in more than 150 countries late last week. It is not clear when the breach occurred, how the data was accessed, or how long the attacker had access to Bell’s systems. [Source]

WW – Two Billion Numbers Leaked by Chinese Phone App

The app, DU Caller, developed by DU Group, a subsidiary of Baidu, was initially for users to blacklist nuisance callers and filter them out. But a “reverse look-up” function allowed access to two billion phone numbers stored in Baidu’s Beijing server. Among those affected are security minister Lai Tung-kwok and privacy commissioner Stephen Wong, according to news agency FactWire. The Security Bureau has referred the case to the Office of the Privacy Commissioner for Personal Data for investigation. Independent news agency FactWire reported on Saturday that once downloaded and installed, the app would automatically gather sensitive information such as the address book and phone numbers even before users agreed to the privacy policy. [SCMP]

US – $2.5M Fine Imposed on Wireless Health Services Provider for PHI Breach

The Department of Health and Human Services, Office for Civil Rights entered into an agreement with CardioNet Inc. to settle alleged violations of the HIPAA Privacy and Security Rules. The provider did not have sufficient risk analysis and risk management processes in place at the time an employee’s laptop was stolen from their vehicle (containing ePHI of 1,391 individuals); the organization must conduct an enterprise-wide risk analysis, implement a risk management plan that addresses all security risks and vulnerabilities, revise and distribute policies and procedures among employees, and report to HHS at least annually for a 2-year period. [HHS – Resolution Agreement – CardioNet Inc.: Press Release | Resolution Agreement]

Identity Issues

CA – Edmonton Man Sounds Alarm After ID Scanned While Buying Cigarettes

Nick Radloff said he was asked for ID last at an Esso Station owned by 7-Eleven. “She just automatically scanned it into her system” he said. A directive from 7-Eleven head office states that the store’s ID scanners do not collect personal information that could identify the customer. Instead the scanners “read only anonymous information (expiry date, province, date of birth, and only the last four digits of a driver’s licence).” A regional 7-Eleven manager wrote “if you do not want your ID or driver’s licence scanned, our sales associates have been instructed to respect your decision.” 7-Eleven’s policy was implemented on April 24 across their 650 stores. 7-Eleven said the policy was put in place “to further reduce the risk that tobacco products would be sold to minors.” The Office of the Information and Privacy Commissioner of Alberta has looked into a number of such complaints over the past decade. [CBC]

EU – Blockchain Startup Forms Partnership to Develop Identity Platform

Billed as an “identity platform,” the product is designed to allow businesses and consumers to store and exchange information while staying on the right side of regulations such as the European Union’s General Data Protection Regulation, which sets strict limits on what information companies are allowed to hold on their customers. The platform’s development, announced Monday, is a joint effort between Cambridge [see here] and LuxTrust [see here], an established firm that is already managing digital identities for the entire individual and corporate population of Luxembourg, according to a news release. [see here] A key piece of the platform will be Cambridge’s software, in which each individual holds his or her personal data in a private store and the blockchain holds proof that the data is valid. Such proof could include picture ID. A bank can refer to the blockchain to verify customers’ identities, but the information held there can’t be used to falsify personal data. [American Banker]

Internet / WWW

CA – WannaCry Ransomware “A Wakeup Event” for Directors

“It may be the WannaCry virus will be a watershed event for directors and officers liability in this area,” Bradley Freedman [see here], national leader of the cyber security law group at Borden Ladner Gervais, said. “And I say that because the primary result of it has been business disruption and financial loss. Shareholders are going to be asking what their directors did to make sure their organizations were doing the right thing to manage these types of risks. Did it have an appropriate patch management program? Was there proper oversight? Why was this organization running a Windows XP machine?” Freedman noted that when it comes to cyber risk management, courts say directors and officers have to consider the same things as when making any corporate risk decision: exercise the care of a reasonable person, and make “reasonable and informed and properly advised independent decisions.” Perfection, he said, isn’t demanded. Still, he said, the WannaCry attack, which according to the U.S. infected 300,000 computers around the world, may be a seminal event for directors. In making decisions in civil lawsuits relating to breaches on whether the organization took “reasonable care”, Freedman added, judges will look to what he called “soft law” — best practices, industry guidance, previous decisions in other jurisdictions. Rene Pelletier, IT audit principal in the Alberta auditor general’s office, said organizations are playing defensive because they don’t share their knowledge with other firms. Canada, he noted, is the second biggest target for reported ransomware incidents after the U.S. Ransomware works because it relies on ignorance and isolation of users, he said. “We all need to work together on cyber security,” he added. “If we don’t we’re dead.” [IT World Canada]

Law Enforcement

CA – Alberta Police Inch Closer to Policy on Identifying Homicide Victims

After a meeting of the Edmonton Police Commission, police Chief Rod Knecht gave an update on a contentious issue which came to the fore this year after Edmonton police withheld the names of roughly half of the city’s 2017 homicide victims, a departure from long-standing practice. Critics say withholding names is a misreading of the province’s Freedom of Information and Protection of Privacy (FOIP) law and goes against the public interest. The opposition Wildrose has criticized the policy, saying in particular that withholding names in domestic violence cases could stigmatize victims. Edmonton police have cited privacy concerns and the lack of “an investigative purpose” in not naming some homicide victims this year. Members of the Alberta Association of Chiefs of Police met last Friday to discuss the issue, Knecht said. The departments’ FOIP lawyers will soon gather to discuss the legal issues. “We all agreed — every case on its own merits,” he said. “We may release the name in a certain case, and in another case we may not.” [Edmonton Journal See also: Alberta police chiefs try for common ground on naming homicide victims | Alberta chiefs of police to discuss homicide victim naming policies | Edmonton police chief defends policy of not releasing names of homicide victims | Edmonton police policy of not naming murder victims stands alone in Alberta | Secret murder: A tale of two police forces in Alberta | Bureaucratic secrecy erodes democratic rights | RCMP silent on Alberta murder victims citing Privacy Act ]

US – Police May Have Been Less than Forthcoming to Judge About Stingray Use

A California defense attorney maintains that law enforcement officers misled a judge when seeking a warrant to use cell-site simulator technology to track her client’s location. In a related story, the US Supreme Court plans to discuss the issue of whether law enforcement authorities require warrants to compel mobile phone companies to disclose customers’ cell site data. Read more in:

  • arstechnica.com: Lawyer: Cops “deliberately misled” judge who seemingly signed off on stingray
  • arstechnica.com: Supreme Court asked to rule if cops need warrant for cell-site data
  • arstechnica.com: DHS now needs warrant for stingray use, but not when protecting president
  • arstechnica.com: FBI, DEA and others will now have to get a warrant to use stingrays
  • www.usatoday.com: Bipartisan bill seeks warrants for police use of ‘stingray’ cell trackers
  • arstechnica.com: Appeals Court: No stingrays without a warrant, explanation to judge
  • www.reuters.com: In first, U.S. judge throws out cell phone ‘stingray’ evidence

Online Privacy

WW – Hundreds of Privacy-Invading Apps Are Using Ultrasonic Sounds to Track You

These near-silent tones can’t be picked up by the human ear, but there are apps in your phone that are always listening for them. This technology is called ultrasonic cross-device tracking, and it works by emitting high-frequency tones in advertisements and billboards, web pages, and across brick-and-mortar retail outlets or sports stadiums. Apps with access to your phone’s microphone can pick up these tones and build up a profile about what you’ve seen, where, and in some cases even the websites you’ve visited. In the past year, researchers found 234 Android apps that include the ability to listen for ultrasonic tones “without the user’s knowledge,” one paper said. The researchers criticize the technique as a “threat to the privacy of a user,” as they “enable unnoticeably tracking locations, behavior and devices.” Using this ad-tracking technology allows ad companies to link media-consuming habits to a person’s identity by picking up ultrasonic tones from websites, and radio and television broadcasts. The ultrasonic tones can also be used to track locations, behavior, and purchase habits across different devices, which allows the advertiser to serve more specific and tailored advertisements based on where you’ve been. Worst of all, the researchers say that this ultrasonic tracking technology can de-anonymize users of bitcoin, which is designed to be used without the need for a name. [ZDNet]

Other Jurisdictions

AU – Australian DPA Recommendations for Identifying Personal Information

The Office of the Australian Information Commissioner has provided guidance to organizations on determining whether information processed is personal information, pursuant to the Privacy Act 1988. Organizations should consider whether there is a connection between the information and the individual, if the information reveals or conveys something about the individual, and whether the individual is reasonably identifiable (considering the nature and amount of information, and who will have access); personal information does not include de-identified information, information about deceased persons, business information, or cases where individuals are not identifiable (e.g. an aerial photo of a public event without enough detail to determine identifying features). [OIC Australia – What is Personal Information]

Privacy (US)

US – Advocates Urge FCC to Immediately Repeal Mandatory Data Retention Rule

Advocates urge the Federal Communications Commission to immediately end the data retention mandate. The rule, requiring telephone carriers to retain customer billing records for 18 months, is outdated (carriers no longer bill in a way that makes the retention of this data relevant), violates customers’ privacy rights by requiring carriers to retain sensitive personal data, and increases the likelihood of the data being exposed in a security breach. [Letter Urging FCC to Act Immediately on Petition to End Data Retention Mandate]

US – Security Spending: School Budgets Inadequate to Meet Increased Challenges

The Consortium for School Networks issued its 5th IT Leadership Survey: 495 surveys were completed by US school system technology leaders between January and February of 2017. 38% of IT departments spend 51-75% of their time reacting to technical problems as opposed to working in a proactive mode, and 37% see no change in the priority of security and privacy of student data compared to the last year; IT leaders overcome budget and funding issues by delaying maintenance and upgrades (65%), reducing technology purchases (37%), and relying on E-rate funds (53%) and grants (35%). [2017 K-12 IT Leadership Survey Report – Consortium for School Networking]

US – School Districts and Online Services Providers Must Better Protect Student Privacy

The Electronic Frontier Foundation has issued a report on student data handling practices of school districts and educational technology companies. Schools have issued devices to students without parental knowledge or consent, parents were unable to opt their children out of device or software use, and provider policies (which lacked details about encryption, retention and sharing) were relied on by schools to ensure student data protection; schools and providers should have privacy policies that are accessible, not over-broad, and describe data collected, methods used, and data minimization measures employed, obtain explicit consent from parents before signing students up for services, and should not track students’ online behavior. [EFF – Spying on Students – School-Issued Devices and Student Privacy]

US – Parties Discuss Privacy Issues in Advance of FTC, NHTSA Workshop on Connected Cars

On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (NHTSA) will hold a workshop to examine the consumer privacy and security issues posed by automated and connected vehicles. The workshop comes several months after the Department of Transportation and NHTSA promulgated a Notice of Proposed Rulemaking (NPRM) that would require all new passenger vehicles to be capable of vehicle-to-vehicle (V2V) communications by the early 2020s. The FTC and NHTSA have raised several questions to be addressed at the workshop. Car manufacturers, tech organizations, privacy organizations, and other parties filed comments in advance of the workshop, responding to these questions and more. [Inside Privacy]

US – Second Circuit Limits Standing to Bring Data Breach Class Actions

The U.S. Court of Appeals for the Second Circuit issued an important decision [see 5 pg pdf here] in “Whalen v. Michaels Stores”, placing the court at the center of the controversy around what allegations are sufficient to establish Article III standing in data breach class actions. In “Whalen”, the plaintiff alleged that payment card information stolen in a data breach was used in unsuccessful, attempted fraudulent transactions. The payment card owner further alleged that she faced an increased risk of future identity fraud, forcing her to spend time and money resolving the attempted fraudulent charges and monitoring her credit. The court ruled that these allegations did not establish a concrete injury sufficient to confer Article III standing. [Fenwick]

US – California Senate Committee Votes Against Privacy for Our Travel Patterns

The Electronic Frontier Foundation and the ACLU of California joined forces with California State Sen. Joel Anderson (R-Alpine) to testify before the Senate Transportation and Housing Committee [watch the full hearing here] in favor of S.B. 712 (text), a bill that would have allowed drivers to cover their license plates when parked in order to protect their travel patterns from private companies operating automated license plate readers (ALPRs). Despite learning how this data may be misused to target vulnerable communities by the federal government, a Democratic majority voted to kill the bill 5-6. The bill would have adjusted current law, which allows drivers to cover their entire vehicles (for example with a tarp), so that a driver can cover just a portion: the plate. Police would still have the ability to lift the cover to inspect the plate, and since the measure only applied to parked vehicles, it would not have affected law enforcement’s ability to collect data on moving vehicles. [EFF.org]

US – Lawyers Demand Answers After Artist Forced to Unlock His Phone

In February, artist Aaron Gach flew home to San Francisco after putting on a gallery installation in Brussels. US Customs and Border Patrol (CBP) decided to interrogate Gach, to detain him, and to demand that he unlock and hand over his phone. It’s fruitless to try to surmise the actions of CBP detentions. The CBP isn’t in the habit of sharing whatever possibly reasonable suspicions they might have about a traveler that would lead agents to detain that traveler. But we are now in an era of skyrocketing device searches at the US border, and there are many who would very much like to dissect the reasons – and the constitutionality – of this type of search. As the American Civil Liberties Union (ACLU) notes, the Department of Homeland Security (DHS) has estimated that CBP officers searched 2,700 devices in January and 2,200 in February alone, putting it on pace to easily exceed the 19,000 devices they searched in all of 2016. On Thursday, the ACLU took action on behalf of Gach and others who’ve been subjected to similar non-consensual searches at the border. Six ACLU attorneys filed an eight-page administrative complaint, seeking answers from DHS, the parent agency of CBP. [Source]

US – Swabbing a Car Door Handle in A Public Lot to Collect DNA is a 4th Amendment Trespass Search

In United States v. Jones, 132 S.Ct. 945 (2012), the Supreme Court added a second test for what government action counts as a Fourth Amendment “search.” Since the 1970s, the Supreme Court had held that the government commits a search when it violates a person’s reasonable expectation of privacy. Jones added that the government also commits a search when it trespasses on to a person’s “persons, houses, papers, and effects.” The significance of Jones hinges on just what kind of trespass test courts interpret Jones to have adopted. In light of that uncertainty, I was fascinated by a new decision, Schmidt v. Stassi, from the Eastern District of Louisiana last week. When Schmidt drove to a local strip mall, parked and went inside a store, an agent used a cotton swab to wipe the exterior door handle on Schmidt’s Hummer to collect a DNA sample. Schmidt sued the officers, claiming that swabbing his car door handle was an unlawful Fourth Amendment search. In the new decision, Judge Lance M. Africk holds that collecting the DNA from the door handle using the cotton swab was a Fourth Amendment search because it trespassed on to the car. Notably, the idea here is that collecting the DNA was a search because it interfered with Schmidt’s rights in the car, not in the DNA itself. That’s different from the reasonable-expectation-of-privacy cases on collecting DNA, which generally focus on the potential privacy invasion in the testing of the DNA sample to reveal sensitive information. [Washington Post]

US – Google Data Privacy Fight Hinges on Cloud Storage Tech

U.S. District Court for the Northern District of California Magistrate Judge Laurel Beeler’s ruling [see here] that Alphabet Inc.’s Google turn over customer data stored overseas relied more on the specific storage technology at play than on an outdated federal email privacy law, attorneys told Bloomberg BNA. The ruling may not offer real clarity sought by companies that store large amounts of data in the cloud on whether they must comply with government demands for the release of consumer data stored outside the U.S. But it does offer some insight into how courts may parse the technological issues surrounding the storage of data and identification of the consumers tied to that data by focusing on the ability of the company to readily identify the citizenship of a particular user. [BNA]

US – NY Lawmakers Consider Adding a ‘Textalyzer’ to Accident Investigations

A bill before the New York State Senate would give law officers a tool to check drivers’ cell phones after an accident in order to determine if distracted driving was the cause. Titled Evan’s Law, named after Evan Lieberman, a New Castle teenager who lost his life in 2011 due to a distracted driver in Westchester County, the bill would be the first in the nation to receive legislative approval. But not everyone is excited about the prospect. Rashida Richardson of the New York Civil Liberties Union is concerned that private information would not be private with any phone-scanning technology. She also questioned its accuracy, according to CBS New York. [Patch.com]


US – New ABA Opinion: Attorneys Must Take Reasonable Cybersecurity Measures to Protect Client Data

On May 11, 2017, the American Bar Association (ABA) issued Formal Opinion 477, making clear that a lawyer may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct so long as the lawyer takes reasonable efforts to prevent inadvertent or unauthorized access to client information. Lawyers may also be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. This new opinion updates a prior opinion issued by the ABA in 1999 (Formal Opinion 99-413)[see here], in which the ABA concluded that attorneys may use the Internet to transmit unencrypted communications relating to a client without running afoul of the Model Rules of Professional Conduct. Although most enterprises and firms use some level of protection in their electronic communications, this new opinion highlights the growing focus on cybersecurity across all industries and professions. Encryption is increasingly becoming the industry standard in securing electronic data and communications, and is often the first line of defense when facing a data breach scenario. [Privacy and Security See also: 8 Steps to Evaluating Cloud Service Security]

WW – Google Docs Phishing Scam

An enormous phishing scheme disguised as a Google Docs request has been sent to as many as one million users. The attackers used Google developer tools to create an app designed to trick users into thinking they were viewing the real Google Docs app. It displayed a legitimate OAuth screen seeking permission to access and manage users’ email and contacts. Within an hour of learning about the phishing scheme, Google had taken steps to protect users. Read more in:

  • computerworld.com: Google Docs phishing scam underscores OAuth security risks
  • www.wired.com: Don’t Open That Google Doc Unless You’re Positive It’s Legit
  • www.scmagazine.com: Massive Google Docs phishing attack targeted credentials, permissions
  • www.eweek.com: Google Docs Phishing Attack Tricks Unsuspecting Users to Click
  • www.cyberscoop.com: OAuth-based phishing campaign gives Gmail users a scare
  • threatpost.com: 1 Million Gmail Users Impacted by Google Docs Phishing Attack
  • www.bleepingcomputer.com: It Took Google One Hour to Shut Down Massive Self-Replicating Phishing Campaign

US – HHS to Launch Cybersecurity Center

The Department of Health and Human Services (HHS) will soon launch a healthcare focused cybersecurity initiative modeled on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC). The new center, to be called the Health Cybersecurity and Communications Integration Center (HCCIC) would seek to reduce the extensive “noise” in the health care industry about cyber threats and to analyze and “deliver best practices and the two or three things that a small provider, a small office, a doc in a box can do to protect his patient’s privacy and information security around those systems.” HHS also envisions the HCCIC working with developers of mobile health apps to promote data security best practices in that fast-growing area. In December, the Food & Drug Administration responded to the “growing number of medical devices designed to be networked to facilitate patient care” by issuing guidance addressing the management and reporting of post-market cybersecurity vulnerabilities in medical devices. On May 3, HHS’ Health Care Industry Cybersecurity Task Force released its draft report to Capitol Hill. The report includes recommendations to create a medical-device specific “MedCERT” modeled after the United States Computer Emergency Readiness Team, which “would assess vulnerabilities, evaluate patient safety risks, adjudicate between the vulnerability finder and product manufacturer, and consult organizations about how to navigate the vulnerability process.” [Security and Privacy Health Law]

WW – CompTIA Study Finds Old Tactics Often Used to Fight Breach Threats

Organizations recognize information security as a growing imperative, but too many remain on the defensive and use dated tactics and training to protect their data. That is the conclusion of the new study “The Evolution of Security Skills” [see here] from CompTIA, the leading technology association. According to the study, one of the challenges for many organizations is that they put their focus on the cyber threats they understand the best. Malware and viruses, two of the oldest forms of cyberattacks, generally get the most attention. Of the 350 organizations surveyed, 29 percent said they are highly proactive in their security posture, emphasizing detection and response. Another 34 percent said they balance a strong cyber defense with some proactive measures. Seth Robinson, senior director, technology analysis, at CompTIA calls on organizations to adopt proactive measures to protect their data. These include identifying weak links before they are exploited, broadening the skills of their technology professionals, and increasing security training top to bottom throughout the organization. [Info Mgmt]

UK – ICO Reports Record Number of Data Breaches and Fines

The ICO’s annual performance statistics for 2016/17 also reveal that the regulator received more reported data protection breaches and fined more companies for unlawful activities than any previous year. The statistics show that data protection complaint cases rose to 18,354, around 2,000 more than the previous year. Some 2,565 self-reported data breaches resulted in 16 civil monetary penalties totalling £1,624,500 for serious breaches across a range of public, private and voluntary sectors. The ICO received more than 166,000 reports about nuisance calls and texts. The ICO issued a record number of 23 fines in this regard, totalling £1,923,000, and issued nine enforcement notices and placed 31 organisations under monitoring. More than 5,400 freedom of information (FOI) cases were received and 5,100 closed during the year, with 1,351 decision notices, which was “broadly similar” to the previous year, the ICO said. The ICO expects its work to intensify next year in the run-up to the deadline for compliance with the EU’s General Data Protection Regulation (GDPR) on 25 May 2018. Testifying to the House of Lords EU Home Affairs Sub-Committee in a hearing on the new EU data protection package, Denham planned to expand the ICO’s staff to deal with the extra work burden to be imposed by the GDPR. [Computer Weekly]

WW – Organizations’ Lack of Attention to Printer Security Makes Them Vulnerable

This white paper surveyed individuals responsible for printer security at 16 organizations, which averaged 51 million pages printed per year by 8,800 printers used by 57,200 IT users and involving 4,500 IT staff. More than half of companies experienced an IT security breach in the last year that involved print security, yet almost 2/5 of senior managers are more likely to be involved in decision making for overall IT security than for print security; breaches commonly occur from the device’s network ports, print/copy/scan job interception, print/MFP hard drives and memory, printed or copied documents left in output trays or illegal use of secure media (checks, prescriptions). [The Business Value of Printer Security – IDC]

WW – Mobile Devices: Only 36% of Organizations Believe Cyberattacks Can Be Prevented

410 security professionals from an independent global database participated in a survey on mobile device security. Types of attacks experienced on employees’ mobile devices include malware, phishing using text messages, network attacks, intercepted calls and text messages over a carrier network, key logging, and credential theft; 62% of organizations do not use mobile security solutions (due to lack of budget, shortage of resources, lack of experience, or insufficient risk), despite 94% of organizations believing that the frequency and types of mobile device attacks will increase in the next year. [The Growing Threat of Mobile Device Security Breaches – Global Survey of Security Professionals – Check Point Software Technologies]

US – Uber Responds to Report That It Tracked Devices After Its App Was Deleted

Uber tracked former users even after they deleted the app from their iPhones, a practice that eventually earned CEO Travis Kalanick a scolding from Apple chief executive Tim Cook, the New York Times reports. Uber allegedly used a practice called fingerprinting to track devices after the app was deleted. Uber reportedly began fingerprinting iPhones as a fraud-prevention method in locations like China. Drivers there would register multiple Uber accounts on stolen iPhones and use them to request rides, thereby boosting the number of overall rides — a metric that Uber rewards with bonuses. Apple previously allowed developers to track their users with a Unique Device Identifier, or UDID. This kind of tracking was persistent across installs, but as Apple became more concerned with user privacy, it deprecated UDIDs in 2013. Apple replaced UDIDs with other variants of trackers that are designed to be less intrusive, including vendor IDs and advertising IDs. It’s not clear how Uber fingerprinted the devices in 2015 that led to the meeting between Kalanick and Cook. In order to prevent Apple engineers from discovering the fingerprinting, Uber allegedly geofenced Apple’s Cupertino headquarters to hide the code used in the process. But Apple engineers based in other offices discovered the trick, according to the New York Times [see here] and confirmed by TechCrunch, leading Cook to summon Kalanick to his office in early 2015. An Uber spokesperson said, “We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users.” [TechCrunch]

US – DHS Provides Guidance on Implementing Security Improvements for Mobile Devices

The Department of Homeland Security, in coordination with the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence, conducted a study on current and emerging threats to the government’s use of mobile devices. Mobile devices are vulnerable to attacks on back-end systems that require a security approach different from protection developed for desktop workstations; organizations should ensure timely patching of known vulnerabilities, block network access for obsolete devices (those no longer supported with updates), enable strong authentication methods, automatically monitor, detect and report any security policy violations, and enable remote wiping capabilities. [DHS – Study on Mobile Device Security]

US – NIST: Let Passwords Be Longer and Eliminate Character Variation Requirements

Later this summer, the US National Institute of Standards and Technology (NIST) will release new Digital Identity Guidelines. NIST appears likely to recommend against requiring periodic password changes and instead to recommend other measures that make passwords both easier to remember and more difficult to crack. For instance, allowing up to 64 characters could let people use passphrases rather than passwords. And allowing spaces and doing away with character variation requirements would help with memorization. NIST is currently reviewing public comments received on the guidelines. Read more in:
https://qz.com: The US standards office wants to do away with periodic password changes
https://pages.nist.gov: Digital Identity Guidelines

Smart Cars & Cities

WW – Report on IoT, Automation, Autonomy, and Megacities in 2025

Engineers designing and implementing internet-connected IoT devices face daunting challenges that are creating discomfort with what they see evolving in their infrastructures. This paper brings their concerns to life by extrapolating from present trends to describe plausible future crises playing out in multiple global cities within 10 years. Much of what occurs in the scenarios is fully possible today. [IoT, Automation, Autonomy, and Megacities in 2025]

US – California Bill Mandates Privacy by Design for IoT Devices

Manufacturers of Internet-connected devices (better known as the Internet of Things) should be following a new California bill closely because it would create a mandate under California law that all IoT devices have built-in security features appropriate to the device and information collected. California Senate Bill 327 [see here], amended in March, is the latest in a trend of legislative and regulatory efforts by state and federal authorities to hold IoT device makers more accountable for consumer data security. The California bill was introduced at nearly the same time the FTC brought an enforcement complaint in federal court in California against a computer networking equipment manufacturer for failing to take reasonable steps to secure its products from hackers. California’s Senate Bill 327 would go much further than the FTC has in “encouraging” manufacturers to adopt industry best practices for device security by codifying the State of California’s ability to bring enforcement complaints against those companies that do not build adequate security safeguards into their devices. It could be the first legislative mandate for IoT device manufacturers to proactively implement “security by design.” [WCSR]

WW – Securing the Internet of Things

Microsoft is calling for the development of a cybersecurity policy for the Internet of Things (IoT). While “industry can build security into the development of IoT devices and infrastructure, the number of IoT devices, the scale of their deployments, the heterogeneity of systems, and the technical challenges of deployment into new scenarios require an approach specific to IoT.” In a separate story, Japan’s Internal Affairs and Communications Ministry will introduce a certification system for IoT devices that will rate their resilience to cyberattacks. Read more in:
www.darkreading.com: Microsoft Calls for IoT Cybersecurity Policy Development
mscorpmedia.azureedge.net: Cybersecurity Policy for the Internet of Things (PDF)
www.sltrib.com: Japan to rate home devices on cyber-attack vulnerabilities


US – NSA Collected Americans’ Phone Records Despite Law Change: Report

The U.S. National Security Agency collected more than 151 million records of Americans’ phone calls last year, even after Congress limited its ability to collect bulk phone records, according to an annual report [see PR here & Report here] issued by the top U.S. intelligence officer. The NSA collected the records even though it had warrants from the secret Foreign Intelligence Surveillance Court to spy on only 42 terrorism suspects in 2016, in addition to a handful identified the previous year. The report came as Congress faced a decision on whether to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), which permits the NSA to collect foreign intelligence information on non-U.S. persons outside the United States, and is scheduled to expire at the end of this year. Officials on Tuesday argued that the 151 million records collected last year were tiny compared with the number collected under procedures that were stopped after former NSA contractor Edward Snowden revealed the surveillance program in 2013. The report said the names of 1,934 “U.S. persons” were “unmasked” last year in response to specific requests, compared with 2,232 in 2015, but it did not identify who requested the names or on what grounds. [Reuters]

US – Cop Union Opposes New Bill That Would Thwart License Plate Readers

If the Electronic Frontier Foundation and a San Diego-based Republican state senator have their way [and here], it will soon become legal for Californians to cover their license plates while parked as a way to thwart automated license plate readers. As written, the new senate bill would allow for law enforcement to manually lift a cover, or flap, as a way to manually inspect a plate number. The idea is not only to prevent dragnet license plate data collection by law enforcement, but also by private companies. A California company, Vigilant Solutions, is believed to have the largest private ALPR database in America, with billions of records. The California Police Chiefs Association has already filed its opposition to the bill. In a letter to Sen. Joel Anderson, the group argued that the bill would only benefit one group: “those who are trying to evade law enforcement and detection.” Similarly, the bill has faced resistance from the California Public Parking Association, among other groups. In March 2015, Ars obtained the Oakland Police Department’s 4.6 million reads of more than 1.1 million unique plates, which were gathered between December 23, 2010 and May 31, 2014, as part of a public records request. The dataset showed precisely how revelatory such information can be—we were able to discern the home of a city council member with little difficulty. [Ars Technica]

US – Study Lays Out Privacy Concerns That Kids and Parents Have About Toys That Listen

University of Washington researchers explored the attitudes of kids and parents toward Wi-Fi-enabled toys in a study. “It’s inevitable that kids’ toys, as with everything else in society, will have computers in them, so it’s important to design them with security measures in mind,” said Franziska Roesner, one of the co-authors of the study, which was funded by the Consumer Privacy Rights Fund at the Foundation for Communities and the Environment and by UW’s Tech Policy Lab. This year, sales of My Friend Cayla were banned in Germany due to concerns that personal data could be stolen. In the U.S., advocacy groups have filed a complaint with the FTC over Cayla and i-Que Robot. (The FTC is reviewing the complaint.) The researchers say toy designers, parents and policymakers should become more aware of the potential vulnerabilities and the potential solutions. One of the suggested strategies is to program the toys themselves to tell kids that they’re being recorded – and to alert parents to any concerns that come up. [Geekwire]

US Government Programs

US – FTC Requests Comments on Significant Changes Proposed to Organization’s Safe Harbor Program Under COPPA Rule

The Federal Trade Commission issued a notice on proposed changes to TRUSTe’s safe harbor program under the COPPA Rule. The proposed changes include measures to reduce the risk of misrepresentation by participants in the program (the organization would have greater control over use of the trustmark); new obligations require participants to conduct an annual internal assessment of third parties’ use of tracking technologies to collect children’s PI, describe their retention policies, undergo an annual compliance review, implement a user complaint process, enhance security measures, and notify affected users and the organization of any data breach. Public comments are due by May 24, 2017. [FTC – 16 CFR Part 312 – Children’s Online Privacy Protection Rule Safe Harbor Proposed Self-Regulatory Guidelines; TRUSTe COPPA Safe Harbor Program Application to Modify Program Requirements Press Release | Consultation]

US – NSA Announces Data Collection Changes

The US National Security Agency says it has stopped collecting email traffic for simply containing the email address or phone number of a foreign target. The NSA agreed to end the practice as part of an agreement with a federal court that allows the agency to continue its Section 702 surveillance program. Sources:
www.wired.com: A Big Change in NSA Spying Marks a Win for American Privacy
www.theregister.co.uk: NSA pulls plug on some email spying before Congress slaps it down
www.scmagazine.com: NSA to end controversial warrantless surveillance practice
www.zdnet.com: NSA stops controversial program that searches Americans’ emails
arstechnica.com: NSA ends spying on messages Americans send about foreign surveillance targets
computerworld.com: NSA ends surveillance tactic that pulled in citizens’ emails, texts
www.washingtonpost.com: NSA halts controversial email collection practice to preserve larger surveillance program

Workplace Privacy

CA – Wearables in the Workplace Have Major Implications

With the growth of wearables in the workplace, how employee information is gathered, stored and used is becoming cause for concern. Researchers Steven Richardson and Debra Mackinnon at Queen’s University have published a report titled ‘Left to their own devices? Privacy Implications of Wearable Technology in Canadian Workplaces’ and highlighted some of the issues that have to be considered by all stakeholders. Researchers have identified more than 420 devices that are currently available for use in the workplace. The researchers argue that there is a need for greater accountability and transparency in how the devices are being implemented so that we have a more informed approach to privacy in the workplace. Wearables offer huge benefits and the technology is undoubtedly here to stay. However, the privacy issues do need more careful consideration by all the stakeholders involved prior to implementation. [Toronto Sun]

CA – Mandatory Locomotive Recorder Bill ‘Addresses A Key Safety Issue,’ Says Transportation Safety Board

Amendments to the federal “Railway Safety Act” [see here] mandating recording devices, if passed into law, could provide “essential information” to Transportation Safety Board of Canada staff investigating rail accidents and could help prevent such accidents in the future, TSB suggested Tuesday. Bill C-49, an omnibus piece of legislation, was tabled Tuesday in the House of Commons by Transport Minister Marc Garneau. [See here] This would mandate installation of locomotive voice and video recorders, TSB said in a separate release Tuesday. [See here] In September, 2016, the Canadian branch of International Brotherhood of Teamsters stated that railway companies should “not to be given access to the recordings because that would be an unprecedented and unparalleled intrusion into the workplace, one that is unnecessary, and would be tantamount to violating workers’ right to privacy.” [Canadian Underwriter]